How SPF, DKIM and DMARC work together
The three pillars of business email authentication — what each does, how they align, and the order to implement them.
SPF — who may send
SPF is a DNS TXT record listing mail servers allowed to send as your domain. Include Microsoft 365, your website form provider, CRM, and newsletter tool. End with -all when confident, or ~all while testing.
DKIM — message integrity
DKIM signs messages with a domain-aligned key. Alignment matters for DMARC: the signing domain should match the From address domain (strict alignment) or share the same organisational domain (relaxed).
DMARC — policy and reporting
DMARC tells receivers what to do when a message passes neither SPF nor DKIM with alignment (none, quarantine, or reject) and where to send aggregate reports. Start at p=none, analyse reports for 2–4 weeks, then tighten.
Implementation order
Fix SPF and enable DKIM first, run DMARC at p=none with reporting, then move to quarantine and reject as legitimate senders authenticate. One broken marketing platform can cause false failures until it is fixed or excluded properly.
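The alignment rules above decide whether a third-party sender survives a tightened policy. The sketch below is an added example, not code from this guide or from any mail product: it evaluates a DMARC record against a message's SPF and DKIM results. The domains (example.com, example.net), the function names and the small suffix set are constructed for illustration; real receivers derive the organisational domain from the full Public Suffix List.

```python
# Added example: simplified DMARC evaluation with identifier alignment.
# Assumption: a tiny constructed suffix set stands in for the Public Suffix List.
SUFFIXES = {"com", "net", "org", "com.au"}


def org_domain(domain):
    """Return public suffix plus one label, e.g. mail.example.com.au -> example.com.au."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain): the SPF-checked envelope domain and the DKIM d= domain.
    Returns 'pass' if either mechanism passes with alignment, else the policy from p=."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    # Constructed messages, all with From: someone@example.com
    for name, spf, dkim in [
        ("own mail server", ("pass", "example.com"), ("pass", "example.com")),
        ("newsletter, custom DKIM", ("pass", "bounce.example.net"), ("pass", "news.example.com")),
        ("newsletter, vendor defaults", ("pass", "bounce.example.net"), ("pass", "example.net")),
    ]:
        print(name, "->", dmarc_result(record, "example.com", spf, dkim))
```

The third message passes both SPF and DKIM on the vendor's own domain yet still receives the quarantine policy, which is the false failure a misconfigured marketing platform produces once the policy moves past p=none.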