DMARC, DKIM, and SPF Implementation Guide for Security Teams

Sender Policy Framework (SPF) is a DNS TXT record that lists which IP addresses and mail servers are authorized to send email for your domain. When a receiving mail server gets a message from your domain, it checks whether the sending IP is listed in your SPF record. If it is not, the message fails SPF.

SPF record syntax: `v=spf1 [mechanisms] [all]`. Common mechanisms: `ip4:` and `ip6:` for specific IP ranges, `include:` to reference another domain's SPF record (used for SaaS senders like Google Workspace, Salesforce, Mailchimp), `a:` to authorize the domain's A record, `mx:` to authorize the domain's MX records. The `all` qualifier at the end sets the default action: `-all` (hard fail — reject unauthorized senders), `~all` (soft fail — mark as spam), `?all` (neutral — no recommendation).

Example: `v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all`

Critical SPF limitations: SPF only checks the envelope sender (the 'MAIL FROM' address used in the SMTP session), not the 'From' header visible to the recipient. This means SPF alone does not prevent header-From spoofing. SPF also breaks when email is forwarded, because the forwarding server's IP is not in the original domain's SPF record. These limitations are why DMARC is required.

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outbound email. The sending mail server signs the message with a private key, and the signature is embedded in a DKIM-Signature header. Receiving servers retrieve the corresponding public key from a DNS TXT record and verify the signature — confirming that the message originated from an authorized server and that the signed portions have not been tampered with in transit.

DKIM DNS record format: published at `[selector]._domainkey.[domain]`. Example: `mail._domainkey.example.com`. The record contains the public key (`p=`) and signing algorithm (`k=rsa` or `k=ed25519`). Use 2048-bit RSA or Ed25519 keys — 1024-bit RSA is deprecated and should not be used.

DKIM implementation for common platforms: Google Workspace (Admin console > Apps > Google Workspace > Gmail > Authenticate email), Microsoft 365 (Microsoft 365 Defender portal > Policies > DKIM), Sendgrid and Mailchimp (each provide instructions for adding their DKIM DNS records). Every email sending service your organization uses must have its own DKIM configuration — a message from Salesforce must be DKIM-signed with a key from your domain (not Salesforce's domain) to pass DMARC alignment.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM by adding a policy that instructs receiving servers what to do with messages that fail authentication, and a reporting mechanism that sends you aggregate data about all email claiming to come from your domain.

DMARC requires alignment: the domain in the 'From' header must align with either the domain that passed SPF (envelope sender) or the domain in the DKIM signature. This is the mechanism that closes the header-From spoofing gap that SPF alone cannot close.

DMARC DNS record: `_dmarc.[domain]` TXT record. Example: `v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com; fo=1`

Policy values: `p=none` (monitor only — do not change mail delivery, just report), `p=quarantine` (deliver to spam folder for failures), `p=reject` (block delivery of failing messages). Start at `p=none`, analyze reports for 4–8 weeks to identify all legitimate sending sources, then progress to `p=quarantine`, then to `p=reject` after confirming all legitimate senders are authenticating correctly.

DMARC aggregate reports (sent to the address in the `rua=` tag) are XML files delivered daily by major mailbox providers. They show every IP address that sent email claiming your domain, whether those messages passed SPF and DKIM, and whether they passed DMARC alignment. Without a report analysis tool, these XML files are nearly unreadable at scale.

Free DMARC report analysis tools: MXToolbox DMARC report analyzer, dmarcian's trial tier, EasyDMARC's free tier. These tools parse the XML and present it as a human-readable dashboard showing authorized vs. unauthorized senders, authentication pass rates, and messages failing DMARC.

Policy progression checklist: (1) Deploy p=none with rua= reporting and collect 4 weeks of data. (2) Identify all legitimate sending services that appear in reports — ESP, marketing automation, CRM, HR systems, ticketing tools. (3) Ensure every legitimate sender is configured with DKIM and SPF for your domain (not the vendor's domain). (4) Confirm 95%+ of your legitimate mail volume passes DMARC alignment. (5) Move to p=quarantine and monitor for 2–4 weeks for any legitimate mail entering spam. (6) Resolve any remaining misses. (7) Move to p=reject. Subdomains require separate DMARC records or a `sp=reject` tag on the root domain policy.

DMARC p=reject is the only configuration that fully prevents unauthorized parties from sending email that impersonates your domain. The path from p=none to p=reject takes 8–12 weeks of report analysis and sender cleanup for most organizations. The investment protects your domain reputation, reduces phishing attack surface for your customers and partners, and is now a requirement for bulk email senders under Google and Yahoo's sender policies.