Emails should be private, but many businesses are unaware that they are open to impersonation and data breaches because they haven’t taken 15 minutes to secure their email systems.
Luckily, there’s a simple way to protect yourself and make sure your emails are trusted: SPF, DKIM and DMARC.
Think of them as your email’s security team:
1. SPF: The Guest List (Sender Policy Framework)
What it does: SPF is a public list of all the servers allowed to send emails from your domain (e.g., yourcompany.com). If an email comes from a server not on your list, it’s suspicious.
Why it matters: Stops spammers and criminals impersonating you.
2. DKIM: The Tamper-Proof Seal (DomainKeys Identified Mail)
What it does: DKIM adds a hidden digital signature to every email. This signature confirms the email is truly from your domain and hasn’t been changed since it was sent.
Why it matters: Proves your emails are authentic and haven’t been messed with.
3. DMARC: The Rulebook & Report Card (Domain-based Message Authentication, Reporting, and Conformance)
What it does: DMARC tells receiving email servers what to do if an email fails SPF or DKIM (e.g., send it to spam, reject it completely). It also sends you reports on who’s trying to send emails as you.
Why it matters: Blocks fake emails from reaching inboxes and gives you critical info on imposter attempts.
Why You Need Them:
Your emails land in inboxes: Nobody wants to end up in the spam folder.
Protect your reputation: Stop bad guys from sending scams using your name.
Fight phishing: Keep your recipients safer.
The email above has failed verification by not using one or all of SPF, DMARC and DKIM and is labelled ‘unverified’.
Simple Steps to Set Them Up:
This isn’t as hard as it sounds! You’ll typically do this wherever your domain’s DNS records are managed (often your web hosting provider or domain registrar like GoDaddy, Namecheap, Cloudflare).
Before you start: You’ll need to know which email service you’re using (e.g., Google Workspace/Gmail, Microsoft 365/Outlook, Zoho Mail, etc.).
Log in to your Domain’s DNS Manager:
Find the “DNS Management,” “Zone Editor,” or “Advanced DNS” section in your hosting provider or domain registrar’s control panel.
Add Your SPF Record:
Add a new TXT record.
Name/Host: Usually @ or your domain name (e.g., yourdomain.com).
Value/Text: This depends on your email provider.
For Google Workspace/Gmail: v=spf1 include:_spf.google.com ~all
For Microsoft 365/Outlook: v=spf1 include:spf.protection.outlook.com -all
(Find your provider’s specific SPF record if different)
Save the record.
Add Your DKIM Record(s):
Your email provider will give you specific TXT records for DKIM. You often get two or more.
Google Workspace/Gmail: You’ll generate this in your Google Admin console (Google Workspace > Apps > Google Workspace > Gmail > Authenticate email).
They’ll give you a google._domainkey host and a long value.
Microsoft 365/Outlook: You’ll manage this in the Microsoft 365 admin center (Settings > Domains > select domain > DKIM).
They’ll give you two hosts, selector1._domainkey and selector2._domainkey, with their values.
Follow your provider’s exact instructions for DKIM setup – it’s usually copy-pasting what they provide.
Save each record.
Give it a few hours for the internet to update (known as DNS propagation). Your email is now far more secure and trustworthy, as it should be.
Before you make any changes, go to https://smecyber.co.uk/security-checker/ to check your current email setup for errors.
Lastly, once the records are in place, go to https://smecyber.co.uk/security-checker/ to check it’s all in order.
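The kind of checks a record checker runs can be sketched offline. This is an added example, not the code behind the checker linked above or any provider's tool: it audits TXT values you have already looked up. The domain example.com, the dummy DKIM key and the sample zone are constructed, and the DMARC record format (a TXT record at _dmarc.<domain>) comes from the DMARC standard rather than from the steps above.

```python
# Added example (not from the original article). SAMPLE_ZONE is constructed
# data for the placeholder domain example.com; the DKIM key is a dummy value.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=DUMMYKEYFORILLUSTRATION"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit(zone, domain, selectors):
    """Return a list of findings for the domain; empty means nothing flagged."""
    findings = []
    # SPF: receivers treat zero records as "no policy" and several as an error.
    spf = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        last = spf[0].lower().split()[-1]
        if last in ("all", "+all", "?all"):
            findings.append(f"SPF: '{last}' does not restrict who may send")
        elif last == "~all":
            findings.append("SPF: '~all' is softfail; '-all' is the strict form")
        elif last != "-all" and not last.startswith("redirect="):
            findings.append("SPF: record does not end in an 'all' mechanism")
    # DKIM: each selector needs a record with a non-empty public key (p=).
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        if not any(parse_tags(t).get("p") for t in zone.get(name, [])):
            findings.append(f"DKIM: no public key published at {name}")
    # DMARC: lives at _dmarc.<domain>; p= is the policy, rua= the report address.
    dmarc = [parse_tags(t) for t in zone.get(f"_dmarc.{domain}", [])
             if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC: missing or invalid policy p={policy!r}")
        elif policy == "none":
            findings.append("DMARC: p=none is monitor-only; failing mail is not blocked")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no reports are sent to you")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, "example.com", ["google"]):
        print(finding)
```

Pass the selectors your provider gave you (for example google, or selector1 and selector2) together with the TXT values your DNS manager shows.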
More details
https://learn.microsoft.com/en-us/defender-office-365/email-authentication-about
https://support.google.com/a/topic/9061731?hl=en&ref_topic=9202
https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf