What is SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are three email authentication standards that work together to prevent email spoofing and phishing. Understanding them helps you protect your domain and explains why some emails fail spam checks.
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Receivers evaluate it against the envelope sender (the SMTP MAIL FROM address, visible to you as Return-Path), not against the From header a user sees in their mail client.
How it works
- You publish a TXT record in your DNS:

```
v=spf1 include:_spf.google.com ~all
```

- When someone receives an email claiming to be from your domain, their mail server looks up the SPF record of the envelope sender's domain
- If the IP address of the connecting server matches one of the authorized servers, SPF passes
- If not, SPF fails — and the email is more likely to be flagged as spam
Common SPF syntax
| Mechanism | Meaning |
|---|---|
| include:domain.com | Authorize all servers listed in that domain's SPF record |
| ip4:203.0.113.0/24 | Authorize a specific IP range |
| ~all | Soft fail — unauthorized servers are suspicious but not outright rejected |
| -all | Hard fail — unauthorized servers are rejected |

Mechanisms are evaluated left to right and the first match wins, so `all` belongs last. Keep the record small: SPF allows at most 10 DNS-querying mechanisms (include, a, mx, ptr, exists and redirect) per evaluation, and a record that exceeds the limit returns a permanent error rather than a pass.
For Cleanbox users: If you connect a custom domain, add include:_spf.cleanbox.to to your SPF record so forwarded emails pass authentication at their final destination.
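The evaluation described above, written out as an added example (not Cleanbox code and not a complete RFC 7208 implementation). It models the `ip4`, `ip6`, `include` and `all` mechanisms from the table, the envelope-sender domain selection, and the 10-lookup limit; the DNS zone is a constructed in-memory table so the example runs offline, and every domain in it is a placeholder.

```python
import ipaddress

# Constructed zone data so the example runs offline; real code would query the
# TXT record of each domain. All domains here are documentation placeholders.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:203.0.113.5 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: include/a/mx/ptr/exists/redirect count toward this

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_domain(mail_from, helo):
    """SPF is evaluated on the envelope sender (MAIL FROM / Return-Path) domain;
    a null sender (bounce) falls back to the HELO/EHLO hostname."""
    return mail_from.rsplit("@", 1)[1] if "@" in mail_from else helo


def check_spf(domain, ip, zone=ZONE, _lookups=None):
    """Evaluate ip against domain's SPF record.
    Returns pass / fail / softfail / neutral / none / permerror (RFC 7208 s2.6)."""
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive include: evaluations
    record = zone.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups; this also stops include loops
            inner = check_spf(arg, ip, zone, _lookups)
            if inner in ("permerror", "none"):
                return "permerror"  # RFC 7208 s5.2: include of a missing record is an error
            matched = inner == "pass"  # only an inner pass matches; fail/softfail/neutral do not
        else:
            return "permerror"  # a, mx, ptr, exists and redirect= are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term (RFC 7208 s4.7)


if __name__ == "__main__":
    sender = spf_domain("newsletter@example.com", "mx1.example.com")
    for ip in ("203.0.113.9", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(sender, ip, check_spf(sender, ip))
    print("strict.example", "192.0.2.1", check_spf("strict.example", "192.0.2.1"))
    print("loop.example", "192.0.2.1", check_spf("loop.example", "192.0.2.1"))
```

The `~all` record returns `softfail` for an unknown IP while the `-all` record returns `fail`; the self-including `loop.example` record never matches an IP and instead exhausts the lookup budget, which is why real evaluators return `permerror` for it rather than spinning forever.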
DKIM (DomainKeys Identified Mail)
DKIM attaches a cryptographic signature (the DKIM-Signature header) to outgoing email. A valid signature proves that the signed headers and the body have not been modified since the signing domain signed them, and it names that domain in its d= tag.
How it works
- The sending server canonicalizes the body and the headers listed in the signature's h= tag and signs their hash with a private key
- The corresponding public key is published as a DNS TXT record at selector._domainkey.domain, where the selector and domain are the s= and d= tags of the signature
- The receiving server fetches that public key, recomputes the hashes and verifies the signature
- If the signature is valid, DKIM passes — the signed parts of the message are exactly what the d= domain signed
DKIM protects against modification in transit: anyone who alters a signed header or the body breaks the signature. It does not encrypt the message, and a DKIM pass on its own does not prove that the From header is genuine, because the d= domain can differ from the From domain; checking that the two match is what DMARC alignment adds.
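The canonicalization and hashing half of that process, as an added example that is not Cleanbox's or any DKIM library's code. It implements relaxed header and body canonicalization from RFC 6376, computes the bh= body hash and the header hash a signer would sign; the actual public-key signature that becomes the b= tag is left out, so the block needs only the standard library. The message, domain and selector are constructed placeholders.

```python
import base64
import hashlib
import re

# Constructed sample message: headers as (name, value) pairs, body with CRLF
# line endings. The domain and selector are placeholders, not real DNS names.
HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Invoice  for\r\n   March"),  # folded header with extra whitespace
    ("Date", "Mon, 01 Jan 2024 10:00:00 +0000"),
]
BODY = "Please pay   $100 by Friday.  \r\n\r\n\r\n"
SIGNED = ["from", "to", "subject", "date"]  # the h= list


def relaxed_header(name, value):
    """RFC 6376 s3.4.2: lowercase name, unfold, collapse WSP runs, strip WSP around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower().strip()}:{value}\r\n"


def relaxed_body(body):
    """RFC 6376 s3.4.4: collapse WSP runs, strip trailing WSP per line, drop
    trailing empty lines, and end a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_header_block(headers, h_list):
    """Select the headers named in h= from the bottom of the message upward
    (RFC 6376 s5.4.2), so a duplicate header prepended later is not the one covered."""
    remaining = list(headers)
    out = []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(relaxed_header(*remaining.pop(i)))
                break  # a name listed in h= with no header left contributes nothing
    return "".join(out)


def signing_input(headers, body, domain, selector, h_list):
    """Build the DKIM-Signature value with b= empty and return it with the hex
    SHA-256 digest that the signer's private key would sign (the b= tag)."""
    dkim = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(h_list)}; bh={body_hash(body)}; b=")
    # The DKIM-Signature header itself comes last, with b= empty and no trailing CRLF.
    data = signed_header_block(headers, h_list) + relaxed_header("DKIM-Signature", dkim).rstrip("\r\n")
    return dkim, hashlib.sha256(data.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    dkim, digest = signing_input(HEADERS, BODY, "example.com", "s1", SIGNED)
    print("DKIM-Signature:", dkim)
    print("header hash to sign:", digest)
    # Whitespace-only changes survive relaxed canonicalization...
    print(body_hash(BODY) == body_hash("Please pay $100 by Friday.\r\n"))
    # ...but a changed amount does not.
    print(body_hash(BODY) == body_hash("Please pay $1000 by Friday.\r\n"))
```

Two things worth trying with it: adding a header that is not in h= leaves the header hash unchanged, which is why signers should list every header that matters to the reader; and because headers are selected from the bottom up, a second From header prepended by an attacker is not covered unless "from" appears twice in h= (over-signing), in which case the extra header changes the hash and the signature fails.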
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails.
How it works
- You publish a DMARC DNS record as a TXT record at _dmarc.yourdomain.com:

```
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
```

- When an email arrives, the receiving server checks both SPF and DKIM
- DMARC passes if at least one of them passes and its domain aligns with the domain in the From header (the envelope sender domain for SPF, the d= domain for DKIM). By default alignment is relaxed, so a subdomain such as bounce.yourdomain.com aligns with yourdomain.com; adkim=s and aspf=s require an exact match
- If neither SPF nor DKIM produces an aligned pass, the p= policy tells the server what to do: none (monitor), quarantine (spam folder) or reject (drop)
- The rua= address receives aggregate reports from receivers, which is how you find legitimate senders that are failing before you tighten the policy
DMARC policies
| Policy | Action on failure |
|---|---|
| p=none | Do nothing — just send reports (monitoring mode) |
| p=quarantine | Move failing emails to spam/junk |
| p=reject | Reject failing emails entirely |
How they work together
```
Email arrives at receiving server
|
+-- SPF check: Is the connecting server authorized for the envelope sender domain?
+-- DKIM check: Does the signature verify with the public key at <s>._domainkey.<d>?
|
+-- DMARC check: Does SPF or DKIM pass with a domain aligned to the From domain?
|   |
|   +-- At least one aligned pass → Deliver normally
|   +-- No aligned pass → Apply DMARC policy (none/quarantine/reject)
|
v
Final delivery decision (+ spam score from other factors)
```
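The DMARC step of that flow, written out as an added example (not Cleanbox code) that serves both the DMARC description above and the diagram. It parses a DMARC record, applies relaxed or strict alignment, and returns the DMARC result together with the disposition the receiver should apply. The record and all domains are constructed placeholders; the organizational-domain helper is a simplification that does not consult the Public Suffix List, and the pct= and sp= tags are not modelled.

```python
# Constructed record and identities; all domains are placeholders.
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r"


def parse_dmarc(record):
    """Parse the TXT record found at _dmarc.<domain>; relaxed alignment is the default."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: real code uses the Public Suffix List,
    without which e.g. 'example.co.uk' would wrongly be cut to 'co.uk'."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict (s) alignment needs an exact match; relaxed (r) only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).
    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is the
    d= of the signature that verified (None if there was none).
    DMARC passes when EITHER mechanism passes AND its domain aligns with From."""
    tags = parse_dmarc(record)
    spf_aligned_pass = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned_pass = (dkim_result == "pass" and dkim_domain is not None
                         and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass", "none"
    return "fail", tags["p"]  # pct= sampling and the sp= subdomain policy are omitted here


if __name__ == "__main__":
    # SPF passes on the bounce subdomain, no DKIM: relaxed alignment still passes.
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "pass", "bounce.example.com", "none", None))
    # A third-party mailer passes SPF for its own domain but is not aligned: policy applies.
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "pass", "mailer.example", "none", None))
    # Forwarding broke SPF but the DKIM signature survived: still a DMARC pass.
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "fail", "example.com", "pass", "example.com"))
```

The third case is the one that matters for forwarding: a forwarder usually cannot keep SPF passing for the original sender, but as long as it does not rewrite signed headers or the body, the DKIM signature still verifies and DMARC passes on that alone.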
What this means in Cleanbox
Cleanbox checks SPF, DKIM, and DMARC on every incoming email as part of the spam detection process. Failed authentication adds to the spam score. You can see the results in the spam report for each message:
- SPF pass/fail — Whether the sending server is authorized
- DKIM pass/fail — Whether the signature is valid
- DMARC pass/fail — Whether SPF or DKIM passed with a domain aligned to the From header domain
For Relay users, Cleanbox adds an Authentication-Results header (RFC 8601) to every forwarded message so your mail server can see the authentication results without having to check again. Because any sender can put an Authentication-Results header on its own message, configure your server to trust only the header whose authserv-id identifies Cleanbox and to ignore any others; receiving MTAs are expected to strip headers carrying their own authserv-id that arrive from outside for the same reason.
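A consumer for that header on the downstream side, as an added example (not Cleanbox code). It parses an RFC 8601 Authentication-Results value into a per-method dictionary and refuses to use it unless the authserv-id is one you trust. The header text and the authserv-id `relay.cleanbox.example` are constructed placeholders; substitute the value your relay actually writes.

```python
import re

# Placeholder for the authserv-id your relay writes into Authentication-Results.
TRUSTED_AUTHSERV_IDS = {"relay.cleanbox.example"}

# Constructed header value in RFC 8601 syntax, including a (comment) as real
# verifiers often emit.
SAMPLE = ("relay.cleanbox.example; spf=pass smtp.mailfrom=news.sender.example; "
          "dkim=pass (2048-bit key) header.d=sender.example header.s=s1; "
          "dmarc=pass header.from=sender.example")

# A header a sender could attach to its own message, hoping to be believed.
FORGED = "mail.attacker.example; dmarc=pass header.from=bank.example"


def parse_authentication_results(value, trusted=TRUSTED_AUTHSERV_IDS):
    """Parse an Authentication-Results value into {method: {"result": ..., prop: ...}}.
    Returns None when the authserv-id is not trusted: such a header carries no
    authority (a border MTA should have stripped it, RFC 8601 s7.1)."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop (comments), e.g. "(2048-bit key)"
    authserv, *resinfos = [p.strip() for p in value.split(";")]
    authserv_id = authserv.split()[0].lower()  # an optional version number may follow it
    if authserv_id not in trusted:
        return None
    results = {}
    for info in resinfos:
        if not info or info.lower() == "none":
            continue  # "none" means the relay performed no checks
        method_result, *props = info.split()
        method, _, result = method_result.partition("=")
        entry = {"result": result.lower()}
        for prop in props:  # e.g. header.d=sender.example, smtp.mailfrom=...
            key, _, val = prop.partition("=")
            entry[key.lower()] = val
        results[method.lower()] = entry
    return results


def relay_authenticated(value, trusted=TRUSTED_AUTHSERV_IDS):
    """True only if a trusted relay recorded a DMARC pass for the message."""
    parsed = parse_authentication_results(value, trusted)
    return bool(parsed) and parsed.get("dmarc", {}).get("result") == "pass"


if __name__ == "__main__":
    print(parse_authentication_results(SAMPLE))
    print(relay_authenticated(SAMPLE), relay_authenticated(FORGED))
```

Note that the authserv-id check alone is not enough if an attacker guesses your relay's identifier and forges it; that is why the stripping rule in RFC 8601 sits at the border MTA, and why this parser should only be applied to the header your relay is known to have added on top of the message.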