EmailAudit.io

SPF, DKIM, and DMARC: What They Are and Why Every Business Needs All Three

SPF, DKIM, and DMARC are the three email authentication standards that protect your domain from spoofing and phishing. Here's what each one does and how to check if yours are set up.

Most business owners assume their email is protected because they pay for a reputable email provider. Google Workspace. Microsoft 365. A hosted platform with a padlock in the browser.

What they don't realise is that none of those providers protect your domain from being impersonated. An attacker can send email that appears to come from your domain — right now, today — without ever touching your accounts or systems. All they need is for your domain to be missing three DNS records.

Those records are SPF, DKIM, and DMARC. Here's what they are, what happens without them, and how to check yours.


The Problem: Your Domain Is an Open Door Without Authentication

When someone receives an email claiming to be from yourcompany.com, their mail server has no built-in way to verify that claim — unless you've published the records that make verification possible.

Without SPF, DKIM, and DMARC:

  • Anyone can forge the "From" address in an email and make it look like it came from your domain
  • Receiving mail servers have no policy from you telling them what to do with suspicious mail
  • Phishing emails and fraud attempts land in inboxes with your brand attached to them

This isn't a theoretical risk. According to FBI data, business email compromise — fraud that typically relies on domain spoofing — costs SMBs an average of $137,000+ per incident. And 94% of cyberattacks start with email.


SPF: Your Authorised Sender List

What it is: SPF (Sender Policy Framework) is a DNS record that lists every server and service authorised to send email from your domain.

Think of it as a guest list. When an email arrives claiming to be from yourcompany.com, the receiving server checks your SPF record: is this sender on the list?

If yes — the email passes SPF. If no — it fails, and receivers treat it with suspicion.

What your SPF record looks like:

v=spf1 include:_spf.google.com ~all

This example authorises Google Workspace to send on your behalf. Every service you use to send email — your CRM, marketing platform, billing system — needs to be included here.

What happens without it: Any server on the internet can send email claiming to be from your domain, and receiving servers have no way to identify it as illegitimate.

How to check yours: A free SPF checker will look up your domain's DNS, find the TXT record (if one exists), and validate its syntax and lookup count.
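As an added illustration (not EmailAudit.io's own checker), the Python parser below performs the offline part of such a check: it tokenises an SPF record, counts the terms that consume DNS lookups against the ten-lookup limit set by RFC 7208, and flags common mistakes such as `+all` or mechanisms placed after `all`. The record strings in the demo are constructed samples; no DNS queries are made.

```python
import re

# Terms that consume a DNS lookup; RFC 7208 allows at most ten per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([a-z][a-z0-9]*)([:=/].*)?$", re.I)

def parse_spf(record):
    """Parse one SPF TXT record offline (no DNS queries are made).
    Returns (terms, lookup_count, findings): terms are (qualifier, name,
    value) tuples, lookup_count is the number of terms that count toward
    the ten-lookup limit, findings lists problems a checker would report."""
    terms, findings, lookups, seen_all = [], [], 0, False
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return terms, lookups, ["record must start with 'v=spf1'"]
    for raw in parts[1:]:
        qual = "+"                      # the default qualifier is pass
        if raw[0] in "+-~?":
            qual, raw = raw[0], raw[1:]
        m = TERM_RE.match(raw)
        if not m:
            findings.append(f"unparseable term: {qual}{raw}")
            continue
        name = m.group(1).lower()
        rest = m.group(2) or ""
        is_modifier = rest.startswith("=")   # e.g. redirect=, exp=
        if seen_all and not is_modifier:
            findings.append(f"mechanism after 'all' is never evaluated: {raw}")
            continue
        terms.append((qual, name, rest.lstrip(":=") or None))
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            seen_all = True
            if qual == "+":
                findings.append("'+all' authorises every host on the internet")
    if not seen_all and not any(t[1] == "redirect" for t in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of ten (permerror)")
    return terms, lookups, findings

if __name__ == "__main__":
    # Constructed sample records, not any real domain's DNS data.
    for rec in ("v=spf1 include:_spf.google.com ~all",
                "v=spf1 a mx include:_spf.example.net +all"):
        print(rec, "->", parse_spf(rec)[1:])
```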


DKIM: Proof the Email Wasn't Tampered With

What it is: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The signature is generated using a private key that only your mail server holds. Receiving servers use a matching public key (published in your DNS) to verify the signature.

Think of it as a wax seal on a letter. If the seal is intact, the letter hasn't been opened or altered since it left your office. If the seal is broken — or there's no seal at all — the letter can't be trusted.

What happens without it: There's no way to verify that an email claiming to be from you wasn't forged or modified in transit. DKIM failures are a common reason legitimate email gets filtered to spam.

How DKIM appears in your DNS: A TXT record at a subdomain like google._domainkey.yourdomain.com, containing the public key that receivers use to verify the signatures your mail server puts on outbound mail. The label before _domainkey (here, google) is the selector; each signed message names its selector in the DKIM-Signature header so the receiver knows which key to fetch.

How to check yours: A DKIM validator probes your domain for active DKIM selectors. If you're on Google Workspace, DKIM needs to be manually enabled in the Google Admin Console — it doesn't activate automatically.


DMARC: The Policy That Enforces Both

What it is: DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that sits on top of SPF and DKIM. It tells receiving servers what to do when an email fails authentication.

Three options:

  • p=none — monitor only; deliver the email regardless and send reports
  • p=quarantine — send failing email to the spam folder
  • p=reject — block failing email entirely

DMARC also introduces a reporting mechanism. When you set up DMARC with a reporting email address, major mail providers send you daily aggregate reports showing who is sending email from your domain and whether each sender is passing authentication.

What happens without it: Even if SPF and DKIM are configured correctly, receivers don't have a policy from you. They make their own decisions about what to do with suspicious mail — and those decisions vary. DMARC removes that ambiguity.

What happens with p=reject: Spoofed emails that fail authentication are blocked before they reach anyone's inbox. Direct impersonation of your domain stops working at every receiver that honours your policy.

For a detailed guide on DMARC policy levels and how to progress through them safely, see our DMARC policy explainer.


Why You Need All Three — Not Just One or Two

This is where many businesses fall short. They have one or two records in place and assume they're covered.

Here's why partial coverage still leaves you exposed:

SPF alone doesn't stop display-name spoofing (where an attacker puts your name in the "From" display while using a different sending address). It also only checks the envelope sender (the Return-Path), not the "From" header the recipient actually sees, so a message can pass SPF for some other domain while still showing yours; only DMARC's alignment check ties the two together.

DKIM alone doesn't tell receivers what to do when the signature fails or is absent. A missing DKIM signature isn't automatically blocked.

DMARC without SPF and DKIM is useless. DMARC checks whether an email passed SPF or DKIM with a domain that aligns with the "From" address. If neither is set up, everything fails — including your own legitimate email.

All three together create a complete authentication layer: SPF controls who can send, DKIM proves integrity, and DMARC enforces the policy and provides visibility.
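To make the alignment rule behind the DMARC section and the points above concrete, here is an added Python example (not the site's tool) that parses a DMARC record and evaluates one message the way a receiving server would: an SPF or DKIM pass only counts when its domain aligns with the visible "From" domain, and the p= tag decides what happens otherwise. The organizational-domain helper is a simplified assumption (last two labels, no Public Suffix List), and all domains used are constructed samples.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags, applying the RFC 7489
    defaults for the alignment modes; raises if the record is not usable."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("needs v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List so that e.g. co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any domain sharing the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(policy, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.
    spf_domain is the envelope MAIL FROM (Return-Path) domain SPF was
    checked against; dkim_domain is the d= of a signature that verified.
    pct= sampling and the sp= subdomain policy are ignored for brevity."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"          # deliver normally
    action = policy["p"] if policy["p"] in ("quarantine", "reject") else "none"
    return "fail", action

if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    # Constructed cases: SPF passing for an unrelated Return-Path domain does
    # not rescue a forged From; an aligned DKIM signature does.
    print(dmarc_disposition(policy, "example.com", "pass", "other.test", "none", None))
    print(dmarc_disposition(policy, "example.com", "fail", "b.esp.test", "pass", "mail.example.com"))
```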


The Risk of Doing Nothing

Without authentication:

  • Your domain can be spoofed to send phishing emails to your customers
  • Receiving servers score your email lower, meaning more of it lands in spam
  • You have no visibility into who is sending email from your domain
  • You're vulnerable to business email compromise attacks that target your suppliers, clients, and staff

The real cost of email spoofing goes well beyond the direct fraud loss. Blacklisting, reputation damage, and incident response costs compound quickly.


How to Check Your Current Status

You can check whether your domain has SPF, DKIM, and DMARC configured — and whether they're set up correctly — in about 30 seconds.

A free Full Audit checks all three records, validates their syntax and configuration, scores each one, and shows you exactly what's missing or misconfigured. No account or signup required.

If you're on Google Workspace, see the DMARC setup guide for Google Workspace. For Microsoft 365, see the Microsoft 365 authentication setup guide.

If your emails are already going to spam, start with the email spam diagnosis guide to identify the root cause.


Run a free Full Audit — see whether your SPF, DKIM, and DMARC are correctly configured at EmailAudit.io

Results in seconds. No account required. Includes a security score, letter grade, and a list of what to fix.
