block 2 · online
osint/lab
Log inSign up
DNS / MX / SPF / DMARC Inspector · dev-docs

Reading SPF, DKIM and DMARC

A practical guide to what SPF, DKIM and DMARC actually tell you about a domain.

status
Published
slug
email-authentication
published
Apr 20, 2026
DNS / MX / SPF / DMARC Inspector

Reading SPF, DKIM and DMARC

SPF, DKIM and DMARC are three independent mechanisms that together determine how much a receiving mail server trusts email that claims to come from a domain.

SPF

Lists the hosts allowed to send mail on behalf of the domain. Verifies the envelope sender only — not the From: header the user sees.

DKIM

Cryptographic signature added by the sending infrastructure. Proves that the message was signed by a specific domain and that it hasn't been modified in transit.

DMARC

A policy built on top of SPF and DKIM: the domain owner tells receivers what to do when a message fails alignment (none, quarantine, reject) and where to send aggregate reports.

Common patterns

  • p=none with reporting is a monitoring posture — good for a migration, weak as a long-term steady state.
  • A missing DKIM selector isn't proof of absence — the Inspector only checks a small set of common selectors.
  • A -all SPF record is strict; ~all is soft-fail; ?all is advisory only.
last published Apr 20, 2026