Understand SPF, DKIM and DMARC DNS records, how they help protect domains, and how to check email authentication settings.
- Improve email authentication
- Reduce spoofing risk
- Troubleshoot common mail delivery issues
SPF
SPF is usually published as a TXT record. It lists which mail servers or services are allowed to send mail for the domain. If you use multiple email services, the SPF record needs to include the legitimate senders without becoming too broad.
DKIM
DKIM uses a public key in DNS and a private key on the sending system. The receiving mail server can verify that the message was signed by a permitted sender and has not been altered in transit.
DMARC
DMARC builds on SPF and DKIM. It tells receiving systems what policy to apply when messages fail checks and where to send reports. Many organisations start with a monitoring policy before moving to stricter quarantine or reject policies.
Checking records safely
Check TXT records before and after email provider changes. Avoid deleting records you do not recognise until you know what they do. Verification records for Microsoft 365, Google Workspace, email platforms and marketing tools can all live in the same DNS zone.
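One way to apply this when reviewing a zone, as an added example that is not part of the original page: the script sorts TXT strings, in the quoted form `dig +short TXT` prints them, into SPF, DMARC, DKIM, verification and unrecognised records, and reports the SPF `all` qualifier and the DMARC policy. The function names, the sample records and the two verification prefixes it matches (`google-site-verification=`, `MS=ms`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: sort TXT strings (as printed by `dig +short TXT`) by purpose.

# classify_txt "<txt>" -> spf | dmarc | dkim | verification | other
classify_txt() {
    v=$(printf '%s' "$1" | tr -d '"')        # dig wraps each string in quotes
    case "$v" in
        v=spf1|"v=spf1 "*)                 echo spf ;;
        v=DMARC1*)                         echo dmarc ;;
        v=DKIM1*)                          echo dkim ;;
        google-site-verification=*|MS=ms*) echo verification ;;
        *)                                 echo other ;;
    esac
}

# spf_all "<spf record>" -> +all | ~all | -all | ?all | none
spf_all() {
    q=$(printf '%s\n' "$1" | tr -d '"' | tr ' ' '\n' | grep -E '^[+?~-]?all$' | head -n 1)
    case "$q" in
        "")  echo none ;;
        all) echo "+all" ;;                  # bare "all" defaults to pass
        *)   printf '%s\n' "$q" ;;
    esac
}

# dmarc_policy "<dmarc record>" -> value of the p= tag, or "missing"
dmarc_policy() {
    p=$(printf '%s\n' "$1" | tr -d '" ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    echo "${p:-missing}"
}

# audit_txt: read TXT strings on stdin, print one line per record.
audit_txt() {
    spf_count=0
    while IFS= read -r line; do
        case "$(classify_txt "$line")" in
            spf)   spf_count=$((spf_count + 1)); echo "spf all=$(spf_all "$line")" ;;
            dmarc) echo "dmarc p=$(dmarc_policy "$line")" ;;
            dkim)  echo "dkim public key" ;;
            verification) echo "verification record: keep until confirmed unused" ;;
            *)     echo "unrecognised: identify before changing" ;;
        esac
    done
    [ "$spf_count" -le 1 ] || echo "warning: $spf_count SPF records, merge into one"
}

# Constructed sample input (not real records).
audit_txt <<'EOF'
"v=spf1 include:_spf.example.net ~all"
"MS=ms00000000"
"v=DMARC1; p=none; rua=mailto:dmarc@example.com"
EOF
```

With network access, `{ dig +short TXT example.com; dig +short TXT _dmarc.example.com; } | audit_txt` feeds it live records; the DMARC record is published at the `_dmarc` label, so it needs its own query.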
Quick commands to try
dig example.com A
dig example.com MX +short
host -t TXT example.com
Practise the command line side
DNSNow gives you quick web checks. For hands-on Linux command practice, use CommandLineQuiz dig Command Builder, the Linux Troubleshooting Hub and the Bash Scripting Hub.
FAQs
Are SPF, DKIM and DMARC all DNS records?
SPF and DMARC are published as TXT records. DKIM public keys are also published in DNS, usually under a selector hostname.
Should every domain have DMARC?
It is strongly recommended for domains that send email, and also useful for parked or defensive domains when configured correctly.
Can bad DNS records cause email to land in spam?
Yes. Missing or incorrect SPF, DKIM or DMARC records can contribute to trust and deliverability problems.