SPF - DKIM - DMARC (email spoofing)

SPF, DKIM, and DMARC are complementary systems. SPF and DKIM are used by email servers as indicators of whether or not an email is spam. 

How to prevent email spoofing on your domain, using an unholy combination of silly standards. Recently, I encountered a problem. My domain didn't correctly implement SPF, DKIM, or DMARC. Then, I encountered a second problem: I had no idea what those were, and seemingly nobody has written about SPF, DKIM, or DMARC in a way that a human can understand, not to mention implement. Every article I found was either highly technical, trying to game SEO to sell me something, or too high level to be useful.

As a result, I've had to do a lot of hard work and research to understand this problem. Hopefully, because I had to do this, you won't. There's two main sections here: a human explanation of what these things are, followed by a reasonably straightforward way to implement them. This might not be easy, but if you've landed here, it's probably not optional. I hope this helps.

What are these weird acronyms?

SPF, DKIM, and DMARC are complementary systems. SPF and DKIM are used by email servers as indicators of whether or not an email is spam. DMARC then does two things: it tells email servers how important SPF and DKIM are, and what to do when an email fails to pass their tests. This probably doesn't make much sense yet - that's fine. Let's dig a little deeper.

SPF is a way to declare who's allowed to send emails from your domain. It stands for the "sender policy framework," but you don't need to know that. Just call it SPF, or "spoof." It's meant to make it harder to send spoof emails.

For example, it's a way to say "emails from mycompany.com can only be sent from Google and Postmark." Declaring SPF makes it harder for me to send emails from your domain in an attempt to phish.

Here's how it works, for a valid, non-phishing email:

  1. I send an email to you from hello@sadl.io, using my Fastmail SMTP server.
  2. Gmail (your email service) receives the email.
  3. The email is from someone at sadl.io, so Gmail grabs the DNS records for sadl.io
  4. sadl.io has a DNS record that declares its SPF policy. It says that emails can be sent from Fastmail.
  5. This email was sent from Fastmail, so it passes the SPF test.
  6. The email lands in your inbox.

That's all great! SPF hasn't stopped me from sending a real email to you. But it seems pretty simple. So... what would it stop?

Full Version


SPF sounds great in principle. But it often has no effect without DMARC.