Email Security

How to Set Up DMARC, DKIM and SPF for Your Domain

SPF, DKIM, and DMARC are three email authentication standards that prevent attackers from spoofing your domain to send phishing emails. Without them, criminals can send email appearing to come from your address — targeting your customers, partners, and staff.

Overview

SPF, DKIM, and DMARC are email authentication standards that prevent attackers from spoofing your domain. Without DMARC in enforcement mode, anyone can send email appearing to come from your business — targeting your customers and contacts. 85% of UK cyber breaches involve phishing (DSIT 2025).


What Are DMARC, DKIM, and SPF?

Email authentication is a foundational element of any robust cybersecurity strategy. DMARC (Domain-based Message Authentication, Reporting, and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework) are three DNS-based standards that work together to verify that email claiming to come from your domain was genuinely sent by an authorised source. Without these protocols in place, anyone on the internet can send email that appears to come from your domain — a technique used routinely in phishing and business email compromise attacks.

The scale of the phishing threat makes email authentication essential rather than optional. According to the DSIT Cyber Security Breaches Survey 2025, 85% of breaches experienced by UK businesses involved phishing (DSIT 2025), and 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months (DSIT 2025). A significant proportion of these phishing attacks exploit domains that lack proper authentication, allowing attackers to impersonate trusted organisations with virtually no technical barrier.

How Each Standard Works

SPF (Sender Policy Framework)

SPF is a DNS TXT record, published at your domain, that lists the IP addresses and mail servers authorised to send email on behalf of that domain. When a receiving mail server gets a message, it looks up the SPF record for the envelope sender domain and checks whether the connecting server's IP address is on the authorised list. If it is not, the SPF check fails (or soft-fails, depending on the qualifier on the record's final "all" term). SPF is the oldest of the three standards and the simplest to implement, but on its own it has a significant limitation: it is evaluated against the envelope sender address (the SMTP MAIL FROM, which appears as Return-Path in the delivered message) and the HELO identity, not the From header that recipients actually see in their email client. An attacker can therefore pass SPF using an envelope domain they control while displaying your domain in the From header.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to each outgoing message using a private key held by your mail server or email service provider. The corresponding public key is published as a DNS TXT record under a selector (for example selector1._domainkey.example.com), and the signature header names both the selector (s=) and the signing domain (d=). A receiving server retrieves the public key from DNS and uses it to verify the signature. A valid DKIM signature confirms two things: the message was signed by a holder of the private key for the signing domain, and the signed headers and body have not been modified since signing. DKIM is more robust than SPF because a signature normally survives forwarding, a common scenario where SPF fails because the forwarding server is not listed in the original domain's SPF record. The caveat is that anything which alters the signed content in transit, such as a mailing list adding a footer or rewriting the subject line, breaks the signature.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and adds a critical policy layer. Your DMARC record (a TXT record at _dmarc.yourdomain) tells receiving servers what to do when a message from your domain produces neither an aligned SPF pass nor an aligned DKIM pass: take no action (p=none, monitor only), quarantine the message (p=quarantine, typically delivered to the spam or junk folder), or reject it (p=reject, delivery refused). Crucially, DMARC adds the alignment check: the domain that passed SPF (the envelope sender domain) or the domain that signed with DKIM (the d= value) must match the domain in the From header that the recipient sees. In the default relaxed mode (aspf=r, adkim=r) a subdomain of the From domain is acceptable; in strict mode (aspf=s, adkim=s) the domains must match exactly. This closes the gap that allows attackers to pass SPF with a different domain whilst spoofing the visible From address.

DMARC also enables reporting. Aggregate reports, requested with the rua= tag, are sent to an address you specify, showing which servers worldwide are sending email using your domain, how that email fared against SPF, DKIM and alignment, and any unauthorised senders you may not have been aware of. These reports provide invaluable visibility into how your domain is being used, and by whom.

How the Three Standards Work Together

Each standard addresses a different aspect of email authentication, and all three are needed for comprehensive protection. SPF verifies that the sending server is authorised. DKIM verifies that the message is genuine and unmodified. DMARC enforces a policy when either check fails and ensures domain alignment. Implementing only one or two of the three leaves gaps that sophisticated attackers can exploit.

Consider a practical example: an attacker sends phishing email to your clients from a server they control, setting the From header to your genuine domain while using an envelope sender at a lookalike domain they have registered. SPF is evaluated against that lookalike domain, which the attacker has set up to pass. Without DMARC, nothing ties the passing SPF domain to the From header the recipient sees, so the message is delivered. With DMARC at p=reject, the receiving server sees that neither SPF nor DKIM is aligned with your domain and refuses the message, preventing it from reaching the recipient. The outcome is the same if the attacker skips the lookalike domain and simply fails SPF outright.
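The alignment check and the lookalike-domain scenario above, as an added worked example in Python (not code from the original page or from AMVIA). It assumes the receiver has already produced the SPF and DKIM results; the DMARC records, domain names and authentication results are constructed, and the tiny public-suffix set stands in for the real list receivers use to derive the organisational domain.

```python
"""Evaluate DMARC alignment and disposition for a message.

Added example, not from the original page or from AMVIA. The SPF and
DKIM results are assumed to have been produced already by the receiver;
everything below (records, domains, results) is constructed.
"""

# Constructed stand-in for the public suffix list that receivers use to
# derive the organisational domain; the real list is far longer.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def org_domain(domain: str) -> str:
    """Organisational domain: the registrable label plus its public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, from_domain: str, spf_result: str,
                   mailfrom_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass' if either SPF or DKIM passed with alignment, otherwise the
    disposition the record requests ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(
        mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(
        dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags.get("p", "none")


def demo() -> dict:
    """Constructed scenarios: the lookalike-domain spoof and a legitimate
    third-party sender, evaluated under different DMARC records."""
    # Attacker's server: MAIL FROM at a lookalike domain they control, so SPF
    # passes for that domain, but the visible From header is example.com.
    spoof = dict(from_domain="example.com", spf_result="pass",
                 mailfrom_domain="examp1e-mail.net", dkim_result="none", dkim_domain="")
    # Legitimate marketing platform: bounces on one subdomain, DKIM d= on another.
    legit = dict(from_domain="example.com", spf_result="pass",
                 mailfrom_domain="bounce.example.com", dkim_result="pass",
                 dkim_domain="em.example.com")
    return {
        "spoof_p_none": evaluate_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com", **spoof),
        "spoof_p_reject": evaluate_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", **spoof),
        "legit_relaxed": evaluate_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", **legit),
        "legit_strict": evaluate_dmarc("v=DMARC1; p=reject; adkim=s; aspf=s", **legit),
    }


if __name__ == "__main__":
    for name, disposition in demo().items():
        print(f"{name:16} -> {disposition}")
```

The spoof passes SPF for the attacker's own domain yet ends in reject under p=reject (and is merely reported under p=none), while the legitimate sender passes in relaxed mode but is rejected in strict mode because both its identifiers sit on subdomains. That is why strict alignment should only be enabled once every sender signs and bounces with the exact From domain.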

Implementation Steps

Step 1: Audit Your Current Sending Infrastructure

Before implementing any authentication records, identify every service that sends email on behalf of your domain. This includes your primary email platform (typically Microsoft 365 or Google Workspace), but also CRM systems, marketing platforms, invoicing software, helpdesk tools, appointment booking systems, and any other service that sends email using your domain name. Missing a legitimate sender will cause their emails to fail authentication once enforcement is enabled.

Step 2: Publish SPF Records

Create an SPF TXT record in DNS that includes all legitimate sending sources identified in the audit, and end it with a restrictive qualifier (-all, or ~all while you are still validating) so that unlisted servers fail. A critical limitation of SPF is the 10 DNS lookup limit: the include, a, mx, ptr and exists mechanisms and the redirect modifier each count, nested includes count too, and a record that exceeds ten lookups produces a permanent error (permerror) that makes SPF fail for all of your email. Businesses using multiple third-party senders can exceed this limit without realising it. AMVIA optimises SPF records to stay within the lookup limit by using IP addresses directly where possible and consolidating include mechanisms.

Step 3: Configure DKIM Signing

Enable DKIM signing on your email platform. For businesses using Microsoft 365, AMVIA configures DKIM signing within Exchange Online, where Microsoft generates the key pair and the domain owner publishes the two CNAME records (selector1._domainkey and selector2._domainkey) that point at the public keys Microsoft hosts. Third-party senders should also be configured to DKIM-sign email they send on your behalf, where the service supports it, ideally with a signing domain aligned to yours (your domain or a subdomain of it) rather than the vendor's own domain, so that the signature counts for DMARC. Most modern email platforms and marketing tools support this.

Step 4: Deploy DMARC in Monitoring Mode

Publish a DMARC record with a p=none policy initially and a rua= address to receive aggregate reports (for example v=DMARC1; p=none; rua=mailto:dmarc@yourdomain). This collects reports without taking any action on unauthenticated email, allowing you to see what is happening without risking legitimate email being blocked. AMVIA uses a DMARC monitoring platform to parse and visualise these reports, making it straightforward to identify authorised senders that need to be added to SPF or configured for DKIM.

Step 5: Review Reports and Authenticate All Senders

Review DMARC aggregate reports over a period of 30 to 60 days to build a complete picture of all email sources. Any legitimate sender that is not passing SPF or DKIM needs to be authenticated before advancing to enforcement. This review period is essential — rushing to enforcement without completing it is the most common cause of legitimate email being blocked.

Step 6: Advance to Enforcement

Once all legitimate senders are authenticated, advance the DMARC policy to p=quarantine (failing messages delivered to spam) and then to p=reject (failing messages refused). The pct= tag can apply the policy to a percentage of failing messages first (for example pct=25) for a more gradual rollout, although not every receiver honours it. AMVIA typically advances through quarantine for two to four weeks before moving to reject, monitoring reports at each stage to confirm that no legitimate email is being caught.
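The SPF lookup budget from Step 2, as an added worked example in Python (not code from the original page or from AMVIA). It walks constructed TXT records held in dictionaries instead of querying DNS, counts the mechanisms that cost a lookup the way a receiver does, and compares the over-budget record a business accumulates over time with a consolidated one. All domain names and record contents are constructed.

```python
"""Count SPF DNS lookups and check the terminal 'all' qualifier.

Added example, not from the original page or from AMVIA. Instead of
querying DNS it walks constructed TXT records held in dictionaries.
"""

# Mechanisms that cost a DNS lookup. RFC 7208 section 4.6.4 caps them at 10
# per evaluation, nested includes included; beyond that the result is permerror.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed zone data: a primary mail platform plus CRM, marketing,
# helpdesk and invoicing vendors, several of which nest further includes.
DNS_BEFORE = {
    "example.com": ("v=spf1 include:spf.mailplatform.example include:spf.crm.example "
                    "include:spf.marketing.example include:spf.helpdesk.example "
                    "include:spf.invoicing.example ip4:203.0.113.10 ~all"),
    "spf.mailplatform.example": ("v=spf1 include:eu.spf.mailplatform.example "
                                 "include:us.spf.mailplatform.example -all"),
    "eu.spf.mailplatform.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "us.spf.mailplatform.example": "v=spf1 a mx -all",
    "spf.crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example -all",
    "_spf1.crm.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "_spf2.crm.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "spf.marketing.example": "v=spf1 mx ip4:198.51.100.200 -all",
    "spf.helpdesk.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.invoicing.example": "v=spf1 include:spf.helpdesk.example -all",
    "parked.example.com": "v=spf1 -all",      # domain that sends no mail
    "legacy.example.com": "v=spf1 mx +all",   # authorises the whole internet
}

# Consolidated record: the invoicing and helpdesk includes are replaced by the
# IP range they resolve to, and the qualifier is tightened to -all.
DNS_AFTER = dict(DNS_BEFORE)
DNS_AFTER["example.com"] = ("v=spf1 include:spf.mailplatform.example include:spf.crm.example "
                            "include:spf.marketing.example ip4:203.0.113.0/24 -all")


def count_lookups(domain: str, dns: dict, path: tuple = ()) -> tuple:
    """Return (lookup_count, all_qualifier) for the SPF record at domain,
    recursing through include: and redirect=. path detects include loops."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    count, all_qualifier = 0, None
    for term in record.split()[1:]:
        if "=" in term:                       # modifier, e.g. redirect= or exp=
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                count += 1 + count_lookups(target, dns, path + (domain,))[0]
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()     # strip a CIDR suffix such as a/24
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            count += 1
            if name == "include":
                count += count_lookups(target, dns, path + (domain,))[0]
    return count, all_qualifier


def check_spf(domain: str, dns: dict) -> dict:
    """Summarise the record's lookup cost and how it treats unlisted senders."""
    lookups, all_qualifier = count_lookups(domain, dns)
    findings = []
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}: "
                        "receivers return permerror")
    if all_qualifier in (None, "+", "?"):
        findings.append("no fail qualifier on 'all': unlisted servers are not rejected")
    return {"domain": domain, "lookups": lookups, "all": all_qualifier, "findings": findings}


if __name__ == "__main__":
    for label, dns in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        print(label, check_spf("example.com", dns))
    print(check_spf("parked.example.com", DNS_BEFORE))
    print(check_spf("legacy.example.com", DNS_BEFORE))
```

The original record costs 13 lookups even though it only lists five includes, because the vendors' own records nest further; the consolidated version lands exactly on the limit of 10, which is still allowed. Re-run a check like this whenever a vendor is added, since a vendor changing its own include chain can push your record over the limit without any change on your side.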

Monitoring and Ongoing Management

DMARC is not a set-and-forget configuration. New third-party services may be introduced that send email on your behalf, requiring updates to SPF and DKIM configuration. Attackers may attempt to spoof your domain, generating failed authentication reports that need investigation. AMVIA monitors DMARC reports on an ongoing basis as part of its managed email security service, ensuring that authentication remains current and that any spoofing attempts are identified promptly.

The average cost of a data breach for UK organisations was £3.4 million (IBM 2024). Properly configured email authentication significantly reduces the risk of your domain being used as a weapon in phishing attacks — protecting not just your organisation but every person and business that receives email from your domain. With 55,995 Cyber Essentials certifications issued in 2025 (NCSC) and Cyber Essentials guidance now recommending DMARC, email authentication is firmly established as a baseline security control for UK businesses.

How AMVIA Implements Email Authentication

AMVIA configures SPF, DKIM, and DMARC for UK businesses as part of its managed email security service. The process begins with a full audit of your current sending infrastructure, followed by structured implementation through monitoring to enforcement over a defined timeline. For businesses using Microsoft 365, AMVIA configures DKIM signing within Exchange Online as standard. DMARC configuration is included in AMVIA's managed cybersecurity service and can be delivered as a standalone engagement for businesses that only need email authentication support. Only 14% of UK businesses have a formal incident response plan (DSIT 2025) — email authentication is one of the most impactful preventive controls you can implement to reduce the likelihood of needing that plan.

Key Points

What UK businesses need to know about email authentication.

Domain Spoofing is Common

85% of UK cyber breaches involve phishing (DSIT 2025). Without email authentication, any attacker can send email appearing to come from your domain.

Three Layered Standards

SPF, DKIM, and DMARC each address a different aspect of email authentication — all three are needed for complete protection.

UK and International Requirements

NCSC and Cyber Essentials both recommend DMARC. Google and Microsoft now require DMARC for bulk email senders.

DMARC Reporting Provides Visibility

DMARC aggregate reports show all email sent using your domain, including unauthorised senders you may not know about.

Email Authentication Checklist

SPF record published and validated for your domain

DKIM signing enabled for Microsoft 365 (or your mail platform)

DMARC record deployed — at minimum p=none to collect reports

All third-party senders identified and authenticated before enforcement

DMARC policy advanced to p=quarantine or p=reject

DMARC applied to all your domains, including inactive ones (a domain that sends no email should publish v=spf1 -all and a DMARC policy of p=reject so it cannot be spoofed either)


Protect Your Domain from Email Spoofing

AMVIA configures SPF, DKIM, and DMARC for UK businesses and manages the transition to enforcement — so your domain cannot be used to phish your contacts.