Qutzl Insights

Tutorial

DNS and email authentication: SPF, DKIM, and DMARC

A plain-language tour of the three records that decide whether your mail looks legitimate.

1 min readBy Michael NarehoodNetworking

Advertisement

If spammers can send as you, your brand pays the price. SPF, DKIM, and DMARC are how the internet checks your homework.

1. SPF

Lists which servers may send mail for your domain. Too many includes (or a missing ESP) breaks deliverability.

2. DKIM

Cryptographic signatures on messages. Enable it in Microsoft 365 or your ESP, then publish the DNS records they give you.

3. DMARC

Tells receivers what to do with failures (p=nonequarantinereject) and where to send reports.

Rollout tip

Start with monitoring (p=none), fix legitimate sources, then tighten. Do not jump to reject on day one without reports.

Need a DMARC plan for your domains? Contact Qutzl.