SPF, DKIM, And DMARC Explained for Small Business Owners

SPF, DKIM, and DMARC are email authentication settings for your domain. They help receiving mail systems decide whether a message that claims to come from your domain should be trusted.

These settings do not replace good passwords or careful email habits. They help protect your domain from spoofing, reduce confusion for receiving mail systems, and support better email delivery when set up correctly.

The Short Version

Think of the three records as related checks:

  • SPF lists which services are allowed to send email for your domain.
  • DKIM adds a digital signature to outgoing messages.
  • DMARC tells receiving mail systems what to do when SPF or DKIM checks fail.

They work together, but each one does a different job.

What SPF Does

SPF stands for Sender Policy Framework.

It is usually added as a TXT record in DNS. The record lists the mail systems that are approved to send messages for your domain.

For example, if you use Microsoft 365 for regular email and an email marketing tool for newsletters, both may need to be included in your SPF setup.

Most domains should have only one SPF TXT record at the root domain. If you add several SPF records, receiving mail systems may treat the setup as invalid. When multiple services need permission to send, their instructions usually need to be combined into a single SPF record.
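
The check below is an added example, not code from this article or from any provider. It takes the TXT values published at a root domain, flags the case of more than one SPF record, and proposes a single combined record. The sample values, the newsletter include, and the choice of ~all as the ending are assumptions; always use the values your sending services supply.

```python
# Added example. The TXT values below are constructed samples.
SAMPLE_TXT = [
    "v=spf1 include:spf.protection.outlook.com -all",  # business email
    "v=spf1 include:spf.newsletter.example ~all",      # hypothetical newsletter tool
    "site-verification=constructed-token",             # unrelated TXT record
]

def spf_records(txt_records):
    """Return only the TXT values that are SPF records."""
    cleaned = [r.strip() for r in txt_records]
    return [r for r in cleaned
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def merge_spf(txt_records, all_term="~all"):
    """Combine all SPF records into one record with a single 'all' at the end."""
    terms = []
    for record in spf_records(txt_records):
        for term in record.split()[1:]:               # skip the v=spf1 tag
            if term.lstrip("+-~?").lower() == "all":
                continue                              # one 'all' is appended below
            if term.lower() not in [t.lower() for t in terms]:
                terms.append(term)                    # keep order, drop duplicates
    return " ".join(["v=spf1", *terms, all_term])

def check_spf(txt_records):
    """Return (status, record): status is 'missing', 'multiple' or 'ok'."""
    found = spf_records(txt_records)
    if not found:
        return "missing", None
    if len(found) > 1:
        return "multiple", merge_spf(txt_records)     # suggested replacement
    return "ok", found[0]

if __name__ == "__main__":
    print(check_spf(SAMPLE_TXT))
```

When the status is "multiple", the second value is a suggestion to review, not a record to publish unchecked: the ending term decides how strictly receivers treat unlisted senders.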

What DKIM Does

DKIM stands for DomainKeys Identified Mail.

DKIM uses a digital signature to help prove that a message was authorized by the sending service and was not altered in transit. In many setups, DKIM requires DNS records plus a setting inside the email service.

For Microsoft 365 and many other providers, DKIM setup often involves CNAME records or TXT records that connect your domain to signing keys controlled by the email service.

DKIM is especially useful when your email passes through different systems before reaching the recipient. It gives receiving mail systems another way to check whether the message is legitimate.

What DMARC Does

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

DMARC builds on SPF and DKIM. It tells receiving mail systems how to handle messages that fail authentication checks. A DMARC policy can be set to monitor, quarantine, or reject.

The common policy stages are:

  • p=none: Monitor results without asking receivers to block mail.
  • p=quarantine: Ask receivers to treat failing mail with suspicion.
  • p=reject: Ask receivers to reject failing mail.

Many businesses start with p=none while they check which services send email for the domain. Moving too quickly to a stricter policy can block legitimate mail if any sending service is not yet configured correctly.

How These Records Help a Small Business

Your domain can be abused even if nobody has your mailbox password. A scammer can try to send messages that appear to come from your domain. SPF, DKIM, and DMARC make that harder and give receiving mail systems more information.

They also help with normal sending. If your domain sends invoices, quotes, password resets, appointment reminders, or newsletters, proper authentication helps receiving systems understand that your mail is authorized.

Authentication does not guarantee inbox placement. Spam filters also look at sender reputation, message content, recipient engagement, complaint rates, links, attachments, and past behavior.

Common SPF, DKIM, and DMARC Mistakes

Common mistakes include:

  • Adding more than one SPF record
  • Forgetting that email marketing tools may also need authentication
  • Enabling DMARC before SPF and DKIM are ready
  • Using p=reject too early
  • Removing old records without knowing what service uses them
  • Adding records at the wrong DNS provider
  • Leaving DKIM disabled inside the email service after adding DNS records
  • Assuming a website host controls email authentication

If your domain has several tools that send email, list them before changing authentication records. Include your business email provider, website forms, booking system, invoicing tool, CRM, ecommerce platform, and newsletter platform.

Where to Add These Records

SPF, DKIM, and DMARC records are added wherever your active DNS is managed.

If your domain uses Tech Help Canada Hosting DNS, start in the Tech Help Canada Hosting portal and open the domain’s DNS records. If your domain uses another DNS provider, add the records there instead.

Always use the values supplied by your email or sending platform. Do not copy values from another website unless that service specifically generated them for your domain.

A Safer Setup Order

For most small businesses, a safer order is:

  1. List every service that sends email for your domain.
  2. Confirm the active DNS provider.
  3. Add or correct SPF.
  4. Enable DKIM for your main email provider.
  5. Authenticate email marketing or automation tools.
  6. Add DMARC in monitoring mode.
  7. Review results before moving to stricter DMARC policies.

If you use your domain for both regular business email and marketing campaigns, do not assume one setup covers both. Each sending service may need its own authentication steps.

When to Ask for Help

Ask for help before changing these records if your domain receives customer inquiries, invoices, booking requests, or staff email all day. Email authentication is manageable, but it is easy to break delivery by editing the wrong record.

For ordinary business email using your domain, you can explore Microsoft 365 through Tech Help Canada Hosting.
