Email Security

DMARC, SPF, and DKIM: The Complete Guide for UK Businesses

A step-by-step guide to email authentication for UK businesses. Learn how SPF, DKIM, and DMARC work together to stop email spoofing and protect your domain reputation.

3 April 2026 · 10 min read · #DMARC #SPF #DKIM

Why email authentication matters in 2026

Your company domain is one of your most valuable assets. Without proper email authentication, anyone in the world can send email that appears to come from your domain. This is how business email compromise (BEC) attacks start — and they cost UK businesses hundreds of millions of pounds each year.

Three DNS records protect you: SPF, DKIM, and DMARC. They work as a stack. Miss one and the whole system weakens.

SPF — Sender Policy Framework

An SPF record is a TXT record published in your DNS that lists every server authorised to send email from your domain. When a receiving mail server gets a message claiming to be from you, it checks your SPF record. If the sending server is not on the list, the message can be marked as spam or rejected.

A typical SPF record looks like:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

The final ~all is a softfail — messages from unlisted servers are accepted but flagged. Use -all for a hard fail if you have confidence all your senders are listed.

Common SPF mistakes: too many DNS lookups (limit is 10), forgetting to include cloud mail providers, using +all (which allows anyone to send as you).
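As an added example (not code from the article or from VP Shield), the following Python linter parses an SPF TXT record offline and reports the mistakes listed above: it counts the mechanisms and modifiers that cost a DNS lookup against the limit of 10, reports the qualifier on the final all term (flagging +all), and notes terms placed after all, which are never evaluated. The records it checks are constructed here; include: and redirect= targets are not resolved, so the lookup count is for this record alone rather than the recursive total a receiver would compute.

```python
"""Offline linter for a single SPF TXT record (RFC 7208 syntax). Added example."""

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10 per
# evaluation. include: and redirect= also pull in the lookups of the target record,
# so the true total needs recursive resolution, which this offline check does not do.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def parse_spf(record):
    """Return a list of (qualifier, name, value) tuples for each term after v=spf1."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        if term.lower().startswith(("redirect=", "exp=")):   # modifiers use name=value
            name, value = term.split("=", 1)
            parsed.append(("+", name.lower(), value))
            continue
        qualifier = "+"                                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if ":" in term:                                       # include:domain, ip4:addr/len
            name, value = term.split(":", 1)
        elif "/" in term:                                     # a/24 or mx/24 on the implicit domain
            name, value = term.split("/", 1)
            value = "/" + value
        else:                                                 # bare a, mx, ptr, all
            name, value = term, None
        parsed.append((qualifier, name.lower(), value))
    return parsed


def lint_spf(record):
    """Count lookup-costing terms and flag the common mistakes."""
    terms = parse_spf(record)
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    all_index = next((i for i, (_, name, _) in enumerate(terms) if name == "all"), None)
    all_qualifier = terms[all_index][0] if all_index is not None else None
    findings = []
    if lookups > 10:
        findings.append(f"{lookups} lookup-costing terms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    elif all_qualifier == "~":
        findings.append("advisory: '~all' softfails; move to '-all' once every sender is listed")
    if all_index is not None and all_index != len(terms) - 1:
        findings.append("terms after 'all' are never evaluated")
    return {"lookups": lookups, "all_qualifier": all_qualifier, "findings": findings}


if __name__ == "__main__":
    # Constructed records: the one from the article and two deliberately bad ones.
    for rec in (
        "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
        "v=spf1 +all",
        "v=spf1 " + " ".join(f"include:mail{i}.example" for i in range(11)) + " -all",
    ):
        print(rec, "->", lint_spf(rec))
```

Run it against your own record to see the lookup count before adding another include:; each cloud provider's include: typically expands to several more lookups once resolved.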

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to outgoing messages. The private key lives on your mail server; the matching public key is published in DNS. Receiving servers verify the signature. If the signature verifies, the signed parts of the message have not been tampered with in transit and the message genuinely originated from a server holding your private key.

DKIM public keys are published as TXT records at: selector._domainkey.yourdomain.com

Most hosted mail providers (Google Workspace, Microsoft 365) configure DKIM automatically, but you must enable it in the admin console and complete the DNS verification step. Many organisations skip this step and run without DKIM for years.

DMARC — Domain-based Message Authentication, Reporting & Conformance

SPF and DKIM tell receiving servers how to check your mail. DMARC tells them what to do when the check fails and — critically — sends you reports so you know about it.

DMARC is published as a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

The p= tag is the policy:

  • p=none — monitor only, no action taken. Start here to understand your mail flows.
  • p=quarantine — failing messages go to spam. Move here after reviewing reports.
  • p=reject — failing messages are blocked entirely. The goal for all domains.

The rua= tag names the address that receives aggregate XML reports, typically once a day. These show which servers are sending mail as your domain — legitimate and illegitimate.

The DMARC alignment requirement

DMARC requires that the domain in the visible From: header aligns with either the SPF-authenticated domain or the DKIM-signed domain. This is what closes the spoofing loophole — an attacker cannot simply forge your From: address because the underlying authentication will not align.

Deployment order

  1. Enable and verify DKIM in your mail provider admin console
  2. Publish an SPF record listing all your sending sources
  3. Publish a DMARC record with p=none and a reporting address
  4. Review aggregate reports for 2–4 weeks to identify all legitimate senders
  5. Move to p=quarantine, then p=reject
  6. Add subdomain policy: sp=reject to cover parked subdomains
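The following Python code is an added example, not code from the article or from VP Shield. It parses a DMARC record, applies the alignment rule described above (relaxed alignment on the organizational domain by default, strict when aspf=s or adkim=s), selects p= or sp= according to whether the From: domain is a subdomain (step 6 above), and returns the disposition a receiver would apply. The same tag=value parser handles a DKIM selector record, so a small check for a revoked key (empty p=) and testing mode (t=y) is included. The domain names and scenarios are constructed; the list of multi-label suffixes is a hypothetical stand-in for the Public Suffix List that real evaluators use, and pct= is reported rather than randomly sampled.

```python
"""DMARC record parsing, identifier alignment and policy selection. Added example."""


def parse_tag_value(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM key records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)  # base64 padding in a DKIM p= may contain '=' too
        tags[key.strip().lower()] = value.strip()
    return tags


# Hypothetical stand-in for the Public Suffix List; real evaluators consult the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def organizational_domain(domain):
    """Registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(record, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Combine authenticated identifiers with the record to get a DMARC result and disposition.

    spf_pass_domain: the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domains: d= values of every DKIM signature that verified.
    """
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok
    # sp= covers mail whose From: domain is a subdomain; otherwise p= applies.
    is_subdomain = from_domain.lower().rstrip(".") != organizational_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy,
        # pct= tells receivers to apply the policy to only that share of failing mail;
        # reported here rather than sampled so the output stays deterministic.
        "pct": int(tags.get("pct", "100")),
    }


def check_dkim_key_record(record):
    """Lint a selector._domainkey TXT record for the states that silently break DKIM."""
    tags = parse_tag_value(record)
    findings = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append("v= present but not DKIM1")
    if not tags.get("p"):
        findings.append("empty p=: key is revoked, every signature using this selector fails")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, a failing signature is treated as if the mail were unsigned")
    return findings


if __name__ == "__main__":
    article_record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
    # Constructed scenarios: legitimate relay, spoofed From:, and a parked subdomain.
    print(evaluate_dmarc(article_record, "yourdomain.com", spf_pass_domain="mail.yourdomain.com"))
    print(evaluate_dmarc(article_record, "yourdomain.com", spf_pass_domain="attacker.example"))
    print(evaluate_dmarc("v=DMARC1; p=quarantine; sp=reject", "parked.yourdomain.com"))
    print(check_dkim_key_record("v=DKIM1; k=rsa; t=y; p="))
```

The second scenario is the spoofing case from the alignment section: SPF and DKIM may both pass for the attacker's own domain, but neither aligns with the forged From: domain, so the message fails DMARC and the p= policy applies. The third shows why step 6 matters: without sp=, a parked subdomain inherits p= only, so set sp=reject explicitly when p= is still at quarantine.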

Check your current posture

VP Shield checks SPF, DKIM (where detectable), DMARC policy, and DMARC alignment for any domain in seconds — free, no login required. If your domain currently has no DMARC policy or a p=none policy, anyone can spoof your email address right now.

Check your domain security now

VP Shield runs a free passive scan on any domain — DNS, TLS, email authentication, security headers, subdomain takeover risk. No login, no install, two minutes.