Email is still one of the main ways small businesses communicate with customers, suppliers and staff. It is also one of the easiest ways for scammers to pretend to be someone they are not.
If a criminal can send an email that looks like it came from your business, they may trick a customer into paying the wrong bank account, convince a staff member to open a dangerous attachment, or damage your reputation.
That is where SPF, DKIM and DMARC come in. They are records published in your domain's DNS, the same place your website address is set up. Together they let receiving mail systems check whether an email really came from your domain, and tell them what to do with one that did not.
Why this matters for small businesses
Your domain name is the part after the @ symbol in your email address, such as yourbusiness.com.au. If your domain is not properly protected, scammers may be able to send emails that appear to come from it.
This is called email spoofing. The email might not come from your mail account, but it can still look convincing to the person receiving it.
For a small business, the impact can be serious:
- Customers may receive fake invoices or payment requests.
- Staff may be tricked into sharing passwords or sensitive information.
- Your real emails may be marked as junk or not delivered.
- Your business reputation may be damaged.
- You may lose time and money dealing with the fallout.
SPF, DKIM and DMARC do not stop every email scam, but they are important building blocks for safer email.
What is SPF?
SPF stands for Sender Policy Framework. In plain English, it is a public list, stored in your domain's DNS, of the mail servers that are allowed to send email on behalf of your domain.
Think of it like giving your building receptionist a list of approved couriers. If someone turns up claiming to deliver for your business but they are not on the list, the receptionist can treat them with suspicion.
For example, your business may send emails through Microsoft 365, Google Workspace, Xero, Mailchimp or a booking system. SPF tells receiving mail servers which of those services are allowed to send for your domain.
What SPF helps with
- Helps receiving mail systems check whether an email came from an approved sender.
- Reduces the chance of scammers successfully pretending to send from your domain.
- Can improve email delivery when set up correctly.
Where SPF can go wrong
SPF needs to be kept up to date. If you start using a new invoicing system or marketing platform and it is not added to SPF, your legitimate emails may be treated as suspicious.
It is also common for SPF records to become messy over time, especially if several IT providers or software vendors have made changes. SPF allows at most ten DNS lookups per check, and a record that has accumulated too many include entries goes over that limit and returns a permanent error for every message, which causes real delivery problems.
One more limit to be aware of: SPF checks the hidden bounce address of a message, not the From address your customer sees. A scammer can pass SPF with their own domain in the bounce address while still showing your business name in From, which is why SPF needs DMARC alongside it.
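The two SPF failure modes above, a forgotten vendor and the ten-lookup limit, can be checked mechanically. The script below is an added example for this article, not JCPIT's own tooling: it parses an SPF record, follows each include, counts the lookups and flags records that exceed the limit, point at a domain with no record, or end in +all. DNS is replaced by a constructed ZONE dictionary so it runs offline; every domain, record and address in it is made up.

```python
"""Count the DNS lookups an SPF record needs and flag common mistakes.

Added example for this article, not JCPIT's own tooling. DNS is replaced
by the constructed ZONE dictionary below so the check runs offline; the
domains, records and addresses in it are made up for illustration.
"""

# Hypothetical zone: a small business whose record grew messy as providers
# were added. The .example names are placeholders, not real services.
ZONE = {
    "example.com.au": ("v=spf1 include:spf.mailhost.example include:spf.marketing.example "
                       "include:spf.invoicing.example include:spf.oldcrm.example a mx ~all"),
    "spf.mailhost.example": ("v=spf1 include:_netblocks1.mailhost.example "
                             "include:_netblocks2.mailhost.example ~all"),
    "_netblocks1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.marketing.example": "v=spf1 include:_spf.marketing.example ?all",
    "_spf.marketing.example": "v=spf1 ip4:198.51.100.0/24 a:mail.marketing.example ~all",
    "spf.invoicing.example": "v=spf1 mx ip4:203.0.113.10 -all",
    # spf.oldcrm.example is deliberately absent: a vendor that no longer exists.
    "sloppy.example": "v=spf1 mx +all",
}

# Terms that cost a DNS lookup when evaluated (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lookup_spf(domain):
    """Stand-in for a DNS TXT query. Returns the SPF record or None."""
    return ZONE.get(domain.lower())


def parse_terms(record):
    """Split 'v=spf1 ...' into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:          # modifier, e.g. redirect=other.example
            name, arg = term.split("=", 1)
        elif ":" in term:        # mechanism with argument, e.g. include:x
            name, arg = term.split(":", 1)
        else:                    # bare mechanism, e.g. a, mx, all
            name, arg = term, ""
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_lookups(domain, _path=()):
    """Recursively count lookup-causing terms, following include/redirect.

    Returns (lookups, problems). As in a real evaluator, a target reached
    through two different includes is counted each time it is evaluated.
    """
    if domain in _path:
        return 0, ["include loop: %s" % " -> ".join(_path + (domain,))]
    record = lookup_spf(domain)
    if record is None:
        return 0, ["no SPF record found for %s" % domain]
    lookups, problems = 0, []
    for qualifier, name, arg in parse_terms(record):
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            sub_lookups, sub_problems = count_lookups(arg, _path + (domain,))
            lookups += sub_lookups
            problems.extend(sub_problems)
        elif name == "all" and qualifier == "+":
            problems.append("%s uses +all, which authorises every sender" % domain)
    return lookups, problems


def audit(domain):
    """Summarise the record's health the way a review would report it."""
    lookups, problems = count_lookups(domain)
    if lookups > MAX_LOOKUPS:
        problems.append("%d DNS lookups exceeds the limit of %d; receivers "
                        "return permerror" % (lookups, MAX_LOOKUPS))
    return {"lookups": lookups, "problems": problems}


if __name__ == "__main__":
    for name in ("example.com.au", "sloppy.example"):
        print(name, audit(name))
```

Against the constructed zone, example.com.au comes out at eleven lookups plus a dangling include for the retired CRM, which is exactly the pattern that creeps in when each new vendor is pasted into the record without removing old ones. Against a live domain you would replace lookup_spf with a real TXT query and keep the counting logic unchanged.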
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It adds a digital signature to outgoing emails from your domain.
A simple way to think about DKIM is a tamper seal on a package. Your mail service signs each outgoing message with a private key, and the matching public key is published in your domain's DNS. When the email arrives, the receiving mail system uses that public key to check the seal, confirming the message has not been changed and that it really was signed on behalf of your domain.
DKIM works quietly in the background. Your customers do not see it, and your staff usually do not need to do anything differently once it is set up.
What DKIM helps with
- Helps prove an email is genuinely connected to your domain.
- Helps confirm the message was not altered on the way.
- Supports better email trust and delivery.
DKIM is especially important if your business uses services that send emails for you, such as email marketing tools, accounting platforms or customer management systems.
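To make the tamper seal concrete, here is an added example (not JCPIT's code and not from any mail product) that implements the part of DKIM verification that needs no key at all: the body hash carried in the bh= tag of the DKIM-Signature header. It canonicalises the body as RFC 6376 describes, hashes it with SHA-256, and compares the result with the signer's value, so a changed bank account number in an invoice email shows up as a mismatch. The invoice message, the domain, the selector and the placeholder b= value are all constructed for the example; checking the b= signature over the headers would need the public key from DNS and is left out.

```python
"""DKIM's tamper seal on the message body, checked without any keys.

Added example for this article, not JCPIT's code. It implements the body
hash (bh=) from RFC 6376 with the 'simple' and 'relaxed' body
canonicalisations and SHA-256. Verifying the b= signature over the headers
needs the signer's public key from DNS and is left out; a mismatched bh=
already fails the signature on its own.
"""
import base64
import hashlib
import re


def canonicalise_body(body, mode="simple"):
    """Normalise the body the way the verifier does before hashing."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # relaxed: collapse runs of spaces/tabs, drop trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalisation %r" % mode)
    text = "\r\n".join(lines)
    # drop empty lines at the end of the body and end with exactly one CRLF
    return text.rstrip("\r\n") + "\r\n"


def body_hash(body, mode="simple"):
    """Base64 of SHA-256 over the canonical body: the bh= value."""
    digest = hashlib.sha256(canonicalise_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Split 'v=1; a=rsa-sha256; d=...; bh=...' into a dict. Folding
    whitespace inside values, common in bh= and b=, is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_signature, body):
    """Recompute bh= from the body we received and compare it with the
    value the signer put in the header. The l= length tag is ignored."""
    tags = parse_dkim_signature(dkim_signature)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        raise ValueError("unsupported DKIM signature")
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"   # 'c=relaxed' alone means relaxed/simple
    return tags.get("bh") == body_hash(body, body_mode)


def signing_domain(dkim_signature):
    """The d= tag: the domain that takes responsibility for the message."""
    return parse_dkim_signature(dkim_signature).get("d")


# Constructed outgoing invoice email; the bank details are placeholders.
ORIGINAL_BODY = ("Hi Sam,\n\nInvoice 1042 is attached. Please pay to "
                 "BSB 000-000, account 12345678.\n\nThanks,\nAccounts\n")
TAMPERED_BODY = ORIGINAL_BODY.replace("12345678", "87654321")


def make_signature_header(body, domain="example.com.au", selector="mail2024"):
    """The tags a signer would emit for this body. b= is a placeholder: the
    key-based signature over the headers is not computed in this example."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; "
            "h=from:to:subject:date; bh=%s; b=PLACEHOLDER"
            % (domain, selector, body_hash(body, "relaxed")))


if __name__ == "__main__":
    header = make_signature_header(ORIGINAL_BODY)
    print("signed by:", signing_domain(header))
    print("original body matches bh=:", verify_body_hash(header, ORIGINAL_BODY))
    print("tampered body matches bh=:", verify_body_hash(header, TAMPERED_BODY))
```

The relaxed canonicalisation is why a message that picked up reflowed whitespace in transit still verifies, while a single changed digit in the account number does not. To try it on a real message, paste the DKIM-Signature header and the raw body in; most large providers sign with c=relaxed/relaxed, which this handles.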
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It builds on SPF and DKIM and tells mail systems what to do when an email fails the checks.
In plain English, DMARC is the rulebook. It says, “If an email claims to be from us but does not pass the right checks, here is how you should handle it.”
DMARC can be set to different levels, written as the p= value in the record:
- Monitor (p=none): collect reports without blocking anything.
- Quarantine (p=quarantine): send suspicious emails to junk or spam.
- Reject (p=reject): block suspicious emails from being delivered.
Many businesses start with monitoring so they can see who is sending email on behalf of their domain. Once everything legitimate is accounted for, the policy can be tightened.
Why DMARC reports are useful
DMARC can provide reports, sent by receiving mail systems to an address you list in your DMARC record, showing which services are sending email using your domain. This helps identify approved services, forgotten systems and possible abuse.
For example, you might discover that your website, accounting software or old marketing platform is still sending emails. You might also see suspicious attempts from systems you do not recognise.
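Aggregate reports arrive as XML, and reading them by hand is where most small businesses give up. The script below is an added example for this article, not JCPIT's tooling: it parses a report in the RFC 7489 format and sorts each sending source into three buckets, the ones that pass DMARC, the vendors that pass SPF only for their own bounce domain (the "forgotten system" case, fixed by enabling DKIM or a custom bounce domain with that vendor), and everything else. The report, its reporter name, addresses (from the documentation ranges) and message counts are all constructed.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.

Added example for this article, not JCPIT's code. The report below is
constructed in the RFC 7489 Appendix C format: the organisation name,
addresses (documentation ranges) and counts are invented.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>20240501-example</report_id>
    <date_range><begin>1714521600</begin><end>1714608000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com.au</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p>
  </policy_published>
  <!-- main mail platform: SPF and DKIM both pass and align -->
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com.au</domain><result>pass</result></dkim>
      <spf><domain>example.com.au</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- old marketing platform: SPF passes for the vendor's bounce domain,
       which is not ours, and the vendor does not sign with DKIM -->
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.marketing.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown source: SPF fails for our domain, no DKIM signature -->
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip>
      <count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com.au</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return the published policy plus one dict per <record>."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the aligned results the receiver computed
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # auth_results holds the raw checks and the domains they ran against
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "spf_result": rec.findtext("auth_results/spf/result"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "rows": rows,
    }


def classify(row):
    """DMARC passes when either aligned check passes. A source whose SPF
    passed only for a different domain is a vendor sending on our behalf
    without alignment. Anything else is unauthorised until proven otherwise."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "authorised"
    if row["spf_result"] == "pass" and row["spf_domain"] != row["header_from"]:
        return "unaligned_vendor"
    return "unauthorised"


def summarise(xml_text):
    """Message counts per bucket, plus the source addresses in each bucket."""
    report = parse_report(xml_text)
    counts, sources = defaultdict(int), defaultdict(list)
    for row in report["rows"]:
        bucket = classify(row)
        counts[bucket] += row["count"]
        sources[bucket].append(row["source_ip"])
    return {"policy": report["policy"], "counts": dict(counts), "sources": dict(sources)}


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
```

Run over a week of real reports, the unauthorised bucket is what a reject policy would have blocked and the unaligned_vendor bucket is what it would have blocked by mistake, which is the evidence you want before tightening the policy.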
How SPF, DKIM and DMARC work together
These three settings are strongest when they work together.
- SPF checks whether the sending server is allowed to send for your domain.
- DKIM checks whether the email carries a valid digital signature for your domain.
- DMARC checks that the domain that passed SPF or DKIM matches the From address the recipient sees (this is called alignment), and tells receiving mail systems what to do if neither check passes.
Using only one of them is better than nothing, but it leaves gaps. For proper protection, your domain should have all three set up correctly.
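The alignment step is what closes the gap described above, and it is small enough to show in full. The code below is an added example for this article, not JCPIT's code: it evaluates one message the way a receiving mail system does, combining the SPF result (for the bounce domain), the DKIM result (for the d= domain of a verified signature) and the published DMARC record into a verdict and a disposition. The organisational-domain lookup uses a tiny constructed suffix list in place of the real Public Suffix List, and the pct= and sp= tags are not handled; the domains and records in the scenarios are made up.

```python
"""How DMARC combines SPF and DKIM: alignment plus policy.

Added example for this article, not JCPIT's code. It evaluates one message
the way a receiving mail system does under RFC 7489. The organisational
domain lookup uses a tiny constructed suffix list; real software uses the
Public Suffix List. The pct= and sp= tags are not handled.
"""

# Constructed subset of public suffixes. Without 'com.au' in this set the
# organisational domain of example.com.au would wrongly come out as com.au.
PUBLIC_SUFFIXES = {"com", "net", "org", "au", "com.au", "net.au", "co.uk", "example"}


def organisational_domain(domain):
    """The registrable domain: one label above the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc_record(txt):
    """Tags from a _dmarc TXT record, e.g. 'v=DMARC1; p=quarantine; rua=...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def is_aligned(header_from, auth_domain, mode):
    """Relaxed ('r') alignment matches organisational domains; strict ('s')
    requires exactly the same domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organisational_domain(header_from) == organisational_domain(auth_domain)


def evaluate_dmarc(header_from, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the domain SPF was checked against (the bounce address,
    not From); dkim_domain is the d= tag of a signature that verified.
    """
    spf_ok = spf_result == "pass" and is_aligned(header_from, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(header_from, dkim_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record.get("p", "none")


if __name__ == "__main__":
    record = parse_dmarc_record("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com.au")
    # Vendor sends with its own bounce domain but signs with our DKIM key:
    print(evaluate_dmarc("example.com.au", "pass", "bounce.vendor.example",
                         "pass", "example.com.au", record))
    # Same vendor before DKIM was enabled: SPF passes but for the wrong domain.
    print(evaluate_dmarc("example.com.au", "pass", "bounce.vendor.example",
                         "none", None, record))
    # Spoof from an unlisted server with no signature.
    print(evaluate_dmarc("example.com.au", "fail", "example.com.au",
                         "none", None, record))
```

The second scenario is the one that catches businesses out when they move from monitoring to quarantine: the vendor was "passing SPF" in its own dashboard, but not for your domain, so DMARC fails until DKIM is enabled for that vendor or it is given a bounce domain under yours.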
Will this stop all scam emails?
No. It is important to be realistic. SPF, DKIM and DMARC help protect your domain from being impersonated, but they do not stop every phishing email or every scam.
A scammer could still register a lookalike domain, such as a slightly misspelled version of your business name. They could also send emails from a free email account pretending to be a supplier or manager.
That is why email security should also include staff awareness, strong passwords, multi-factor authentication and careful handling of payment changes.
Common signs your email security needs attention
You may need to review your SPF, DKIM and DMARC settings if:
- Customers say your emails are going to junk.
- You receive bounce-back messages you do not understand.
- Someone reports a fake email that appears to come from your business.
- You use several systems to send email, such as Microsoft 365, Xero and Mailchimp.
- You are not sure who last checked your domain settings.
- You recently changed website, email or IT providers.
Even if email appears to be working, these settings can still be incomplete or too weak. Many businesses only discover the problem after something goes wrong.
What business owners should do next
You do not need to become an email security expert. But you should make sure someone trustworthy has checked your domain and confirmed that SPF, DKIM and DMARC are properly configured.
A practical review should include:
- Checking which services are allowed to send email for your domain.
- Confirming DKIM is enabled for your main email platform and other sending tools.
- Setting up DMARC in a safe, staged way.
- Reviewing DMARC reports before moving to stricter protection.
- Documenting what has been set up so it can be maintained over time.
The goal is simple: protect your business name, improve trust in your emails and reduce the chance of scammers using your domain against you.
Need help checking your email security?
SPF, DKIM and DMARC can sound complicated, but the business outcome is straightforward. They help prove your emails are legitimate and make it harder for criminals to impersonate your business.
If you are not sure whether your domain is protected, JCPIT Support can help. We offer a free security check for Australian small businesses, including a review of key email security settings and practical advice on what to fix first.
Contact JCPIT Support to book your free security check and make sure your business email is working for you, not against you.