Pyalm Guard
Jul 7, 2026

SPF, DKIM, and DMARC Explained: How to Stop Email Spoofing on Your Domain

SPF says who can send, DKIM proves nothing was tampered with, and DMARC ties them together and tells receivers what to do. Here's how the three work — and how to check yours are set up right.

Anyone can put your domain in the "From" field of an email. Without the right DNS records, receiving mail servers have no way to tell your real mail from a spoof — which is why email authentication exists. Three records do the work: SPF, DKIM, and DMARC. They're easy to confuse, so here's what each actually does.

SPF — who is allowed to send

Sender Policy Framework is a DNS TXT record listing the servers permitted to send mail for your domain:

v=spf1 include:_spf.google.com include:sendgrid.net -all

When a server receives mail claiming to be from you, it checks whether the sending IP is in that list. The ending matters: -all (hard fail) says "reject anything not listed," while ~all (soft fail) says "accept but mark suspicious." SPF's main limit is that it validates the envelope sender, not the "From" header a human sees — which is where DMARC comes in.

DKIM — proof it wasn't tampered with

DomainKeys Identified Mail adds a cryptographic signature to your outgoing messages. Your mail server signs each message with a private key; the matching public key lives in a DNS TXT record at a selector (e.g. selector1._domainkey.example.com). The receiver verifies the signature, proving two things: the message really came through your infrastructure, and its signed content wasn't altered in transit. Because it's keyed to a selector, you can run multiple selectors for different providers and rotate keys without downtime.

DMARC — the policy that ties it together

SPF and DKIM authenticate. DMARC decides what to do about failures — and closes the "From" header gap. A DMARC record specifies a policy and where to send reports:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s

DMARC requires alignment: the domain that passed SPF or DKIM must match the visible "From" domain. Then p= tells receivers how to treat mail that fails: none (monitor only), quarantine (send to spam), or reject (block outright). The rua address receives aggregate reports so you can see who's sending as you before you tighten the policy.

The order to roll it out

  1. Publish SPF listing every legitimate sender — don't forget your CRM, invoicing, and support tools.
  2. Enable DKIM with your provider and publish the selector's public key.
  3. Start DMARC at p=none with a rua address, read the reports, fix any legitimate source that's failing alignment.
  4. Move to quarantine, then reject once the reports are clean.

DNSSEC — the layer underneath

All three records live in DNS, and DNS answers can themselves be forged. DNSSEC cryptographically signs your DNS zone so resolvers can detect tampering — worth enabling so the records above can be trusted in the first place.

Check what you actually have

The gap between "we set up SPF once" and "our email authentication is correct today" is where spoofing lives — a missing DMARC policy, a soft ~all nobody tightened, an expired DKIM selector. Pyalm Guard inspects SPF, DKIM across multiple selectors, DMARC, and DNSSEC in one pass and flags spoofing risk. Check your domain.

Assess your domain with Pyalm Guard | Introducing Pyalm Guard | Subdomain takeover explained | HTTP security headers guide

Keep reading

More from Pyalm

Jul 7, 2026

Introducing Pyalm Guard: An Authorized Security Posture Assessment Tool

Point Pyalm Guard at a domain you own and it runs a full, non-destructive checkup — DNS, subdomains, email authentication, TLS, headers, ports, threat intelligence, and breach exposure — scored into one clear risk grade.

Jul 7, 2026

Subdomain Takeover: How Dangling DNS Records Get Hijacked — and How to Find Them

A subdomain takeover happens when a DNS record still points at a service you no longer own. Here's how dangling CNAMEs get hijacked, what an attacker can do with one, and how to detect and close them.

Jul 7, 2026

HTTP Security Headers: A Practical Guide to HSTS, CSP, and the Rest

A handful of response headers quietly decide whether your site can be framed, downgraded, or injected into. Here's what HSTS, CSP, X-Frame-Options and friends do, and how to tell if yours are set right.

Jul 10, 2026

Pyalm Books Is a Full Accounting, POS & Inventory Platform — Not Just E-Invoicing

UAE e-invoicing is why many businesses find Pyalm Books, but it's a fraction of what's inside. Here's the full picture: double-entry accounting, a built-in POS, inventory, purchases, banking, and projects.

Jul 10, 2026

Beyond Broadcasts: Tenreply's Shared Inbox, AI Support and WhatsApp CRM

Broadcasts get attention, but the day-to-day value of Tenreply is everything around them — a shared team inbox, an AI support agent, no-code flows, and a built-in CRM that turns chats into tracked leads.

Jul 10, 2026

More Than Courses: Assignments, Learner Q&A and a Job Board in Pyalm Learn

A course library is table stakes. Pyalm Learn adds the things that make learning stick and pay off — assignments and quizzes, in-context learner Q&A, analytics, and a built-in job board — all under your brand.

Check Your Security Posture in Minutes

Pyalm Guard runs an authorized, non-destructive checkup on a domain you own — DNS, subdomains, email auth, TLS, headers, ports, and threat intel — scored into one clear risk grade. No account, nothing stored on our servers.

Open Pyalm Guard About Pyalm Guard