Email Authentication: SPF, DKIM, and DMARC Explained

25 April 2019 Chris 2 min read
Email DNS Security
Email Authentication: SPF, DKIM, and DMARC Explained

SPF, DKIM, and DMARC are DNS-based email authentication records. They help receiving mail servers decide whether messages claiming to come from your domain should be trusted.

They do not guarantee inbox placement, but missing or broken records can make legitimate business email look suspicious.

What SPF Does

SPF lists the servers and services allowed to send email for your domain. It is published as a TXT record on the root domain.

A simple SPF record might include your hosting mail server and a third-party email provider. The important rule is that a domain should normally have one SPF record, not several separate SPF TXT records.

What DKIM Does

DKIM adds a cryptographic signature to outgoing email. The public key is published in DNS, usually under a selector such as selector._domainkey.example.co.uk.

When DKIM passes, the receiving server has evidence that the message was authorised by the domain and was not changed in transit.

What DMARC Does

DMARC tells receiving servers what to do when SPF or DKIM checks fail. It can also send reports so you can see who is sending mail using your domain.

DMARC policies usually move through stages:

  • none: monitor only.
  • quarantine: send suspicious mail to spam.
  • reject: reject failing mail.

Why It Matters for Website Owners

Email authentication matters for contact forms, order confirmations, password resets, invoices, support replies, newsletters, and staff mailboxes. If your website sends mail from your domain, DNS authentication should be part of the setup.

Common Mistakes

  • Multiple SPF records on the same domain.
  • SPF includes the old provider but not the new one.
  • DKIM selector missing after an email provider change.
  • DMARC set to reject before all legitimate senders are aligned.
  • Contact forms sending from the visitor's email address.

How to Check Records

Use DNS tools or command-line checks:

dig example.co.uk TXT
dig selector._domainkey.example.co.uk TXT
dig _dmarc.example.co.uk TXT

If you use TekLan email with TekLan nameservers, ask support for the correct current records before changing anything. If DNS is managed elsewhere, records must be added at the active DNS provider.

Related TekLan Posts

Read How to Check Email DNS Records, Why Your Contact Form Emails Go Missing, and Creating Email Accounts in Enhance.

← Older How to Choose a Domain for a New Business Newer → What Is a Control Panel in Web Hosting?
← Back to Blog

Related Posts

Email Deliverability Basics for Business Websites
Email
Email Deliverability Basics for Business Websites
17 Jan 2024
How to Check Email DNS Records
Email
How to Check Email DNS Records
25 May 2026
How to Point a Domain to Your Hosting Without Breaking Email
Domains
How to Point a Domain to Your Hosting Without Breaking Email
9 Apr 2026