SPF, DKIM, and DMARC Explained (Email Authentication Made Simple)


Overview

SPF, DKIM, and DMARC are essential email authentication technologies that help prevent email spoofing, improve deliverability, and protect your domain’s reputation. ArchGriffin automatically configures SPF, DKIM, and basic DMARC records for all hosted domains, but it’s useful to understand what they do and why they matter.

What is SPF?

SPF (Sender Policy Framework) is like a guest list for your domain. It tells receiving mail servers which servers are allowed to send email on behalf of your domain.

How SPF Works

  • You publish an SPF record in your domain’s DNS (a type of TXT record).
  • When an email is received, the recipient server checks whether the sending server is listed in your SPF record.
  • If the server is listed, the email passes SPF authentication. If not, it may be rejected or flagged as suspicious.

Example SPF Record

v=spf1 +a +mx include:spf.archgriffin.com -all

This means: Allow servers listed in your domain’s A and MX records, include ArchGriffin’s sending servers, and reject all others.

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to your email headers. This proves that the email has not been altered after it was sent and verifies that it came from your domain.

How DKIM Works

  • When you send an email, your server signs the message with its private key and attaches the signature as a header.
  • The recipient’s server looks up the matching public key in your domain’s DKIM record (another DNS TXT record) and uses it to verify the signature.
  • If the signature matches, the email passes DKIM authentication.

Benefits of DKIM

  • Helps your emails land in inboxes rather than spam folders
  • Prevents attackers from forging your domain in phishing attacks

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM by setting a policy for how receiving servers should handle emails that fail authentication.

How DMARC Works

  • You publish a DMARC policy in DNS.
  • When an email fails SPF or DKIM checks, the recipient server consults your DMARC policy to decide what to do.
  • You can specify how failed emails should be handled:
    • None: Do nothing (monitor only)
    • Quarantine: Send to spam
    • Reject: Block the message
  • DMARC also allows you to receive reports about authentication failures for your domain.

Example DMARC Record

v=DMARC1; p=quarantine; rua=mailto:[email protected]; sp=none; aspf=r;

This means: If SPF or DKIM fails, quarantine the email, and send reports to [email protected].
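
The example record also carries two tags the summary above does not mention: sp= (the policy for subdomains) and aspf= (the SPF alignment mode). The Python sketch below is an added illustration, not ArchGriffin's own tooling; it parses a record of that shape and resolves what a receiver is asked to do for the main domain and for a subdomain. The domains and report address are constructed placeholders, and the organizational domain is passed in by the caller instead of being derived from the Public Suffix List.

```python
# Added example: parse a DMARC TXT record and resolve what it tells a receiver.
# The report address and domains below are constructed placeholders.

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC record into tags, apply RFC 7489 defaults, validate."""
    pairs = [part.strip() for part in record.split(";") if part.strip()]
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and p= is required for a policy record.
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("invalid sp= tag")
    return {**DEFAULTS, **tags}


def effective_policy(tags, from_domain, org_domain):
    """Policy requested for mail whose From: domain is from_domain."""
    if from_domain.lower() == org_domain.lower():
        return tags["p"]
    # Subdomains use sp= when present, otherwise they inherit p=.
    return tags.get("sp", tags["p"])


def spf_aligned(tags, from_domain, mail_from_domain, org_domain):
    """Check SPF identifier alignment under the record's aspf mode."""
    f, m, o = (d.lower().rstrip(".") for d in (from_domain, mail_from_domain, org_domain))
    if tags["aspf"] == "s":  # strict: exact match only
        return f == m
    # relaxed: both names must sit under the same organizational domain
    return all(d == o or d.endswith("." + o) for d in (f, m))


RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; sp=none; aspf=r;"
tags = parse_dmarc(RECORD)
print(effective_policy(tags, "example.com", "example.com"))          # quarantine
print(effective_policy(tags, "billing.example.com", "example.com"))  # none
print(spf_aligned(tags, "example.com", "bounce.example.com", "example.com"))  # True
```

With sp=none, the quarantine policy covers only the exact domain, so mail claiming to come from a subdomain is monitored and not quarantined. Removing sp= or raising it to match p= closes that gap once reports show legitimate subdomain mail is authenticating.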

Why These Records Matter

  • Improved Deliverability: Properly authenticated emails are less likely to land in spam folders.
  • Brand Protection: Prevents scammers from forging your domain to send phishing emails.
  • Trust Building: Helps your customers and partners trust your communications.

Good News: ArchGriffin Takes Care of This for You

All hosting plans at ArchGriffin automatically include:

  • SPF records set to authorize ArchGriffin servers
  • DKIM signing enabled by default
  • Basic DMARC record to monitor and improve email security

If you are using third-party email services (like Microsoft 365 or Google Workspace) or sending emails through marketing platforms, you may need to update your SPF and DKIM settings accordingly. Contact our support team for assistance if needed.

Need Help?

If you have questions about your domain’s SPF, DKIM, or DMARC setup, or if you want to enforce stricter DMARC policies, please open a support ticket and we’ll help you customize your email authentication settings.

