
How to Prevent Email Spoofing: SPF, DKIM, and DMARC Setup Guide

01 Apr 2026

Email spoofing is when attackers send emails that appear to come from your domain. This is used in phishing attacks, business email compromise, and spam campaigns. The good news: it is entirely preventable with three DNS records. Use our DNS Security Checker to verify your setup.

SPF (Sender Policy Framework)

SPF specifies which mail servers are allowed to send email on behalf of your domain. Add a TXT record to your DNS:

# Basic SPF record
v=spf1 include:_spf.google.com -all

# If you use multiple providers
v=spf1 include:_spf.google.com include:sendgrid.net -all

The -all at the end is critical — it tells receiving servers to reject emails from unauthorized servers. Using ~all (soft fail) provides less protection.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your outgoing emails, allowing recipients to verify the email was not altered in transit. Your email provider generates the keys — you add the public key as a DNS record.

# Example DKIM record (provided by your email service)
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Start with monitoring, then progress to enforcement:

# Step 1: Monitor only (start here)
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

# Step 2: Quarantine failures
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

# Step 3: Reject failures (maximum protection)
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"

Implementation order

  1. Set up SPF first — it is the simplest and most impactful
  2. Configure DKIM through your email provider
  3. Add DMARC with p=none to monitor for 2-4 weeks
  4. Review DMARC reports, then tighten to p=quarantine and finally p=reject
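
To check where a domain stands in this rollout, the following added example (not code from this guide or its scanner) audits SPF and DMARC TXT strings for the points above: the `all` qualifier, the number of DNS-lookup terms, the DMARC policy stage, and the presence of `rua`. The function names `audit_spf` and `audit_dmarc` are hypothetical, and the code works on record strings you paste in rather than querying DNS.

```python
import re

# Terms that each cost one DNS lookup. RFC 7208 allows at most 10 per check;
# lookups made inside included records count too, but are not followed here.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def audit_spf(txt):
    """Audit one SPF TXT string. Returns (all_qualifier, lookup_terms, issues)."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, 0, ["record does not start with v=spf1"]
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    issues = []
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10")
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        return None, lookups, issues + ["no 'all' mechanism in this record"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    if qualifier != "-":
        issues.append(f"'{alls[0]}' does not hard-fail unauthorized senders")
    return qualifier, lookups, issues

def audit_dmarc(txt):
    """Audit one DMARC TXT string. Returns (policy, issues)."""
    parts = (p.partition("=") for p in txt.strip().strip('"').split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("v") != "DMARC1":
        return None, ["record is not a v=DMARC1 record"]
    policy = tags.get("p", "").lower()
    issues = []
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    elif policy != "reject":
        issues.append(f"p={policy} is a rollout stage, not final enforcement")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports arrive")
    return policy or None, issues

if __name__ == "__main__":
    # Constructed sample records, modelled on the ones shown in this guide.
    for spf in ("v=spf1 include:_spf.google.com include:sendgrid.net -all",
                "v=spf1 include:_spf.google.com ~all"):
        print(spf, "->", audit_spf(spf))
    for dmarc in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                  "v=DMARC1; p=reject"):
        print(dmarc, "->", audit_dmarc(dmarc))
```

An empty issues list for both records corresponds to step 4 completed: `-all` in SPF and `p=reject` with reporting in DMARC.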

Verify your configuration

Run a free security scan on your domain to check your SPF, DKIM, and DMARC configuration. Our DNS scanner validates all email authentication records.
