Email authentication is three DNS records working as a system. Each answers a different question, and the system only protects you when all three are configured and aligned.

SPF — the guest list

SPF (Sender Policy Framework) is a public list of the servers allowed to send mail for your domain. When mail arrives claiming to be from yourcompany.com, the receiving server checks: "is the sending server on yourcompany.com's published list?" If your mail host, marketing platform, and invoicing tool aren't all on the list, their mail fails the check. If the list is too loose, attackers' servers effectively pass it.

DKIM — the wax seal

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message, created with a private key only your sending service holds. The matching public key is published in your DNS. Receivers verify the seal: if the message was altered in transit or wasn't signed by your key, verification fails. A strong setup uses 2048-bit keys.

DMARC — the bouncer with instructions

SPF and DKIM check things — but on their own, they don't tell receivers what to do when checks fail, and they don't require the checked domain to match the "From" address a human actually sees (that match is called alignment). DMARC adds both: it requires alignment with the visible From domain, and it publishes your instruction — none, quarantine, or reject.

Why you need all three

  • SPF alone: breaks on forwarded mail and doesn't bind to the visible From address.
  • DKIM alone: proves a signature exists, but not that it belongs to the visible From domain.
  • DMARC with neither aligned: a policy with nothing to enforce.

Together — SPF and/or DKIM passing with alignment, under a DMARC policy of p=reject — receiving servers worldwide refuse mail that forges your exact domain.

See your three records right now

All three records are public. The free scan reads them for your domain and shows you, in plain language, which of the three are doing their job.