Secure your business email: the SPF, DKIM, DMARC guide for small businesses

Three settings — SPF, DKIM and DMARC — stop fraudsters from sending email in your company's name. Here is how they work and where to start.

In short: without DMARC in "reject" mode, anyone can send emails that look like they come from your domain. Set up SPF, enable DKIM with your provider, then raise DMARC gradually (none → quarantine → reject).

Why your email is a target

By default, email does not verify who sends a message. A fraudster can put billing@yourcompany.com in the From: field without ever having access to your mailbox, to trick your clients (fake invoices), your staff (CEO fraud) or damage your reputation. This is domain spoofing.

SPF, DKIM and DMARC are the three protections that close this door. They are configured in your DNS zone.

SPF — authorize your sending servers

SPF lists the servers allowed to send for your domain (a TXT record). Example for Microsoft 365:

v=spf1 include:spf.protection.outlook.com -all

The -all tells receiving servers to fail any server not listed. List every service that sends on your behalf before switching to -all.

DKIM — sign your emails

DKIM adds a digital signature to each email. The key is generated by your provider — enable it in their console, then copy the provided record into your DNS.

DMARC — block spoofers

DMARC tells receiving servers what to do with emails that fail these checks. Three levels: p=none (monitor only), p=quarantine (sent to spam), p=reject (blocked — maximum protection).

v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com

Where to start

  1. Publish an SPF with all your sending services.
  2. Enable DKIM in your provider's console.
  3. Start DMARC at p=none, then move to quarantine and reject.
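The three steps above can be checked before you publish anything. The following is an added example, not code from the original guide: it parses SPF and DMARC TXT records offline (the sample records are constructed, no DNS is queried; a DKIM flag is assumed because DKIM status lives in the provider console) and reports which of the three steps comes next.

```python
"""Offline check of SPF and DMARC TXT records before publishing (constructed samples, no DNS)."""
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def check_spf(record):
    """Report the 'all' qualifier and lookup count; SPF aborts after 10 lookups (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "issues": ["not an SPF record"]}
    qualifier, lookups, issues = None, 0, []
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    if qualifier is None:
        issues.append("no 'all' term: unlisted servers are neither passed nor failed")
    elif qualifier != "-":
        issues.append(f"'{qualifier}all' is permissive; switch to -all once every sender is listed")
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return {"valid": True, "all": qualifier, "lookups": lookups, "issues": issues}

def check_dmarc(record):
    """Report the DMARC policy level and whether aggregate reports (rua=) are requested."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {"valid": False, "issues": ["not a DMARC record or invalid p= tag"]}
    issues = [] if "rua" in tags else ["no rua= address: you will not receive aggregate reports"]
    return {"valid": True, "policy": tags["p"], "rua": tags.get("rua"), "issues": issues}

def next_step(spf, dkim_enabled, dmarc):
    """Map the checks onto the guide's rollout order (SPF, DKIM, then DMARC none->quarantine->reject)."""
    if not spf["valid"] or spf["all"] != "-":
        return "1: publish SPF listing every sending service, ending with -all"
    if not dkim_enabled:
        return "2: enable DKIM in the provider console and publish its DNS record"
    if not dmarc["valid"]:
        return "3: publish DMARC at p=none with a rua= address"
    ladder = {"none": "3: move DMARC to p=quarantine", "quarantine": "3: move DMARC to p=reject"}
    return ladder.get(dmarc["policy"], "done: DMARC is at p=reject")

# Constructed sample records for the demo (the page's Microsoft 365 example plus a monitor-mode DMARC)
SPF_M365 = "v=spf1 include:spf.protection.outlook.com -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"
```

Paste your own TXT records into the two constants to see the next action; the lookup count is an estimate (an "mx" mechanism also costs a lookup per MX host), so stay well under 10.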

Check your setup for free

Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.
