DMARC, SPF & DKIM in plain English.
Three acronyms that sound scary and aren't. Here's what each one actually does, why you need all three, and how they fit together. No jargon, about two minutes.
Why email needs this at all
Email has an original sin: by default, anyone can write your domain in the From line. Nothing in the basic protocol stops a scammer from sending "billing@yourcompany.com" to your customers. SPF, DKIM, and DMARC are the three layers that fix this. They let a receiving mail server check whether a message claiming to be from you actually is.
SPF: who's allowed to send
Sender Policy Framework. You publish a list in DNS of the servers allowed to send mail for your domain. When a message arrives, the receiver checks: did this come from a server on the list? Pass or fail.
SPF's weak spot: it checks the hidden "envelope" sender, not the From address your reader sees, and it breaks when mail is forwarded, because forwarding changes the sending server. So SPF alone isn't enough.
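To make the "is this server on the list?" check concrete, here is an added example that is not code from this page or from dmarcula. It evaluates a sending IP against an SPF record, using a constructed in-memory zone in place of real DNS lookups (all domains and addresses are made up) and implementing only the ip4, ip6, include and all mechanisms:

```python
import ipaddress

# Constructed stand-in for DNS: a tiny in-memory zone of TXT records.
# Assumption: these domains and addresses are made up for the example.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record from the constructed zone, or None."""
    record = FAKE_TXT.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Only the ip4, ip6, include and all mechanisms are implemented; anything
    else yields 'permerror', which is also what real evaluators return for an
    unknown mechanism.  Returns pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:            # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"         # the domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"       # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = addr.version == net.version and addr in net
        elif term.startswith("include:"):
            # include: matches only if the referenced record evaluates to "pass"
            matched = check_spf(ip, term[len("include:"):], depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # ran off the end of the record without a match
```

Note how the vendor's record ends in ~all (softfail) while the domain's own ends in -all (fail): a message from an address the vendor does not list falls through the include and is then rejected by the outer -all, which is the usual arrangement.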
DKIM: a tamper-proof signature
DomainKeys Identified Mail. Your sending system adds a cryptographic signature to each message; the receiver verifies it against a public key you publish in DNS. A valid signature proves two things: the message really came from someone holding your key, and it wasn't tampered with in transit.
Crucially, a DKIM signature survives forwarding, which is exactly why it matters so much, and why getting DKIM right on every sender is the key to moving to an enforcing policy without breaking forwarded mail.
Alignment: the part that matters most
Here's the piece everyone misses. It's not enough for SPF or DKIM to pass for some domain. A scammer can easily make them pass for a domain they own. What stops the spoof is alignment: the domain that passed SPF or DKIM has to match the domain in the From address your reader sees. Pass and align, and the message is genuinely yours.
DMARC: the policy that ties it together
Domain-based Message Authentication, Reporting & Conformance. DMARC sits on top of SPF and DKIM and adds the two things they're missing: a rule and a feedback loop. In one DNS record, you tell the world:
- "For my domain, require SPF or DKIM to pass and align."
- "If a message fails, here's what to do with it: p=none (just watch), quarantine (send to spam), or reject (block it)."
- "And send me reports on everything you saw."
That last part is the quiet superpower: even at p=none, DMARC makes mailbox providers mail you a daily summary of every source sending as your domain, which is how you discover what's really out there before you ever block anything.
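The alignment rule from the previous section and the DMARC record described here come together in the receiver's final decision. The following is an added example, not code from this page or from dmarcula: it parses a DMARC TXT record and then combines the SPF and DKIM results with the alignment check to produce the DMARC verdict and disposition. The organizational-domain helper is a deliberate simplification (last two labels); real implementations use the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=...; ...') into a dict of tags.

    Fills in the defaults the spec assumes when a tag is absent: relaxed
    alignment ('r') for both DKIM and SPF.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain used for relaxed alignment.

    Assumption: the last two labels.  Real implementations consult the
    Public Suffix List so that names like 'example.co.uk' work correctly.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with alignment the way a receiver does.

    spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of the verified signature (None if unsigned).
    Returns the DMARC result and the disposition the published policy asks for.
    """
    policy = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        # Either identifier passing AND aligning is enough; deliver normally.
        return {"dmarc": "pass", "disposition": "none",
                "via": "dkim" if dkim_ok else "spf"}
    return {"dmarc": "fail", "disposition": policy["p"], "via": None}


# Constructed record for example.com (a made-up domain): quarantine on failure,
# strict DKIM alignment, relaxed SPF alignment.
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; adkim=s; aspf=r"
```

Two cases worth tracing by hand: a forwarded message whose SPF now fails but whose DKIM signature (d=example.com) still verifies passes DMARC, which is the point made under DKIM above; a message whose SPF passes for scammer.example while the From says example.com fails, because nothing aligned, and gets the quarantine disposition.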
So where does dmarcula come in?
Those reports arrive as dense XML, from dozens of providers, every day. dmarcula collects them, parses them, and turns them into a picture you can actually read (who's sending as you, what's passing, what isn't), then guides you safely up the policy ladder to full protection.
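To show what "dense XML" turns into once parsed, here is an added example that is not dmarcula's code and not from this page. It reads one aggregate report in the standard feedback format (a constructed sample with made-up reporter, addresses and counts) and produces the per-source picture described above: who sent as the domain, how much, and whether it passed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 feedback format; every name,
# address and count below is made up for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>example-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.55</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>scammer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Turn one aggregate report into a per-source table plus totals.

    A source counts as DMARC-passing when the provider's policy_evaluated
    block shows an aligned DKIM or SPF pass.  Reports arrive from the
    internet, so a production parser should use defusedxml instead of the
    stdlib parser used here for brevity.
    """
    root = ET.fromstring(xml_text)
    sources = []
    total = passing = 0
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        sources.append({
            "ip": rec.findtext("row/source_ip"),
            "count": count,
            "dmarc_pass": dkim_aligned or spf_aligned,
            # raw auth_results show *which* domain authenticated, aligned or not
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
        })
        total += count
        if dkim_aligned or spf_aligned:
            passing += count
    sources.sort(key=lambda s: s["count"], reverse=True)   # biggest senders first
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "passing": passing,
        "failing": total - passing,
        "sources": sources,
    }
```

In the sample, the second source is the forwarding case from earlier: raw SPF passed for forwarder.example, which does not align, but the DKIM signature for example.com carried through, so the source still passes. The third source passed SPF only for scammer.example and carries no signature for the domain, so its 15 messages are the ones a move up the policy ladder would start to quarantine.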
What's next
- Getting started: point your domain at dmarcula and start collecting reports.
- The enforcement journey: how the policy ladder works, step by safe step.
- Glossary: every acronym in one place.