Understanding SPF, DKIM, and DMARC Results

Mailthentic checks three critical DNS authentication records for every domain. These records protect against email spoofing and are a key indicator of a domain's email infrastructure health.

SPF (Sender Policy Framework)

What it does: SPF specifies which mail servers are authorized to send email on behalf of a domain.

What Mailthentic checks: Whether a valid SPF TXT record exists in the domain's DNS.

If missing: The domain may be vulnerable to spoofing, and emails from this domain are more likely to land in spam. Mailthentic flags this as a risk factor.

DKIM (DomainKeys Identified Mail)

What it does: DKIM adds a cryptographic signature to outgoing emails, allowing recipients to verify the message wasn't altered in transit.

What Mailthentic checks: Whether DKIM selector records are present in DNS.

If missing: It doesn't necessarily mean the domain is insecure — DKIM selectors vary and may not always be discoverable. Mailthentic reports this as "present," "not found," or "unknown."

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: DMARC builds on SPF and DKIM by telling receiving servers what to do when authentication fails (none, quarantine, or reject).

What Mailthentic checks: Whether a DMARC TXT record exists and what policy it specifies.

DMARC policies:

• reject — Strictest. Unauthenticated messages are blocked.
• quarantine — Moderate. Unauthenticated messages go to spam.
• none — Monitoring only. No enforcement.

Why These Records Matter for Your List

Domains with strong SPF, DKIM, and DMARC configurations are better managed and more likely to have reliable mail servers. When sending to addresses on domains with missing authentication records, be aware that:

• Those domains may be more susceptible to spoofing (phishing risk).
• Replies from those domains may end up in your spam folder.
• It can indicate a less professionally managed email setup.