How to fix missing or weak SPF, DKIM, and DMARC
Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.
What it is
SPF, DKIM, and DMARC are DNS-based mechanisms that help receiving mail servers verify that email claiming to be from your domain was actually sent by you (or an authorized server). SPF lists allowed senders; DKIM adds a cryptographic signature; DMARC tells receivers what to do when checks fail.
Why it matters
Without these records, anyone can send email that appears to come from your domain. That fuels phishing and brand abuse. Proper SPF, DKIM, and DMARC improve deliverability, protect your reputation, and are often required or expected by partners and compliance.
How to fix it
1. Publish SPF
Add a TXT record for your domain (or the subdomain you send from) that lists the mail servers allowed to send for you. End the record with ~all (soft fail) or -all (hard fail) to tell receivers how to treat servers that are not listed. Keep the record under 10 DNS lookups to stay within SPF's lookup limit.
2. Enable DKIM
Generate a DKIM key pair and add the public key as a TXT record at the selector your mail provider specifies. Configure your mail server or provider to sign outbound messages with the private key. Receivers can then verify the signature.
3. Add DMARC
Publish a DMARC TXT record that specifies your policy (p=none, p=quarantine, or p=reject) and where to send aggregate reports. Start with p=none to collect data without affecting delivery, then move to p=quarantine or p=reject once you're confident.
4. Monitor and tighten
Review DMARC reports to see who's sending as your domain and whether they pass. Fix any legitimate senders that fail, then consider moving to a stricter policy. Use Barrion's email security test to confirm your records are valid and aligned.
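The SPF and DMARC checks from steps 1 and 3 can be run against record strings before they are published. The following is an added example, not Barrion's scanner or code from this page; the function names, findings text, and sample records (on placeholder example.com / example.net domains) are assumptions, and the lookup count covers only the top-level record without following includes.

```python
import re

# Terms that each cost one DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it yields a permanent error

def audit_spf(record):
    """Return findings for one SPF TXT record (top level only, includes are not followed)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    parsed = [re.match(r"([+\-~?]?)([a-z0-9]*)", t.lower()).groups() for t in terms[1:]]
    lookups = sum(name in LOOKUP_TERMS for _, name in parsed)
    all_qualifier = next((q or "+" for q, name in parsed if name == "all"), None)
    has_redirect = any(name == "redirect" for _, name in parsed)
    findings = []
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders are not failed")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' does not fail unlisted senders; use ~all or -all")
    return findings

def audit_dmarc(record):
    """Return findings for one DMARC TXT record published at _dmarc.<domain>."""
    pairs = (part.partition("=") for part in record.split(";") if part.strip())
    tags = {key.strip().lower(): value.strip() for key, _, value in pairs}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only collects reports; failing mail is not quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

# Constructed sample records for illustration (placeholder domains, documentation IP range).
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ?all"
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for audit, rec in ((audit_spf, WEAK_SPF), (audit_dmarc, WEAK_DMARC)):
        print(rec, "->", audit(rec))
```

An empty list means the record passed these checks; a p=none finding is expected during the initial monitoring phase described in step 3.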
Check your site
Run Barrion's free email security check to see if this finding applies to your app and get a full report.