logo

Email Security Tools

Email security for small business: stop spoofing with SPF, DKIM, and DMARC

DMARC, DKIM, and SPF stop criminals from sending fake email that looks like it came from your business. Use the free tools on this page to check and fix your email security records.

Understanding DMARC, DKIM, and SPF

Use this page to check and tune your email security records so criminals have a harder time pretending to be you.

Email security tools

Start with the overview, then run a free check or generate the records you need.

Need help with your records?
Contact Us
[email protected]
Schedule 15 minutes
DMARC, DKIM, and SPF email security illustration

What DMARC, DKIM, and SPF do for your business

Every day, criminals send fake emails that appear to come from real businesses. They use your domain name to trick your customers into clicking malicious links, wiring money, or handing over login credentials. DMARC, DKIM, and SPF are the three email authentication standards that make this much harder to pull off.

Think of SPF and DKIM as ID checks for your outgoing email. SPF tells the internet which mail servers are allowed to send on behalf of your domain. DKIM attaches a digital signature to each message so the receiving server can confirm the email was not tampered with in transit. DMARC is the policy on top. It tells receiving servers what to do when a message fails those checks, whether that means sending it to spam or blocking it outright.

Without these records properly configured, your emails are more likely to land in spam folders and it becomes easier for attackers to impersonate your business.

Why SPF and DKIM matter

SPF lists which mail servers are allowed to send mail for your domain. DKIM signs each message with a cryptographic key so the receiver can verify it was not changed in transit.

If either one is missing or misconfigured, your messages are more likely to land in spam or get rejected entirely.

What DMARC adds

DMARC tells receiving mail servers how strictly to enforce SPF and DKIM when the From address does not line up with what those checks expect.

  • none: monitor only, take no action
  • quarantine: send failures to spam
  • reject: block failures outright

What to do if your records are failing

If a report or vendor portal shows failing SPF, DKIM, or DMARC records, it usually means one of three things:

  • A new system sending email on your behalf, such as a newsletter tool or invoicing app, was never added to your SPF or DKIM records.
  • Your domain moved mail providers but old records were left behind and are now conflicting.
  • Someone is actively trying to spoof your domain and DMARC is flagging the traffic.

Use the tools in the sidebar to see what is published for your domain right now. If you want someone to map it all out and keep it aligned with your broader security setup, Wolferdawg IT Consulting can roll that into an ongoing support relationship through our cybersecurity services or managed IT services.

How this fits with the rest of your email security

If your business uses Microsoft 365 Business Premium, your SPF, DKIM, and DMARC records need to be aligned with how Microsoft routes your mail. Getting this right is one of the first things Wolferdawg IT Consulting addresses when onboarding a new client, because misconfigured records cause deliverability problems that are easy to fix but disruptive to live with.

Not sure what your records are telling you?
Wolferdawg IT Consulting can review your DMARC results, fix broken records, and help you move toward a reject policy without disrupting legitimate email.
Schedule 15 Minutes

Common email security questions

What is SPF?

SPF, or Sender Policy Framework, is a record you publish in your domain's DNS that lists which mail servers are allowed to send email for your domain. When a receiving server gets a message from you, it checks your SPF record to confirm the sending server is on the approved list. If it is not, the message looks suspicious and is more likely to land in spam or get rejected. SPF is one of the three core email authentication records every small business should have in place.

What is DKIM?

DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to every email your domain sends. The receiving server uses a public key in your DNS to confirm the message really came from you and was not altered in transit. Where SPF checks the sending server, DKIM verifies the message itself. Together they give receiving servers two independent ways to trust your mail.

What is DMARC?

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the policy that sits on top of SPF and DKIM. It tells receiving servers what to do when a message fails those checks, whether to allow it, send it to spam, or reject it outright. DMARC also sends you reports showing who is sending email using your domain, which is how you spot both misconfigured services and outright spoofing.

What is the difference between SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC work as a team, and each one does a different job. SPF says which servers may send mail for your domain. DKIM signs each message so the receiver can confirm it was not changed. DMARC sets the policy for what happens when a message fails SPF or DKIM, and it reports back on attempts to spoof you. You need all three working together, because any one of them on its own leaves a gap a deliverability problem or an attacker can slip through.

How do I set up SPF, DKIM, and DMARC?

You set up SPF, DKIM, and DMARC by publishing the right records in your domain's DNS, then tightening the DMARC policy over time. Start by building each record with the free SPF generator, DKIM generator, and DMARC generator on this page, then publish them with your domain host. Run the email security checker to confirm they pass. If you would rather not touch DNS yourself, Wolferdawg IT Consulting sets these up for small businesses across Lawton, Duncan, and Southwest Oklahoma.

How do I check if my SPF, DKIM, or DMARC records are set up correctly?

Run your domain through the free email security checker on this page. It looks up your SPF, DKIM, and DMARC records at once and shows you which ones pass, which ones fail, and what is missing. A passing result means receiving servers can verify your mail. A failing or missing result means your messages are at higher risk of being spoofed or sent to spam, and it is worth fixing right away.

What email security does a small business actually need?

At a minimum, a small business needs SPF, DKIM, and DMARC configured correctly, multi-factor authentication on every mailbox, and email filtering that blocks phishing and spoofed senders. These controls stop the most common attacks, which almost always start with email, and they are already included or inexpensive on most Microsoft 365 plans. Wolferdawg IT Consulting sets up and manages this layer for small businesses across Southwest Oklahoma so owners do not have to think about it.

Why are my emails going to spam?

Business email usually lands in spam for one of a few reasons. Your SPF, DKIM, or DMARC records may be missing, incomplete, or misconfigured, so receiving servers cannot verify your mail. A new sending service like a newsletter or invoicing tool may never have been added to your records. Or your domain may have a weak sending reputation from past issues. Run the free email security checker to see which records are failing, then fix them with the generators on this page.

Free email security tools

Run a one-click check on your domain or generate the records you need.

Email Security Checker
Check SPF, DKIM, and DMARC at once
SPF Generator
Build a new SPF record
DKIM Generator
Build a new DKIM record
DMARC Generator
Build a new DMARC record

New to these terms? The domain security glossary explains SPF, DKIM, DMARC, and every other record in plain English.