How to set up DKIM, SPF and DMARC for your mail service

DKIM, SPF, and DMARC are email authentication protocols that help prevent email spoofing, phishing, and spam. They work together to verify that an email really comes from the domain it claims to come from.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance.
It’s an email security standard that helps stop spam, phishing, and email spoofing—basically, it keeps bad actors from pretending to send email from your domain.

Here’s the plain-English version:

What problem DMARC solves

Without DMARC, anyone can forge the “From” address in an email and make it look like it came from your company or domain. That’s how a lot of phishing attacks work.

DMARC tells receiving mail servers:

  • How to check if an email is legit
  • What to do if it’s not
  • How to report back what they’re seeing

How it works (the trio)

DMARC sits on top of two other email checks:

  • SPF – verifies the sending server is allowed to send mail for your domain
  • DKIM – verifies the message wasn’t altered and is cryptographically signed

DMARC says:

“If SPF or DKIM passes and aligns with my domain, accept the email. If not, follow my rules.”

DMARC policies

You publish a DMARC record in DNS that tells servers what to do with failing emails:

  • p=none → monitor only (no blocking, just reports)
  • p=quarantine → send suspicious mail to spam
  • p=reject → block it completely 🚫
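
The check described above (SPF or DKIM must pass and align with the From domain, otherwise the published policy applies), as an added Python example that is not part of the original post. The PUBLIC_SUFFIXES set is a small constructed stand-in for the real Public Suffix List, and the domains in the sample cases are constructed.

```python
# Added example: simplified DMARC evaluation with relaxed alignment.
# Assumption: PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "org.uk"}

def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def aligned(from_domain, auth_domain):
    """Relaxed alignment: both names belong to the same organizational domain."""
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf, dkim, policy):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1])
    dkim_ok = any(res == "pass" and aligned(from_domain, d) for res, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}
    return "fail", actions[policy]

# Constructed cases: (From domain, SPF result, DKIM results, published policy)
CASES = {
    "own server": ("yourcompany.com", ("pass", "bounce.yourcompany.com"),
                   [("pass", "yourcompany.com")], "reject"),
    "forwarded, SPF broken": ("yourcompany.com", ("fail", "yourcompany.com"),
                              [("pass", "mail.yourcompany.com")], "reject"),
    "SPF passes for another domain": ("yourcompany.com", ("pass", "unrelated.example"),
                                      [], "quarantine"),
    "same failure while monitoring": ("yourcompany.com", ("pass", "unrelated.example"),
                                      [], "none"),
}

def run_cases():
    return {name: dmarc_disposition(*args) for name, args in CASES.items()}

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

The third and fourth cases show why alignment matters: an SPF pass for a domain other than the one in the From header does not satisfy DMARC, and with p=none that failing message is still delivered.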

Reporting (the underrated superpower)

DMARC sends you reports showing:

  • Who is sending email using your domain
  • Which emails pass or fail authentication
  • Where phishing attempts are coming from

This is huge for visibility and cleanup.

Why DMARC matters

  • Protects your brand and customers
  • Improves email deliverability
  • Required by many providers (Google, Yahoo, etc.) for bulk senders
  • Reduces phishing and spoofing dramatically

TL;DR

DMARC is your domain saying:

“Here’s how to verify my emails, here’s what to do with fakes, and please tell me what you see.”

DKIM stands for DomainKeys Identified Mail.

It’s an email authentication method that helps prove an email really came from the domain it claims to be from—and that it wasn’t altered along the way.

Here’s the plain-English version:

  • When an email is sent, the sending mail server adds a digital signature to the message.
  • That signature is created using a private key owned by the sender’s domain.
  • The receiving mail server looks up the sender’s public key in DNS and checks the signature.
  • If it matches ✅ the email is legit and unchanged.
  • If it doesn’t ❌ the message may be spam, spoofed, or tampered with.

Why DKIM matters

  • Helps prevent email spoofing (fake “from” addresses)
  • Improves email deliverability (less likely to land in spam)
  • Builds trust with providers like Gmail, Outlook, Yahoo

DKIM vs SPF vs DMARC (quick vibe check)

  • SPF: “Is this server allowed to send mail for this domain?”
  • DKIM: “Was this email really signed by this domain, and not modified?”
  • DMARC: “What should we do if SPF/DKIM fail?” (policy + reporting)

Why SPF matters

What it does:
SPF verifies which mail servers are allowed to send email on behalf of your domain.

How it works:

  • You publish an SPF record in your domain’s DNS.
  • The record lists authorized sending servers.
  • When a receiving server gets your email, it checks if the sending server is on that list.

Example:
If someone tries to send an email pretending to be @yourcompany.com from an unauthorized server, SPF can detect it.

Limitation:
SPF only checks the sending server — it does not verify message content.

Sample result code for SPF, DKIM and DMARC using MS Exchange

DMARC record sample: get dmarc.lv or a similar site to create this for you (very easy to do). As you can see, the record points the reports at the site's mail monitoring program, which then builds up a database of your mail history and identifies any issues.

v=DMARC1; p=none; rua=mailto:*********g@dmarc.lv; ruf=mailto:f*******hg@dmarc.lv; fo=1;

SPF record sample

Name: v=spf1

"v=spf1 include:_spf.onmicrosoft.com ~all"

Easy Dmarc will generate this record for you; you then add it to your domain's DNS as a TXT record.
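
Before publishing, the two TXT records above can be checked offline. The following is an added Python example, not part of the original post or of any tool named here; it lints a DMARC and an SPF record string, and the report addresses in the sample are constructed placeholders for the redacted ones.

```python
import re

STRIP = ' "\u201c\u201d'  # whitespace plus straight and curly quotes pasted from a web page
LOOKUPS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 caps these at 10

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict, keeping tag order."""
    tags = {}
    for part in record.strip(STRIP).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    tags, findings = parse_tags(record), []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not sent to you")
    return findings

def lint_spf(record):
    terms, findings = record.strip(STRIP).lower().split(), []
    if terms[:1] != ["v=spf1"]:
        findings.append("record must start with v=spf1")
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms[1:]]
    if sum(n in LOOKUPS for n in names) > 10:  # counts this record only, not nested includes
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and "redirect" not in names:
        findings.append("no 'all' term: unlisted servers get a neutral result")
    elif alls and alls[0] in ("all", "+all"):
        findings.append("+all authorises every server to send as this domain")
    elif alls and alls[0] in ("~all", "?all"):
        findings.append(alls[0] + " does not hard-fail unlisted servers")
    return findings

# Records from this page; the report addresses are constructed placeholders.
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com; fo=1;"
SPF_SAMPLE = "\u201cv=spf1 include:_spf.onmicrosoft.com ~all\u201d"

if __name__ == "__main__":
    print(lint_dmarc(DMARC_SAMPLE), lint_spf(SPF_SAMPLE))
```

Both findings for the sample records describe a monitoring-stage setup: once the reports show only your own senders, the policy can move to quarantine or reject.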

DKIM record sample

Name: s1._domainkey.example.com

Type: CNAME

Value: s1.domain.dkim.example.com 

Below is sample code for the DKIM record to enable in MS Exchange.

Please publish the following two CNAME records first.

Domain Name : macuser.org.uk

Host Name : selector1._domainkey

Points to address or value: selector1-macuser-org-uk._domainkey.macuser.onmicrosoft.com

Host Name : selector2._domainkey

Points to address or value: selector2-macuser-org-uk._domainkey.macuser.onmicrosoft.com

Summary:

Finally, you will need to access your domain account and amend the records to reflect the 3 items, to help your mail server work in the modern world of mail servers. The 2 big players, Microsoft and Google, have an option to configure most of the records for you. You also have to enable it within their back office.

Useful links:

Mxtoolbox

How to use Dkim in Office 365

Easy Dmarc

Free DKIM record

Free test SPF/DKIM/DMARC Domain key

Dmarc Advisor

Dmarc paid service for monitoring your domain email traffic (Very good)
