DMARC, SPF and DKIM explained
SPF, DKIM and DMARC are the email-authentication records that decide whether an attacker can send mail that looks like it came from your domain. Configured well, they stop most domain spoofing. Configured poorly — or missing — they leave the door open to phishing and business email compromise.
SPF — who is allowed to send
Sender Policy Framework (SPF) is a DNS record listing the servers permitted to send email for your domain. Receiving servers check whether the sending server is on the list. A missing or overly broad SPF record makes it easy to impersonate you.
DKIM — proof the message wasn't forged
DomainKeys Identified Mail (DKIM) attaches a cryptographic signature to outgoing mail, created with a private key held by your mail server. Receivers verify the signature against a public key you publish in DNS. A valid signature shows that the message was signed by a key belonging to your domain and that the signed headers and body weren't tampered with in transit.
DMARC — the policy that ties it together
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF and DKIM checks fail — and lets you receive reports. A strong policy (quarantine or reject) instructs receivers to refuse spoofed mail.
The common failure mode is a DMARC record set to 'none', which monitors but enforces nothing. Spoofing is still possible until you move to quarantine or reject.
How they work together
SPF authorizes sending servers, DKIM proves message integrity, and DMARC sets the enforcement policy and reporting on top. You need all three, aligned, to meaningfully reduce spoofing of your domain.
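As an added example (not SICenter's code or its checker), the following Python script parses the three TXT records for a hypothetical domain and flags the weaknesses described above: a missing or permissive SPF "all" term, too many SPF lookup terms, an empty DKIM public key, and a DMARC policy of none. The domain example.com, the selector "default" and the record values are constructed for illustration; in practice the records would be fetched from DNS instead of a dictionary.

```python
from typing import Dict, List

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
# They are embedded here so the example runs offline; a real check would
# resolve the same three names with a DNS client.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example ~all",
    "default._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a DKIM or DMARC record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means it looks strict."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no valid record, any server can claim to send for this domain"]
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    all_result = None
    lookups = 0
    findings = []
    for term in record.split()[1:]:
        qual, mech = "+", term  # a term without an explicit qualifier means '+'
        if term[0] in qualifiers:
            qual, mech = term[0], term[1:]
        name = mech.split(":", 1)[0].split("=", 1)[0].lower()
        if name in ("include", "a", "mx", "exists", "redirect"):
            lookups += 1  # each of these costs the receiver a DNS lookup
        if name == "all":
            all_result = qualifiers[qual]
    if all_result is None or all_result in ("pass", "neutral"):
        findings.append("SPF: 'all' is permissive or missing, unlisted servers are not rejected")
    elif all_result == "softfail":
        findings.append("SPF: '~all' softfail only, relies on DMARC for enforcement")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_dkim(record: str) -> List[str]:
    """Check that the selector publishes a usable DKIM key."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional but must be DKIM1
        return ["DKIM: version tag is not DKIM1"]
    if not tags.get("p"):  # an empty p= tag means the key has been revoked
        return ["DKIM: public key (p=) is empty or missing, selector is unusable"]
    return []


def assess_dmarc(record: str) -> List[str]:
    """Flag a monitoring-only or partially applied DMARC policy."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no valid record, failing SPF/DKIM checks are not enforced"]
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none monitors only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown policy '{policy}'")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports will not be received")
    return findings


def assess_domain(domain: str, records: Dict[str, str], selector: str = "default") -> List[str]:
    """Combine the three checks for one domain; selector is the DKIM selector name."""
    spf = records.get(domain, "")
    dkim = records.get(f"{selector}._domainkey.{domain}", "")
    dmarc = records.get(f"_dmarc.{domain}", "")
    return assess_spf(spf) + assess_dkim(dkim) + assess_dmarc(dmarc)


if __name__ == "__main__":
    for finding in assess_domain("example.com", SAMPLE_RECORDS):
        print(finding)
```

Run against the sample records, the script reports the SPF softfail and the DMARC p=none policy; tightening the records to "-all" and "p=reject" clears both findings. The script only reads the published records, so it cannot tell whether the SPF and DKIM identifiers actually align with the From domain on real mail; that is what DMARC aggregate reports (rua=) are for.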
FAQ
Yes, all three are needed. SPF and DKIM provide the checks; DMARC sets the policy that enforces them and gives you reporting. Missing any one weakens your protection.
Inspect your domain's DNS records, or use SICenter's free DMARC checker to see all three at once and whether spoofing is currently possible.
Aim for 'quarantine' or 'reject'. A policy of 'none' only monitors — it does not stop spoofed email from being delivered.