DNS Email Security
SPF, DKIM, and DMARC are DNS-based email authentication standards that prevent spoofing, phishing, and unauthorized use of your domain in email.
Every IP address used to send email must have a valid reverse DNS (PTR) record mapping it back to a hostname — and that hostname must resolve forward to the same IP (forward-confirmed reverse DNS, or FCrDNS). Many receiving mail servers perform this check before evaluating SPF or DKIM, and will refuse the SMTP connection outright if no PTR record exists. Without it, even a perfect SPF/DKIM/DMARC setup will not save your mail from being bounced.
PTR records are set by whoever owns the IP block — your VPS or cloud provider (e.g. in the server control panel), or your ISP for on-premise mail servers. See the PTR record reference for setup details and how to verify your reverse DNS is correct.
Email Authentication Standards
Each standard addresses a different aspect of email identity verification
SPF
RFC 7208
Specifies which IP addresses and mail servers are authorized to send email on behalf of your domain. Verified by checking the Return-Path (envelope sender) against your DNS TXT record.
DKIM
RFC 6376
Adds a cryptographic signature to outbound email headers. Recipients verify the signature using the public key published in your DNS. Proves message integrity and domain ownership.
DMARC
RFC 7489
Builds on SPF and DKIM. Tells receiving servers what to do when authentication fails (none/quarantine/reject) and where to send aggregate reports. Requires alignment between header From and SPF/DKIM domains.
Sender Policy Framework
How SPF Works
When a receiving mail server gets a message, it looks up the SPF record for the domain in the email's envelope from (Return-Path) address. It then checks whether the sending server's IP is authorized in that record.
SPF Mechanisms
- ip4/ip6: Authorize specific IP addresses or CIDR ranges
- include: Include another domain's SPF policy (e.g., Google Workspace)
- a: Authorize the domain's A record IP
- mx: Authorize the domain's MX record IPs
- redirect=: Use another domain's SPF record entirely
DomainKeys Identified Mail
How DKIM Works
Your mail server signs outbound messages with a private key. The corresponding public key is published as a DNS TXT record. Receiving servers retrieve the public key and verify the signature.
Generate RSA 2048-bit (minimum) or Ed25519 key pair.
Mail server adds DKIM-Signature header to every message.
Public key published as TXT at selector._domainkey.yourdomain.
Receiving server retrieves key, verifies signature mathematically.
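The verification step has two halves: the bh= body hash, and the b= signature over the selected headers, which needs the public key from the selector record. The following added example (not from this page; the sample body and the selector name are constructed) implements the body-hash half with the simple and relaxed body canonicalizations from RFC 6376, a check a receiver can run without the key.

```python
import base64
import hashlib
import re
# Constructed sample body (not real mail), with CRLF line endings as sent on the wire.
SAMPLE_BODY = "Hello,\r\n\r\nThis is   a test.  \r\n\r\n\r\n"

def canon_body_simple(body):
    """RFC 6376 3.4.3 'simple': drop trailing empty lines; an empty body becomes one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines) or "\r\n"

def canon_body_relaxed(body):
    """RFC 6376 3.4.4 'relaxed': also squeeze runs of WSP to one space and strip
    trailing WSP, so harmless whitespace changes in transit do not break bh=."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(canon):
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def parse_tags(value):
    """Parse a (possibly folded) tag=value list such as a DKIM-Signature header."""
    tags = {}
    for part in re.sub(r"\r\n[ \t]+", " ", value).split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = re.sub(r"\s+", "", v)    # base64 values may span folds
    return tags

def build_signature_header(domain, selector, body):
    """Signer side: every tag except b=; the signature over the selected headers needs an
    RSA/Ed25519 library the standard library lacks, so it is left out of this example."""
    bh = body_hash(canon_body_relaxed(body))
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={bh}; b=")

def body_hash_matches(dkim_signature, body):
    """Receiver side: recompute bh= from the body and compare with the header's value."""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    modes = tags.get("c", "simple/simple").split("/")   # header/body; body defaults to simple
    canon = canon_body_relaxed if len(modes) == 2 and modes[1] == "relaxed" else canon_body_simple
    return body_hash(canon(body)) == tags["bh"]
```

A bh= mismatch means the body was altered after signing (or the wrong canonicalization was assumed), so the message fails DKIM before any key lookup.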
Domain-based Message Authentication, Reporting & Conformance
DMARC Tag Reference
MTA-STS & TLS Reporting
MTA-STS (RFC 8461) forces TLS for email transport to your mail servers, preventing downgrade attacks and opportunistic interception.
SMTP TLS Reporting (RFC 8460) provides visibility into TLS negotiation failures, helping you detect misconfigurations and attacks.
Together they form the final layer of email security — after ensuring your messages are authenticated (SPF/DKIM/DMARC), MTA-STS ensures they're delivered securely.
Deployment Roadmap
A phased approach to full email authentication — from zero to p=reject
Inventory & SPF
- Identify all mail-sending systems (ESP, CRM, app servers)
- Create SPF record with ~all (softfail) initially
- Publish SPF TXT record at your apex domain
- Test with: dig thedns.guru TXT
DKIM Setup
- Generate RSA 2048-bit key pair per sending domain/service
- Publish public key as TXT record at selector._domainkey
- Configure mail server/ESP to sign outbound messages
- Verify signing with: dig mail._domainkey.thedns.guru TXT
DMARC Monitoring
- Publish DMARC record with p=none to begin
- Set rua to collect aggregate XML reports
- Analyze reports for 2-4 weeks to identify all senders
- Ensure SPF and DKIM pass for all legitimate mail
DMARC Enforcement
- Move to p=quarantine with pct=10, increase gradually
- Once confident, move to p=reject
- Consider BIMI for brand logo in email clients
- Add MTA-STS and TLS-RPT for transport security
Email Security — Common Questions
Practical answers to the questions that come up most when deploying email authentication
Do I need SPF, DKIM, and DMARC — or is one enough?
You need all three working together. SPF authorizes sending IPs but breaks on forwarding. DKIM cryptographically signs messages but cannot stop spoofing on its own. DMARC ties both together with an enforcement policy and visibility through aggregate reports. Any one or two in isolation leaves gaps that attackers or spam filters will exploit.
My sending IP has no PTR record — will that cause deliverability problems?
Yes, seriously. Many receiving mail servers check for a valid reverse DNS (PTR) record on the connecting IP before they even evaluate SPF or DKIM. If no PTR record exists, the SMTP connection can be refused outright. Even servers that do not hard-reject it will assign a heavy spam score penalty. Every IP address you send mail from must have a PTR record, and it must forward-confirm back to the same IP (FCrDNS). Set this in your VPS or cloud provider's control panel, or ask your ISP for on-premise servers.
Why is my SPF record failing the 10-lookup limit?
RFC 7208 limits SPF evaluation to 10 DNS-resolving mechanisms (include:, a:, mx:, redirect=). Third-party senders — ESPs, CRMs, ticketing systems — each add includes, and their nested includes count too. To fix it, use an SPF flattening tool to inline the resolved IPs directly, or switch to a managed SPF provider that handles flattening automatically.
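The lookup accounting above, together with the mechanism evaluation described in the SPF section, as an added example that is not from this page: a small evaluator over a constructed in-memory zone (all names and addresses are placeholders) that walks ip4/ip6, a, mx, include and redirect=, counts the DNS-resolving terms as RFC 7208 requires, and returns permerror once the tenth lookup is exceeded.

```python
import ipaddress

# Constructed zone data standing in for live DNS; every name and address is a placeholder.
FAKE_DNS = {
    ("example.com", "TXT"): "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example mx ~all",
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.esp.example", "TXT"): "v=spf1 ip6:2001:db8::/32 include:_spf2.esp.example -all",
    ("_spf2.esp.example", "TXT"): "v=spf1 ip4:203.0.113.0/24 -all",
}
MAX_LOOKUPS = 10          # RFC 7208 cap on DNS-resolving terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, dns=FAKE_DNS, counter=None):
    """Evaluate domain's SPF record for sender ip; returns (result, lookups_used)."""
    counter = counter if counter is not None else [0]   # shared across nested includes
    ip = ipaddress.ip_address(ip)
    record = dns.get((domain, "TXT"))
    if record is None:
        return "none", counter[0]
    redirect = None
    for term in record.split()[1:]:                      # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").replace("=", ":").partition(":")
        if name in ("include", "a", "mx", "redirect"):   # the terms that cost a lookup
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror", counter[0]           # receivers treat this as a hard error
        if name == "redirect":
            redirect = arg                               # only consulted if nothing else matches
            continue
        matched = False
        if name in ("ip4", "ip6"):                       # a v4 address never matches a v6 net
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):                        # mx resolves each MX host's A records
            hosts = dns.get((arg or domain, "MX"), []) if name == "mx" else [arg or domain]
            matched = any(str(ip) in dns.get((h, "A"), []) for h in hosts)
        elif name == "include":                          # matches only on an inner "pass"
            sub, _ = check_spf(arg, str(ip), dns, counter)
            if sub in ("permerror", "none"):
                return "permerror", counter[0]
            matched = sub == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual], counter[0]
    if redirect:
        return check_spf(redirect, str(ip), dns, counter)
    return "neutral", counter[0]
```

The counter is incremented as terms are reached, so a record that never gets past an early match uses fewer lookups than a static flattening tool would report for the whole tree.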
What DMARC policy should I start with?
Always start with p=none and set rua= to collect aggregate reports. Analyze reports for 2–4 weeks using a DMARC reporting service to confirm every legitimate mail stream passes SPF or DKIM alignment. Only once you are confident move to p=quarantine (start at pct=10 and increase gradually), then p=reject. Jumping straight to p=reject before auditing your senders will block legitimate mail.
What is DMARC alignment and why does it matter?
DMARC requires the domain in the visible From: header to align with the domain authenticated by SPF or DKIM. Relaxed alignment allows matching subdomains; strict alignment requires an exact match. Without alignment, an attacker could route mail through a legitimately authorized server while spoofing a different From: address — SPF would pass, but DMARC alignment would fail and the message would be subject to your policy.
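The alignment rule above and the p=/pct= rollout from the previous answer, as an added example that is not from this page: the organizational domain is approximated by the last two labels (an assumption; real evaluators use the Public Suffix List), and every domain and record value is a placeholder.

```python
# Assumption: organizational domain = last two labels. Real DMARC evaluators
# consult the Public Suffix List so that e.g. co.uk is handled correctly.
def org_domain(name):
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=...; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = v.strip()
    return tags

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain, roll=0):
    """Return (dmarc_result, disposition). roll is a 0-99 sample value: messages
    with roll >= pct are not selected and get the next less strict policy."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:                    # one aligned pass is enough
        return "pass", "none"
    policy = tags.get("p", "none")
    if "sp" in tags and org_domain(from_domain) != from_domain.lower():
        policy = tags["sp"]                  # subdomain policy for a subdomain From
    if roll >= int(tags["pct"]):             # pct=10 sampling during rollout
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy
```

The spoofing case from the answer shows up as an SPF pass for a third party's Return-Path domain that is not aligned with the From: domain, so the message falls through to the published policy.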
Why is my email still going to spam even though SPF, DKIM, and DMARC all pass?
Authentication proves identity — it does not determine whether the mail is wanted. Spam filters also weigh sender IP reputation, domain age, content signals, engagement rates (opens, clicks, unsubscribes), and whether your IPs or domains appear on blocklists like Spamhaus. Check your sending IP against major blocklists, warm up new IPs gradually, practice list hygiene, and monitor bounce and complaint rates.
How often should I rotate DKIM keys?
Best practice is every 6–12 months, or immediately after any suspected key compromise. Use two selectors — one active, one standby — so you can publish the new key and let it propagate before switching your mail server to sign with it, then retire the old selector. Most enterprise mail platforms and ESPs handle key rotation automatically.
What is MTA-STS and do I need it if I already have DMARC?
MTA-STS (RFC 8461) and DMARC solve different problems. DMARC authenticates who sent the message. MTA-STS protects the transport channel — it forces sending servers to use TLS when delivering to your mail servers and validates the certificate, preventing downgrade attacks where an attacker strips STARTTLS from the connection. They complement each other; DMARC without MTA-STS still leaves your inbound mail transport vulnerable to interception.
Can I use a third-party ESP (like Mailchimp or SendGrid) and still pass DMARC?
Yes, but you need to set up DKIM signing through the ESP using your own domain — most ESPs let you add a CNAME-based DKIM selector that they sign on your behalf. For SPF, add the ESP's include: to your SPF record. With both in place, messages from the ESP will pass DMARC alignment. Without DKIM configured via your domain, the ESP's own DKIM will not satisfy alignment for your From: domain.
Brand Indicators for Message Identification
Once you reach DMARC p=reject, you can implement BIMI — a DNS record that displays your brand logo in supporting email clients (Gmail, Yahoo, Apple Mail).
Requires a Verified Mark Certificate (VMC) from a CA like Entrust or DigiCert, and your logo in SVG Tiny 1.2 format.