SPF, DKIM, and DMARC Explained in Plain English for Business
SPF, DKIM, and DMARC are three email authentication standards that work together to stop attackers from forging your domain. SPF lists approved senders, DKIM adds a tamper-proof signature, and DMARC sets the policy and sends you reports. Together they block domain spoofing, but not look-alike domains.
SPF, DKIM, and DMARC are three email authentication standards that work together to prove an email genuinely came from your domain. SPF says which servers can send for you, DKIM adds a cryptographic signature, and DMARC ties them together with a policy and reporting. Set up correctly, they stop criminals from forging your domain in the "From" line.
If that already sounds like alphabet soup, stay with us. Each one has a simple job, and the analogy of sending a letter makes them click.
SPF — The Guest List
SPF (Sender Policy Framework) is a guest list of servers allowed to send email for your domain.
When a mail server receives a message claiming to be from your domain, it checks the sending server's address against your published SPF record. If the sender is on the list, it passes. If not, it fails.
You publish SPF as a TXT record in your DNS. A generic example:
v=spf1 include:_spf.yourprovider.com -all
The -all at the end means "reject anything not on this list." SPF is simple, but it has a weakness. It breaks when email is forwarded, because the forwarding server is not on your original guest list.
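The check described above, written out as a small SPF evaluator. This is an added example, not code from the article or from CIVRA: it resolves `include:` against a constructed in-memory zone instead of real DNS, supports only the `ip4`, `include` and `all` mechanisms, and uses `_spf.yourprovider.com` and the documentation IP ranges as assumed values. The second lookup shows the forwarding problem the text mentions: a forwarding server's address is not on the guest list, so SPF fails even though the mail is legitimate.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (assumption: no network access).
# 203.0.113.0/24 and 198.51.100.10 are documentation addresses used as the provider's senders.
FAKE_DNS_TXT = {
    "yourbusiness.com": "v=spf1 include:_spf.yourprovider.com -all",
    "_spf.yourprovider.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain from the constructed zone, or None (hypothetical helper)."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(domain, sender_ip, depth=0):
    """Evaluate a simplified SPF policy for one connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (too many nested includes). Only ip4:, include: and all are
    implemented; a real evaluator also handles a, mx, ip6, exists and redirect.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism = term.lower()
        matched = False
        if mechanism == "all":
            matched = True
        elif mechanism.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif mechanism.startswith("include:"):
            # include: matches only when the included domain's own policy yields 'pass'
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all' term


if __name__ == "__main__":
    # Provider's outbound server: on the guest list, so SPF passes.
    print(check_spf("yourbusiness.com", "203.0.113.25"))
    # A forwarding server (192.0.2.7, constructed) relaying the same mail: not listed, so -all applies.
    print(check_spf("yourbusiness.com", "192.0.2.7"))
```

Run it and the first call prints `pass`, the second `fail`: the forwarder relays a genuine message, but SPF only sees the relay's address, which is why the text says SPF breaks on forwarding.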
DKIM — The Tamper-Proof Seal
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message, like a wax seal on an envelope.
Your mail server signs outgoing email with a private key. The matching public key lives in your DNS. The receiving server checks the signature, and if it matches, two things are proven:
- The message really came from your domain.
- Nobody altered it in transit.
Unlike SPF, DKIM survives forwarding because the signature travels with the message. Both Microsoft 365 and Google Workspace can generate DKIM keys for you in the admin console.
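To make the "tamper-proof seal" concrete, here is the first thing a receiving server does with a DKIM signature: recompute the body hash (the `bh=` tag) and compare it with the one the signer recorded. This is an added example, not code from the article or from Microsoft, Google or CIVRA. It implements only the RFC 6376 "relaxed" body canonicalization and the SHA-256 body hash; the `b=` signature itself would need the domain's public key from DNS, so it is left as a labelled placeholder. The message text, the selector name `selector1`, and the `bh` comparison helper are constructed for the example.

```python
import base64
import hashlib
import re


def relaxed_body_canon(body):
    """RFC 6376 'relaxed' body canonicalization. Expects CRLF line endings.

    Runs of spaces/tabs become one space, trailing whitespace on each line is
    dropped, and trailing empty lines are removed; a non-empty body ends in CRLF.
    """
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""  # empty body hashes as the empty string under relaxed canonicalization
    return "\r\n".join(lines) + "\r\n"


def body_hash(body):
    """The DKIM bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse 'tag=value; tag=value' pairs from a DKIM-Signature header value."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is not significant
    return tags


def body_hash_matches(dkim_signature, body):
    """Verifier step 1: does the bh= tag match the body that actually arrived?

    A mismatch means the body changed after signing and DKIM fails before the
    public-key signature check is even attempted. Only relaxed body
    canonicalization is handled here (assumption for this example).
    """
    tags = parse_dkim_tags(dkim_signature)
    return tags.get("bh") == body_hash(body)


# Constructed message body and the header a signer would emit for it.
ORIGINAL_BODY = "Hi Dana,\r\n\r\nPlease approve invoice 4471 by Friday.\r\n\r\nThanks,\r\nSam\r\n"
SIGNED_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourbusiness.com; s=selector1;\r\n"
    " h=from:to:subject:date;\r\n"
    " bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=SIGNATURE-PLACEHOLDER-NOT-COMPUTED-HERE"  # real value needs the private key
)
# The same mail after being altered in transit (one word changed).
TAMPERED_BODY = ORIGINAL_BODY.replace("by Friday", "today")
# The same mail after a forwarder reflowed whitespace only.
REFLOWED_BODY = ORIGINAL_BODY.replace("Please approve", "Please   approve")

if __name__ == "__main__":
    print("original:", body_hash_matches(SIGNED_HEADER, ORIGINAL_BODY))   # True
    print("tampered:", body_hash_matches(SIGNED_HEADER, TAMPERED_BODY))   # False
    print("reflowed:", body_hash_matches(SIGNED_HEADER, REFLOWED_BODY))   # True
```

The third case is why DKIM survives forwarding where SPF does not: relaxed canonicalization ignores the whitespace changes a relay typically introduces, while any change to the words breaks the seal.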
DMARC — The Policy and the Paper Trail
DMARC (Domain-based Message Authentication, Reporting and Conformance) decides what happens when SPF or DKIM fails, and sends you reports.
DMARC does three things:
- Sets a policy — monitor, quarantine, or reject failing mail.
- Requires alignment — the domain in the "From" header must match the domain that passed SPF or DKIM, which closes a loophole attackers used to exploit.
- Sends reports — so you can see who is sending mail using your domain.
A DMARC record uses policy levels:
- p=none — monitor only, change nothing. Start here.
- p=quarantine — send failing mail to spam.
- p=reject — block failing mail entirely. Full protection.
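The policy, alignment and "needs SPF or DKIM to work" points above can be seen in one small DMARC evaluator. This is an added example, not code from the article or from CIVRA. It takes the results a receiver already has (the SPF result plus the envelope MAIL FROM domain, the DKIM result plus the `d=` domain) and returns the DMARC result and the disposition the `p=` tag calls for. Simplifications to note: the organizational domain is approximated as the last two labels (a real verifier uses the Public Suffix List), and the `pct=` and `sp=` tags are ignored. The DMARC record and every domain other than `yourbusiness.com` and `yourbusiness-billing.com` are assumed values.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    real verifiers consult the Public Suffix List to handle e.g. example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record):
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(from_domain, dmarc_record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain: domain in the RFC5322 "From" header (what the recipient sees).
    spf_domain:  envelope MAIL FROM domain that the SPF result applies to.
    dkim_domain: d= tag of the DKIM signature (None if the message is unsigned).
    DMARC passes if EITHER mechanism passes AND its domain aligns with the From domain.
    """
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"  # unknown policy value: treat as monitor-only
    return ("fail", policy)  # 'none' = deliver anyway but include in reports


# Constructed DMARC records for the two domains in the walkthrough.
OUR_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourbusiness.com"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.com"

if __name__ == "__main__":
    # 1. Normal mail from the provider: both pass and align.
    print(evaluate_dmarc("yourbusiness.com", OUR_RECORD, "pass", "yourbusiness.com", "pass", "yourbusiness.com"))
    # 2. Forwarded mail: SPF fails at the relay, but the DKIM seal still aligns, so DMARC passes.
    print(evaluate_dmarc("yourbusiness.com", OUR_RECORD, "fail", "yourbusiness.com", "pass", "yourbusiness.com"))
    # 3. Forged From header: SPF 'passes' for the sender's own envelope domain, but it does not align.
    print(evaluate_dmarc("yourbusiness.com", OUR_RECORD, "pass", "bulk-sender.example", "none", None))
    # 4. Same forgery while the record is still at p=none: delivered, but it shows up in reports.
    print(evaluate_dmarc("yourbusiness.com", MONITOR_RECORD, "pass", "bulk-sender.example", "none", None))
```

Case 3 is the loophole the alignment rule closes: an SPF pass for some other envelope domain says nothing about the domain the recipient actually sees. Case 4 is why the article says to start at `p=none`: the same forgery is visible in your reports before you switch to quarantine or reject.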
If you want the full walkthrough, see our guide on how to set up DMARC for a small business.
How the Three Work Together
Think of an email as a letter:
- SPF checks the return address against an approved list.
- DKIM is the wax seal proving the contents are untouched.
- DMARC is the instruction telling the mailroom what to do with a letter that fails either check, plus a log of every delivery attempt.
You need all three. SPF alone breaks on forwarding. DKIM alone has no policy. DMARC alone has nothing to enforce. Together they make it very hard for someone to forge your exact domain.
The Gap These Standards Leave Open
Here is the catch that trips up small businesses. SPF, DKIM, and DMARC only protect your own domain. They prove a message came from yourbusiness.com. They say nothing about messages from anywhere else.
An attacker does not need to forge your domain. They can:
- Register a look-alike domain such as yourbusiness-billing.com.
- Use a display name that reads "CEO Name" from a free email account.
- Send a perfectly authenticated message from a domain they actually control.
Every one of these passes authentication, because the attacker is not spoofing you. They are imitating you. This is the most common form of business email compromise, and authentication cannot see it.
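Because the three standards pass every message in the list above, catching those messages needs checks on the sender identity itself. The following is an added illustration of two such checks, not code from the article and not CIVRA's product logic: it flags a From domain that contains or nearly matches your own brand label, and a display name from your staff directory arriving from an external domain. `yourbusiness.com` and `yourbusiness-billing.com` come from the article; the protected name "Dana Lee", the `freemail.example` and `partner.example` domains and the edit-distance threshold of 2 are assumptions made for the example.

```python
from email.utils import parseaddr

OUR_DOMAIN = "yourbusiness.com"
# Hypothetical directory of people attackers are most likely to imitate (lower-cased display names).
PROTECTED_NAMES = {"dana lee"}
MAX_EDITS = 2  # how close a domain label must be to ours to count as a near match (assumption)


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_sender(from_header):
    """Return a list of reasons the From header looks like impersonation; empty means nothing found.

    Internal mail (our domain or a subdomain of it) is never flagged here, because
    that is exactly the mail SPF/DKIM/DMARC already authenticate.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return []
    reasons = []
    our_label = OUR_DOMAIN.split(".")[0]          # "yourbusiness"
    their_label = domain.split(".")[0] if domain else ""
    if their_label and our_label in their_label:
        reasons.append(f"look-alike domain: {domain} contains '{our_label}'")
    elif their_label and edit_distance(our_label, their_label) <= MAX_EDITS:
        reasons.append(f"look-alike domain: {domain} is within {MAX_EDITS} edits of {OUR_DOMAIN}")
    if name.strip().lower() in PROTECTED_NAMES:
        reasons.append(f"display name '{name}' matches a protected person but the sender is external ({domain})")
    return reasons


if __name__ == "__main__":
    # Constructed From headers covering the three cases in the article plus two benign ones.
    for header in [
        "Accounts <billing@yourbusiness-billing.com>",   # look-alike domain
        "Dana Lee <dana.lee@freemail.example>",          # display-name impersonation
        "Accounts <ar@yourbusines.com>",                 # one letter dropped
        "Alex Kim <alex@partner.example>",               # ordinary external mail
        "Dana Lee <dana.lee@yourbusiness.com>",          # genuine internal mail
    ]:
        print(header, "->", flag_sender(header) or "ok")
```

Note that a fully authenticated message from a domain the sender genuinely controls (the third bullet above) produces no signal at all from this kind of sender check; that case needs content and behavior analysis rather than identity matching.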
That is the layer CIVRA adds. It analyzes sender identity and behavior, flags look-alike domains, scans attachments, and reads the intent of a message, working alongside Microsoft 365 and Google Workspace to catch what authentication cannot.
Quick Reference
- SPF — which servers may send for you. A guest list.
- DKIM — a signature proving the message is genuine and unaltered. A seal.
- DMARC — the policy and reporting that enforce both. The mailroom rule.
- CIVRA — behavioral analysis for look-alikes and impersonation. The gap-filler.
FAQ
Do I need all three of SPF, DKIM, and DMARC?
Yes. Each one covers a weakness in the others. SPF breaks on forwarding, DKIM has no enforcement policy, and DMARC needs SPF or DKIM to work. Together they protect your domain effectively.
Are SPF, DKIM, and DMARC hard to set up?
They are moderately difficult. Each is a DNS record, and Microsoft 365 and Google Workspace provide most of the values. The tricky part is rolling DMARC out safely, which means monitoring before you enforce.
Will these standards stop all phishing?
No. They stop attackers from forging your exact domain. They do not stop look-alike domains, display-name impersonation, or attacks sent from accounts the criminal legitimately controls.
What is the difference between SPF and DKIM?
SPF checks whether the sending server is approved to send for your domain. DKIM checks a cryptographic signature proving the message is genuine and was not altered. They verify different things.
Curious how behavioral analysis catches what authentication misses? Explore CIVRA pricing or get started at app.civra.ai.
Stop the email that gets through.
CIVRA catches the targeted phishing and business email compromise your filter misses — built for small teams without a security department.