
DKIM, DMARC and SPF: Complete Email Security Setup Guide

May 16, 2025 | 9 min read | Korur Security Team

Email was never designed with authentication in mind, which is why spoofing remains so common. SPF, DKIM, and DMARC are three DNS-based standards that, used together, let receiving servers verify that mail claiming to be from your domain really is. They also dramatically improve deliverability. Here is how each works and how to deploy them.

SPF: which servers may send for you

Sender Policy Framework is a TXT record listing the servers and services authorized to send mail for your domain. A typical record for a Microsoft 365 tenant looks like v=spf1 include:spf.protection.outlook.com -all. The -all at the end tells receivers to reject anything from a server not on the list.

DKIM: cryptographic signing

DomainKeys Identified Mail adds a digital signature to every outgoing message using a private key, with the matching public key published in DNS. Receivers verify the signature to confirm the message was not altered in transit and genuinely came from your infrastructure. In Microsoft 365, enable DKIM per domain in the Defender portal and publish the two CNAME records it generates.

DMARC: the policy that ties it together

DMARC tells receivers what to do when SPF or DKIM fails, and asks them to send you reports. Start in monitoring mode with v=DMARC1; p=none; rua=mailto:[email protected]. The reports reveal every source sending as your domain, including shadow-IT services you forgot about.

Step-by-step rollout

  1. Publish your SPF record and verify it resolves correctly.
  2. Enable DKIM and confirm signatures appear in message headers.
  3. Publish DMARC with p=none and collect reports for two to four weeks.
  4. Fix any legitimate senders failing alignment.
  5. Move the policy to p=quarantine, then finally p=reject.

Common mistakes to avoid

Do not exceed the SPF 10-DNS-lookup limit by chaining too many includes. Do not jump straight to p=reject before reviewing reports, or you will bounce your own newsletters and invoices. And remember DMARC alignment requires the visible From domain to match the authenticated domain.
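The two mistakes above, the 10-lookup SPF budget and DMARC identifier alignment, can be checked mechanically. The following Python is an added example, not Korur's own tooling; it assumes the organizational domain is simply the last two DNS labels (real receivers use the Public Suffix List) and counts SPF lookups only in the top-level record, not in the records an include: pulls in.

```python
# Added example: DMARC alignment + SPF lookup budget, not Korur's own code.
# Assumptions: org domain = last two labels (real receivers use the Public
# Suffix List); SPF lookups counted for the top-level record only, not the
# records an include: pulls in.


def spf_lookup_count(record: str) -> int:
    """Count terms that each consume one of the 10 DNS lookups SPF allows."""
    count = 0
    for term in record.split()[1:]:            # skip the leading v=spf1
        term = term.lstrip("+-~?")             # drop qualifiers such as the - in -all
        name = term.split(":")[0].split("/")[0]
        if term.startswith(("include:", "exists:", "redirect=")) or name in ("a", "mx", "ptr"):
            count += 1
    return count


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=none; rua=...' into tags; relaxed alignment is the default."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict (s) = exact match; relaxed (r) = same organizational domain."""
    if not auth_domain:                        # that check (SPF or DKIM) did not pass
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domain):
    """'pass' if either passing identifier aligns with the visible From domain,
    otherwise the p= action (none, quarantine, reject) the receiver should apply."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, tags["aspf"]) or \
            aligned(from_domain, dkim_pass_domain, tags["adkim"]):
        return "pass"
    return tags.get("p", "none")
```

Run it against your own records before moving to p=reject: a third-party sender that passes SPF on its own bounce domain but signs with no aligned DKIM key will show up here as quarantine or reject, exactly the newsletter-and-invoice failure the text warns about.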

Once all three are at enforcement, spoofing your domain becomes impractical, and your legitimate mail lands in inboxes instead of spam folders.

Korur Security Team