SPF, DKIM, and DMARC


Email authentication lets receivers distinguish mail your domain actually sent from mail that merely claims to come from it, which both blocks spoofing and protects deliverability. SPF declares which servers may send for a domain. DKIM cryptographically signs messages so receivers can detect tampering and confirm which domain vouches for them. DMARC ties both checks to the visible From: address and tells receivers what to do when neither check passes in an aligned way. A message passes DMARC when either SPF or DKIM passes and the domain that passed aligns with the From: domain; the published policy is applied only to messages that fail both.

SPF Record Design

SPF is a DNS TXT record at the domain's apex that lists authorized senders. Terms that trigger a DNS query (include, a, mx, ptr, exists and the redirect modifier) may appear at most 10 times in total across the record and everything it includes; ip4 and ip6 terms cost nothing. Exceeding the limit is a permanent error (permerror). A permerror is not the same as fail, but receivers treat it as SPF not passing, so every message from the domain then depends on DKIM alone to pass DMARC.

v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all

Common issues: too many includes (each counts as a lookup, and so does every include nested inside a vendor's record), using +all (which authorizes everyone) instead of -all, publishing more than one v=spf1 record (also a permerror), and forgetting third-party senders (CRM, marketing tools, helpdesk). Audit all sending sources before publishing; -all is only safe once that list is complete, and ~all (softfail) is the usual interim setting while senders are still being discovered.

If you hit the 10-lookup limit, flatten the record by resolving the includes to their ip4 and ip6 ranges. Flattened records go stale, because provider ranges change without notice: keep a script that re-resolves the includes, diffs the result against what is published, and run it at least monthly. Watch the record size as well. A TXT record is carried as strings of at most 255 bytes each, and RFC 7208 recommends keeping the whole DNS response under 512 bytes so it fits in a single UDP reply.
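The lookup counting and flattening described above, as an added example that is not part of the original page. The zone data is constructed and stands in for live DNS (the vendor domains, hosts and addresses are made up); in production the FAKE_DNS lookups would be replaced by a resolver. It counts every lookup-causing term, including repeats and nested includes, reports the permerror once the count passes 10, and emits the flattened record:

```python
"""Count the DNS lookups an SPF record causes (RFC 7208 caps them at 10) and
flatten it to literal ip4/ip6 terms.  Added example, not part of the page:
the zone data below is constructed and stands in for live DNS."""
import ipaddress
import re

# Constructed records keyed by (name, rrtype); swap in a real resolver for production use.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx include:_spf.vendor-a.test include:_spf.vendor-b.test -all"],
    ("example.com", "MX"): ["mail1.example.com", "mail2.example.com"],
    ("mail1.example.com", "A"): ["198.51.100.10"],
    ("mail2.example.com", "A"): ["198.51.100.11"],
    ("_spf.vendor-a.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf2.vendor-a.test ~all"],
    ("_spf2.vendor-a.test", "TXT"): ["v=spf1 ip6:2001:db8:1::/48 -all"],
    ("_spf.vendor-b.test", "TXT"): ["v=spf1 a:relay.vendor-b.test -all"],
    ("relay.vendor-b.test", "A"): ["192.0.2.5"],
    # The same include six times: every copy costs 2 lookups (include + a), 12 in total.
    ("bloated.example", "TXT"): ["v=spf1 " + " ".join(["include:_spf.vendor-b.test"] * 6) + " -all"],
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # the terms that count
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=]([^/]*))?(?:/(\d+))?", re.I)


class SpfPermError(Exception):
    """permerror: receivers treat it as SPF not passing, for every message."""


def spf_record(domain, dns):
    recs = [t for t in dns.get((domain, "TXT"), []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:                          # zero or several records is also a permerror
        raise SpfPermError(f"{domain}: {len(recs)} SPF records, need exactly one")
    return recs[0]


def ip_term(addr, cidr):
    return f"ip{ipaddress.ip_address(addr).version}:{addr}" + (f"/{cidr}" if cidr else "")


def walk(domain, dns, depth=0):
    """Return (lookups, literal_terms, all_qualifier) for a record, recursing into includes."""
    if depth > 10:
        raise SpfPermError("include/redirect chain too deep")
    lookups, terms, all_qual = 0, [], None
    for raw in spf_record(domain, dns).split()[1:]:
        qual, term = (raw[0], raw[1:]) if raw[0] in "+-~?" else ("+", raw)
        m = TERM_RE.fullmatch(term)
        if not m:
            raise SpfPermError(f"{domain}: unparseable term {raw!r}")
        name, arg, cidr = m.group(1).lower(), m.group(2), m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1                        # counted on every occurrence, repeats included
        if name in ("include", "redirect"):
            sub_lookups, sub_terms, sub_all = walk(arg, dns, depth + 1)
            lookups, terms = lookups + sub_lookups, terms + sub_terms
            if name == "redirect" and all_qual is None:
                all_qual = sub_all              # redirect hands the decision to the target
        elif name in ("ip4", "ip6"):
            terms.append(raw)                   # free: no DNS query
        elif name == "a":
            terms += [ip_term(a, cidr) for a in dns.get((arg or domain, "A"), [])]
        elif name == "mx":                      # the per-host address lookups have a separate limit
            for host in dns.get((arg or domain, "MX"), []):
                terms += [ip_term(a, cidr) for a in dns.get((host, "A"), [])]
        elif name in ("ptr", "exists"):
            terms.append(raw)                   # cannot be flattened, keep verbatim
        elif name == "all":
            all_qual = qual                     # an include's own "all" never reaches the caller
    return lookups, terms, all_qual


def count_lookups(domain, dns=FAKE_DNS):
    return walk(domain, dns)[0]


def lookup_status(domain, dns=FAKE_DNS):
    """('ok', n) within the limit, ('permerror', n) above it."""
    n = count_lookups(domain, dns)
    return ("ok" if n <= 10 else "permerror", n)


def flatten(domain, dns=FAKE_DNS):
    """Rewrite the record with literal IP terms only; re-run it whenever a provider's ranges move."""
    _, terms, all_qual = walk(domain, dns)
    unique = list(dict.fromkeys(terms))         # drop duplicates, keep order
    return "v=spf1 " + " ".join(unique + ([f"{all_qual}all"] if all_qual else []))


if __name__ == "__main__":
    for name in ("example.com", "bloated.example"):
        print(name, lookup_status(name), "\n  ", flatten(name))
```

Note that the flattened record keeps only the top-level all qualifier: an included record's -all never causes a fail for the including domain, it only limits what the include can match. Keep ptr and exists terms out of records you intend to flatten; they cannot be reduced to addresses.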

DKIM Configuration

DKIM adds a cryptographic signature to outgoing messages. The sending server signs selected headers plus a hash of the body with a private key; the matching public key is published in DNS at <selector>._domainkey.<signing domain>, and the DKIM-Signature header carries the selector (s=) and domain (d=) that tell receivers where to fetch it. A valid signature confirms that the signed headers and body were not modified in transit and that the d= domain vouches for the message. Anything that rewrites the body after signing (disclaimer footers, link rewriting by a security gateway) breaks the signature.

For M365, enable DKIM signing per domain in the Defender portal or with Exchange Online PowerShell (New-DkimSigningConfig to create the configuration, Set-DkimSigningConfig -Enabled $true to turn it on). Two CNAME records, selector1 and selector2, must be published in DNS before activation; Microsoft rotates between the two selectors, so both are required. The CNAME target ends in the tenant's initial onmicrosoft.com domain, which is not necessarily named after the custom domain. Until signing is enabled for the custom domain, the tenant signs with its onmicrosoft.com domain, which passes DKIM but is not aligned with your From: domain. Verify alignment by checking that the d= value in the DKIM-Signature header is your domain (or, under relaxed alignment, a subdomain of it).

selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
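The body-hash and alignment checks a receiver performs, as an added example that is not the page's or Microsoft's code. The message is constructed, and only the bh= body hash is verified: the b= tag is the RSA signature over the canonicalized headers and needs the public key from <s>._domainkey.<d> plus a crypto library, which the standard library does not have. The example also shows which body changes survive relaxed canonicalization (whitespace) and which do not (an appended footer), and the simplified alignment test treats a parent/child domain pair as aligned in place of the Public Suffix List lookup real DMARC uses:

```python
"""Verify a DKIM-Signature's body hash (bh=) and check that its d= aligns with
the From: domain.  Added example, not the page's or Microsoft's code: the
message is constructed, and only the body hash is checked here.  The b= tag
(RSA over the canonicalized headers) needs the public key from
<s>._domainkey.<d> and a crypto library, which the standard library lacks."""
import base64
import hashlib
import re

# Constructed message parts (CRLF line endings, as on the wire).
HEADERS = "From: Alice <alice@example.com>\r\nTo: bob@example.net\r\nSubject: Q3 numbers\r\n"
BODY = "Hello Bob,  \r\nAttached   are the   numbers.\r\n\r\n\r\n"


def canon_body(body, mode="relaxed"):
    """RFC 6376 body canonicalization: relaxed trims trailing WSP and collapses runs of
    WSP; both modes drop trailing empty lines and end a non-empty body with one CRLF."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="relaxed"):
    return base64.b64encode(hashlib.sha256(canon_body(body, mode).encode()).digest()).decode()


def make_message(body, domain="example.com", selector="selector1"):
    """Signing side minus the RSA step: emit a DKIM-Signature whose bh= matches the body.
    b= is a placeholder; a real signer fills it with the signature over the h= headers."""
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain};\r\n"
           f" s={selector}; h=from:to:subject; bh={body_hash(body)};\r\n"
           f" b=PLACEHOLDER\r\n")
    return HEADERS + sig + "\r\n" + body


def header_value(raw, name):
    """Return the unfolded value of the first header called `name`, or None."""
    head = raw.partition("\r\n\r\n")[0]
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    for line in unfolded.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def dkim_tags(raw):
    value = header_value(raw, "DKIM-Signature") or ""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)           # split once: b= and bh= end in '=' padding
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_dns_name(tags):
    """Where a verifier fetches the public key (the name the M365 CNAMEs are published at)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(raw):
    tags = dkim_tags(raw)
    c = tags.get("c", "simple")                 # "header/body"; a lone value means body=simple
    mode = c.split("/")[1] if "/" in c else "simple"
    body = raw.partition("\r\n\r\n")[2]
    return tags.get("bh") == body_hash(body, mode)


def from_domain(raw):
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value(raw, "From") or "")
    return m.group(1).lower() if m else None


def dkim_aligned(raw, strict=False):
    """Strict: d= equals the From domain.  Relaxed: same organizational domain; real DMARC
    finds that via the Public Suffix List, this stand-in accepts a parent/child pair."""
    d, f = dkim_tags(raw).get("d", "").lower(), from_domain(raw)
    if not d or not f:
        return False
    return d == f if strict else (d == f or f.endswith("." + d) or d.endswith("." + f))


SIGNED = make_message(BODY)
RESPACED = SIGNED.replace("Attached   are", "Attached are")   # survives relaxed canonicalization
FOOTER_ADDED = SIGNED + "-- \r\nScanned by gateway\r\n"        # downstream rewrite: bh no longer matches
```

Run verify_body_hash on a message that failed DKIM before suspecting the key: if bh= already mismatches, something rewrote the body after signing and no DNS change will fix it. dkim_dns_name() gives the exact record a verifier queries, which is what the M365 CNAME above has to resolve for selector1 and selector2.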

DMARC Policy Progression

DMARC should be deployed in stages. Start with monitoring, move to quarantine, then enforce reject. Each stage should run for at least 2-4 weeks while reviewing aggregate reports. The record is a TXT record at _dmarc.yourdomain.com, and the rua= mailbox must exist and actually be read: aggregate reports are XML documents listing each sending IP with its SPF and DKIM results and alignment, which is how forgotten senders surface before a stricter policy starts blocking them.

Stage 1 - Monitor
    v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
    Collect reports. Identify all senders. Fix alignment issues. Nothing is blocked at this stage, so it is safe, but it also stops no spoofing.

Stage 2 - Quarantine
    v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
    Start quarantining failures at 25% and ramp to 100% over several weeks. pct= applies the stated policy to that share of failing messages; the rest receive the next weaker action, so at pct=25 three quarters of failures are still delivered as under p=none. Subdomains inherit p= unless sp= says otherwise; set sp= explicitly when they need a different policy (for example sp=reject for a domain whose subdomains never send mail).

Stage 3 - Reject
    v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
    Full enforcement. Unauthorized senders are rejected. Keep rua= in place: the reports are still the only view of who is spoofing the domain and of any new legitimate sender that was onboarded without authentication.

Header Analysis

When troubleshooting delivery, read the Authentication-Results header that the receiving server added (the topmost one, stamped by the final hop; copies from earlier hops can be forged by the sender). Look for spf=pass, dkim=pass and dmarc=pass, but also read the domain beside each result: spf=pass against a vendor's bounce domain in smtp.mailfrom, or dkim=pass with the vendor's own domain in header.d, both pass their individual checks while still failing DMARC, because neither identifier aligns with header.from. A dmarc=fail therefore points at an alignment or signing problem, not necessarily at a missing SPF entry. Use Microsoft's Message Header Analyzer (MHA) for detailed parsing.
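The DMARC evaluation behind the staged policy above and the header reading just described, combined into one added example that is not the page's code. The _dmarc record and the two Authentication-Results headers are constructed (a made-up vendor relaying for example.com), the org_domain() helper is a stand-in for the Public Suffix List lookup real implementations use, and the result shows how the same spf=pass / dkim=pass lines lead to a pass or to quarantine depending only on alignment:

```python
"""Evaluate DMARC the way a receiver does: take the SPF and DKIM results from an
Authentication-Results header, check identifier alignment against the From: domain,
and apply the published policy.  Added example, not the page's code: the record and
the headers are constructed, and org_domain() stands in for the Public Suffix List."""
import re

# Constructed _dmarc.example.com record, as published in stage 2 of the rollout.
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=25; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

# Constructed Authentication-Results headers as a receiving MTA adds them.
# A vendor relays for example.com using its own bounce domain but signs with d=example.com.
AR_SIGNED_BY_OWNER = (
    "Authentication-Results: mx.example.net;\r\n"
    " spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=bounce.vendor.test;\r\n"
    " dkim=pass (signature was verified) header.d=example.com;\r\n"
    " dmarc=pass action=none header.from=example.com"
)
# Same vendor, but the DKIM signature is the vendor's own: spf=pass and dkim=pass, yet
# neither identifier aligns with header.from, so DMARC fails.
AR_UNALIGNED = (
    "Authentication-Results: mx.example.net;\r\n"
    " spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce.vendor.test;\r\n"
    " dkim=pass (signature was verified) header.d=vendor.test;\r\n"
    " dmarc=fail action=quarantine header.from=example.com"
)

WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}   # what pct= falls back to


def parse_tags(record):
    """'k=v; k=v' into a dict (DMARC records use this shape)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_auth_results(header):
    """Return {'authserv_id': ..., 'spf': {'result': ..., 'smtp.mailfrom': ...}, 'dkim': {...}, ...}."""
    text = re.sub(r"\r\n[ \t]+", " ", header)               # unfold continuation lines
    parts = [p.strip() for p in text.split(":", 1)[1].split(";")]
    out = {"authserv_id": parts[0]}
    for clause in parts[1:]:
        clause = re.sub(r"\([^)]*\)", "", clause)           # drop (comments)
        pairs = re.findall(r"([\w.]+)=([^\s;]+)", clause)
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            out[method.lower()] = {"result": result.lower(), **props}
    return out


def org_domain(domain):
    """Stand-in for the PSL lookup: keep the last two labels (wrong for e.g. co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier, header_from, mode):
    """Strict ('s'): exact match.  Relaxed ('r'): same organizational domain."""
    if not identifier:
        return False
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)


def evaluate_dmarc(header, record, header_from):
    ar, tags = parse_auth_results(header), parse_tags(record)
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), header_from, tags.get("aspf", "r"))
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), header_from, tags.get("adkim", "r"))
    result = "pass" if spf_ok or dkim_ok else "fail"
    # The record is published at the organizational domain; sp= covers its subdomains.
    is_subdomain = org_domain(header_from) != header_from.lower()
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    return {
        "result": result,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "policy": policy,
        "pct": pct,                                           # share of failures that get `policy`
        "disposition": policy if result == "fail" else "none",
        "fallback_disposition": WEAKER.get(policy, "none") if result == "fail" else "none",
    }


if __name__ == "__main__":
    for label, ar in (("owner-signed", AR_SIGNED_BY_OWNER), ("unaligned", AR_UNALIGNED)):
        print(label, evaluate_dmarc(ar, DMARC_RECORD, "example.com"))
```

Compare the computed result with the receiver's own dmarc= clause: when they agree, the spf_aligned and dkim_aligned flags say which identifier carried the pass, or which one is missing. The fallback_disposition field is the pct= effect from stage 2, the action applied to the failing messages that were not sampled into the stated policy.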