Three DNS records — SPF, DKIM and DMARC — let receiving mail servers tell your genuine email from mail forged in your company's name. Here is how they work and where to start.
By default, email does not verify who sends a message: a mail server accepts whatever From: address the sender writes. A fraudster can write from: billing@yourcompany.com without any access to your mailbox, to trick your clients (fake invoices) or your staff (CEO fraud), or to damage your reputation. This is domain spoofing.
SPF, DKIM and DMARC are the three protections that close this door. They are published as TXT records in your domain's DNS zone.
SPF lists the servers allowed to send for your domain, in a TXT record at the domain itself. Recipients check it against the envelope sender (the Return-Path), not the From: address the reader sees; DMARC, below, is what ties the two together. Example for Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
The -all tells recipients that any server not listed should fail SPF (~all, softfail, only marks such mail as suspicious). List all your sending services (newsletter tool, CRM, ticketing, invoicing) before switching to -all, and stay within SPF's limit of 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect), counting those inside each include: above that, recipients treat the record as an error.
DKIM adds a digital signature to each email, which recipients verify with a public key published in your DNS. The key pair is generated by your provider: enable signing in their console, then copy the record they provide (published at selector._domainkey.yourcompany.com, as a TXT or a CNAME pointing to the provider) into your DNS.
DMARC tells recipients what to do with mail that fails both checks. A message passes DMARC when SPF or DKIM passes for a domain that matches the From: header (alignment); this is what makes the visible From: address trustworthy. Three policy levels: p=none (monitor only), p=quarantine (deliver to spam), p=reject (refuse delivery, maximum protection). The record is published at _dmarc.yourcompany.com:
v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com
Start at p=none and read the aggregate reports sent to the rua= address to find legitimate senders that fail; fix their SPF or DKIM, then move to quarantine and finally to reject.
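To make the three records and the DMARC alignment rule concrete, here is an added Python example (not code from the original article or from any mail provider). It sanity-checks an SPF, a DKIM and a DMARC record passed in as strings, then applies the DMARC policy to two messages the way a receiving server would: one sent through the listed provider, one sent by a spoofer from their own server. The domains, the selector and the record contents are constructed, nothing is looked up in DNS, and the organisational-domain helper is simplified to the last two labels (real receivers use the Public Suffix List).

```python
"""Checks for SPF, DKIM and DMARC records, plus the alignment test DMARC applies.

Added example; records and domains are constructed, no DNS queries are made."""

# Constructed records, written as they would be published for example.com.
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7exampleKEY"  # constructed key
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per check,
# counting the lookups made inside every include as well.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return (terms, all_qualifier, lookup_count, issues) for an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [], None, 0, ["missing v=spf1 version tag"]
    parsed, issues, all_qualifier, lookups = [], [], None, 0
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        sep = "=" if term.startswith(("redirect", "exp")) else ":"
        name, _, value = term.partition(sep)
        name = name.split("/")[0].lower()    # drop CIDR suffix on a/mx
        parsed.append((qualifier, name, value))
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        issues.append("no 'all' term: unlisted servers get 'neutral', not 'fail'")
    elif all_qualifier == "+":
        issues.append("'+all' lets any server pass SPF")
    elif all_qualifier == "~":
        issues.append("'~all' is softfail; move to '-all' once every sender is listed")
    if lookups > 10:
        issues.append("more than 10 lookup terms: evaluators return permerror")
    return parsed, all_qualifier, lookups, issues


def check_dkim(record):
    """Validate the TXT record published at <selector>._domainkey.<domain>."""
    tags, issues = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":   # v is optional but, if present, must be DKIM1
        issues.append("v tag present but not DKIM1")
    if not tags.get("p"):
        issues.append("empty p= tag: key is revoked, signatures will not verify")
    return tags, issues


def check_dmarc(record):
    """Validate the TXT record at _dmarc.<domain>; fill in RFC 7489 defaults."""
    tags, issues = parse_tags(record), []
    if not record.strip().upper().startswith("V=DMARC1"):
        issues.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    tags.setdefault("adkim", "r")            # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags, issues


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption:
    real receivers consult the Public Suffix List, e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match, relaxed the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(policy, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply a parsed DMARC policy to one message; returns (result, disposition).

    spf_domain is the envelope sender (MAIL FROM) domain SPF was checked for,
    dkim_domain the d= of a verified signature. DMARC passes when either check
    passed AND its domain aligns with the visible From: domain."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", policy["p"]               # p=none: deliver, but it shows up in reports


if __name__ == "__main__":
    _, all_q, lookups, spf_issues = check_spf(SPF_RECORD)
    print("SPF:", f"all={all_q}", f"lookups={lookups}", spf_issues)
    print("DKIM:", check_dkim(DKIM_RECORD)[1])
    policy, dmarc_issues = check_dmarc(DMARC_RECORD)
    print("DMARC:", policy["p"], dmarc_issues)
    # Legitimate mail: sent via the listed provider and signed with the company key.
    print(dmarc_evaluate(policy, "example.com", "pass", "example.com", "pass", "example.com"))
    # Spoof: attacker's server, attacker's own envelope domain, no signature.
    # SPF passes for attacker.example, but that domain does not align with From:.
    print(dmarc_evaluate(policy, "example.com", "pass", "attacker.example", "none", None))
```

The second evaluation is the point of the whole setup: a spoofer can always publish a valid SPF record for a domain they control, so SPF alone passes; it is the alignment with the From: header, enforced by the DMARC policy, that turns that into a reject.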