SPF, DKIM, DMARC and MTA-STS explained
Email authentication is split across your sending platforms and your DNS. A platform usually gives you the records, but DNS is where those records are published.
Quick summary
SPF
Lists which mail servers are allowed to send email for your domain.
DKIM
Adds a cryptographic signature so recipients can verify the message was not altered and was signed by an authorised domain.
DMARC
Tells receivers what to do when SPF or DKIM does not align with the visible From domain.
SPF
SPF is a TXT record on the sending domain. It says which services are allowed to send email for that domain. For example, if Microsoft 365 and SendGrid send mail for your domain, SPF may need to include both.
DNS location: usually the root domain, for example example.com TXT.
Common fault: SPF passes for a third-party Return-Path domain, but DMARC still fails because the Return-Path domain does not align with the visible From domain.
DKIM
DKIM signs email using a private key in the sending platform and a public key in DNS. The receiving server uses the public DNS record to verify the signature.
DNS location: selector._domainkey.example.com. The selector is provider-specific. Microsoft 365 commonly uses selector1 and selector2; Google Workspace often uses google.
Common fault: DKIM passes, but the signing domain is the vendor domain rather than your visible From domain, so DMARC fails.
DMARC
DMARC checks whether SPF or DKIM passed and aligned with the visible From domain. Alignment is the key bit many basic tools miss.
DNS location: _dmarc.example.com TXT.
Policies:
p=none: monitor only, no enforcement.
p=quarantine: ask receivers to treat failing mail suspiciously.
p=reject: ask receivers to reject failing mail.
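To make alignment concrete, here is an added example (not from this page or its author) that evaluates DMARC from SPF and DKIM results the way a receiver does, reproducing the two common faults above: a third-party Return-Path that passes SPF, and a vendor-domain DKIM signature that verifies but does not align. The organizational-domain function is a stated simplification (last two labels); real receivers use the Public Suffix List.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption for this example only: real receivers consult the Public
    Suffix List, so co.uk-style domains need a proper PSL lookup.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r', the DMARC default) compares organizational domains;
    strict ('s') requires an exact match with the visible From domain."""
    if mode == "s":
        return auth_domain.lower().strip(".") == from_domain.lower().strip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str         # domain of the visible (header) From address
    spf_result: str          # "pass", "fail", "none", ...
    return_path_domain: str  # envelope MAIL FROM domain that SPF checked
    dkim_result: str         # "pass" or "fail"
    dkim_d: str              # d= tag of the DKIM-Signature that verified


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns."""
    spf_ok = r.spf_result == "pass" and aligned(r.return_path_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_d, r.from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed sample: a vendor sends on behalf of example.com. SPF and DKIM
# both pass, but each passes for the vendor's own domain, so DMARC fails.
VENDOR_MISALIGNED = AuthResults("example.com", "pass", "bounce.vendor.example",
                                "pass", "vendor.example")
# Same message after the vendor signs with a selector published under
# example.com (d=example.com): DKIM now aligns and DMARC passes.
VENDOR_FIXED = AuthResults("example.com", "pass", "bounce.vendor.example",
                           "pass", "example.com")

if __name__ == "__main__":
    for name, r in (("misaligned", VENDOR_MISALIGNED), ("fixed", VENDOR_FIXED)):
        print(name, dmarc_evaluate(r))
```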
MTA-STS
MTA-STS helps protect inbound mail delivery by telling other mail servers to use TLS when sending email to your domain. It is about securing the transport path to your mail servers, not proving who sent an email.
DNS location: _mta-sts.example.com TXT.
Policy file location: https://mta-sts.example.com/.well-known/mta-sts.txt.
A valid MTA-STS setup needs both the DNS TXT record and the HTTPS policy file. The policy file declares a mode such as testing or enforce, the allowed MX hostnames, and a max_age value.
Why DNS and platform settings both matter
Most fixes start in the sending platform: Microsoft 365, Google Workspace, SendGrid, Mailchimp, Shopify, HubSpot, WordPress SMTP and so on. But the platform will usually ask you to add DNS records. Until those records are published correctly, the platform cannot authenticate as your domain.