DMARC, DKIM and SPF: Email Security Explained for Hertfordshire Businesses
Three acronyms — SPF, DKIM and DMARC — represent the foundation of modern email security. Together, they protect your business domain from being used by fraudsters to send fake emails impersonating your company, and they help ensure your legitimate emails actually reach your recipients’ inboxes. If you haven’t configured these for your Hertfordshire business, you have a significant security and deliverability gap.
Why Email Security Matters More Than Ever
Business email compromise (BEC) is one of the fastest-growing forms of cybercrime in the UK. Fraudsters send emails that appear to come from a trusted domain — your supplier, your solicitor, your own company — to trick recipients into making payments or sharing sensitive information. Without SPF, DKIM and DMARC correctly configured, your domain can be spoofed and your brand used as the vehicle for attacks on your clients and partners.
SPF — Sender Policy Framework
SPF is a DNS record that tells the world which mail servers are authorised to send email on behalf of your domain. When an email arrives claiming to be from yourcompany.co.uk, the receiving mail server checks your SPF record to see whether the sending server is on the approved list. If it isn’t, the email can be flagged as suspicious or rejected.
SPF is the first line of defence against domain spoofing. However, it has limitations — it only checks the envelope sender address, not the ‘from’ address the recipient sees. That’s where DKIM and DMARC come in.
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to every email you send. The signature is generated using a private key held on your mail server, and verified by the receiving server using a public key published in your DNS. If the signature is valid, the receiver knows the email genuinely came from your domain and hasn’t been tampered with in transit.
DKIM protects against email tampering as well as spoofing. It also improves email deliverability — major email providers like Google and Microsoft give higher trust scores to emails with valid DKIM signatures, making it less likely your legitimate emails will end up in junk folders.
DMARC — Domain-based Message Authentication, Reporting and Conformance
DMARC ties SPF and DKIM together and tells receiving mail servers what to do with emails that fail authentication. A DMARC policy of ‘none’ means failed emails are allowed through but reported. A policy of ‘quarantine’ means they go to junk. A policy of ‘reject’ means they’re blocked entirely.
DMARC also generates reports showing you which mail servers are sending email on behalf of your domain — helping you identify if your domain is being abused for phishing campaigns. In 2024, Google and Yahoo made DMARC a requirement for bulk email senders — and this trend is spreading across the industry.
What Happens If You Don't Have These Configured?
How to Implement SPF, DKIM and DMARC
Implementation involves making changes to your domain’s DNS records — the technical settings that control how your domain functions online. SPF and DMARC are relatively straightforward to configure if you know what you’re doing; DKIM requires access to your mail server configuration. The process should be handled carefully — an incorrectly configured SPF record can cause your legitimate emails to stop being delivered.
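As an added example (not Twin Technology's own tooling), the Python sketch below checks SPF and DMARC record text for the mistakes that most often break delivery or leave a domain spoofable, before the records are published. The function names audit_spf and audit_dmarc are hypothetical, and the sample records are constructed for the placeholder domain yourcompany.co.uk.

```python
# Added example: lint SPF and DMARC TXT records before publishing them in DNS.
# Records are passed in as strings, so nothing is looked up over the network.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def audit_spf(txt_records):
    """Return findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings, lookups, all_qualifier = [], 0, None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # no prefix means "+"
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":")[0].split("/")[0].split("=")[0]
        lookups += name in LOOKUP_TERMS
        if bare == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, a permanent error")
    if all_qualifier == "+":
        findings.append("+all: authorises every server to send as this domain")
    elif all_qualifier == "?" or (all_qualifier is None and "redirect=" not in spf[0].lower()):
        findings.append("no enforcing 'all' term: unlisted servers are not failed")
    return findings

def audit_dmarc(record):
    """Return findings for one DMARC TXT record (published at _dmarc.<domain>)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing policy p={policy!r}")
    elif policy == "none":
        findings.append("p=none: failing mail is delivered and only reported")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not sent anywhere")
    return findings

if __name__ == "__main__":
    # Constructed sample records for the placeholder domain yourcompany.co.uk
    print(audit_spf(["v=spf1 include:spf.protection.outlook.com +all"]))
    print(audit_dmarc("v=DMARC1; p=none"))
```

An empty list means none of these specific problems were found; it does not confirm that every legitimate sending service is listed in the SPF record.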
Twin Technology configures SPF, DKIM and DMARC for businesses across Hertfordshire as part of our professional services offering and as a standard element of our Microsoft 365 deployments. We also provide ongoing DMARC monitoring to alert you if your domain is being misused.
Is your business domain properly protected? Twin Technology can audit and configure your email security for your Hertfordshire business. Call 01923 228820 or email sales@twintechnology.co.uk.

