SPF and DMARC

SPF (Sender Policy Framework)

What is SPF?

SPF is an email authentication method designed to detect forged sender addresses during email delivery. It lets domain owners specify which mail servers are permitted to send email on behalf of their domain.

How does SPF work?

The domain owner publishes an SPF record in DNS. This record lists the IP addresses or hostnames authorized to send email for that domain. When an email arrives, the receiving mail server looks up the SPF record for the domain of the envelope sender (the MAIL FROM address, also visible as Return-Path) and checks whether the connecting IP address is authorized by that record. If it is, the email passes the SPF check; otherwise it fails.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What is DMARC?

DMARC builds on SPF and DKIM (DomainKeys Identified Mail) to provide a comprehensive email authentication mechanism. It allows domain owners to specify how to handle emails that fail SPF or DKIM checks and to receive reports about such emails.

How does DMARC work?

The domain owner publishes a DMARC record in DNS. This record specifies the domain's policy for emails that fail SPF or DKIM checks, such as quarantine or reject. DMARC checks whether the domain in the visible "From" header aligns with the domain that SPF validated (the envelope MAIL FROM domain) or with the signing domain (d=) of a valid DKIM signature. If neither SPF nor DKIM both passes and aligns, the email fails DMARC and the published policy is applied (e.g., reject the email). DMARC also provides feedback to domain owners through aggregate and forensic reports, helping them see who is sending email on their behalf and identify unauthorized use.

SPF and DMARC Records Setup

SPF Record

Add the following SPF record to your domain’s DNS settings:

"v=spf1 ip4:192.168.0.1 include:spf.thirdparty.com -all"

SPF Record Parameters:

  • v=spf1: Specifies the version of SPF being used.
  • ip4:192.168.0.1: Authorizes the IP address 192.168.0.1 to send emails on behalf of the domain.
  • include:spf.thirdparty.com: Includes the SPF record published at spf.thirdparty.com, so any sender that record authorizes may also send email on behalf of the domain. Useful if you use a third-party email service.
  • -all: Indicates a hard fail. Mail from any source not matched by the preceding mechanisms fails SPF and should be rejected. Other possible values are ~all (soft fail) and ?all (neutral).

DMARC Record

Add the following DMARC record to your domain’s DNS settings:

"v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100; adkim=s; aspf=s"

DMARC Record Parameters:

  • v=DMARC1: Specifies the version of DMARC being used.
  • p=reject: Policy for emails that fail the DMARC check. Possible values are none (no action, monitoring only), quarantine (treat the email as suspicious), and reject (reject the email).
  • rua=mailto:dmarc-reports@example.com: Address to which aggregate reports should be sent.
  • ruf=mailto:dmarc-forensic@example.com: Address to which forensic reports should be sent.
  • pct=100: Percentage of emails to which the policy is applied. In this case, it’s 100%, meaning all emails are subject to the policy.
  • adkim=s: Alignment mode for DKIM. s (strict) requires the DKIM signing domain to match the From domain exactly; r (relaxed) also accepts subdomains of the same organizational domain.
  • aspf=s: Alignment mode for SPF. s (strict) requires the envelope MAIL FROM domain to match the From domain exactly; r (relaxed) also accepts subdomains of the same organizational domain.
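The following added example (not part of the original page) walks through the SPF and DMARC records above as a receiving server would: it evaluates the ip4/include/all mechanisms of the SPF record for a connecting IP, parses the DMARC tags, and applies strict or relaxed alignment to decide the disposition. DNS is replaced by a constructed in-memory table; the spf.thirdparty.com record is made up, and DKIM signature verification is assumed to have been done elsewhere.

```python
import ipaddress

# Constructed in-memory DNS TXT table (no network); example.com records are the page's, spf.thirdparty.com is made up.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.168.0.1 include:spf.thirdparty.com -all",
    "spf.thirdparty.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                           "ruf=mailto:dmarc-forensic@example.com; pct=100; adkim=s; aspf=s"),
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """Evaluate ip4, include and all mechanisms only (no a/mx/exists/redirect)."""
    if depth > 10:  # loop guard; RFC 7208 also caps DNS-querying terms at 10
        return "permerror"
    rec = DNS_TXT.get(domain, "")
    if not rec.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = term[0] if term[0] in QUAL else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        matched = ((mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False))
                   or (mech == "include" and spf_check(arg, ip, depth + 1) == "pass")
                   or mech == "all")
        if matched:
            return QUAL[qual]
    return "neutral"  # no mechanism matched and no explicit "all"

def parse_dmarc(domain):
    """Return the tag=value pairs of _dmarc.<domain>, or None if there is no valid record."""
    rec = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None

def aligned(from_domain, auth_domain, mode):
    """s = exact match; r = same organizational domain (last two labels here; real checkers use the PSL)."""
    if mode == "s":
        return from_domain == auth_domain
    return from_domain.split(".")[-2:] == auth_domain.split(".")[-2:]

def dmarc_disposition(from_domain, mail_from_domain, source_ip, dkim_domain=None, dkim_pass=False):
    """Return (result, action). DKIM verification is not implemented: caller supplies d= and pass/fail."""
    pol = parse_dmarc(from_domain)
    if pol is None:
        return ("none", "none")
    spf_ok = (spf_check(mail_from_domain, source_ip) == "pass"
              and aligned(from_domain, mail_from_domain, pol.get("aspf", "r")))
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, pol.get("adkim", "r"))
    return ("pass", "none") if (spf_ok or dkim_ok) else ("fail", pol.get("p", "none"))
```

A message whose From is example.com but which arrives from an unlisted IP with no aligned DKIM signature ends up as ("fail", "reject"), which is the outcome the p=reject policy above is meant to produce.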