Three DNS records decide whether mail claiming to be from your domain is trustworthy. Here's what each one actually does, how they fit together, and the one DMARC setting people most often get wrong.
Email has no built-in sender verification. Without these records, anyone can put your domain in the 'From' field of an email. Mailbox providers (Gmail, Outlook, etc.) look at SPF, DKIM, and DMARC to decide whether to trust that claim, flag the message as suspicious, or reject it outright.
Sender Policy Framework is a TXT record at your domain's apex that lists the mail servers authorized to send on your behalf.
DomainKeys Identified Mail signs outgoing mail with a private key; the matching public key is published in DNS so receivers can verify the signature wasn't tampered with.
Domain-based Message Authentication, Reporting & Conformance is a TXT record at _dmarc.<yourdomain> that tells receivers what to do when a message fails SPF and DKIM alignment, and where to send reports about it.
The standard rollout path is p=none first (watch the reports, confirm your legitimate senders all pass) and then tighten to p=quarantine and eventually p=reject once you're confident nothing legitimate will be blocked.
Grounded in the scanner's actual detection logic (src/lib/scanner/dns.ts), not a general description of DMARC.
Our free scanner checks SPF, DMARC, CAA, and DNSSEC for any public domain, and can check a DKIM selector too if you know it. Passive only — the same DNS lookups anyone can run, nothing sent to the target site itself.
Get a guided demo, or start by scanning any domain for free.