Email Security

How to Set Up DMARC, DKIM and SPF for Your Domain

SPF, DKIM, and DMARC are three email authentication standards that prevent attackers from spoofing your domain to send phishing emails. Without them, criminals can send email appearing to come from your address — targeting your customers, partners, and staff.

Overview

SPF, DKIM, and DMARC are email authentication standards that prevent attackers from spoofing your domain. Without DMARC in enforcement mode, anyone can send email appearing to come from your business — targeting your customers and contacts. 85% of UK cyber breaches involve phishing (DSIT 2025).

What Is SPF, DKIM, and DMARC?

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are three DNS-based standards that work together to authenticate email sent from your domain. Without them, anyone can send email that appears to come from your domain — a technique used routinely in phishing attacks targeting businesses and their contacts.

SPF is a DNS record that lists the IP addresses and mail servers authorised to send email on behalf of your domain. When a receiving mail server gets an email claiming to be from your domain, it checks whether the sending server is on your SPF list. DKIM adds a cryptographic digital signature to outgoing messages using a private key held by your mail server. The corresponding public key is published in DNS. Receiving servers use this to verify the signature — confirming the email was genuinely sent from an authorised server and has not been modified in transit.

DMARC ties both standards together and adds a policy layer. A message passes DMARC when either SPF or DKIM passes and the domain that passed aligns with the domain in the From header the recipient sees; one aligned pass is enough, so a message is only treated as failing when neither check gives an aligned pass. Your DMARC record tells receiving servers what to do with failing messages: do nothing (monitor only), quarantine them, or reject them outright. DMARC also enables reporting: aggregate reports, sent to the rua address in the record, show which servers are sending email using your domain, including any unauthorised senders.
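The alignment rule above is where most DMARC confusion comes from, so here it is as working code: a receiver-side evaluation that parses the published record, tests whether the SPF (Return-Path) and DKIM (d=) domains align with the From domain under relaxed or strict mode, and picks a disposition, including the pct= sampling used in a staged rollout. This is an added example, not AMVIA's code; the domains, results and the simplified organisational-domain helper are constructed for illustration.

```python
"""DMARC evaluation as a receiver performs it: parse the published record, test
alignment of the SPF and DKIM identifiers against the From domain, and pick a
disposition.  Added example, not AMVIA's code; all domains and results are constructed."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain for relaxed alignment.  Real receivers use the Public
    Suffix List; this stand-in handles plain two-label domains and common UK
    second-level suffixes, which is all the sample data needs (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    uk_suffixes = {"co.uk", "org.uk", "ac.uk", "gov.uk", "ltd.uk", "plc.uk", "me.uk"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in uk_suffixes:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains.  Relaxed ('r', the default): same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain, the address the recipient sees
    spf_result: str             # 'pass', 'fail', 'softfail', 'permerror', ...
    spf_domain: Optional[str]   # RFC5321.MailFrom (Return-Path) domain SPF was checked on
    dkim_result: str            # 'pass' or anything else
    dkim_domain: Optional[str]  # d= tag of the verified signature, if any


def dmarc_evaluate(record: str, r: AuthResults, pct_draw: int = 0) -> dict:
    """Return {'dmarc': 'pass'|'fail', 'disposition': 'none'|'quarantine'|'reject'}.

    DMARC passes when EITHER SPF or DKIM passes AND its domain aligns with the From
    domain; one aligned pass is enough.  pct_draw (0-99) stands in for the random
    sample a receiver takes to honour a pct= tag during a staged rollout."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    policy = tags.get("p", "none")
    if pct_draw >= int(tags.get("pct", "100")):
        # Messages outside the sampled share get the next weaker action (RFC 7489 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"dmarc": "fail", "disposition": policy}


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.uk"
    cases = {
        "own mail server": AuthResults("example.co.uk", "pass", "bounce.example.co.uk", "pass", "example.co.uk"),
        "vendor signing with its own domain": AuthResults("example.co.uk", "pass", "mailer.example.net", "pass", "mailer.example.net"),
        "spoofed": AuthResults("example.co.uk", "fail", "example.co.uk", "none", None),
    }
    for name, results in cases.items():
        print(f"{name:36} {dmarc_evaluate(policy, results)}")
```

The second case is the one that catches businesses out: the vendor's mail passes SPF and DKIM, but on the vendor's own domain, so neither result aligns with example.co.uk and the message is rejected under p=reject. Listing the vendor in your SPF record does not change that unless the vendor also sends with your domain in the Return-Path.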

Why UK Businesses Need Email Authentication

Domain spoofing is one of the most common techniques used in business email compromise and phishing attacks. An attacker sends an email appearing to come from your domain — your suppliers, staff, or customers see a familiar sender name and address, making the message more credible. Without DMARC in enforcement mode, there is nothing to prevent this.

43% of UK businesses experienced a cybersecurity breach in 2025, with 85% of breaches involving phishing (DSIT 2025). Many of these attacks use spoofed domains. A business that has not deployed DMARC has no way to stop its own brand and name being weaponised against others.

From a practical standpoint, DMARC is now increasingly required. Google and Microsoft both require DMARC records for bulk email senders. Many cyber insurance policies ask specifically whether DMARC is deployed. Cyber Essentials guidance recommends email authentication as a baseline control.

How DMARC Works in Practice

A DMARC policy is published as a DNS TXT record at _dmarc.yourdomain. A basic monitoring policy (p=none) collects reports without taking action on unauthenticated email. A quarantine policy (p=quarantine) asks receivers to treat failing messages as suspicious, which in practice means the recipient's spam or junk folder. A reject policy (p=reject) instructs receiving servers to refuse unauthenticated email, normally at SMTP time so the message is never delivered; this is the most protective setting.

Most organisations should progress to p=reject over time. However, moving to reject too quickly can inadvertently block legitimate email — for example, from third-party senders like email marketing platforms, helpdesk systems, or accounting software that send email using your domain but are not yet authenticated. AMVIA takes a staged approach: deploy a monitoring policy first, review aggregate reports to identify all legitimate sending sources, authenticate each one, then advance to quarantine and finally reject.

Common Implementation Problems

The most common mistake in DMARC implementation is deploying SPF and DMARC records without auditing all third-party senders first. Any service that sends email on behalf of your domain — CRM systems, marketing platforms, invoicing software, helpdesk tools — must be included in your SPF record and ideally DKIM-signed before DMARC enforcement is enabled, or those messages will fail DMARC and be quarantined or rejected. Note that an SPF entry only helps DMARC if the service sends with your domain as the envelope (Return-Path) sender; many platforms use their own bounce domain, in which case a DKIM signature using your domain (published through the CNAME or TXT records the vendor provides) is what makes their mail pass.

SPF records are also limited to 10 DNS lookups per evaluation: every include, a, mx, ptr, exists and redirect term counts, while ip4 and ip6 entries are free. Businesses using multiple third-party senders can exceed this limit, and receivers then return a permanent error for SPF rather than a pass, which DMARC does not accept. AMVIA audits your current sending infrastructure and optimises SPF records to stay within the lookup limit whilst including all legitimate senders.
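Counting lookups by eye is error-prone because each include pulls in its own record, which may include or redirect further. The following is an added example, not AMVIA's audit tooling, that walks an SPF record recursively and tallies the lookup-consuming terms. DNS is simulated with a constructed ZONE table of reserved example domains and RFC 5737 addresses so it runs offline; replace lookup_spf with a real TXT query to use it against live DNS. The 2-void-lookup limit from RFC 7208 is not modelled.

```python
"""Count the DNS lookups an SPF record consumes.  RFC 7208 limits the lookup-causing
terms (include, a, mx, ptr, exists and redirect=) to 10 per evaluation; exceed it and
receivers return permerror, which DMARC does not treat as a pass.  Added example, not
AMVIA's tooling; DNS is simulated with the constructed ZONE table so it runs offline."""
import re

# Constructed TXT records standing in for live DNS (assumption: not real providers)
ZONE = {
    "example.co.uk": "v=spf1 mx include:spf.mailprovider.example include:mailer.example.net "
                     "include:_spf.crm.example ip4:203.0.113.10 -all",
    "spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 include:spf-a.mailprovider.example -all",
    "spf-a.mailprovider.example": "v=spf1 ip4:198.51.100.128/25 ip6:2001:db8:1::/48 -all",
    "mailer.example.net": "v=spf1 include:a.mailer.example.net include:b.mailer.example.net -all",
    "a.mailer.example.net": "v=spf1 a mx -all",
    "b.mailer.example.net": "v=spf1 ptr ip6:2001:db8:2::/48 ~all",
    "_spf.crm.example": "v=spf1 redirect=_spf2.crm.example",
    "_spf2.crm.example": "v=spf1 exists:%{i}.check.crm.example a:mail.crm.example -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def lookup_spf(domain: str):
    """Stand-in for a TXT query; returns the SPF record or None."""
    return ZONE.get(domain.lower().rstrip("."))


def count_spf_lookups(domain: str, chain=(), depth=0):
    """Walk the record recursively.  Returns (lookups, report_lines).
    'chain' holds the include/redirect path so loops raise instead of recursing forever.
    The same include appearing twice is counted twice, as a receiver would do it."""
    domain = domain.lower()
    if domain in chain:
        raise ValueError(f"include/redirect loop: {' -> '.join(chain + (domain,))}")
    chain = chain + (domain,)
    record = lookup_spf(domain)
    indent = "  " * depth
    if record is None:
        return 0, [f"{indent}{domain}: no SPF record (receivers return permerror)"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, [f"{indent}{domain}: not an SPF record"]
    total, lines = 0, [f"{indent}{domain}: {record}"]
    for term in terms[1:]:
        term = term.lstrip("+-~?")                      # qualifiers do not change the cost
        if term.lower().startswith("redirect="):
            total += 1
            sub, sub_lines = count_spf_lookups(term.split("=", 1)[1], chain, depth + 1)
            total += sub
            lines += sub_lines
            continue
        mech = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if mech not in LOOKUP_MECHANISMS:
            continue                                    # ip4, ip6 and all cost nothing
        total += 1
        if mech == "include":
            sub, sub_lines = count_spf_lookups(term.split(":", 1)[1], chain, depth + 1)
            total += sub
            lines += sub_lines
    return total, lines


def within_limit(domain: str) -> bool:
    return count_spf_lookups(domain)[0] <= MAX_LOOKUPS


if __name__ == "__main__":
    lookups, report = count_spf_lookups("example.co.uk")
    print("\n".join(report))
    print(f"\n{lookups} DNS lookups (limit {MAX_LOOKUPS}): "
          + ("OK" if lookups <= MAX_LOOKUPS else "OVER LIMIT, SPF returns permerror"))
```

With the constructed zone the top-level record costs 13 lookups: the three includes, the mx, and everything they pull in, including the redirect and exists terms hidden two levels down in the CRM vendor's record. The usual fixes are to replace a, mx and include terms with the provider's published ip4/ip6 ranges where they are stable, and to drop entries for services no longer in use.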

Key Considerations for UK SMEs

  • Start with a p=none DMARC policy and review aggregate reports for 30 days before enforcing
  • Identify all third-party services sending email on your domain before moving to quarantine or reject
  • Check your SPF record does not exceed 10 DNS lookups — a common cause of SPF failures
  • Monitor DMARC aggregate reports regularly to detect new unauthorised senders
  • Apply DMARC to all your domains, including inactive ones that could be spoofed
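Reviewing aggregate reports, as the monitoring step above requires, means reading the XML that receivers send to your rua address. The example below is added here and is not AMVIA's monitoring platform: it unpacks a report (they arrive as .xml.gz or .zip attachments), extracts every source IP with its volume and the receiver's aligned results, and sorts sources into three buckets a practitioner actually acts on differently: authenticated, a legitimate third party whose SPF or DKIM passed on its own domain and just needs aligning, and sources where nothing passed at all. The report is constructed using reserved documentation addresses and domains.

```python
"""Triage a DMARC aggregate (rua) report: receivers send one gzip/zip XML file per day
listing every source IP that sent mail with your domain in From, with the aligned SPF
and DKIM results the receiver computed.  Added example, not AMVIA's platform; the
report below is constructed, with reserved documentation addresses and domains."""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

SAMPLE_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>20250101-example.co.uk</report_id>
    <date_range><begin>1735689600</begin><end>1735775999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.co.uk</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.co.uk</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.co.uk</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>96</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
      <spf><domain>mailer.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>1530</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>example.co.uk</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def unpack_report(data: bytes) -> str:
    """Reports arrive as .xml.gz or .zip attachments; accept either, or bare XML."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data).decode()
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode()
    return data.decode()


def parse_report(xml_text: str) -> list:
    """One dict per <record>: source, volume, aligned (policy_evaluated) results and
    the raw per-domain passes from auth_results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        raw_passes = [f"{kind}:{a.findtext('domain')}" for kind in ("dkim", "spf")
                      for a in rec.findall(f"auth_results/{kind}") if a.findtext("result") == "pass"]
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "aligned_dkim": rec.findtext("row/policy_evaluated/dkim"),
            "aligned_spf": rec.findtext("row/policy_evaluated/spf"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "raw_passes": raw_passes,
        })
    return rows


def classify(row: dict) -> str:
    """'authenticated': an aligned pass.  'unaligned_third_party': SPF/DKIM passed but
    on another domain, so a legitimate vendor that needs aligning before enforcement.
    'unauthenticated': nothing passed, so an unknown source or spoofing."""
    if "pass" in (row["aligned_dkim"], row["aligned_spf"]):
        return "authenticated"
    if row["raw_passes"]:
        return "unaligned_third_party"
    return "unauthenticated"


def triage(xml_text: str) -> dict:
    """Group the report's sources by class."""
    out = {"authenticated": [], "unaligned_third_party": [], "unauthenticated": []}
    for row in parse_report(xml_text):
        out[classify(row)].append(row)
    return out


if __name__ == "__main__":
    for cls, rows in triage(unpack_report(SAMPLE_XML.encode())).items():
        volume = sum(r["count"] for r in rows)
        print(f"{cls:22} {volume:6} msgs  " + ", ".join(r["source_ip"] for r in rows))
```

In the constructed report the second source is the pattern to look for before moving past p=none: its mail passes DKIM and SPF for mailer.example.net, so it is almost certainly a vendor sending on your behalf, and it will start failing the moment you enforce unless its DKIM signing is moved onto your domain. The third source passes nothing and is what the reject policy exists for.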

How AMVIA Can Help

AMVIA configures SPF, DKIM, and DMARC for UK businesses as part of its managed email security service. We audit your current sending infrastructure, implement authentication records, and use a DMARC monitoring platform to review aggregate reports and advance your policy to enforcement over a structured timeline. For businesses using Microsoft 365, AMVIA configures DKIM signing for your domain within Exchange Online as standard. DMARC configuration is included in AMVIA's managed cybersecurity service and can be delivered as a standalone engagement for businesses that only need email authentication support.

Key Points

What UK businesses need to know about email authentication.

Domain Spoofing is Common

85% of UK cyber breaches involve phishing (DSIT 2025). Without email authentication, any attacker can send email appearing to come from your domain.

Three Layered Standards

SPF, DKIM, and DMARC each address a different aspect of email authentication — all three are needed for complete protection.

UK and International Requirements

NCSC and Cyber Essentials both recommend DMARC. Google and Microsoft now require DMARC for bulk email senders.

DMARC Reporting Provides Visibility

DMARC aggregate reports show all email sent using your domain, including unauthorised senders you may not know about.

Email Authentication Checklist

SPF record published and validated for your domain

DKIM signing enabled for Microsoft 365 (or your mail platform)

DMARC record deployed — at minimum p=none to collect reports

All third-party senders identified and authenticated before enforcement

DMARC policy advanced to p=quarantine or p=reject

DMARC applied to all your domains, including inactive ones

Protect Your Domain from Email Spoofing

AMVIA configures SPF, DKIM, and DMARC for UK businesses and manages the transition to enforcement — so your domain cannot be used to phish your contacts.