April 28, 2026 · 8 min read · Email SecurityDMARCPhishing

SPF, DKIM, DMARC: A Real-World Setup Guide

If your domain can be spoofed, attackers can impersonate your team in minutes. SPF, DKIM, and DMARC are still the fastest way to reduce phishing risk — if configured correctly.

What each control actually does

SPF: tells receivers which servers may send email for your domain
DKIM: cryptographic signature proving message integrity
DMARC: policy that enforces alignment and reporting

Minimum viable setup

Publish SPF with all legitimate senders (Google, Microsoft, newsletter tools, etc.)
Enable DKIM signing for each platform that sends as your domain
Start DMARC at p=none for visibility, then move to quarantine and reject

v=DMARC1; p=none; rua=mailto:[email protected]; fo=1; adkim=s; aspf=s

Common mistakes that break delivery

Forgetting one sender in SPF (invoice tools, helpdesk, CRM automation)
Using DKIM on primary mailbox but not on transactional mail provider
Jumping to p=reject before monitoring alignment failures
Never reviewing DMARC aggregate reports

Rollout path that avoids drama

Week 1: DMARC p=none, collect reports
Week 2: fix unknown senders and alignment failures
Week 3: move to p=quarantine
Week 4+: move to p=reject when pass rate is stable

Need help validating your setup?

Run EdgeIQ email header analysis to spot SPF/DKIM/DMARC gaps before attackers abuse your domain.

Run a check →