
Networking

SPF, DKIM, and DMARC

The three records that prove an email is genuinely from your domain.


Stopping Forged Mail

SMTP lets anyone claim any sender address, which is what makes spoofing possible. Three DNS-based mechanisms work together to authenticate mail and let receivers reject forgeries.

The Three Checks

  • SPF (Sender Policy Framework) publishes which servers are allowed to send mail for a domain. The receiver checks the connecting address against this list.
  • DKIM (DomainKeys Identified Mail) signs the message with a private key. The receiver verifies the signature using a public key in DNS, proving the body was not altered and came from the domain.
  • DMARC ties the two together. It tells receivers what to do when SPF or DKIM fails and requires alignment between the visible From domain and the authenticated domain.

Why All Three

SPF alone breaks on forwarding because the relaying server is not on the list. DKIM survives forwarding because the signature travels with the message. DMARC adds a policy and reporting so domain owners learn about abuse and can quarantine or reject.
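The three checks and the forwarding case above can be walked through in code. The following is an added example, not part of the lesson: a toy evaluator with constructed SPF and DMARC records held in a dictionary instead of DNS, an SPF check that understands only `ip4:`/`ip6:` mechanisms and the trailing `all` term, a simplified organizational-domain rule (last two labels, not the Public Suffix List), and a DKIM step represented by its outcome (the `d=` signing domain plus whether the signature verified) rather than by real RSA verification. The four scenarios, including a forwarded message and a message signed by an unrelated domain, are constructed to show how DMARC combines the two results with alignment.

```python
"""Added example (not part of the lesson): a toy evaluator that applies the
SPF, DKIM and DMARC decisions described above to constructed inputs.
DNS lookups are replaced by an in-memory dict of constructed records, and the
DKIM signature check is represented by its outcome (the d= signing domain and
whether the signature verified) rather than by real RSA verification."""
import ipaddress

# Constructed zone data; in production these are TXT records in DNS.
DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax used by DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(domain: str, client_ip: str) -> str:
    """Evaluate the domain's SPF record against the connecting IP.
    Supports ip4:/ip6: mechanisms and the trailing 'all' only (no include:,
    a:, mx: or redirect=), which is enough to show the forwarding problem."""
    record = DNS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real DMARC
    evaluators use the Public Suffix List to handle cases like co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def check_dmarc(from_domain: str, client_ip: str, mail_from_domain: str,
                dkim_domain: str, dkim_verified: bool) -> dict:
    """Combine SPF and DKIM results with the From-domain's DMARC policy.
    DMARC passes if either authenticated identifier is aligned with the
    visible From domain; otherwise the published p= policy applies."""
    spf = check_spf(mail_from_domain, client_ip)
    tags = parse_tags(DNS.get("_dmarc." + from_domain, ""))
    if tags.get("v") != "DMARC1":
        return {"spf": spf, "dkim": dkim_verified, "dmarc": "none", "action": "none"}
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_verified and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return {"spf": spf, "dkim": dkim_verified, "dmarc": "pass", "action": "none"}
    return {"spf": spf, "dkim": dkim_verified, "dmarc": "fail", "action": tags.get("p", "none")}


def scenarios() -> dict:
    """Constructed cases matching the lesson: direct send, forwarded mail,
    a plain forgery, and a forgery signed with an unrelated domain."""
    return {
        "direct":    check_dmarc("example.com", "203.0.113.5", "example.com", "example.com", True),
        "forwarded": check_dmarc("example.com", "198.51.100.7", "example.com", "example.com", True),
        "forged":    check_dmarc("example.com", "198.51.100.7", "example.com", "", False),
        "unaligned": check_dmarc("example.com", "198.51.100.7", "attacker.example", "attacker.example", True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10} spf={result['spf']:8} dkim={result['dkim']!s:5} "
              f"dmarc={result['dmarc']} action={result['action']}")
```

The "forwarded" case is the one the lesson describes: the forwarding host 198.51.100.7 is outside the SPF range, so SPF fails, but the DKIM signature still verifies and its `d=` domain aligns with the From domain, so DMARC passes. The "unaligned" case shows why alignment matters: a valid signature from a domain the sender controls does not help when it does not match the visible From domain, and the published `p=reject` applies.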

Key idea

SPF authorizes sending hosts, DKIM cryptographically signs the message, and DMARC enforces alignment plus a policy so receivers can reliably reject spoofed mail.

Check yourself


1. Which mechanism cryptographically signs the message body?

2. What does DMARC add on top of SPF and DKIM?

3. Why can SPF fail on forwarded mail while DKIM survives?