Email Security

How to fix missing or weak SPF, DKIM, and DMARC

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

SPF, DKIM, and DMARC are DNS-based mechanisms that help receiving mail servers verify that email claiming to be from your domain was actually sent by you (or an authorized server). SPF lists allowed senders; DKIM adds a cryptographic signature; DMARC tells receivers what to do when checks fail.

Why it matters

Without these records, anyone can send email that appears to come from your domain. That fuels phishing and brand abuse. Proper SPF, DKIM, and DMARC improve deliverability, protect your reputation, and are often required or expected by partners and compliance frameworks.

How it is exploited

An attacker rents a VPS, sets the From address to billing@yourdomain.com, and sends an invoice to your customers. With no SPF, DKIM, or DMARC the receiving servers have nothing to check against, so the mail lands in the inbox with your name on it. Customers wire payment to the attacker's account or click a credential-harvesting link, and your support team takes the brunt.

How to fix it

  1. Publish SPF. Add a TXT record for your domain (or the subdomain you send from) that lists the mail servers allowed to send for you. End the record with ~all (soft fail) or -all (hard fail) so that servers not listed do not pass. Keep the record within SPF's limit of 10 DNS lookups, or receivers will treat it as an error.
  2. Enable DKIM. Generate a DKIM key pair and add the public key as a TXT record at the selector your mail provider specifies. Configure your mail server or provider to sign outbound messages with the private key. Receivers can then verify the signature.
  3. Add DMARC. Publish a DMARC TXT record that specifies your policy (p=none, quarantine, or reject) and where to send aggregate reports. Start with p=none to collect data without affecting delivery, then move to p=quarantine or p=reject once you're confident.
  4. Monitor and tighten. Review DMARC reports to see who's sending as your domain and whether they pass. Fix any legitimate senders that fail, then consider moving to a stricter policy. Use Barrion's email security test to confirm your records are valid and aligned.

Examples by platform

SPF (DNS TXT on apex)

example.com.  IN TXT "v=spf1 include:_spf.google.com include:mailgun.org -all"

DKIM (DNS TXT at provider selector)

selector1._domainkey.example.com.  IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."

DMARC (DNS TXT at _dmarc)

_dmarc.example.com.  IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"

How to verify the fix

Inspect the SPF record on the apex domain:

dig +short TXT example.com

Inspect the DMARC record at _dmarc:

dig +short TXT _dmarc.example.com

Inspect the DKIM record at your provider's selector:

dig +short TXT selector._domainkey.example.com
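Once dig returns the records, the following script (an added example, not Barrion's checker) applies the checks from steps 1 and 3 offline: SPF version, DNS-lookup count and the trailing all qualifier; DMARC version, policy, report address and alignment. The sample records are the page's own examples plus one deliberately weak pair, embedded as constants.

```python
"""Offline lint for SPF and DMARC TXT records (added example, not Barrion's tool)."""
import re

# Terms that each cost one DNS lookup against SPF's limit of 10 (RFC 7208).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Sample records: the page's examples plus one deliberately weak pair (constructed).
SPF_GOOD = 'v=spf1 include:_spf.google.com include:mailgun.org -all'
SPF_WEAK = 'v=spf1 a mx +all'
DMARC_GOOD = 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100'
DMARC_WEAK = 'v=DMARC1; p=none'


def check_spf(record):
    """Return findings for one SPF record: version, lookup count, 'all' qualifier."""
    terms = record.strip().split()
    result = {"valid_version": bool(terms) and terms[0].lower() == "v=spf1",
              "lookups": 0, "all_qualifier": None}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        name = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
        elif name == "all":
            result["all_qualifier"] = qualifier
    result["over_lookup_limit"] = result["lookups"] > 10
    # Step 1 asks for ~all or -all; '+all' or a missing 'all' lets unlisted servers through.
    result["fail_policy_ok"] = result["all_qualifier"] in ("~", "-")
    return result


def check_dmarc(record):
    """Return findings for one DMARC record: policy, reporting and alignment tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"valid_version": tags.get("v") == "DMARC1",
            "policy": tags.get("p"),
            "enforcing": tags.get("p") in ("quarantine", "reject"),
            "has_reports": "rua" in tags,
            # adkim/aspf default to relaxed ('r') when absent.
            "strict_alignment": tags.get("adkim", "r") == "s" and tags.get("aspf", "r") == "s"}


if __name__ == "__main__":
    for label, rec in (("SPF good", SPF_GOOD), ("SPF weak", SPF_WEAK)):
        print(label, check_spf(rec))
    for label, rec in (("DMARC good", DMARC_GOOD), ("DMARC weak", DMARC_WEAK)):
        print(label, check_dmarc(rec))
```

Paste the quoted string that dig prints (without the surrounding quotes) into the constants to lint your own records; the DKIM record is only checked for presence by dig, since verifying the signature itself needs a signed message.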

Check your site for this finding.

Run Barrion's free email security check to see if this applies to your app, with a full report and remediation steps.