Email Authentication Checklist: SPF, DKIM, and DMARC

Email authentication helps receiving mail servers decide whether a message claiming to be from your domain is legitimate. It matters for business email, contact forms, invoices, password resets, and marketing tools.

List Every Sender First

Before editing DNS, list every service that sends mail as your domain. That may include your hosting mailbox, website contact form, billing platform, newsletter tool, CRM, helpdesk, and transactional email provider.

Guessing leads to broken mail. SPF and DKIM records should reflect the real services sending messages.

SPF

SPF is a TXT record that lists which servers are allowed to send mail for the domain. A domain should normally have one SPF record, not several competing records.

Check for:

  • Only one SPF TXT record at the root domain.
  • Includes for every legitimate sending platform.
  • No stale includes for services you no longer use.
  • A sensible ending such as ~all or -all once you are confident.
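The four checks above can be run as a short script. This is an added example, not part of the original checklist. It assumes your sender inventory is expressed as the include: domains each provider gave you, and every domain and record in it is constructed sample data.

```python
QUALIFIERS = "+-~?"

def audit_spf(txt_records, expected_includes):
    """Return findings for a root domain's TXT records vs. the sender inventory."""
    findings = []
    # An SPF record is a TXT record whose first term is exactly "v=spf1".
    spf = [r.strip().lower() for r in txt_records
           if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        # Receivers treat multiple SPF records as a permanent error (RFC 7208).
        findings.append(f"{len(spf)} SPF records found; merge into one")

    seen = set()
    for record in spf:
        terms = record.split()[1:]
        mechs = [t.lstrip(QUALIFIERS) for t in terms]
        seen |= {m.split(":", 1)[1] for m in mechs if m.startswith("include:")}
        all_terms = [t for t in terms if t.lstrip(QUALIFIERS) == "all"]
        if all_terms:
            # A bare "all" means "+all"; only "~" and "-" restrict senders.
            if all_terms[-1][0] not in "~-":
                findings.append(f"permissive ending '{all_terms[-1]}': {record}")
        elif not any(t.startswith("redirect=") for t in terms):
            findings.append(f"no 'all' ending: {record}")

    expected = {d.lower() for d in expected_includes}
    findings += [f"missing include: {d}" for d in sorted(expected - seen)]
    findings += [f"stale include: {d}" for d in sorted(seen - expected)]
    return findings

# Constructed sample: TXT answers as returned for the root domain.
SAMPLE_TXT = [
    "v=spf1 include:_spf.mail.example include:old-newsletter.example ?all",
    "v=spf1 include:helpdesk.example -all",
    "site-verification=constructed-token",
]
# Constructed sample: include domains for the services actually in use.
SAMPLE_SENDERS = {"_spf.mail.example", "helpdesk.example", "billing.example"}

if __name__ == "__main__":
    for finding in audit_spf(SAMPLE_TXT, SAMPLE_SENDERS):
        print(finding)
```

Senders authorised by ip4, a, or mx mechanisms rather than include are not compared against the inventory here.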

DKIM

DKIM signs outgoing mail so receivers can verify that the message was authorised and not changed in transit. Each sending platform may give you its own DKIM records.

Add the exact selector record provided by the sender, then use that platform's verification tool. Do not edit the key manually unless the provider tells you to.

DMARC

DMARC tells receivers what to do when a message passes neither SPF nor DKIM with a domain that aligns with the visible From address. Start with monitoring if you are unsure, then move towards stricter policies once legitimate senders are passing.

A cautious rollout usually looks like:

  • p=none while you collect reports and fix legitimate senders.
  • p=quarantine when normal mail is passing.
  • p=reject when you are confident unauthorised mail should be refused.

Website Forms

Contact forms should normally send from an address on your own domain, through authenticated SMTP, with the visitor's email used as a reply-to address. Sending directly as the visitor often fails authentication.

After DNS Changes

Allow for DNS caching, then send test messages to major mailbox providers. Check message headers or delivery reports to confirm SPF, DKIM, and DMARC pass.

For related checks, read How to Check Email DNS Records and How to Check if a Contact Form Is Sending Email.
