May 19, 2026

SPF, DKIM and DMARC: Proving Your Email Really Came From You

Impersonation is the engine of phishing. If an attacker can make an email look as though it came from your company, your brand, or your finance director, much of their work is already done. The reassuring news is that email has three built-in defences designed to make that impersonation far harder, and used together they quietly stop a great deal of fraud before anyone even sees it. They are SPF, DKIM and DMARC.

They sound like alphabet soup, but the idea behind them is simple: prove that a message really came from who it claims to, and tell the world what to do when it did not.

Put simply: SPF lists which servers may send email for your domain, DKIM adds a cryptographic signature that proves a message was sent by a domain you control and has not been altered since, and DMARC ties the two together by requiring that whichever check passes authenticates the same domain a reader sees in the From: address. DMARC tells receiving servers to reject or quarantine anything that fails, and reports back on who is trying to abuse your name. Set to a strict policy, the three stop most direct spoofing of your domain.

What each record actually does

SPF: who is allowed to send

Sender Policy Framework is a TXT record in your DNS listing the mail servers permitted to send email on behalf of your domain. When a receiving server gets a message claiming to be from you, it checks whether the connecting server's IP address is on that list. If not, the message looks suspect. Two caveats make SPF fragile on its own: it checks the envelope sender (the bounce address), not the From: header a reader sees, so a spoofer can pass SPF under a domain of their own; and forwarding breaks it, because the forwarding server is never on your list. That is why it works best alongside the other two.
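The check described above, as an added example that is not code from the original article: a small SPF evaluator that supports the ip4, ip6, include and all terms and runs against a constructed in-memory DNS table instead of live lookups. The domain names and addresses are placeholders (example.com, _spf.example-provider.net and RFC 5737 / RFC 3849 test ranges), assumed here only to make the block runnable offline.

```python
"""Minimal SPF evaluator (RFC 7208 subset) run against an in-memory DNS table.

Added example; not code from the original article. Only ip4, ip6, include and
all are supported, which is enough to show how the published list is used.
"""
import ipaddress

# Constructed TXT records standing in for live DNS lookups. The domain names
# and addresses are placeholders reserved for documentation.
DNS_TXT = {
    "example.com": (
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
        "include:_spf.example-provider.net -all"
    ),
    "_spf.example-provider.net": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
}

MAX_LOOKUPS = 10          # RFC 7208 caps DNS-querying terms per evaluation
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into its terms, dropping the version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def check_spf(ip, domain, dns=DNS_TXT, _lookups=None):
    """Return the SPF result for `ip` sending mail whose envelope sender is `domain`.

    Results follow RFC 7208: pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain.lower())
    if record is None:
        return "none"                      # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in parse_spf(record):
        qualifier = "+"                    # a term with no qualifier means pass on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"         # too many lookups: the record is broken
            inner = check_spf(ip, value, dns, lookups)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"      # include only matches on an inner pass
        else:
            # a, mx, exists, redirect= and macros need live DNS; not handled here.
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                        # nothing matched and no explicit 'all'


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.11", "2001:db8:1::5", "203.0.113.9"):
        print(ip, check_spf(ip, "example.com"))
```

The last address in the usage loop fails because of the trailing -all. A forwarding server relaying a genuine message from an address not on the list fails in exactly the same way, which is the fragility the section describes.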

DKIM: proof it was not tampered with

DomainKeys Identified Mail adds a cryptographic signature, carried in a header most readers never see, created with a private key only you hold. The receiver fetches the matching public key from a DNS record under your domain, named by a selector in the signature, and verifies the signature over the message body and the headers you chose to sign. If it verifies, the signing domain vouched for the message and the signed parts have not been altered in transit. Unlike SPF, the signature survives forwarding, as long as the forwarder does not modify the signed content.

DMARC: the policy and the reports

DMARC is the record that makes the other two count. It checks that the domain authenticated by SPF or DKIM matches, or aligns with, the domain in the visible From: header, and it tells receiving servers what to do when neither check passes with alignment: let the message through, quarantine it to junk, or reject it outright. Just as valuably, it asks receivers to send you reports showing who is sending mail in your name, which is often the first time an organisation sees the scale of attempted abuse.
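The alignment rule that lets DMARC tie SPF and DKIM to the From: address, as an added example that is not code from the original article. It parses a constructed DMARC record for the placeholder domain example.com and decides pass or fail, and the resulting disposition, from the SPF verdict, the envelope domain and the DKIM signing domains. The organisational-domain helper is a two-label approximation assumed for the example; real verifiers consult the Public Suffix List.

```python
"""DMARC evaluation: tie SPF and DKIM results to the From: domain via alignment.

Added example, not code from the original article. `org_domain` uses a
two-label approximation of the organisational domain; a real implementation
consults the Public Suffix List.
"""

# Constructed policy record for the placeholder domain example.com.
DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
)


def org_domain(domain):
    """Approximate organisational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, from_domain, mode):
    """Relaxed ('r') alignment needs the same organisational domain; strict ('s') an exact match."""
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict and check the required tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: %r" % record)
    return tags


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_results):
    """Return (dmarc_result, disposition).

    spf_result/spf_domain: the SPF verdict and the envelope (MAIL FROM) domain.
    dkim_results: list of (d= signing domain, verdict) for every signature found.
    """
    tags = parse_dmarc(record)
    spf_pass = spf_result == "pass" and aligned(
        spf_domain, from_domain, tags.get("aspf", "r")
    )
    dkim_pass = any(
        verdict == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
        for d, verdict in dkim_results
    )
    if spf_pass or dkim_pass:             # one aligned pass is enough
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)   # subdomain policy applies, if published
    return "fail", policy


if __name__ == "__main__":
    # Forwarded mail: SPF breaks, the DKIM signature survives, DMARC still passes.
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "fail", "example.com",
                         [("example.com", "pass")]))
    # Third-party sender authenticated only under its own domain: fails alignment.
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "example-provider.net",
                         [("example-provider.net", "pass")]))
```

The second call in the usage section is the case that surprises most teams: SPF and DKIM both pass, but under the provider's domain rather than yours, so DMARC fails and the mail is rejected. That is why a third-party service has to sign with your domain, or be included in your SPF with your domain as the envelope sender, before you enforce.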

[Diagram: how SPF, DKIM and DMARC work together to prove an email came from your domain]
Three records that prove an email really came from you.

Why this matters for phishing

With all three in place and DMARC set to reject, an attacker can no longer simply send email that appears to come from your exact domain, one of the most convincing lures there is. That does not end the threat, but it forces attackers onto weaker ground, such as look-alike domains and display-name tricks, which are easier to spot and to monitor. The DMARC reports also give you ongoing visibility of who is impersonating you.

Deploying them without breaking your email

The one real risk is blocking your own legitimate mail, so roll out carefully.

Inventory every legitimate sender

List all the services that send email as you: your mail platform, marketing tools, invoicing systems, helpdesk and so on. Missing one is the usual cause of problems later.

Start DMARC in monitoring mode

Publish DMARC with a monitoring-only policy (p=none) and a reporting address first, then read the aggregate reports. They will show any legitimate senders that are failing, so you can fix their SPF and DKIM before you start enforcing.

Tighten to quarantine, then reject

Once genuine mail passes cleanly, move the policy to quarantine and then to reject; the pct tag lets you apply the stricter policy to a fraction of mail first. Quarantine still delivers spoofed mail to junk folders, so only at reject does spoofing of your exact domain truly stop.

Consider BIMI

With DMARC enforced, BIMI can display your verified logo beside your emails in supporting clients, a small trust signal that also rewards getting the basics right. Some clients, Gmail among them, also require a Verified Mark Certificate for the logo, so budget for that step.
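The monitoring and tightening steps above turn on reading the aggregate reports. As an added example that is not code from the original article, here is a parser for the XML aggregate report format that summarises each sending source, flags the ones failing DMARC, and cross-checks them against your sender inventory. The report below is constructed for the example with placeholder domains and documentation addresses; the three sources (a mail platform that passes, an invoicing tool authenticating under its provider's domain, and an unknown host) are assumptions chosen to show the typical picture.

```python
"""Summarise a DMARC aggregate (rua) report to see which senders fail.

Added example, not code from the original article. The XML below is a
constructed report in the RFC 7489 aggregate format with placeholder domains.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>2026-05-19-0001</report_id>
    <date_range><begin>1779062400</begin><end>1779148800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.20</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>invoicing-provider.example.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>invoicing-provider.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>410</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Aggregate message counts per source IP, separating DMARC-failing volume."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* verdicts; DMARC passes on either one.
        dmarc_pass = (evaluated.findtext("dkim") == "pass"
                      or evaluated.findtext("spf") == "pass")
        src = summary["sources"].setdefault(
            ip, {"messages": 0, "failing": 0, "auth_domains": set()}
        )
        src["messages"] += count
        if not dmarc_pass:
            src["failing"] += count
        # Raw auth_results show which domain the source actually authenticated as.
        for dom in (rec.findall("auth_results/dkim/domain")
                    + rec.findall("auth_results/spf/domain")):
            src["auth_domains"].add(dom.text)
    return summary


def failing_sources(summary):
    """(ip, failing message count) for every source with DMARC failures."""
    return sorted((ip, s["failing"]) for ip, s in summary["sources"].items()
                  if s["failing"])


def inventory_gaps(summary, known_senders):
    """Known legitimate senders that still fail: fix their SPF/DKIM before tightening p=."""
    return sorted(ip for ip, _ in failing_sources(summary) if ip in known_senders)


if __name__ == "__main__":
    report = summarise_report(SAMPLE_REPORT)
    print("policy:", report["policy"], "failing:", failing_sources(report))
    print("fix first:", inventory_gaps(report, {"192.0.2.10", "198.51.100.20"}))
```

Reading the constructed report this way separates the two kinds of failure the section cares about: 198.51.100.20 is on the inventory and authenticates cleanly, but only under the provider's domain, so it needs DKIM signing with your domain before the policy moves past p=none; 203.0.113.77 is not on the inventory and is the abuse the reports exist to reveal.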

What these records do not cover

Email authentication is powerful but not complete. It does nothing about a genuinely compromised account sending real, correctly authenticated mail; it does not cover look-alike domains the attacker registers for themselves; and it never checks the display name, so a message carrying your finance director's name from an unrelated address passes every check. So keep monitoring for impersonation, train your people, and give them an easy way to report suspicious emails that slip through.

The bottom line

SPF, DKIM and DMARC are among the highest-value, lowest-glamour controls in email security. Deployed carefully and enforced properly, they make it far harder for anyone to send mail in your name, and they hand you a clear view of who is trying. Pair them with monitoring for look-alike domains and a workforce that reports what gets through, and you close one of phishing’s most effective doors.

Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.

Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
