Email Deliverability and Security: ELI5 Guide to SPF, DKIM and DMARC

David Pottrell

Hi! I’m a web developer and Head of Digital at Nebula Design who loves all things tech. When I’m not surrounded by code, I’m probably reading up on the latest development trends or playing with AI.

I got my start in technology as a self-taught web freelancer; after studying at university and joining a small agency, Nebula Design was created. I specialise in both front-end and back-end development, typically around WordPress, and I’ve also got a keen interest in Usability, Accessibility, AI and various emerging tech standards.

Published on February 5th, 2026


Sending an email from your website should be simple. Someone fills in a form, clicks “submit”, and a message lands safely in your inbox. But behind the scenes, email is surprisingly easy to fake – and email providers are very suspicious because of it.

To protect people from spam and scams, inbox providers like Google and Microsoft ask one big question every time an email arrives:

“Can we trust this?”

That’s where SPF, DKIM and DMARC come in. They’re the rules that prove your emails are genuine – and they’re essential if you want your website emails to actually arrive.

Think of Email Like Sending Letters

Imagine email works like sending letters in the post:

Letter example
  • Your domain (example.com) is the name written on the envelope
  • Your website is the person sending the letter
  • The email server is the postman
  • The recipient’s inbox is the letterbox

The problem? Anyone can write your name on an envelope – even if they’re not you.

So email systems need ways to check:

  1. Who is allowed to send letters for your domain?
  2. Has the letter been changed?
  3. What should we do if something looks wrong?

That’s exactly what SPF, DKIM and DMARC answer.

With this in mind, let’s run through a quick ELI5 of SPF, DKIM and DMARC.


SPF: “Who Is Allowed to Send Email for This Website?”

SPF in Plain English

SPF (Sender Policy Framework) is a public list that says:

“These are the computers allowed to send emails for my domain – and no others.”

If an email comes from a server not on that list, inbox providers get suspicious.

SPF is that allow-list, applied to email.

How SPF Works (Simplified)

  1. You add an SPF record to your domain’s DNS (the internet’s address book)
  2. That record lists all services allowed to send email for you
    (your website, your email provider, your newsletter tool, etc.)
  3. When an email arrives, the receiving server checks the list
  4. If the sender isn’t listed, the email may be rejected or marked as spam
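Here is what the receiving server’s check looks like in code. This is an added, simplified example written for this guide (it is not the author’s code and not a full RFC 7208 implementation): the “DNS” is a constructed dictionary standing in for real lookups, the domains and IP addresses are documentation examples, and only the ip4, ip6, include and all mechanisms are handled. It also shows the case the article describes under “contact form emails go to spam”: a web server whose address is not in the record.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not any real domain's records).
# example.com allows its own web server plus everything its mail provider's record allows.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 allows at most 10 DNS-querying mechanisms per check

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record published for a domain, or None if there is none."""
    record = DNS_TXT.get(domain)
    if record and record.startswith("v=spf1"):
        return record
    return None


def check_spf(domain, sender_ip, _lookups=None):
    """Evaluate a domain's SPF record against the IP that connected to us.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across nested include: lookups
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]

        if term == "all":
            return result  # "-all" => fail, "~all" => softfail for anything not matched above
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)  # bare address => /32 or /128
            if ip.version == network.version and ip in network:
                return result
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups: receivers treat the record as broken
            if check_spf(value, sender_ip, _lookups) == "pass":
                return result
        # a, mx, exists and similar mechanisms need live DNS and are skipped in this offline example
    return "neutral"  # no "all" term at the end: RFC 7208 default


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.42", "2001:db8::1", "192.0.2.77"):
        print(ip, "->", check_spf("example.com", ip))
```

The last address, 192.0.2.77, stands for a web server that sends contact-form mail but was never added to the record: the chain ends at `-all`, so the result is `fail` and the message is a candidate for the spam folder.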

Why SPF Matters for Website Emails

Many website emails fail because:

  • The website sends email
  • But SPF doesn’t say it’s allowed to

The result? Contact form messages go to spam or disappear entirely.

DKIM: “Proving the Email Wasn’t Changed”

DKIM in Plain English

DKIM (DomainKeys Identified Mail) is like a digital signature added to every email.

It proves two things:

  • The email really came from your domain
  • The content hasn’t been altered on the way

DKIM is like the wax seal on a letter – but digital.

How DKIM Works (Simplified)

  1. Your email system signs each message using a secret key
  2. A matching public key is published in your DNS
  3. The receiving server checks the signature
  4. If it matches, the email is trusted

If someone tries to fake your email, they can’t create a valid DKIM signature, because they don’t have your secret key.
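To make step 3 concrete, here is the part of DKIM verification that proves “the content hasn’t been altered”. This is an added example for this guide, not the author’s code and not a complete DKIM verifier: it parses the tags of a DKIM-Signature header, derives the DNS name where the public key lives, and recomputes the body hash (`bh=`) using the “simple” canonicalization from RFC 6376. The `b=` signature over the headers needs RSA and the public key from DNS, which the Python standard library cannot do on its own, so that step is left out; the sample message and selector name `web2026` are constructed.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")  # split on the first "=" only (base64 may end in "=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def public_key_dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<signing domain>, as a TXT record."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: drop empty lines at the very end, finish with one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(header_value, body):
    """True if the body received still hashes to the bh= value the signer committed to."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or "bh" not in tags:
        return False
    return body_hash(body) == tags["bh"]


# Constructed sample message (not a real email). A signer computes bh= from the body it signed.
SAMPLE_BODY = "Hello,\r\nThanks for your order #1234.\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=web2026; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; "
    "b=PLACEHOLDER-not-a-real-signature"  # real value: RSA signature over the headers and bh=
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_SIGNATURE)
    print("public key lookup:", public_key_dns_name(tags))
    print("body intact:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("#1234", "#9999")
    print("body tampered:", body_hash_matches(SAMPLE_SIGNATURE, tampered))
```

Changing a single character of the body produces a different hash, so the check fails; adding blank lines at the very end does not, because canonicalization removes them before hashing. That is why a forwarding server can add trailing whitespace without breaking legitimate mail.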

Why DKIM Matters

Even if SPF passes, emails without DKIM:

  • Look less trustworthy
  • Are more likely to be filtered
  • Can be altered without detection

Modern inbox providers strongly expect DKIM to be present.

DMARC: “What Should Happen If Something Fails?”

DMARC in Plain English

DMARC is the rulebook.

It tells inbox providers:

  • How to handle emails that fail SPF or DKIM
  • Whether to allow them, send them to spam, or block them completely
  • Where to send reports about what’s happening

A Simple Analogy

SPF and DKIM are checks.
DMARC is the instruction manual that says:

Without DMARC, inbox providers guess.
With DMARC, you decide.

How DMARC Works (Simplified)

  1. You publish a DMARC record in DNS
  2. It sets a policy:
    • none – just monitor
    • quarantine – send suspicious emails to spam
    • reject – block them completely
  3. You receive reports showing:
    • Who is sending email for your domain
    • What passes
    • What fails
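The piece the bullets above leave implicit is that DMARC does not just ask “did SPF or DKIM pass?” but “did one of them pass for a domain that matches the From address?” (identifier alignment). This added example, written for this guide and not taken from the author or any library, parses a DMARC record, applies relaxed or strict alignment, and returns the disposition the policy asks for. The records and domains are constructed; `org_domain` is a deliberate simplification (last two labels) where real receivers consult the Public Suffix List, and the `pct=` sampling tag is ignored.

```python
def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment: same organisational domain. Strict ('s'): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record_txt, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    record_domain: where the record was found (the From domain or its organisational domain).
    spf_domain:    the envelope-sender (MAIL FROM) domain SPF was checked against.
    dkim_domain:   the d= tag of a DKIM signature that verified, or None.
    """
    record = parse_dmarc_record(record_txt)
    if record is None:
        return ("none", "none")  # no usable policy: receiver falls back to its own judgement
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, record.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    policy = record["p"]
    # sp= overrides p= for subdomains of the domain the record is published on
    if from_domain.lower() != record_domain.lower() and "sp" in record:
        policy = record["sp"]
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    return ("fail", policy)


# Constructed records for example.com: one in monitoring mode, one enforcing.
MONITORING_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING_RECORD = "v=DMARC1; p=quarantine; sp=reject; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Web server sends with an envelope sender under example.com and no DKIM: SPF aligns (relaxed)
    print(evaluate_dmarc(ENFORCING_RECORD, "example.com", "example.com",
                         "pass", "web1.example.com", "none", None))
    # Spoofed message, neither check passes: quarantine under the enforcing policy
    print(evaluate_dmarc(ENFORCING_RECORD, "example.com", "example.com",
                         "fail", "attacker.example", "fail", None))
    # Same spoof while still in monitoring mode: delivered, but it shows up in the reports
    print(evaluate_dmarc(MONITORING_RECORD, "example.com", "example.com",
                         "fail", "attacker.example", "fail", None))
```

The monitoring-mode record is the one the checklist at the end of the article recommends publishing first: failures are reported to the `rua=` address but nothing is blocked, so a forgotten sender (a newsletter tool, an invoice system) is discovered in the reports rather than by its mail disappearing.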

Why DMARC Matters

DMARC:

  • Protects your domain from being used in phishing attacks
  • Improves email deliverability
  • Gives visibility into hidden or forgotten email senders
  • Is now required by many major inbox providers

Without DMARC, your domain is easier to abuse.

How These Three Work Together

Think of them as a team:

Technology   Simple Role
SPF          Who is allowed to send
DKIM         Proves the email is genuine
DMARC        Decides what happens if checks fail

You need all three for strong email security and reliable delivery.

Common Website Email Problems (And Why They Happen)

“Our contact form emails go to spam”

Often caused by:

  • Missing SPF entries for the web server
  • No DKIM signing
  • No DMARC policy

“Emails work sometimes, but not always”

Usually means:

  • Multiple sending services
  • SPF record missing one of them
  • Conflicting configurations

“We didn’t know our website sent email”

Many websites send email automatically:

  • Contact forms
  • Order confirmations
  • Password resets
  • System notifications

If they’re not authorised properly, inbox providers won’t trust them.

Let’s Get Started & Final Thoughts

  1. List everything that sends email for your domain
  2. Set up SPF to allow those senders
  3. Enable DKIM on each email service
  4. Publish a DMARC record in monitoring mode
  5. Review reports before tightening the policy

Rushing straight to strict blocking can break legitimate emails – so gradual setup is best. If you have an IT provider, they’re typically the best first line of support here.

Email deliverability isn’t about tricks or hacks. It’s about trust.

  • SPF says who can send.
  • DKIM proves what was sent hasn’t changed.
  • DMARC tells inbox providers how seriously to take failures.

When your website emails are properly authenticated:

  • Messages arrive reliably
  • Your domain is harder to abuse
  • Your brand looks professional and trustworthy

And once it’s set up correctly, it quietly does its job in the background – just like good infrastructure should.

Additional Resources