Domain Security Basics: SPF, DKIM, DMARC, and Why They Matter

A plain-English guide to SPF, DKIM, and DMARC for small businesses using branded email domains and trying to reduce spoofing and trust problems.

Why your domain can be abused even if your mailbox is fine

Your domain is part of your business identity. It supports your website, email, customer trust, password resets, vendor relationships, and sometimes access to the systems that keep work moving.

FTC small-business guidance warns that without email authentication protections, scammers can use your domain to send phishing emails that look like they came from your business. That can damage trust even if the attacker never logged in to your actual mailbox.

What SPF does

SPF stands for Sender Policy Framework. In plain English, it is a DNS record that lists which mail systems are allowed to send email for your domain.

If your business uses Microsoft 365, Google Workspace, a CRM, an invoicing platform, a help desk, or a marketing tool, those senders may need to be represented correctly. SPF can become messy when old vendors stay in the record or too many services are added without review.
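The following is an added example, not code from the original article, showing what a reviewer would actually check when an SPF record has accumulated vendors over time: which senders it authorizes, how many DNS lookups it spends against the limit of 10 from RFC 7208, and whether its final "all" mechanism is safe. The record is a constructed sample for a hypothetical domain; the vendor hostnames in it are placeholders.

```python
"""Parse an SPF TXT record and flag the things that make SPF "messy".

Added example for a hypothetical domain. The mechanism names and the
10-DNS-lookup limit come from RFC 7208; the sample record is constructed.
"""

# Mechanisms that cost a DNS lookup during evaluation (RFC 7208 s.4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10

# Constructed sample: the usual pile-up of mail platforms and old vendors.
SAMPLE_SPF = (
    "v=spf1 include:spf.protection.outlook.com include:_spf.google.com "
    "include:sendgrid.net include:mail.zendesk.com include:spf.crm-vendor.example "
    "include:old-newsletter.example a mx ip4:203.0.113.10 ~all"
)


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= or exp=
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def count_lookups(parsed):
    """Count terms that cost a DNS lookup; the redirect modifier counts too."""
    return sum(1 for _, mech, _ in parsed
               if mech in LOOKUP_MECHANISMS or mech == "redirect")


def authorized_senders(record):
    """List what the record authorizes, for comparison with the vendor inventory."""
    return [f"{mech}:{value}" if value else mech
            for q, mech, value in parse_spf(record)
            if q == "+" and mech != "all"
            and mech in LOOKUP_MECHANISMS | {"ip4", "ip6"}]


def audit_spf(record):
    """Return the findings a reviewer would want to act on, in a fixed order."""
    parsed = parse_spf(record)
    findings = []
    lookups = count_lookups(parsed)
    if lookups > MAX_LOOKUPS:
        findings.append(f"too many DNS lookups: {lookups} > {MAX_LOOKUPS} (SPF will permerror)")
    elif lookups >= MAX_LOOKUPS - 2:
        findings.append(f"close to the lookup limit: {lookups} of {MAX_LOOKUPS}")
    all_terms = [q for q, mech, _ in parsed if mech == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neutral by default")
    elif all_terms[0] in "+?":
        findings.append(f"'{all_terms[0]}all' lets any server send as this domain")
    if any(mech == "ptr" for _, mech, _ in parsed):
        findings.append("'ptr' mechanism is deprecated and slow; remove it")
    if all_terms and parsed[-1][1] != "all":
        findings.append("'all' is not the last term; later terms are never evaluated")
    return findings


if __name__ == "__main__":
    print("authorized:", authorized_senders(SAMPLE_SPF))
    for finding in audit_spf(SAMPLE_SPF):
        print("finding:", finding)
```

The lookup count only reflects the top-level record; each include: pulls in its own record, which can add more lookups, so a record that looks safe here can still exceed the limit once those are resolved. Removing the stale "old-newsletter" include and the unused "a" and "mx" mechanisms is the kind of cleanup this check points at.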

What DKIM does

DKIM stands for DomainKeys Identified Mail. It uses a digital signature to help receiving mail systems verify that a message was authorized by the sending domain and was not changed in transit.

For business owners, the key point is simple: major email platforms can usually enable DKIM, and it is worth confirming that DKIM is active for the services sending email on your behalf.

What DMARC does

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It builds on SPF and DKIM by giving receiving mail systems instructions for what to do when a message claiming to be from your domain does not pass authentication checks.

DMARC can also produce reports that show you who is sending mail using your domain. That visibility is useful before moving toward stricter policies. The content brief this article draws on is careful on one point: DMARC does not stop all phishing. It mainly addresses domain spoofing and improves the decisions receiving servers make.
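To make "does not pass authentication checks" concrete, here is an added example (not code from the original article) that reproduces the decision a receiving server makes: it parses a DMARC record and checks whether the SPF-authenticated domain or the DKIM signing domain aligns with the visible From: domain under the record's strict or relaxed alignment settings. The domains and record are constructed placeholders, and the organizational-domain lookup is a simplification (real receivers use the Public Suffix List).

```python
"""Evaluate DMARC alignment offline, the way a receiving server does.

Added example with constructed domains. Pass None for spf_domain or
dkim_domain when that check did not produce a passing, authenticated domain.
"""

# Tag defaults from RFC 7489: relaxed alignment, full percentage, sp inherits p.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None, "rua": None}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict, applying the spec defaults."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    if tags["sp"] is None:
        tags["sp"] = tags["p"]  # subdomain policy defaults to the domain policy
    return tags


def organizational_domain(domain):
    """Simplified: last two labels. Assumption for this example; real receivers use the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (verdict, policy_to_apply); verdict is 'pass' or 'fail'."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "none"
    # On failure, p= applies to the domain itself and sp= to its subdomains.
    is_org = from_domain.lower() == organizational_domain(from_domain)
    return "fail", tags["p"] if is_org else tags["sp"]


# Constructed record: strict DKIM alignment, relaxed SPF, reject for subdomains.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; "
                 "rua=mailto:dmarc@example.com; adkim=s; aspf=r")

if __name__ == "__main__":
    # A vendor that signs with the customer's own DKIM key but bounces via its own domain.
    print(evaluate(SAMPLE_RECORD, "example.com",
                   spf_domain="sendgrid.net", dkim_domain="example.com"))
    # The same vendor without a customer DKIM key: neither identifier aligns.
    print(evaluate(SAMPLE_RECORD, "example.com",
                   spf_domain="sendgrid.net", dkim_domain="sendgrid.net"))
```

The second case is the common way legitimate vendor mail breaks under DMARC: SPF passes for the vendor's bounce domain, but that domain is not yours, so it does not align. Enabling DKIM with your own domain as d= for that vendor is what fixes it.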

Why alignment, reporting, and cautious rollout matter

A rushed DMARC rollout can break legitimate email if the business has not identified all authorized senders. Start by mapping every platform that sends email from your domain, confirming DNS control, enabling SPF and DKIM where appropriate, and using reporting to see what is happening.

  • Identify all legitimate email senders, including CRM, billing, support, marketing, and website tools.
  • Confirm who controls DNS and the domain registrar account.
  • Publish or clean up SPF.
  • Enable DKIM signing for core email and major sending platforms.
  • Add DMARC in a cautious monitoring mode before enforcement.
  • Review failures, fix alignment, then move toward stronger policy when ready.
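The monitoring step above produces aggregate (rua) reports in XML. As an added example, not from the original article, here is a small summarizer that turns one such report into the two answers the rollout needs: which sending IPs are passing, and which sources fail both aligned checks and need to be identified as an unknown vendor or a spoofer before the policy is tightened. The report XML follows the RFC 7489 aggregate layout but is a constructed sample with placeholder addresses; the 98% readiness threshold is an assumption for illustration, not a standard.

```python
"""Summarize a DMARC aggregate (rua) report before moving past p=none.

Added example. SAMPLE_REPORT is constructed in the RFC 7489 layout; the IPs,
organization name and counts are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.44</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize(report_xml):
    """Return per-source totals: {ip: {"count": n, "passed": n, "failed": n}}."""
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"count": 0, "passed": 0, "failed": 0})
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # In policy_evaluated, dkim/spf already reflect *aligned* results,
        # so a single pass means the message passed DMARC.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary[ip]["count"] += count
        summary[ip]["passed" if dmarc_pass else "failed"] += count
    return dict(summary)


def unauthenticated_sources(report_xml):
    """Sources with no passing mail at all: unknown vendors or spoofing to investigate."""
    return sorted(ip for ip, s in summarize(report_xml).items()
                  if s["failed"] and not s["passed"])


def ready_for_enforcement(report_xml, threshold=0.98):
    """Heuristic readiness check: share of reported volume that passed DMARC."""
    s = summarize(report_xml)
    total = sum(v["count"] for v in s.values())
    passed = sum(v["passed"] for v in s.values())
    return total > 0 and passed / total >= threshold


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_REPORT).items():
        print(ip, stats)
    print("investigate:", unauthenticated_sources(SAMPLE_REPORT))
    print("ready for quarantine/reject:", ready_for_enforcement(SAMPLE_REPORT))
```

Real reports arrive as compressed attachments from many receivers and are best combined over a week or more before drawing conclusions; a source that fails in one report may be a legitimate platform that simply has not had DKIM enabled yet.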

What email authentication cannot do by itself

SPF, DKIM, and DMARC do not fix account compromise, lookalike domains, weak recovery settings, bad payment-change procedures, or social engineering. They are part of the foundation, not the whole house.

A practical domain review should also include registrar MFA, DNS hosting access, recovery emails, exposed services, abandoned subdomains, website signals, and the business process around who can change records. Domain security is both technical and operational.

FAQ

Does DMARC stop all impersonation?

No. DMARC mainly addresses domain spoofing and improves receiving-server decisions. It does not stop every phishing scenario or account compromise.

Can I just turn on reject immediately?

Not always. Map legitimate senders first, confirm SPF and DKIM alignment, and use reporting before strict enforcement.

Do Google and Microsoft handle this automatically?

They help, but custom domains still need correct DNS setup, validation, and review of any third-party senders.

Can 402InfoSec help with SPF, DKIM, and DMARC?

Yes. SignalCheck and Cloud & SaaS Security can include domain email authentication review and practical remediation guidance.

Sources and Notes

This article uses the 402InfoSec content brief as its editorial source of truth and links only to authoritative sources referenced in that brief.
