Understanding email authentication and domain spoofing: SPF, DKIM, and DMARC
Your business is a target for phishing and spoofing attacks. If your email isn't authenticated, attackers can easily impersonate your domain. Without authentication, anyone on the internet can send an email pretending to be you.

What does email authentication mean?
Email authentication is a set of technical standards that verify an email's sender is who they claim to be. It was developed because the original email protocol (Simple Mail Transfer Protocol, or SMTP) has no built-in feature to prevent a forged sender address.
To understand authentication, it's helpful to know that an email has two sender addresses:
1. The envelope sender (RFC 5321)
Also known as the MAIL FROM address, P1 sender, or return-path, this is the technical address used by mail servers behind the scenes for routing and delivery.
- Purpose: It tells the receiving server where to send automated messages, such as bounce notifications or non-delivery reports (NDRs).
- Visibility: Recipients typically never see this address in their email client; it is part of the hidden message "envelope".
- Security Role: This is the address verified by SPF.
2. The header sender (RFC 5322)
Also known as the From: address or P2 sender, this is the visible address in your inbox (e.g., From: your-bank@example.com).
- Purpose: This is the "friendly" address designed for human interaction, informing the recipient who the message appears to be from.
- Visibility: This is the only address most users see when they open their inbox.
- Security Role: This address is the one attackers most commonly spoof, and it is the primary focus of DMARC alignment checks.
This design makes email spoofing (faking the From: address) simple. An attacker can use a valid envelope sender that they control to pass basic server checks while using a fraudulent header sender to trick the recipient. Email authentication protocols like DMARC close this gap by requiring the domain in the From: header to align with the domain that passed the SPF or DKIM check.
Why is email authentication essential for businesses?
For businesses, implementing email authentication is a non-negotiable defense. It:
- Stops spoofing and phishing: Prevents attackers from sending fraudulent emails from your domain.
- Protects your brand reputation: Keeps your brand from being associated with spam and phishing scams.
- Improves email deliverability: Signals to other mail providers that you are a legitimate sender, which keeps your emails out of the spam folder.
The 3 core email authentication methods
A strong defense relies on three standards working together: SPF, DKIM, and DMARC. Each one builds on the last to create a multilayered defense.
1. Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is a public list of all the servers (by IP address) that are allowed to send email for your domain.
How it works
You publish the list as a DNS TXT record for your domain. When a receiving mail server gets a message, it checks the sending server’s IP against that list. If the IP is on the list, the message passes the SPF check; if not, it fails.
The weakness
SPF only verifies the technical sending address used by mail servers (the envelope sender), not the visible From: address that people see in their inbox. This gap lets a spoofer pass SPF with an envelope domain they control while still forging the From: address. Because SPF is a path-based protocol, it also often fails when an email is forwarded through a mailing list or partner server: the forwarding server isn’t on your authorized list, so the check fails even though the message is legitimate.
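The check described above, as an added example (not code from the original article or from Proton): a small SPF evaluator that walks a record's mechanisms and qualifiers in order, follows include:, a and mx terms, and enforces the RFC 7208 limit of ten DNS-querying terms. The DNS tables, domains and IP addresses are constructed for the example and stand in for real lookups.

```python
import ipaddress

# Constructed DNS data standing in for the TXT, MX and A lookups a receiving
# server would perform. None of these are real records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example mx ~all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}
DNS_MX = {"example.com": ["mail.example.com"]}
DNS_A = {"mail.example.com": ["192.0.2.5"]}

MAX_DNS_MECHANISMS = 10  # RFC 7208: more than 10 DNS-querying terms is a permerror
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, _lookups=None):
    """Evaluate the SPF record published for `domain` against the connecting
    `client_ip`. Returns pass, fail, softfail, neutral, none or permerror."""
    if _lookups is None:
        _lookups = [0]          # lookup counter shared across include: recursion
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"           # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        if "=" in term:         # modifiers (redirect=, exp=) are not handled here
            continue
        qualifier = "+"         # a mechanism without a qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # membership is False when the address families differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("include", "a", "mx"):
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_MECHANISMS:
                return "permerror"
            target = arg or domain
            if name == "include":
                matched = check_spf(target, client_ip, _lookups) == "pass"
            elif name == "a":
                matched = str(ip) in DNS_A.get(target, [])
            else:
                hosts = DNS_MX.get(target, [])
                matched = any(str(ip) in DNS_A.get(h, []) for h in hosts)
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"            # record exhausted without a match
```

A message relayed by a mailing list at 192.0.2.200 gets softfail here even though it originally came from an authorized server, which is the forwarding problem the paragraph describes; the ~all qualifier is what keeps that from being a hard fail.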
2. DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) adds a tamper-evident digital signature that covers selected headers, including the From: header, and the message body.
How it works
This signature is created using a private key that only your server knows. The corresponding public key is published in your DNS. Receiving servers use this public key to verify the signature. If it's valid, it proves the email came from your domain and its content hasn't been altered in transit.
The weakness
Like SPF, DKIM doesn't inherently stop spoofing. The signature proves the message is authentic for the domain whose key signed it, not necessarily the domain shown in the From: address.
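The signing and verification flow, as an added example that is not code from the original article or from Proton. The header and body canonicalization follow RFC 6376 (relaxed/simple), but the signature itself is an assumption made for the sake of a standard-library-only example: an HMAC over a shared secret stands in for DKIM's RSA key pair and the DNS public-key lookup, and the a=hmac-sha256 tag is not a real DKIM algorithm name. The domains, headers and secrets are constructed.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the key material: a shared secret per signing domain
# replaces the RSA private key (held by the sender) and the public key that real
# DKIM publishes in DNS at <selector>._domainkey.<domain>.
SIGNING_KEYS = {"example.com": b"example.com-secret", "bulkmailer.example": b"bulk-secret"}


def relaxed_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase the field name,
    unfold, collapse whitespace runs to one space, trim the value."""
    value = value.replace("\r\n", "")
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def simple_body(body):
    """RFC 6376 'simple' body canonicalization: CRLF line ends, trailing empty
    lines removed, body ends with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body):
    """The bh= tag: base64(SHA-256) of the canonicalized body."""
    return base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()


def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags


def _signed_data(headers, signed_names, sig_value_without_b):
    """Canonicalized headers in h= order, then the DKIM-Signature header itself
    with an empty b= value and no trailing CRLF (as RFC 6376 specifies)."""
    lower = {k.lower(): v for k, v in headers.items()}
    data = "".join(relaxed_header(n, lower[n]) for n in signed_names if n in lower)
    return data + relaxed_header("dkim-signature", sig_value_without_b).rstrip("\r\n")


def sign(headers, body, domain, selector="s1", signed=("from", "to", "subject")):
    """Produce a DKIM-Signature header value for headers/body under `domain`."""
    unsigned = (f"v=1; a=hmac-sha256; c=relaxed/simple; d={domain}; s={selector}; "
                f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    mac = hmac.new(SIGNING_KEYS[domain], _signed_data(headers, signed, unsigned).encode(), hashlib.sha256)
    return unsigned + base64.b64encode(mac.digest()).decode()


def verify(headers, body, sig_value):
    """Return (valid, signing_domain). valid=True means the signed headers and
    body are unchanged since the holder of d='s key signed them; it says nothing
    about whether d= matches the From: domain."""
    tags = parse_tags(sig_value)
    domain = tags.get("d", "")
    key = SIGNING_KEYS.get(domain)        # stands in for the DNS public-key lookup
    if key is None or body_hash(body) != tags.get("bh"):
        return False, domain
    unsigned = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)  # blank the b= value
    data = _signed_data(headers, tags["h"].split(":"), unsigned)
    expected = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(tags.get("b", ""))), domain
```

Changing the From: header or the body after signing makes verify() return False, which is the tamper protection; a message signed by bulkmailer.example with a From: address at example.com still verifies as True, with the signing domain reported separately. That second case is the weakness the paragraph describes, and it is exactly what DMARC's alignment check is there to catch.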
3. Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the policy that ties SPF and DKIM together. DMARC is the rule that tells mail servers to only trust emails if the From: address you see matches the authentication checks behind the scenes. It closes the loophole attackers exploit with SPF or DKIM alone.
How it works
DMARC requires that the domain in the visible From: address must match the domain used in the passing SPF or DKIM check. This vital step connects the visible sender address to the technical verification.
It also tells receiving servers what to do with messages that fail. The policy tag (p) in your DMARC record instructs them how to handle failures:
- p=none (Monitor): Take no action. Just send reports back to you about who is sending email from your domain.
- p=quarantine (Quarantine): Send failing emails to the spam folder.
- p=reject (Reject): Block the failing emails entirely.
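The alignment and policy logic, as an added example that ties the two sender addresses from the first section to the DMARC evaluation described here (not code from the original article or from Proton). It extracts the RFC 5322 From: domain from a constructed message, compares it with the RFC 5321 MAIL FROM domain that SPF checked and with the DKIM signing domain, applies the aspf/adkim alignment modes and returns the disposition from the p tag. The DMARC records, messages and domains are constructed, and the organizational-domain rule is a two-label approximation (real receivers use the Public Suffix List).

```python
import email
from email import policy as email_policy

# Constructed DMARC records standing in for DNS TXT lookups at _dmarc.<domain>.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}

# Constructed messages: the same From: header can arrive over very different paths.
SPOOF = ("From: CEO <ceo@example.com>\r\nTo: finance@example.com\r\n"
         "Subject: Urgent transfer\r\n\r\nPlease wire the funds today.\r\n")
NEWSLETTER = ("From: News <news@example.org>\r\nTo: reader@example.net\r\n"
              "Subject: Weekly update\r\n\r\nHello.\r\n")


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption:
    real implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def header_from_domain(raw_message):
    """Domain of the RFC 5322 From: header, the address the recipient sees."""
    msg = email.message_from_string(raw_message, policy=email_policy.default)
    return msg["From"].addresses[0].domain


def evaluate_dmarc(raw_message, mail_from_domain, spf_result, dkim_result, dkim_domain):
    """Combine the RFC 5321 MAIL FROM domain (what SPF checked), the DKIM d=
    domain and the From: header into a (result, disposition) pair."""
    from_domain = header_from_domain(raw_message)
    record, is_subdomain = DMARC_RECORDS.get(from_domain), False
    if record is None:                              # fall back to the org domain's record
        record = DMARC_RECORDS.get(org_domain(from_domain))
        is_subdomain = record is not None
    if record is None:
        return "none", "none"                       # no policy published
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:                           # one aligned pass is enough
        return "pass", "none"
    policy = tags.get("p", "none")
    if is_subdomain:                                # sp= overrides p= for subdomains
        policy = tags.get("sp", policy)
    return "fail", policy
```

The first test below is the attack from the earlier section: SPF passes for an envelope domain the attacker controls, but that domain does not align with example.com in the From: header, so DMARC fails and the p=reject policy applies. The same message from a bounce.example.com envelope passes under relaxed SPF alignment, while a DKIM signature from mail.example.com is not enough under adkim=s.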
Secure your business from phishing and domain spoofing
Over 90% of all data breaches begin with a phishing or spoofing attack. Implementing SPF, DKIM, and DMARC is your first line of defense, but it must be paired with an email provider that is secure by default.
Proton Mail for Business is designed to block these threats before they ever reach your team. Our advanced anti-spoofing detection, PhishGuard technology, and end-to-end encryption provide a comprehensive defense that's simple to manage.

How to set up email authentication (step-by-step)
Securing your domain involves adding a few records to your Domain Name System (DNS) settings, which are managed by your domain registrar or DNS host (like GoDaddy, Namecheap, or Cloudflare).
Create your SPF record
First, identify all the services you use to send email (e.g., your email provider, a newsletter service like Mailchimp, a CRM). Your SPF record must include all of them. For example, Proton Mail's SPF record is v=spf1 include:_spf.proton.me mx ~all. You would add this as a TXT record in your DNS settings.
Configure your DKIM signature
In your Proton Mail (or other provider's) admin panel, navigate to the domain settings. The system will generate a unique DKIM key for you. The setup process for DKIM in Microsoft 365, Google Workspace, or Proton is similar: you copy the generated key and create a new TXT record in your DNS as instructed.
Implement your DMARC policy
Adding the DMARC policy (p) is the final step. It should be rolled out in stages to avoid blocking your own legitimate emails:
- Start with p=none: Create a DMARC record with a policy of p=none. This monitoring mode lets you receive reports on email failures without affecting your mail delivery.
- Analyze reports: Use the DMARC reports to find any legitimate services that are failing checks and add them to your SPF and DKIM records.
- Move to p=quarantine: Once you are confident, change your policy to p=quarantine. This will send failing emails to the spam folder.
- Move to p=reject: After more monitoring, move to p=reject to block all fraudulent emails from being delivered.
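The "analyze reports" step in practice, as an added example that is not code from the original article or from Proton: a parser for the aggregate (rua) reports that receivers send in the RFC 7489 XML format. It separates volume that passed DMARC from failing sources and, for each failing source, records which domain it did authenticate as, which is what tells you whether a row is a legitimate vendor that still needs to be added to your SPF or DKIM setup or an unknown sender. The report, reporter, IP addresses and counts are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the RFC 7489 XML layout. The reporter,
# domains, addresses and counts are made up for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- our own mail server: aligned SPF and DKIM -->
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a CRM vendor sending on our behalf: authenticates, but as its own domain -->
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown source: nothing authenticates -->
  <record>
    <row><source_ip>192.0.2.9</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Split an aggregate report into DMARC-passing volume and a list of failing
    sources, noting which domain (if any) each failing source authenticated as."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "passing": 0,
        "failing": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")   # aligned DKIM result
        spf = rec.findtext("row/policy_evaluated/spf")     # aligned SPF result
        if dkim == "pass" or spf == "pass":                # one aligned pass is a DMARC pass
            summary["passing"] += count
            continue
        # Raw results show whether the source authenticated for some other domain.
        authenticated_as = sorted({
            el.findtext("domain")
            for el in rec.findall("auth_results/*")
            if el.findtext("result") == "pass"
        })
        summary["failing"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "header_from": rec.findtext("identifiers/header_from"),
            "authenticated_as": authenticated_as,
            "likely": "unaligned third-party sender" if authenticated_as else "unauthenticated source",
        })
    summary["failing"].sort(key=lambda r: r["count"], reverse=True)   # biggest senders first
    return summary
```

Rows that authenticated as a vendor's domain are the ones to fix before tightening the policy: include the vendor in your SPF record or have it sign with a DKIM key under your domain. Rows with no authentication at all are what p=quarantine and p=reject will act on once you move past monitoring.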
For detailed setup instructions, including screenshots and record values, see Proton’s support guide.
Beyond the basics: ARC and BIMI
Once your SPF, DKIM, and DMARC are in place, there are two optional standards that can add extra value:
Authenticated received chain (ARC)
Preserves your authentication results when an email is forwarded (for example through a mailing list), a step that often breaks SPF or DKIM.
Brand indicators for message identification (BIMI)
Lets your official company logo show up beside your emails in supported inboxes. Think of it as a “verified checkmark” for email. To qualify, you need a strong DMARC policy (quarantine or reject).
How Proton Mail secures your business email
Setting up email authentication is essential, but it’s only one part of a complete security strategy. Proton Mail adds further layers of protection to keep your business safe from advanced threats.

Advanced anti-spoofing detection
Proton Mail automatically checks SPF, DKIM, and DMARC on all incoming messages. Emails that fail these checks are clearly marked, reducing the risk of impersonation.
PhishGuard
PhishGuard identifies suspicious links, patterns, and other warning signs that basic filters often miss, helping to block phishing attempts before they reach employees.

End-to-end and zero-access encryption
Emails between Proton users are automatically end-to-end encrypted. All your data is stored with zero-access encryption, meaning not even we can read your emails.

Link confirmation
When users click a link in an email, Proton Mail displays a full preview of the destination URL, helping prevent accidental clicks on malicious sites.

Secure your business communications
Protect your company from phishing, spoofing, and data breaches with the email service that puts security and privacy first. Implement strong email authentication and benefit from end-to-end encryption and advanced phishing protection, all in one simple, secure solution.

Frequently asked questions
- What is the difference between SPF and DKIM?
- How do email servers check authentication?
- How long does it take for DMARC to work?
- What if scammers spoof my email?
- Can this stop all phishing attacks?
