
DMARC, SPF, and DKIM Explained: How to Stop Hackers Spoofing Your Email

DMARC, SPF, and DKIM are three DNS records that protect your email domain from being spoofed by attackers — and missing even one of them leaves your business and your customers exposed.

The problem: anyone can send email pretending to be you

Without the right DNS records in place, there is nothing stopping an attacker from sending an email that appears to come from your domain. Your customers receive a message that looks like it is from you — same domain, same format — asking them to click a link, make a payment, or hand over their credentials.

This is called email spoofing, and it is one of the most common techniques used in phishing attacks against UK businesses. The good news is that three DNS records — SPF, DKIM, and DMARC — exist specifically to prevent it. The bad news is that missing DMARC is the single most common finding we see on UK small business domains.

SPF — who is allowed to send email for your domain

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorised to send email on behalf of your domain. When an email arrives claiming to be from you, the receiving mail server checks your SPF record to see if it came from an approved source.

A basic SPF record looks like this:

v=spf1 include:_spf.google.com ~all

This tells receiving servers: "Only Google's mail servers are authorised to send email from this domain. Treat anything else with suspicion."

What happens without SPF: Receiving servers have no way to verify whether an email from your domain is genuine. Many will accept it anyway, making spoofing trivially easy.

DKIM — a cryptographic signature on every email

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. The private key lives on your mail server; the public key is published in your DNS. When an email arrives, the receiving server uses your public key to verify the signature is genuine.

If the signature does not match — because the email was forged or tampered with in transit — the check fails.

What happens without DKIM: Emails from your domain cannot be cryptographically verified. Attackers can send forged emails and there is no signature for receiving servers to check.

DMARC — what to do when SPF or DKIM fails

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving mail servers what to do when either check fails.

A DMARC record looks like this:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

The p= value is the policy:

Policy          What it means
p=none          Monitor only — do nothing with failures, just report them
p=quarantine    Send failing emails to the spam folder
p=reject        Block failing emails entirely — they never reach the inbox

DMARC also enables reporting. The rua= address receives aggregate reports from mail servers around the world, showing you who is sending email from your domain and whether they are passing authentication checks. This is how you find out if someone is actively spoofing your domain.

What happens without DMARC: Even if you have SPF and DKIM set up, there is no policy telling receiving servers what to do when they fail. Most servers will deliver the email anyway. DMARC is what actually enforces protection.
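As an added example (not code from the post), here is the decision a receiving server makes with the SPF and DMARC records shown above: the `~all` in the SPF record gives unknown senders a softfail, and DMARC passes only when SPF or DKIM passes for a domain aligned with the visible From address, otherwise the p= policy applies. The sample records and results are constructed, and org_domain() is a simplified stand-in for the Public Suffix List lookup real evaluators use.

```python
# Added example, not code from the post: how a receiving server applies the
# SPF and DMARC records shown above. Sample records and results are constructed;
# org_domain() is a simplified stand-in for a Public Suffix List lookup.

SPF_RECORD = "v=spf1 include:_spf.google.com ~all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_default_result(record):
    """SPF result for a sender matched by no mechanism, taken from the 'all' term."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # no 'all' term: RFC 7208 default

def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict and fill in the DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment
    tags.setdefault("aspf", "r")   # relaxed SPF alignment
    return tags

def org_domain(domain):
    # Simplification: last two labels (real code consults the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the p= action to apply ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]
```

Note the second case in the test below: SPF can "pass" for the attacker's own bounce domain, and only the alignment check against the From domain turns that into a DMARC failure.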


How to check your current email authentication setup

The fastest way is to scan your domain with Olimpio — it checks your DMARC, SPF, and DKIM records automatically and flags any issues with plain-English explanations. Every plan starts with a 7-day free trial.

If you want to check manually, you can look up your DNS records directly. In a terminal:

# Check SPF
dig TXT yourdomain.com

# Check DMARC
dig TXT _dmarc.yourdomain.com

# Check DKIM (replace 'selector' with your mail provider's selector)
dig TXT selector._domainkey.yourdomain.com

Common selectors for popular mail providers: Google Workspace uses google, Microsoft 365 uses selector1 and selector2.

How to fix missing records

If you use Google Workspace

Google publishes step-by-step instructions for setting up SPF, DKIM, and DMARC in Google Workspace Admin. In short: SPF and DKIM are set up in your DNS provider's control panel using values Google gives you; DMARC you add yourself once the other two are working.

If you use Microsoft 365

Microsoft 365 sets up SPF automatically when you add your domain, but DKIM needs to be enabled manually in the Microsoft 365 Defender portal. DMARC is a separate DNS record you add yourself.

If you use another provider

Your mail provider's documentation will have the specific values for SPF and DKIM. DMARC is always a TXT record on _dmarc.yourdomain.com that you write yourself — start with p=none to monitor, then move to p=quarantine once you have confirmed all legitimate email is passing.


The right order to implement these

  1. Set up SPF first. Straightforward — one DNS record listing your mail provider.
  2. Enable DKIM. Done through your mail provider's admin panel, then publish the public key in DNS.
  3. Add DMARC with p=none. Start in monitoring mode. Check the reports for a week or two to make sure all legitimate email sources are covered.
  4. Move to p=quarantine, then p=reject. Once you are confident everything is set up correctly, tighten the policy.

Jumping straight to p=reject without checking your setup first can cause legitimate emails to be blocked — so the staged approach matters.
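Step 3 above means reading the aggregate reports that arrive at the rua= address. As an added example (not code from the post), this summarises one such report so you can see which sending sources would be caught once p= is tightened; the report XML is constructed for illustration, using the element names from RFC 7489.

```python
# Added example, not code from the post: summarise a DMARC aggregate (rua)
# report. The XML below is constructed; real reports use the same element
# names (RFC 7489) and usually arrive as a zipped attachment.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>
"""

def summarise(report_xml):
    """One dict per <record>: source IP, message count, and whether DMARC
    passed (aligned SPF or aligned DKIM in <policy_evaluated>)."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "dkim": dkim,
            "spf": spf,
            "disposition": evaluated.findtext("disposition"),
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return rows

def failing_sources(report_xml):
    """(source_ip, count) for sources that p=quarantine/p=reject would act on."""
    return [(r["source_ip"], r["count"]) for r in summarise(report_xml) if not r["dmarc_pass"]]

if __name__ == "__main__":
    for r in summarise(SAMPLE_REPORT):
        print(f"{r['source_ip']:>15} {r['count']:>5} spf={r['spf']} dkim={r['dkim']} pass={r['dmarc_pass']}")
```

A failing source that sends your legitimate mail (a CRM, newsletter tool or ticketing system) needs adding to SPF or signing with DKIM before you move off p=none; a failing source you do not recognise is the spoofing the post describes.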

DMARC and Cyber Essentials

Missing DMARC is flagged under Cyber Essentials Control 1 (Firewalls) and Control 2 (Secure Configuration). Assessors check DNS records as part of the evaluation. Getting SPF, DKIM, and DMARC in place is one of the highest-impact, lowest-effort security improvements a small business can make.

Scan your domain with a 7-day free trial to check your current email authentication status and see exactly what needs fixing.
