SPF (Sender Policy Framework)
SPF tells receiving mail servers which servers are authorized to send email for your domain. It is published as a TXT record on your domain’s root.
How It Works
When a receiving server gets an email from user@example.com, it checks the SPF record at example.com to see if the sending server’s IP is authorized. If the IP is not listed, the message may be rejected or marked as spam.
Format
| Mechanism | Meaning |
|---|---|
| include: | Authorize all IPs listed in another domain’s SPF record |
| ip4: / ip6: | Authorize a specific IP address or range |
| a | Authorize the IP(s) of the domain’s A record |
| mx | Authorize the IP(s) of the domain’s MX record |

| Qualifier | Meaning |
|---|---|
| ~all | Soft fail — accept but mark as suspicious (recommended during setup) |
| -all | Hard fail — reject unauthorized senders (recommended for production) |
Rules
- You may only have one SPF record per domain. Multiple SPF records cause validation failures.
- If you use multiple email services, combine them into a single record: "v=spf1 include:_spf.mailcow.email include:amazonses.com -all"
- SPF has a 10 DNS lookup limit. Each include: and redirect: counts as a lookup. Exceeding this limit causes SPF to fail.
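To check a record against the rules above before publishing it, here is an added Python linter (not part of the original page or of Mailcow) that finds the SPF record among a domain's TXT strings, counts the DNS lookups it triggers and inspects the all qualifier. It follows RFC 7208 in also counting a, mx, ptr and exists as lookups, which goes beyond the page's mention of include: and redirect:. The input TXT strings are constructed samples; the code does not query DNS and does not follow nested includes.

```python
import re

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4. The Rules section
# names include: and redirect; a, mx, ptr and exists are counted here too.
LOOKUP_TERMS = {"include", "redirect", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", re.IGNORECASE)


def check_spf(txt_records):
    """Lint the TXT records at a domain root for the SPF rules above.

    Returns the SPF record found, the number of DNS lookups its own terms
    trigger (nested includes are not followed, so this is a lower bound),
    and a list of findings. Input is the raw TXT strings, quotes optional.
    """
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"record": None, "lookups": 0, "findings": ["no SPF record found"]}
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found; receivers treat this as a permanent error")
    record, lookups, all_qualifier = spf[0], 0, None
    for term in record.split()[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            findings.append(f"unparseable term {term!r}")
            continue
        qualifier, name, _ = m.groups()
        if name.lower() in LOOKUP_TERMS:
            lookups += 1
        elif name.lower() == "all":
            all_qualifier = qualifier or "+"   # bare 'all' means '+all'
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}; SPF will fail")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are neither rejected nor flagged")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every sender; use ~all during setup or -all in production")
    elif all_qualifier == "~":
        findings.append("'~all' soft fail in use; switch to -all once all senders are verified")
    return {"record": record, "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: the combined record from the Rules section.
    print(check_spf(['"v=spf1 include:_spf.mailcow.email include:amazonses.com -all"']))
```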
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing email that the receiving server can verify. It proves the message was not altered in transit and that it was sent by an authorized server.
How It Works
Your mail server signs each outgoing message with a private key. The corresponding public key is published as a TXT record in your DNS. The receiving server retrieves the public key and verifies the signature.
Format
DKIM records are published on a subdomain named after a selector, in the form selector._domainkey.yourdomain (for example dkim._domainkey.example.com, where dkim is the selector). The selector name depends on your email provider. Your email provider will tell you the exact selector and record value to use.
Notes
- DKIM selectors vary by provider. DigitalFyre’s Mailcow Email uses the selector dkim. Other providers use selectors like google, s1, k1, etc.
- The record value contains the public key and can be very long. Ensure your DNS provider supports TXT records of sufficient length.
- Rotating DKIM keys periodically is good practice but is typically handled by your email provider.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails. It also provides a reporting mechanism so you can monitor who is sending email as your domain.
How It Works
When a message fails both SPF and DKIM alignment, the receiving server checks the DMARC policy at _dmarc.example.com to determine how to handle it.
Format
| Tag | Meaning |
|---|---|
| p= | Policy for failed messages |
| rua= | Email address to receive aggregate reports |
| ruf= | Email address to receive forensic (failure) reports |
| pct= | Percentage of messages the policy applies to (default 100) |

| Policy | Behavior |
|---|---|
| none | Monitor only — no action taken on failures. Use during initial setup to collect reports. |
| quarantine | Failed messages are moved to the recipient’s spam/junk folder |
| reject | Failed messages are rejected outright |
Recommended Rollout
Start with p=none to collect reports and identify all legitimate sending sources. Once all senders are properly authenticated with SPF and DKIM:
- Move to p=quarantine and monitor for false positives
- Move to p=reject once confident all legitimate mail passes
Testing
After configuring all three records, verify them with these tools:

| Tool | URL |
|---|---|
| MXToolbox | mxtoolbox.com/SuperTool.aspx |
| Mail Tester | mail-tester.com |
| DMARC Analyzer | dmarcian.com/dmarc-inspector |
| Google Admin Toolbox | toolbox.googleapps.com/apps/checkmx |
To run a quick check, send a test email to mail-tester.com and review the resulting report. It will show whether SPF, DKIM, and DMARC are passing and highlight any issues.