
How Email Servers Decide If an Email Is Spam or Legit: A Simple Guide to SPF, DKIM, and DMARC

By Dr Pritam Gajkumar Shah admin@cyberpritam.com Posted on 08 May 2025
Area of Article: Email Security

Author: Dr. Pritam Gajkumar Shah, SISTMR Australia




📨 What Happens Behind the Scenes When You Get an Email?


When you receive an email, your email provider (like Gmail or Outlook) doesn’t just deliver it directly. First, it checks if the email is real or pretending to be someone else. To do this, it uses three important rules: SPF, DKIM, and DMARC.


This article explains these in simple language: no jargon, just the step-by-step logic your email provider follows to decide whether to deliver the message to your Inbox, send it to Spam, or block it completely.




✅ Step 1: What Is SPF?


SPF (Sender Policy Framework) tells the email server:
“Only these computers (IP addresses) are allowed to send mail for my domain.”


Example:
If someone sends you an email from admin@cyberpritam.com, Gmail checks:
“Is the computer sending this email listed in the SPF record of cyberpritam.com?”


✅ If yes → SPF passes


❌ If no → SPF fails → might be fake




✅ Step 2: What Is DKIM?


DKIM (DomainKeys Identified Mail) works like a digital signature.


It checks:
“Has this email been changed since the sender sent it?”


The sending server adds a hidden signature to genuine emails. The receiving server uses the sender's public key, published in DNS, to check whether the content was changed.


✅ If it’s still the same → DKIM passes


❌ If something was changed → DKIM fails




✅ Step 3: What Is DMARC?


DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that sits on top of SPF and DKIM.


It tells email servers:
“If SPF or DKIM fails, what should you do?”


none → just monitor


quarantine → put email in Spam


reject → block email completely




🧪 Real-Life Example


Example 1: Spoofed Email Attempt


❌ SPF: Fail


❌ DKIM: Fail


❌ DMARC: Fail (Policy = reject)


➡️ Gmail blocks the email completely


Example 2: Legitimate Newsletter


✅ SPF: Pass


✅ DKIM: Pass


✅ DMARC: Pass


➡️ Email is delivered to Inbox




Why Should Website Owners Care?


If you run a website, school, or business and send emails:


✅ Without SPF/DKIM/DMARC → Your emails may go to Spam


❌ Attackers can send fake emails using your domain


🚫 Google AdSense and other tools may block your domain




🛠 How to Fix It?


Set up the following in your domain’s DNS records:


1. SPF → Lists allowed sending servers


2. DKIM → Adds a digital signature


3. DMARC → Controls what to do when others fail


v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com;
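
An added example, not code from the original article: a small Python evaluator that applies a DMARC record like the one above to SPF and DKIM results. It goes one step beyond the simplified description: a message passes DMARC when at least one of SPF or DKIM passes for a domain that matches the From domain (alignment), so one failure alone does not trigger the policy. The function names, the example.com domains and the sample results are assumptions constructed for illustration.

```python
# Added example: simplified DMARC evaluation. Domains and results are constructed.
PAGE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com;"
ACTIONS = {"none": "deliver", "quarantine": "spam", "reject": "block"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict and validate v= and p=."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ACTIONS:
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s'): exact match. Relaxed ('r'): approximated here as
    'one domain is a subdomain of the other'; real receivers compare
    organizational domains using the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if a == f:
        return True
    return mode != "s" and (a.endswith("." + f) or f.endswith("." + a))

def evaluate(from_domain, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs.
    Returns (dmarc_result, action the domain's policy asks for)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "deliver"
    return "fail", ACTIONS[tags["p"]]  # p=none still delivers: monitor only

if __name__ == "__main__":
    reject = "v=DMARC1; p=reject"
    cases = [  # (label, From domain, SPF, DKIM, record), all constructed
        ("spoofed", "example.com", ("fail", "example.com"), ("fail", "example.com"), reject),
        ("newsletter", "example.com", ("pass", "example.com"), ("pass", "example.com"), reject),
        ("forwarded", "example.com", ("fail", "example.com"), ("pass", "mail.example.com"), reject),
        ("unaligned SPF", "yourdomain.com", ("pass", "other.example"), ("none", ""), PAGE_RECORD),
    ]
    for label, frm, spf, dkim, rec in cases:
        print(label, "->", evaluate(frm, spf, dkim, rec))
```

The "forwarded" case shows why DKIM matters even when SPF is set up, and the "unaligned SPF" case shows that an SPF pass for an unrelated domain does not satisfy DMARC.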



✅ Conclusion


SPF, DKIM, and DMARC work like an ID proof, a signature, and a security policy for email. They help your messages reach inboxes safely and prevent others from faking your domain.


Whether you're running a business, a college portal, or just a newsletter — setting these records protects your reputation and email success.




Need help setting up email security?
Visit cyberpritam.com or contact SISTMR Australia today.