← Back to Blog

July 5, 2026 · 5 min read

SPF, DKIM, and DMARC Explained (Without the Jargon)

If you've ever looked into email security, you've probably run into three confusing acronyms: SPF, DKIM, and DMARC. They all work together to stop someone from sending an email that looks like it came from your domain when it didn't.

SPF — 'Who's Allowed to Send Mail for Me?'

SPF (Sender Policy Framework) is a DNS record listing which mail servers are authorized to send email on behalf of your domain. When an email arrives, the receiving server checks whether it came from one of the approved servers. If not, it's treated with suspicion.

DKIM — 'Proving the Email Wasn't Tampered With'

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails, generated using a private key only your mail server has. The receiving server checks this signature against a public key published in your DNS — confirming the email genuinely came from you and wasn't altered in transit.

DMARC — 'What To Do If a Check Fails'

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells receiving mail servers what to do if an email fails those checks — reject it, quarantine it, or just monitor and report it. Without a DMARC policy, even a failed SPF/DKIM check might not stop a spoofed email from reaching an inbox.

Why This Matters

Without these records properly configured, anyone can send an email that appears to come from 'yourcompany.com' — a common tactic in phishing attacks that target your customers, partners, or employees using your own brand's trust against them.

Check Your Domain's Setup

Nexora Shield's Email Security Checker looks up your domain's SPF and DMARC records and flags common misconfigurations in seconds.

Ready to check your own website?

Run a Free Scan