SPF, DKIM, DMARC — and why your email needs all three.
Email was designed in 1971 without a security model. These three DNS records are how we bolted one on. Without them, your mail goes to spam.
Anyone can send email claiming to be from your domain. Nothing in the original SMTP protocol prevents that. Gmail, Outlook, Yahoo, and every modern mail provider treats this fact as a problem — so they invented three DNS records to verify that an inbound email actually came from a server authorized by the domain owner. Get all three set up correctly and your mail lands in inboxes. Miss one and a percentage of your mail goes to spam folders, depending on the receiver.
SPF — Sender Policy Framework
What it answers: "Is this sending server allowed to send mail from this domain?"
How: a TXT record on your domain that lists which mail servers are authorized.
Example:
Type: TXT Host: @ (root of your domain) Value: v=spf1 include:_spf.google.com include:_spf.mail.hostinger.com ~all
This tells receiving mail servers: "Mail from yourdomain.com is legitimate if it comes from Google's mail servers or Hostinger's. Anything else — apply spam-folder bias."
Common mistake: having two SPF records. You're only allowed one TXT record starting with v=spf1. If you add a second (e.g., when adding Microsoft 365), merge them into one with multiple include: directives.
DKIM — DomainKeys Identified Mail
What it answers: "Was this email actually sent by a server holding the private key for this domain — and was the content tampered with in transit?"
How: the sending mail server cryptographically signs each outgoing email's headers + body using a private key. The receiver fetches the corresponding public key from a special DNS record (selector._domainkey.yourdomain.com) and verifies the signature.
You don't write DKIM keys yourself — your mail provider generates them. You just publish the public-key record they give you. Example:
Type: TXT Host: hostingermail1._domainkey Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFA...(long string)
The hostingermail1 part is the "selector" — each provider picks their own. Google uses google; Microsoft uses selector1 and selector2 (two records); Hostinger uses hostingermail1. If you use multiple providers (e.g., Gmail for inbox and Mailchimp for newsletters), you publish a DKIM record for each.
Common mistake: forgetting to add DKIM records when switching mail providers. SPF will still pass; DMARC will fail. Mail goes to spam.
DMARC — Domain-based Message Authentication, Reporting and Conformance
What it answers: "What should the receiver do if SPF or DKIM fails — and how does the domain owner find out?"
How: a TXT record at _dmarc.yourdomain.com with policy + reporting addresses.
Example (monitoring mode):
Type: TXT Host: _dmarc Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Modes:
p=none— "Don't do anything different, but send me reports." Start here.p=quarantine— "Send unauthenticated mail to spam." Move here after weeks of clean reports.p=reject— "Bounce unauthenticated mail outright." Maximum protection. Move here once confident.
Reports come weekly as XML attachments from Gmail/Yahoo/Microsoft, summarizing how much mail was sent from your domain and whether it passed SPF/DKIM. Reading these manually is painful; tools like DMARC Analyzer or Dmarcian parse them for you (free tier available).
Why all three?
SPF + DKIM each prove something different, and either alone has weaknesses:
- SPF only: someone could forge mail from any server on your allowlist if they get in.
- DKIM only: someone could omit the DKIM headers entirely and your domain still looks "unsigned" rather than "forged."
- DMARC ties them together — it requires at least one of SPF or DKIM to pass and align (match the From: domain) before mail is considered legitimate.
Without DMARC, an attacker can send mail from billing@yourdomain.com that passes SPF (because they're sending from a server you authorized for a different purpose) but isn't actually from you. With DMARC + alignment, that attack fails.
How Modusdom handles all this
When you buy a Modusdom Mailbox or have us set up Google Workspace / Microsoft 365 for your domain, we configure SPF, DKIM, and DMARC for you automatically — set up in monitoring mode (p=none), verified against a clean run, then upgraded to p=quarantine after 2 weeks of clean reports.
You can see your current records in your DNS editor. If they look wrong or you want help setting them up for a non-Modusdom mailbox, email us — we'll walk through it.