
SPF DKIM DMARC In Plain English

Last updated: January 26, 2026

Pro-Owner perspective: This document frames your systems as a technical estate — an asset to be stewarded, documented, and bequeathed. Treat these steps as craftsmanship: protect the continuity, auditability, and transferability of your digital legacy.

SPF, DKIM, and DMARC in Plain English

The 60-second version

SPF, DKIM, and DMARC are email authentication standards that prevent spoofing and phishing. SPF lets a receiver check whether the sending server is one your domain has authorized, DKIM attaches a cryptographic signature that a receiver can verify against a public key in your DNS, and DMARC ties both checks to the From: address the recipient sees and tells receivers what to do with mail that fails. Together, they protect your domain’s reputation and stop fraud.

What this solves (in real business terms)

  • Stop spoofing: Prevent attackers from sending emails pretending to be you.
  • Improve deliverability: Ensure your emails reach inboxes, not spam folders.
  • Protect brand: Avoid damage from phishing scams using your domain.
  • Compliance: Meet email security requirements (e.g., GDPR, PCI DSS).

What it costs (honest ranges)

  • Basic setup: $0 (DIY using free tools like MXToolbox).
  • Monitoring tools: $10–$50/month for DMARC reporting.
  • Consulting: $1,000–$5,000 for expert configuration.
  • Recovery costs: $5,000–$50,000+ if misconfigured and emails are blocked.

What can go wrong

  • Misconfiguration: Blocking legitimate emails or failing to stop spoofing.
  • Overly strict policies: Rejecting valid emails from partners.
  • Ignoring reports: Missing signs of spoofing attempts.
  • No enforcement: Setting DMARC to "none" instead of "reject."

Vendor questions (copy/paste)

  1. "Do you provide SPF/DKIM/DMARC setup assistance?"
  2. "Can you monitor DMARC reports for spoofing attempts?"
  3. "What’s your false-positive rate for legitimate emails?"
  4. "Do you support DMARC enforcement (p=reject)?"
  5. "How do you handle subdomain alignment for DKIM/SPF?"

Minimum viable implementation

  1. Publish SPF record: List authorized email systems for your domain.
  2. Enable DKIM: Sign emails with a digital signature.
  3. Set DMARC policy: Start with "p=none" to monitor, then enforce "p=reject."
  4. Monitor reports: Review DMARC reports for spoofing attempts.
  5. Test thoroughly: Verify emails are delivered correctly.
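The five steps above, shown as working code. This is an added example, not code from the original page: the DNS TXT records are constructed for a hypothetical domain (example.com, a made-up mail provider include, a placeholder DKIM public key), and the `Message` fields stand in for what a receiving mail server would already have computed (its SPF result and the `d=` domain of any DKIM signature that verified). The check implements DMARC identifier alignment, which is what "p=none" versus "p=reject" actually decides on: a spoofed message that passes SPF for the attacker's own domain still fails DMARC because that domain does not align with the From: header.

```python
"""Constructed SPF/DKIM/DMARC records and a minimal DMARC disposition check (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS TXT records for a hypothetical domain; values are illustrative only.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 include:_spf.mail-provider.example -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER"  # public key elided
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"          # step 3, monitoring phase
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"  # enforcement


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' style DKIM or DMARC TXT record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> str:
    """Return the qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail, '+' pass, '?' neutral.

    A record ending in '+all' authorizes every sender and is a misconfiguration worth flagging.
    """
    for mech in record.split()[1:]:  # skip the 'v=spf1' version token
        qualifier, name = (mech[0], mech[1:]) if mech[0] in "+-~?" else ("+", mech)
        if name.lower() == "all":
            return qualifier
    return "?"  # no 'all' mechanism: SPF defaults to neutral


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str            # domain of the RFC 5322 From: header the user sees
    spf_domain: str             # envelope MAIL FROM domain that SPF was evaluated against
    spf_result: str             # "pass" or "fail", as computed by the receiver
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, or None


def dmarc_disposition(msg: Message, dmarc_record: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') when DMARC fails."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "no-policy"
    aspf = tags.get("aspf", "r")    # alignment modes default to relaxed
    adkim = tags.get("adkim", "r")
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, aspf)
    dkim_ok = msg.dkim_domain is not None and aligned(msg.dkim_domain, msg.from_domain, adkim)
    # DMARC passes if either authenticated identifier aligns with the From: domain.
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed spoof: SPF passes for the attacker's own envelope domain, no DKIM signature.
    spoof = Message("example.com", "attacker.example", "pass", None)
    print("monitoring policy:", dmarc_disposition(spoof, DMARC_MONITOR))  # none (delivered, only reported)
    print("enforced policy:  ", dmarc_disposition(spoof, DMARC_ENFORCE))  # reject
    print("spf all qualifier:", spf_all_qualifier(SPF_RECORD))
```

The monitoring record and the enforcement record produce the same DMARC result for the spoofed message; only the disposition differs, which is why step 4 matters: the `rua=` aggregate reports received while `p=none` is in place are the evidence that legitimate senders align before switching to `p=reject`.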

When to hire help

  • Complex domains: Multiple subdomains or email providers.
  • Compliance audits: Ensure settings meet industry standards.
  • Troubleshooting: Resolve delivery issues or misconfigurations.
  • Advanced policies: Configure strict DMARC enforcement.


Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.
