Email domain security (SPF, DKIM, DMARC) monitoring

Spoofing your own domain is depressingly easy without SPF, DKIM, and DMARC. Here is what each record actually does and how Barrion verifies the whole chain.

What it is

SPF, DKIM, and DMARC are DNS records that help prevent email spoofing and phishing. SPF and DKIM authenticate senders; DMARC tells receivers what to do with failing messages. Monitoring checks that these records exist and are correctly configured.

Why it matters

Missing or weak SPF/DKIM/DMARC makes it easier for attackers to send email that appears to come from your domain (phishing, BEC). Proper configuration protects your brand and recipients. Monitoring catches misconfigurations and expiry.

How Barrion checks it

Barrion performs DNS lookups for your domain's SPF, DKIM (selector), and DMARC records. We validate syntax, alignment, and policy strength. We report missing records, syntax errors, and overly permissive policies. Checks are read-only DNS queries.

Configuration examples

SPF TXT record (example.com):
"v=spf1 include:_spf.google.com -all"

DMARC TXT record (_dmarc.example.com):
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

Verify it

dig +short TXT _dmarc.example.com
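
Once dig has returned the TXT values, they can be checked for the problems described above: missing records, syntax errors, and overly permissive policies. The sketch below is an added example, not Barrion's implementation; the function names and the sample records are constructed for illustration.

```python
import re

def normalize(txt):
    """Join the quoted chunks dig prints for one TXT record into one string."""
    return re.sub(r'"\s+"', "", txt.strip()).strip('"')

def check_spf(apex_txt):
    """Findings for the TXT records at the domain apex (empty list = OK)."""
    spf = [r for r in map(normalize, apex_txt) if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["spf: no v=spf1 record"]
    if len(spf) > 1:
        return ["spf: multiple v=spf1 records (evaluation ends in permerror)"]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to the redirect target
        return ["spf: no 'all' mechanism (unmatched senders get neutral)"]
    weak = {"+": "authorizes every sender", "?": "is neutral", "~": "is only a softfail"}
    q = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare 'all' means '+all'
    return [f"spf: {alls[0]} {weak[q]}"] if q in weak else []

def check_dmarc(dmarc_txt):
    """Findings for the TXT records at _dmarc.<domain> (empty list = OK)."""
    recs = []
    for r in map(normalize, dmarc_txt):
        pairs = [p.split("=", 1) for p in r.split(";") if "=" in p]
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        if tags.get("v") == "DMARC1":
            recs.append(tags)
    if not recs:
        return ["dmarc: no v=DMARC1 record"]
    if len(recs) > 1:
        return ["dmarc: multiple records (receivers apply none of them)"]
    tags, findings = recs[0], []
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return [f"dmarc: missing or invalid p= tag ({p!r})"]
    if p == "none":
        findings.append("dmarc: p=none only monitors; failing mail is still delivered")
    pct = tags.get("pct", "100")
    if not re.fullmatch(r"\d{1,3}", pct) or int(pct) > 100:
        findings.append(f"dmarc: pct={pct} is not in 0-100")
    elif int(pct) < 100 and p != "none":
        findings.append(f"dmarc: p={p} applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("dmarc: no rua tag, so no aggregate reports arrive")
    return findings

# Constructed sample input, in the form `dig +short TXT` prints it.
SAMPLE_APEX = ['"v=spf1 include:_spf.google.com ~all"', '"unrelated-verification=abc"']
SAMPLE_DMARC = ['"v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"']
```

An empty list from both functions means the record passed these checks; DKIM is not covered because its record lives under a selector name that varies per sender.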

FAQ

Common questions.

Should I set up SPF or DKIM first?
SPF first. It is a single DNS TXT record that authorizes specific sending IPs and is what most receivers check before they even look at the body. DKIM follows because it survives forwarding (SPF does not) and is required for DMARC alignment to pass on mailing lists and aliases.

What is a soft DMARC rollout?
Start with p=none and rua reporting for one to two weeks to see which legitimate senders fail alignment. Move to p=quarantine with pct=25, then ramp pct over a few weeks while watching the aggregate reports, and only switch to p=reject once the failure rate for legitimate mail is at zero.

Do I need MTA-STS?
If you handle anything sensitive over email, yes. MTA-STS publishes a TLS policy so sending servers refuse to deliver over plaintext or to a mismatched certificate, which closes the downgrade gap that opportunistic STARTTLS leaves open. Pair it with TLS-RPT to get failure reports.

Why do receivers still accept my mail when SPF says fail?
SPF on its own only suggests an action; the receiver decides. Without a DMARC policy of quarantine or reject, most providers downgrade a hard fail to a spam-folder delivery rather than blocking outright. DMARC is what gives SPF and DKIM real enforcement.