DMARC, SPF and DKIM Explained for Small Business Owners
These three email authentication protocols stop criminals from impersonating your business. Here's what they are and how to set them up.
Has a customer ever called to say they received a suspicious email that appeared to come from your business — one you never sent? Or have your legitimate emails started landing in recipients' spam folders for no obvious reason?
Both of these problems are symptoms of the same underlying issue: your domain lacks proper email authentication. Without it, anyone on the internet can send an email that appears to come from your domain — and your recipients have no reliable way to tell the difference.
Three DNS records — SPF, DKIM, and DMARC — work together to fix this. They tell receiving mail servers how to verify that an email from your domain is genuinely from you. Setting them up correctly is one of the most important technical steps you can take to protect your business's email reputation and your customers from fraud.
Why Email Impersonation Is Such a Big Problem
Email was designed in the 1970s, long before cybercrime was a concern. By default, anyone can send an email claiming to be from any address. There is no built-in verification mechanism in the original protocol.
Criminals exploit this by sending phishing emails that appear to come from trusted businesses — your bank, the ATO, a government agency, or your own company. When your domain has no authentication records, there is nothing to stop them from spoofing your brand and sending thousands of fraudulent emails to your customers, suppliers, or staff.
SPF, DKIM and DMARC were developed to solve this problem. Together, they create a system that allows receiving mail servers to verify the authenticity of incoming email and decide what to do with messages that fail the check.
SPF: Sender Policy Framework
SPF is a DNS record that lists the mail servers authorised to send email on behalf of your domain. When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to see if the sending server is on the approved list. If it is not, the email may be marked as suspicious or rejected.
Think of SPF as a list of approved delivery drivers for your business. Anyone claiming to deliver mail on your behalf who is not on the list gets turned away.
An SPF record looks something like this in your DNS settings:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all
This example tells mail servers that Microsoft 365 and Google Workspace are authorised to send email for your domain. The ~all at the end means that emails from other servers should be treated with suspicion (a "soft fail"). Using -all instead means they should be rejected outright (a "hard fail").
Important limitation: SPF checks only the server that handed over the message and the envelope sender address (the Return-Path) it used, not the visible "From" address your recipients see. A forged From header can still pass SPF if the message is relayed through a server the forger controls. This is where DKIM and DMARC come in.
DKIM: DomainKeys Identified Mail
DKIM adds a digital signature to every email sent from your domain. The signature is generated using a private key that only your mail server has. When the receiving server gets the email, it retrieves your public key from your DNS records and uses it to verify that the signature is genuine and that the email has not been tampered with in transit.
Think of DKIM as a wax seal on a letter. If someone opened the letter and changed the contents, the seal would be broken. The recipient can verify that the letter arrived exactly as it was sent.
If you use Microsoft 365, DKIM signing can be enabled in the Microsoft Defender portal under Email Authentication Settings. For Google Workspace, it is enabled in the Admin console under Apps > Google Workspace > Gmail > Authenticate Email.
Once you enable DKIM, your email provider generates a key pair and gives you a DNS record to add to your domain. It looks something like this:
selector1._domainkey.yourdomain.com.au IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
DMARC: Domain-based Message Authentication, Reporting and Conformance
DMARC is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when an email fails the SPF and DKIM checks — and it sends you reports so you can see who is sending email on your behalf.
A DMARC policy has three possible actions:
- none — take no action, but send reports (useful when you are just starting out and want to monitor)
- quarantine — place failing emails in the spam/junk folder
- reject — block failing emails entirely
A basic DMARC record looks like this:
_dmarc.yourdomain.com.au IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com.au"
The rua tag tells receiving servers where to send aggregate reports. These reports show you which mail servers are sending email using your domain — helping you spot both legitimate services you may have forgotten to add to your SPF record and criminal impersonation attempts.
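The following is an added example, not code from the original article, that checks the SPF and DMARC records shown above the way a configuration-checking tool would: it counts the SPF mechanisms that cost a DNS lookup (against the limit of 10), reports which "all" qualifier is in use, and reads the DMARC policy and rua address. It works on the record text alone, so it does not follow include: chains; each included record may add further lookups of its own.

```python
import re

# SPF mechanisms and modifiers that each cost one DNS lookup (RFC 7208 caps the total at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10
ALL_MEANING = {"-": "hard fail", "~": "soft fail", "?": "neutral",
               "+": "pass (anyone may send)", None: "no 'all' term"}


def check_spf(record: str) -> dict:
    """Parse one SPF TXT record: count direct lookups and find the 'all' qualifier.
    Only the terms visible in this record are counted (include: targets are not fetched)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # An optional leading qualifier (+ - ~ ?) precedes the mechanism name.
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"
        body = term[1:] if has_qualifier else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"lookups": lookups, "over_limit": lookups > SPF_LOOKUP_LIMIT,
            "all": all_qualifier, "policy": ALL_MEANING[all_qualifier]}


def check_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag=value pairs and flag a missing policy or reporting address."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (must start with v=DMARC1)")
    policy = tags.get("p")
    return {"policy": policy, "enforcing": policy in ("quarantine", "reject"),
            "has_reporting": "rua" in tags, "rua": tags.get("rua")}


if __name__ == "__main__":
    print(check_spf("v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all"))
    print(check_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com.au"))
```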
How to Set Them Up: A Practical Approach
The setup process requires access to your domain's DNS settings — typically through your domain registrar (GoDaddy, Crazy Domains, VentraIP, etc.) or your web hosting control panel.
Step 1: Set up SPF
Create a TXT record on your domain with the approved sending servers. Your email provider (Microsoft 365, Google Workspace, etc.) will have instructions for the correct SPF record to add. If you use multiple services to send email (e.g. a marketing platform like Mailchimp as well as your main email), make sure all of them are included.
Step 2: Enable DKIM
Enable DKIM signing through your email provider's admin console. Add the CNAME or TXT records they provide to your DNS. Allow up to 48 hours for DNS changes to propagate globally.
Step 3: Start DMARC with a monitoring policy
Create a DMARC TXT record at _dmarc.yourdomain.com.au with p=none initially. This lets you monitor what is happening without risking disruption to your legitimate email. Review the reports for a few weeks to make sure all your legitimate email sources are authenticating correctly.
Step 4: Move to enforcement
Once you are confident your legitimate email is passing DMARC, change the policy to p=quarantine and eventually p=reject. This blocks fraudulent emails from reaching your recipients.
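An added example, not part of the original article, of how to read the aggregate (rua) reports that Step 3 asks you to review before moving to enforcement. It parses the XML format receiving servers send and totals, per sending IP, how many messages passed or failed DMARC, so you can see which sources would be quarantined or rejected. The report below is a constructed sample; the IPs and organisation name are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report in the RFC 7489 format, trimmed to the fields used here.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver.test</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com.au</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com.au</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com.au</header_from></identifiers>
  </record>
</feedback>"""


def summarise_report(xml_text: str) -> dict:
    """Return {source_ip: {"pass": n, "fail": n}} for one aggregate report.
    A message passes DMARC when either the aligned DKIM or the aligned SPF result is 'pass';
    policy_evaluated already holds those aligned results."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        evaluated = rec.find("row/policy_evaluated")
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        summary[ip]["pass" if passed else "fail"] += count
    return dict(summary)


def sources_that_would_fail(summary: dict) -> list:
    """IPs with failing messages: any legitimate sender here needs adding to SPF or DKIM
    before the policy is moved to quarantine or reject; the rest are likely impersonation."""
    return sorted(ip for ip, counts in summary.items() if counts["fail"] > 0)


if __name__ == "__main__":
    totals = summarise_report(SAMPLE_REPORT)
    for ip, counts in totals.items():
        print(f"{ip}: {counts['pass']} passed, {counts['fail']} failed")
    print("would fail under enforcement:", sources_that_would_fail(totals))
```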
Tools to help
Several free tools can check your current configuration: MXToolbox (mxtoolbox.com) and DMARC Analyser provide easy-to-read reports on your SPF, DKIM and DMARC status. Google Postmaster Tools and Microsoft DMARC Reporting also provide valuable insights if you use those platforms.
Common Mistakes to Avoid
- Having too many DNS lookups in your SPF record (the limit is 10) — use a tool to check your SPF lookup count
- Forgetting to include all email sending services in your SPF record (marketing platforms, helpdesk software, invoicing tools)
- Setting DMARC to "reject" before verifying all your legitimate email is passing — this can cause your own emails to be blocked
- Ignoring DMARC reports — they contain valuable intelligence about your email landscape
Key Takeaways
- SPF, DKIM and DMARC are three DNS records that together prevent criminals from sending emails that impersonate your domain
- SPF lists which mail servers can send email for you; DKIM adds a verifiable signature to your emails; DMARC sets the policy for what to do when checks fail
- Start with a DMARC monitoring policy (p=none) before moving to quarantine or reject
- Use free tools like MXToolbox to check your current configuration
- Setting up all three records also helps your legitimate emails avoid spam folders
- If you use multiple email services (marketing platforms, helpdesk tools), include them all in your SPF record
Proper email authentication is just one piece of a strong cyber security posture. Flagged is a free tool that helps Australian small businesses assess their overall cyber risk — including email security — in minutes. Visit flagged.com.au to get your free assessment today.