SPF, DKIM, and DMARC are the three email authentication standards that together prevent your domain from being spoofed by attackers. Hamilton365 provides this plain-language explanation for business owners who've been told they need these things but want to understand what they actually do.
Email was designed without sender verification. Anyone can send an email claiming to be from any address. SPF, DKIM, and DMARC add the verification layer email was never born with; think of them as three security guards, each checking a different credential.
SPF is a DNS record listing the mail servers authorised to send email for your domain. Like a guest list at the door: if the sending server isn't on the list, it fails the check. For M365, the record must include Microsoft's mail servers and any other platforms that send email on your behalf.
DKIM is a cryptographic signature added to every outgoing email, like a wax seal on a letter. It proves the email came from where it claims and hasn't been tampered with in transit. Many M365 organisations have never enabled DKIM, meaning every email they send is unsigned.
DMARC builds on SPF and DKIM by adding a policy (what receivers should do with emails that fail) and reporting (daily reports on email authentication activity for your domain). It has three policies: none (monitor only), quarantine (send failures to spam), and reject (block failures). None is the starting point; reject is the goal.
Check your current status using MXToolbox; its SPF, DKIM, and DMARC lookups for your domain are free and take under a minute.
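The same three checks, as an added example that is not Hamilton365's own tooling: it reads SPF, DKIM and DMARC TXT records from a constructed lookup table (no live DNS) and reports whether each matches the posture described above. The domain, selector and record values are sample data; `spf.protection.outlook.com` is the include Microsoft publishes for M365.

```python
# Offline check of SPF, DKIM and DMARC TXT records against the posture the
# article describes. Sample records are constructed; no DNS is queried.
SAMPLE_TXT = {  # constructed records for a hypothetical domain
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest

def parse_tags(record):
    """Turn a 'tag=value; tag=value' DKIM/DMARC record into a dict."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def check_spf(txt, required_include="spf.protection.outlook.com"):
    """Exactly one SPF record, listing the M365 servers, ending in ~all or -all."""
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return (False, f"found {len(spf)} SPF records; exactly one is allowed")
    terms = spf[0].split()[1:]
    includes = {t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")}
    all_term = terms[-1] if terms and terms[-1].lower().endswith("all") else "(none)"
    if required_include not in includes:
        return (False, f"include:{required_include} is missing")
    if all_term not in ("-all", "~all"):
        return (False, f"'{all_term}' does not fail unlisted senders")
    return (True, f"ok ({all_term})")

def check_dkim(txt):
    """A DKIM record exists at the selector and carries a public key (p=)."""
    for r in txt:
        tags = parse_tags(r)
        if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p"):
            return (True, "signing key published")
    return (False, "no DKIM key published: outgoing mail is unsigned")

def check_dmarc(txt):
    """A DMARC record exists; report its policy and whether reporting is on."""
    for r in txt:
        tags = parse_tags(r)
        if tags.get("v") == "DMARC1" and tags.get("p") in POLICY_RANK:
            note = "reporting on" if tags.get("rua") else "no rua= address, no reports"
            return (tags["p"] == "reject", f"p={tags['p']}, {note}")
    return (False, "no DMARC record: no policy, no reports")

def audit(domain, selector, records):
    """Run all three checks for a domain using the supplied TXT lookup table."""
    return {
        "spf": check_spf(records.get(domain, [])),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
    }

if __name__ == "__main__":
    for name, (ok, detail) in audit("example.com", "selector1", SAMPLE_TXT).items():
        print(f"{name.upper():5} {'PASS' if ok else 'ACTION'}  {detail}")
```

With the sample records, SPF and DKIM pass while DMARC is flagged because p=none only monitors; a real check would feed the function the TXT records returned by an MXToolbox lookup.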
Email Authentication Setup