Every day, billions of fraudulent emails are sent by impersonating legitimate brands. If your domain isn't properly configured, anyone can send emails pretending to be you — and your recipients won't be able to tell the difference.
The Problem: SMTP Is Vulnerable by Design
SMTP, the protocol that carries email, is more than 40 years old and was designed at a time when trust between mail servers was the norm. The "From:" field of a message is not verified by default: it is a plain declaration that any server can forge.
That's why three complementary mechanisms were created to close this gap: SPF, DKIM, and DMARC.
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists the servers authorized to send email for your domain. When a receiving server gets a message whose envelope sender (the MAIL FROM address) uses your domain, it looks up your SPF record and checks whether the IP address that delivered the message is listed.
A missing or misconfigured SPF record leaves the door open to spoofing. An overly permissive one (ending in +all, which authorizes every sender) is just as dangerous as having no SPF at all.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each outgoing email. The signature, generated with a private key on the sending server, can be verified by any receiving server using the public key published in your DNS.
Even if an attacker intercepts or copies one of your emails, they cannot produce a valid DKIM signature for a modified or new message without your private key.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is the policy layer that ties SPF and DKIM together. It tells receiving servers what to do with messages that pass neither check for a domain aligned with the From: header: deliver them anyway (p=none), send them to spam (p=quarantine), or reject them outright (p=reject).
DMARC also lets you receive daily aggregate reports showing which servers are sending email on your behalf, legitimate or otherwise.
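The SPF and DMARC weaknesses described above can be checked offline once the TXT records are in hand. The following script is an added example, not SiteCheck's own code: it parses both record types and flags the cases discussed here (missing record, +all, p=none, no reporting address). The records it audits are constructed samples for example.com, not real DNS data.

```python
def parse_spf(txt):  # -> {"mechanisms": [(qualifier, term)], "all": qualifier} or None
    if not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        if "=" in term:      # modifiers such as redirect= or exp= are not mechanisms
            continue
        qualifier = "+"      # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}

def parse_dmarc(txt):  # -> dict of lower-cased tag -> value, or None
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records look sound."""
    findings = []
    spf = parse_spf(spf_txt or "")
    if spf is None:
        findings.append("SPF: record missing, any server can send as this domain")
    elif spf["all"] in ("+", None):
        findings.append("SPF: '+all' or no 'all' term, unauthorized senders are not rejected")
    dmarc = parse_dmarc(dmarc_txt or "")
    if dmarc is None:
        findings.append("DMARC: record missing, SPF/DKIM failures are not enforced")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid 'p' tag, receivers ignore the record")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no 'rua' address, aggregate reports are never received")
    return findings

# Constructed sample records for example.com (not real DNS data)
WEAK = audit("v=spf1 include:_spf.example.net +all", "v=DMARC1; p=none")
STRONG = audit("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```

DKIM is not covered here because validating it requires fetching the selector's public key and verifying a signed message, not just reading a policy record.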
The Consequences of Poor Configuration
Beyond the phishing risk to your customers, a domain without SPF/DKIM/DMARC will be progressively downgraded by spam filters at major providers (Gmail, Outlook). Since February 2024, Google and Yahoo require these three records for bulk senders.
SiteCheck checks for the presence and validity of these three records in the DNS category of every full audit.