When sending email from your domain, it’s important that messages don’t end up in spam folders or get rejected. To help with this, three key DNS records are used: SPF, DKIM, and DMARC. These records prove that your emails are genuine and authorised.

What is SPF?

Sender Policy Framework (SPF) tells receiving mail servers which servers are allowed to send emails for your domain.

  • Example SPF record:
v=spf1 include:yourhost.com ~all
  • ✅ Helps prevent spammers sending fake emails using your domain.
  • ❌ Without SPF, some emails may be marked as suspicious or rejected.

What is DKIM?

DomainKeys Identified Mail (DKIM) adds a digital signature to your emails. The receiving server checks this signature to confirm the email hasn’t been tampered with.

  • Example DKIM record (simplified):
v=DKIM1; k=rsa; p=MIGfMA0GCSq...
  • ✅ Proves your email really came from your domain and wasn’t modified.
  • ❌ Without DKIM, emails are more likely to land in spam.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) tells receiving servers what to do if SPF and/or DKIM checks fail.

  • Example DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; sp=none; aspf=r;
  • ✅ Lets you instruct mail providers to reject or quarantine suspicious messages.
  • ✅ Provides reports so you can see who is sending mail using your domain.
  • ❌ Without DMARC, unauthorised emails might still be delivered.

How They Work Together

  1. SPF → Authorises the servers allowed to send mail.
  2. DKIM → Confirms the message is genuine and hasn’t been altered.
  3. DMARC → Enforces rules and tells receiving servers how to handle failures.

Think of them like this:

  • SPF = Who can send
  • DKIM = Is it genuine?
  • DMARC = What to do if it’s not

Do You Need Them?

Yes - We highly recommend enabling all three. Many email providers (Google, Microsoft, Yahoo) now require SPF, DKIM, and DMARC for proper delivery.

If you’re hosting email with us, our system generates these records for you. You just need to make sure they’re added to your domain’s DNS zone (see our Managing DNS Records guide).