
Email security explained: SPF, DKIM and DMARC in plain English

Eleanor Hartley · Cyber Security Lead · 9 min read

Three cryptic acronyms - SPF, DKIM and DMARC - decide whether your emails land in inboxes or spam, and whether criminals can send fake emails pretending to be you. Most UK businesses have heard of none of them, set up none of them, and only discover they matter when a fraudulent invoice goes out in their name. The good news: the concept is simple, and getting it right is one of the cheapest, highest-impact security wins available.

How the three checks layer up
  • Layer 1, plain email: no proof of sender by default
  • Layer 2, SPF: approved list of sending servers
  • Layer 3, DKIM: tamper-proof signature on each email
  • Layer 4, DMARC: policy + reports - ties it together

The problem these three solve

Email was invented without any way to prove who actually sent a message. By default, anyone can put your company's address in the 'from' field, exactly as anyone can write any return address on an envelope. That is how scammers send convincing emails that appear to come from your finance team, your boss or your brand - a tactic closely related to the phishing attacks staff are trained to spot.

SPF, DKIM and DMARC are three checks that, together, let receiving mail systems verify that an email genuinely came from you - and let you tell them what to do with fakes. Think of them as a passport, a tamper-proof seal, and a border policy working in concert.

SPF: the guest list

SPF - Sender Policy Framework - is a published list of which servers are allowed to send email on your behalf. You list your email provider (Microsoft 365, Google Workspace), your marketing platform, your invoicing system, and anything else legitimately sending as you.

When an email arrives claiming to be from your domain, the receiving server checks: did this come from a server on the approved list? If not, that is a red flag. It is the bouncer checking the guest list at the door - a simple yes-or-no on whether the sending server is allowed.

DKIM: the tamper-proof seal

DKIM - DomainKeys Identified Mail - adds an invisible digital signature to every message you send, created with a private key only you hold. The receiving server uses your matching public key to confirm two things: the email really was signed by your domain, and nobody altered it in transit.

If SPF is the guest list, DKIM is a wax seal on the envelope. A broken or missing seal means the message was forged or tampered with. Crucially, DKIM survives some forwarding that can break SPF, which is one reason you want both rather than either alone.

How to roll out DMARC safely

How confident are you that every real sender is authorised?
  • Just starting: monitor only - p=none
  • Senders fixed: quarantine fakes
  • Fully confident: reject fakes

DMARC: the policy that ties it together

SPF and DKIM each prove something, but on their own they do not tell receiving servers what to do when a check fails - and they do not stop a scammer faking your visible 'from' address while passing their own checks. DMARC closes both gaps.

DMARC - Domain-based Message Authentication, Reporting and Conformance - does two valuable things. First, it ties SPF and DKIM to the address your recipients actually see, and lets you set a policy: do nothing, send failures to spam (quarantine), or reject them outright. Second, it sends you reports showing who is sending email as your domain - legitimate or not - so you can see fraud and misconfiguration you would otherwise never know about.

  • Start in 'monitor only' so you can see what is sending as you without blocking anything.
  • Read the reports, add any legitimate senders you had forgotten to SPF and DKIM.
  • Then tighten the policy to quarantine, and finally to reject, once you are confident.
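To make the "ties it to the visible address" point concrete, here is a small Python model of the DMARC decision, added as an illustration and not taken from the article or any mail software. The DMARC record, the domains and the message results are constructed placeholders, and relaxed alignment is simplified to a domain-suffix check rather than the Public Suffix List lookup real receivers perform.

```python
"""Toy DMARC evaluator: applies a published policy to SPF/DKIM results."""
from dataclasses import dataclass

def parse_dmarc(record: str) -> dict:
    """Parse a 'v=DMARC1; p=...' TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed mode ('r'): same domain or a subdomain; strict ('s'): exact.
    Simplification: real DMARC compares organisational domains using the
    Public Suffix List; a plain suffix check stands in for that here."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

@dataclass
class Message:
    from_domain: str   # domain in the visible From: header
    spf_pass: bool     # SPF result for the envelope sender
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF checked
    dkim_pass: bool    # DKIM signature verified
    dkim_domain: str   # d= domain in the DKIM signature

def dmarc_disposition(msg: Message, record: str) -> str:
    """Return 'pass', or the policy action (none/quarantine/reject) on failure."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:        # one aligned pass is enough for DMARC
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    # Constructed record for a placeholder domain, mid-rollout at quarantine
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.co.uk"
    real = Message("example.co.uk", True, "mail.example.co.uk", True, "example.co.uk")
    # Forged From: header; SPF and DKIM pass, but only for the sender's own domain
    fake = Message("example.co.uk", True, "scammer.example", True, "scammer.example")
    print(dmarc_disposition(real, rec))  # pass
    print(dmarc_disposition(fake, rec))  # quarantine
```

The second message shows why SPF and DKIM alone leave a gap: both checks pass, yet neither passing domain aligns with the address the recipient sees, so the published policy applies.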

Why this is worth doing now

Beyond stopping criminals impersonating your brand, there is a hard commercial reason: the big mailbox providers increasingly require proper email authentication, and messages from domains without it are quietly filtered to spam or rejected. Skipping this can mean your genuine invoices and quotes simply never arrive.

It is also a recognised baseline of good security hygiene that aligns with standards like Cyber Essentials, and it pairs naturally with the controls in our email security service. If your email lives in Microsoft 365, the records are quick to add once you know what to publish - and worth combining with the wider hardening in your Microsoft 365 plan and the MFA rollout every business should complete.

Key takeaways
  • Email has no built-in proof of sender; SPF, DKIM and DMARC add that proof so criminals cannot easily impersonate you.
  • SPF is the guest list of servers allowed to send as you; DKIM is a tamper-proof seal proving the message is genuine and unaltered.
  • DMARC ties the two to your visible address, sets what happens to fakes, and reports who is sending as your domain.
  • Roll DMARC out in monitor-only first, fix legitimate senders, then tighten to quarantine and finally reject.
  • Big providers now expect authentication - without it, your genuine emails increasingly land in spam or get rejected.
FAQs — Email security explained

The basics

Do I need all three, or is one enough?

You need all three working together. SPF lists your approved sending servers, DKIM proves a message is genuine and unaltered, and DMARC ties them to your visible address and decides what happens to fakes. Any one alone leaves a gap a scammer can exploit; together they close the loop and give you reporting too.

Will setting these up stop our emails going to spam?

It is one of the biggest factors. Major mailbox providers increasingly require proper authentication and filter or reject mail from domains without it. Correct SPF, DKIM and DMARC records tell those providers your mail is genuine, which significantly improves deliverability alongside good sending practices and a healthy domain reputation.

Getting it right

Is it risky to turn on DMARC enforcement?

It can be if you jump straight to reject, because any legitimate sender you forgot to authorise would be blocked. That is why you start in monitor-only mode, read the reports to find every genuine sender, fix SPF and DKIM for them, and only then tighten to quarantine and finally reject. Done in that order, it is safe.

We use Microsoft 365 - is this already handled?

Partly. Microsoft 365 makes DKIM and SPF straightforward to enable, but the records still need configuring correctly for your domain and every other service that sends as you, and DMARC is not switched on by default. It is quick to do once you know what to publish, but it is not automatic - check rather than assume.
