If your business sends invoices or quotes by email, someone else can probably send them too — pretending to be you. SPF, DKIM, and DMARC are the three DNS records that stop that, and they're also, increasingly, the reason your own emails do or don't reach your customers' inboxes.
SPF: who's allowed to send for you
SPF (Sender Policy Framework) is a public list, published in your domain's DNS, of every mail server allowed to send email as you — your Microsoft 365 tenant, your invoicing software, your email marketing tool. When a message arrives claiming to be from your domain, the receiving server checks whether it actually came from one of those approved servers. If it didn't, that's a strong signal it's a fake.
DKIM: a signature that can't be forged
DKIM (DomainKeys Identified Mail) attaches a digital signature to every email you send, generated using a private key only your mail server holds. The receiving server checks that signature against a public key published in your DNS. If the message was altered in transit, or wasn't signed with your key at all, the signature fails — proof the email isn't genuinely yours.
DMARC: the policy that ties it together
SPF and DKIM on their own just produce pass/fail results — they don't tell receiving servers what to actually do about a failure. DMARC is the policy layer: it tells the world what to do with mail that fails both checks (ignore it, quarantine it, or reject it outright), and — just as usefully — sends you reports showing every server that's been sending email claiming to be from your domain. That reporting is often the first time a business discovers someone's been impersonating them.
Because a badly configured DMARC policy can block legitimate mail, it's normally rolled out in stages — starting in monitoring mode, then tightening to full enforcement once you've confirmed every legitimate sender is properly covered by SPF and DKIM.
What happens if you skip all three
Two things, both bad. First, invoice fraud and business email compromise overwhelmingly target small businesses precisely because their domains aren't protected — an attacker can send a customer a fake invoice with your logo and your domain, and nothing stops it. Second, Google and Yahoo now require sender authentication for bulk mail, and increasingly treat unauthenticated mail from any domain with more suspicion — so a misconfigured domain can mean your own quotes and follow-ups quietly start landing in spam.
Checking where you stand
All three are just DNS records, so there's nothing to install — but getting them right (especially DMARC's staged rollout, and making sure every legitimate sender is covered before tightening enforcement) is easy to get wrong in ways that silently break mail delivery. That's the part worth getting a second opinion on before you flip the switch.
