SPF and DMARC: stop email spoofing of your domain
SPF and DMARC are DNS records that tell receiving mail servers which servers may send email for your domain and what to do with messages that fail. Without them, anyone can spoof your domain in phishing emails.
What it is
SPF (Sender Policy Framework) is a TXT record listing authorized sending servers, e.g. v=spf1 include:_spf.google.com -all. The -all means 'reject everything else'.
DMARC builds on SPF and DKIM and is published as a TXT record at _dmarc.yourdomain.com. Its policy (p=none, quarantine, or reject) tells receivers how to handle messages that fail authentication.
Why it matters
With no SPF/DMARC, attackers can send mail that appears to come from [email protected], making phishing against your customers and staff far more convincing.
A permissive SPF (+all) or a DMARC policy left at p=none provides little real protection — spoofed mail still gets delivered.
How to fix it
List your real senders and end with -all.
yourdomain.com. TXT "v=spf1 include:_spf.google.com -all"
Start at p=none to monitor, then move to quarantine or reject once you've confirmed legitimate mail passes.
_dmarc.yourdomain.com. TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
Publishing two SPF records is a permanent error that disables SPF. Merge all your includes into a single record.
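The following audit script is an added example, not part of the original article or any AppSafe tooling. It applies the checks described above (a missing record, more than one SPF record, a permissive +all or ~all ending, a DMARC policy left at p=none, and the 10-lookup limit) to TXT records supplied as plain strings. The records in main() are constructed sample data for a hypothetical domain; no DNS queries are made, so it runs offline.

```python
import re

# DNS-querying SPF mechanisms/modifiers, which RFC 7208 caps at 10 per evaluation.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _is_lookup_term(term):
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]
    return name in _LOOKUP_TERMS


def audit_spf(txt_records):
    """Audit the TXT records at a domain's apex.

    Returns (status, findings): status is "missing", "permerror" (more than
    one SPF record) or "present"; findings lists weaknesses found.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", ["no SPF record published; any host may send as this domain"]
    if len(spf) > 1:
        # Multiple SPF records are a permanent error, which disables SPF entirely.
        return "permerror", ["%d SPF records found; merge them into one" % len(spf)]

    findings = []
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted hosts get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral; spoofed mail is not penalized")
        elif qualifier == "~":
            findings.append("'~all' is softfail; move to '-all' once senders are confirmed")

    lookups = sum(1 for t in terms if _is_lookup_term(t))
    if lookups > 10:
        findings.append("%d DNS-querying terms exceed the limit of 10 (permerror)" % lookups)
    return "present", findings


def audit_dmarc(txt_records):
    """Audit the TXT records at _dmarc.<domain>.

    Returns (policy, findings): policy is the p= value, "missing" or "invalid".
    """
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return "missing", ["no DMARC record; receivers will not act on SPF/DKIM failures"]

    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()

    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or invalid 'p' tag; receivers ignore the record"]
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append("pct=%d applies the policy to only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    return policy, findings


def main():
    # Constructed sample records for a hypothetical domain.
    apex_txt = ["v=spf1 include:_spf.google.com -all", "google-site-verification=placeholder"]
    dmarc_txt = ["v=DMARC1; p=none"]
    print("SPF:  ", audit_spf(apex_txt))
    print("DMARC:", audit_dmarc(dmarc_txt))


if __name__ == "__main__":
    main()
```

Run it against the TXT records you pull with dig or nslookup for the apex and for _dmarc; a clean result is ("present", []) for SPF and ("reject", []) or ("quarantine", []) for DMARC.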
FAQ
What's the difference between SPF, DKIM, and DMARC?
SPF authorizes sending servers, DKIM cryptographically signs messages, and DMARC ties them together and tells receivers how to act on failures.
Will enforcing DMARC block my legitimate email?
It can if a real sender isn't covered by SPF/DKIM. That's why you start at p=none, read the reports, then tighten.
Is your app affected?
AppSafe checks for this and dozens of other issues in one free scan.