Is Someone Spoofing Your Domain? SPF, DKIM, and DMARC Explained
Without proper DNS records, anyone can send emails that look like they come from your domain. Here's how to lock it down.
Email was designed in an era when everyone on the internet knew each other. There's no built-in mechanism to prevent someone from sending an email that claims to be from your domain. SPF, DKIM, and DMARC are the three DNS records that fix this — and most sites are missing at least one.
SPF: Who is allowed to send email for your domain
Sender Policy Framework (SPF) is a TXT record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks this record.
v=spf1 include:_spf.google.com include:sendgrid.net -all
The -all at the end is critical — it means "reject anything not listed." Many sites use ~all (soft fail), which only marks suspicious emails rather than rejecting them. Use -all for real protection.
DKIM: Proving the email wasn't tampered with
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to the headers and body of each outgoing email. The receiving server verifies that signature against a public key published as a TXT record in your DNS (under a selector name). A valid signature shows that the message was signed by a server holding your private key and that the signed parts were not modified in transit.
DMARC: What to do when checks fail
DMARC ties SPF and DKIM together and tells receiving servers what to do when an email fails both checks (neither SPF nor DKIM passes for the domain shown in the From: header). The three policies are: none (monitor only), quarantine (send to spam), and reject (block entirely). Start with p=none and review the aggregate reports delivered to the rua address, then move to reject once you're confident that all legitimate senders pass.
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100
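As an added illustration (not KrakenProbe's code), the checker below applies the rules from the SPF and DMARC sections above to TXT records and reports the weak settings discussed: a missing or soft-fail "all" mechanism, p=none, a missing rua address and a partial pct. The records are constructed sample strings, not live DNS lookups.

```python
# Constructed sample TXT records for illustration; no DNS query is made.
SPF_OK = "v=spf1 include:_spf.google.com include:sendgrid.net -all"
SPF_SOFT = "v=spf1 include:_spf.google.com ~all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
DMARC_MONITOR = "v=DMARC1; p=none; pct=100"

def check_spf(record):
    """Return a list of findings for an SPF TXT record; an empty list means no issue."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    # The qualifier on the 'all' mechanism decides what happens to unlisted senders:
    # '-' fail, '~' soft fail, '?' neutral, '+' (or no qualifier) pass.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders are treated as neutral"]
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"
    if qualifier == "~":
        return ["soft fail (~all): forged mail is flagged, not rejected"]
    if qualifier in "+?":
        return [f"'{last}' permits any sender; use -all"]
    return []

def check_dmarc(record):
    """Return a list of findings for a DMARC TXT record; an empty list means no issue."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # rua=mailto:... keeps its own '=' free value
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings

if __name__ == "__main__":
    for name, rec in [("SPF_OK", SPF_OK), ("SPF_SOFT", SPF_SOFT),
                      ("DMARC_OK", DMARC_OK), ("DMARC_MONITOR", DMARC_MONITOR)]:
        checker = check_spf if rec.lower().startswith("v=spf1") else check_dmarc
        print(name, checker(rec) or "ok")
```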
Check your DNS security
KrakenProbe checks all three records — SPF, DKIM (across common selectors), and DMARC — and flags misconfigurations like soft fail policies or monitoring-only DMARC. Scan your domain to see where you stand.