Emails should be private but many businesses are unaware they are open to impersonation and data breaches because they haven’t taken 15 minutes to secure their email systems.
Luckily, there’s a simple way to protect yourself and make sure your emails are trusted: SPF, DKIM and DMARC.
Think of them as your email’s security team:
1. SPF: The Guest List (Sender Policy Framework)
What it does: SPF is a public list of all the servers allowed to send emails from your domain (e.g., yourcompany.com). If an email comes from a server not on your list, it’s suspicious.
Why it matters: Stops spammers and criminals impersonating you.
2. DKIM: The Tamper-Proof Seal (DomainKeys Identified Mail)
What it does: DKIM adds a hidden digital signature to every email. This signature confirms the email is truly from your domain and hasn’t been changed since it was sent.
Why it matters: Proves your emails are authentic and haven’t been messed with.
3. DMARC: The Rulebook & Report Card (Domain-based Message Authentication, Reporting, and Conformance)
What it does: DMARC tells receiving email servers what to do if an email fails SPF or DKIM (e.g., send it to spam, reject it completely). It also sends you reports on who’s trying to send emails as you.
Why it matters: Blocks fake emails from reaching inboxes and gives you critical info on imposter attempts.
Why You Need Them:
Your emails land in inboxes: Nobody wants to end up in the spam folder.
Protect your reputation: Stop bad guys from sending scams using your name.
Fight phishing: Keep your recipients safer.
The email above has failed verification by not using one or all of SPF, DMARC and DKIM and is labelled ‘unverified’.
Steps to Set Them Up:
You’ll typically do this wherever your domain’s DNS records are managed (often your web hosting provider or domain registrar like GoDaddy, Namecheap, Cloudflare).
Before you start: You’ll need to know which email service you’re using (e.g., Google Workspace/Gmail, Microsoft 365/Outlook, Zoho Mail, etc.).
Log in to your Domain’s DNS Manager:
Find the “DNS Management,” “Zone Editor,” or “Advanced DNS” section in your hosting provider or domain registrar’s control panel.
Add Your SPF Record:
Add a new TXT record.
Name/Host: Usually @ or your domain name (e.g., yourdomain.com).
Value/Text: This depends on your email provider.
For Google Workspace/Gmail: v=spf1 include:_spf.google.com ~all
For Microsoft 365/Outlook: v=spf1 include:spf.protection.outlook.com -all
(Find your provider’s specific SPF record if different)
Save the record.
Add your DMARC Record:
Create a New TXT Record
Set the Host or Name to: _dmarc
Fill in the Value field, e.g. v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com;
Explanation
v=DMARC1: DMARC protocol version
p=none: Policy to monitor but not block emails (safe start)
rua=mailto:postmaster@yourdomain.com: Email address to receive aggregate reports (change to your address)
Later, you can change p=none to stricter policies like quarantine or reject when confident.
You can also add adkim=s and aspf=s which mean the SPF and DKIM domains must match your domain exactly e.g. v=DMARC1; p=none; adkim=s; aspf=s; rua=mailto:postmaster@yourdomain.com; pct=100;
Add Your DKIM Record(s):
Your email provider will give you specific TXT records for DKIM. You often get two or more.
Google Workspace/Gmail: You’ll generate this in your Google Admin console (Google Workspace > Apps > Google Workspace > Gmail > Authenticate email).
They’ll give you a google._domainkey host and a long value.
Microsoft 365/Outlook: You’ll manage this in the Microsoft 365 admin center (Settings > Domains > select domain > DKIM).
They’ll give you two hosts, selector1._domainkey and selector2._domainkey, with their values.
Follow your provider’s exact instructions for DKIM setup – it’s usually copy-pasting what they provide.
Save each record.
The CNAME Method (Delegated Keys)
Some email providers, particularly those managing their own email infrastructure, prefer to manage the DKIM key on your behalf using a CNAME record. This approach means you do not add a long TXT string with the cryptographic key; instead, you create a CNAME record that points your domain to a designated host name controlled by your email provider.
This is often preferred because it allows the provider to automatically rotate your cryptographic key for improved security without requiring you or your IT team to update your DNS records every time.
In this scenario, the steps are:
Ask your email provider if they use TXT or CNAME records for DKIM.
If they use CNAMEs, they will give you a list of records that look like this:
| Name / Host | Type | Points to / Value |
| --- | --- | --- |
| selector1._domainkey | CNAME | selector1.dkim.mail.providerdomain.com |
| selector2._domainkey | CNAME | selector2.dkim.mail.providerdomain.com |
Copy these records exactly into your DNS manager. Remember, the value in the “Points to” column is a host name, not a website address you can visit.
Follow your provider’s exact instructions for DKIM setup – it is usually copy-pasting what they provide.
Save each record.
Give it a few hours for the internet to update (known as DNS propagation). Your email is now far more secure and trustworthy, as it should be.
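To catch typing mistakes in the SPF and DMARC values before or after you publish them, here is an added example (not part of the original guide or of any provider's tooling): a small Python checker for the record strings described in the steps above. The function names are made up for illustration, and the sample records are constructed from the ones shown in this guide.

```python
import re

def parse_tags(record):
    """Split a DMARC-style 'tag=value; tag=value' string into a dict (order kept)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_spf(apex_txt_records):
    """Findings for all TXT records published at the Name/Host '@'."""
    spf = [r for r in apex_txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else
                "multiple v=spf1 records: SPF fails with a permanent error, merge them"]
    last = spf[0].lower().split()[-1]  # records using redirect= are out of scope here
    if not re.fullmatch(r"[-~?+]?all", last):
        return ["no 'all' term at the end (expected ~all or -all)"]
    if last in ("all", "+all"):
        return ["+all authorises every server to send as your domain"]
    return []

def check_dmarc(record):
    """Findings for the TXT record published at the Name/Host '_dmarc'."""
    tags = parse_tags(record)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris or not all(u.lower().startswith("mailto:") for u in uris):
        findings.append("rua needs a mailto: address or you get no reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        findings.append("pct must be a number from 0 to 100")
    return findings

# Constructed sample values, modelled on the records shown in this guide.
if __name__ == "__main__":
    print(check_spf(["v=spf1 include:_spf.google.com ~all",
                     "v=spf1 include:spf.protection.outlook.com -all"]))
    print(check_dmarc("v=DMARC1; p=none; adkim=s; aspf=s; "
                      "rua=mailto:postmaster@yourdomain.com; pct=100;"))
```

The first call shows the most common slip when a domain sends through two services: each provider's SPF value was added as its own TXT record instead of being combined into one.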
NB: do not change anything without making a copy or backup to revert to if necessary.
Your preferred AI will walk you through all of this if you are in doubt. Steps may vary depending on your email setup and provider. If you use software such as mailing lists to send bulk emails, you need to consider this too.
Firstly go to https://smecyber.co.uk/security-checker/ to check your current email setup for errors.
Lastly go to https://smecyber.co.uk/security-checker/ to check it’s all in order.
More details
https://learn.microsoft.com/en-us/defender-office-365/email-authentication-about
https://support.google.com/a/topic/9061731?hl=en&ref_topic=9202
https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf