- 23
- June
SPF, DKIM and DMARC are three email authentication standards that work together to prove that "an email claiming to come from your domain really came from you." SPF declares which servers are authorized to send mail for your domain, DKIM applies a cryptographic signature to stop tampering, and DMARC is the policy that tells receivers what to do when a message fails — and sends a report back to the domain owner. Together they form the first layer of organizational data security that works hand in hand with two-factor authentication (2FA) and the e-Tax Invoice systems that deliver documents over email.
In short: Think of sending physical mail — SPF = the list of postal workers allowed to deliver on your behalf, DKIM = a wax seal that proves the letter wasn't opened or altered, DMARC = the standing instruction that says "if there's no name on the list and no seal, bounce it or bin it — and send me a report." Since Feb 2024, Gmail and Yahoo — and since May 2025, Microsoft Outlook — require bulk senders to have all three, or their email lands in spam or gets rejected.
Why Care "Now"? — Because It Became Mandatory
Many organizations once treated SPF/DKIM/DMARC as "nice to have." Since 2024, the world's largest email providers have flipped that to "don't have it = won't deliver," especially for organizations that send high volumes — ERP notifications, invoices, newsletters, or marketing email.
| Provider | Enforced from | Who's affected & what's required |
|---|---|---|
| Gmail + Yahoo | Feb 2024 | Senders of ~5,000+ messages/day to Gmail accounts must have SPF + DKIM + DMARC (at least p=none), one-click unsubscribe, and keep their spam complaint rate below 0.3% |
| Microsoft Outlook / Hotmail | May 2025 | Senders of 5,000+ messages/day must have SPF + DKIM + DMARC. Non-compliant mail goes to Junk and is later rejected with error "550 5.7.515 Access denied" |
| Other providers | Following suit | Apple Mail and most corporate spam filters use SPF/DKIM/DMARC signals to decide between inbox and spam |
The key point: the 5,000/day threshold doesn't mean small organizations are off the hook — even sending a few hundred a day, lacking DMARC lets attackers spoof your domain to deceive your customers, and your own legitimate email is more likely to land in spam.
What Is SPF? — "Who Is Allowed to Send for Me"
SPF (Sender Policy Framework) is a DNS TXT record listing which servers (IP addresses) are authorized to send email on behalf of your domain. When a receiving server gets a message, it checks whether the real sending IP is on the list your domain published. The standard is defined in RFC 7208.
An example SPF record that authorizes Google Workspace plus one organizational server IP to send:
example.com. IN TXT "v=spf1 include:_spf.google.com ip4:203.0.113.25 -all"
The most important part is the closing tag, which decides how servers "not on the list" are handled:
-all(Fail / strict) — servers not on the list are treated as "fail" → recommended for production~all(SoftFail / lenient) — not-listed is "suspicious" but still accepted → good for early testing+all— allows every server → never use this, it's the same as having no SPF
Limitation to note: SPF allows at most 10 DNS lookups per check. If you add include: entries for too many providers and exceed it, the record returns "PermError" and the whole SPF fails — a very common mistake when an organization runs multiple sending systems (ERP, CRM, newsletter platform) at once.
SPF's weaknesses that DKIM and DMARC fill in: SPF only checks the "envelope" address (the Return-Path), not the From: domain the user actually sees, and SPF "breaks" when mail is forwarded because the sending IP changes. That's why SPF alone is not enough.
What Is DKIM? — "A Wax Seal Against Tampering"
DKIM (DomainKeys Identified Mail) applies a cryptographic signature to an email using public-key cryptography (RFC 6376) — the same concept as an electronic signature. The sending server uses a private key to sign the headers and body, embedding the signature in a header, while the receiver fetches the public key from the domain's DNS record to verify it.
If it passes, two things are simultaneously true: (1) the email truly came from the claimed domain, and (2) the content was not altered in transit. An example DKIM-Signature header and the public-key DNS record:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; h=from:to:subject:date; bh=...; b=... selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."
The word selector1 is the "selector" — it lets one domain hold several keys (e.g. separate keys for the ERP, the newsletter platform, and Google Workspace) and rotate keys independently. A key advantage: DKIM survives forwarding, because the signature travels with the email and isn't tied to the sending IP.
What Is DMARC? — "The Policy and Reporting That Ties It All Together"
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that sits on top of SPF and DKIM (RFC 7489). It does three things:
- Alignment — requires the
From:domain the user sees to match the domain that passed SPF or DKIM. This is the core that closes the loophole SPF/DKIM leave open alone. - Policy — tells receivers what to do with mail that fails.
- Reporting — has receivers send aggregate reports back so the domain owner can see who is sending mail in their name.
An example DMARC record setting the strictest policy (reject) with reporting enabled:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"
The p= value is the policy level, which you should ramp up gradually so legitimate mail isn't blocked by accident:
| Policy | What receivers do with failing mail | Best for |
|---|---|---|
| p=none | Nothing — just send reports back (monitoring mode) | The start — learn who sends in your name |
| p=quarantine | Move failing mail to Junk / Spam | Once you're sure legitimate mail passes |
| p=reject | Reject failing mail outright (never reaches the recipient) | The end goal — actually stops domain spoofing |
The adkim=s and aspf=s set strict alignment that must match exactly, whereas the default r (relaxed) accepts a match at the organizational-domain level (e.g. mail.example.com counts as matching example.com). Most organizations start with relaxed.
SPF vs DKIM vs DMARC in One Table
The three are not "alternatives" — they are a "team that must work together." A summary of each one's role:
| Topic | SPF | DKIM | DMARC |
|---|---|---|---|
| Checks what | Whether the sending IP is authorized | Digital signature + content untampered | From domain aligns with SPF/DKIM + policy |
| Looks at field | Return-Path (envelope) | DKIM-Signature header | From: (what the user sees) |
| Breaks on forward? | Breaks (IP changes) | Survives (signature travels with mail) | Passes if DKIM passes |
| Has reporting? | No | No | Yes (aggregate / forensic) |
| Standard | RFC 7208 | RFC 6376 | RFC 7489 |
The most dangerous misconception: "I have SPF and DKIM, so I'm safe" — wrong. Without DMARC, an attacker can still pass SPF/DKIM for their own domain and set the From: to your company name. The recipient sees your company name in full even though the mail didn't come from you. Only DMARC + alignment closes this gap, and you must reach p=quarantine or p=reject for it to actually protect you (staying at p=none is like installing CCTV but leaving the door unlocked).
Why This Matters for ERP Organizations
Modern ERP systems send email "on your behalf" constantly — quotations, invoices, purchase orders, electronic tax invoices, and approval notifications. Because this email "is about money," it becomes a direct target for fraudsters.
The most dangerous case is Business Email Compromise (BEC) — an attacker spoofs email in your company's name to your customers, attaching an "invoice" that looks exactly real but with a changed destination account number. If your domain lacks a DMARC reject policy, the customer has no way to know the email is fake. This is the same mechanism explained in our article on accounts payable and invoice-fraud prevention.
| Email from ERP | Without SPF/DKIM/DMARC | With all three + DMARC reject |
|---|---|---|
| Quotation / invoice | Risk of spam; customer never sees it / spoofed with a changed account | Reaches inbox + cannot be spoofed in your domain |
| Notification / approval OTP | Slow or undelivered, disrupting workflow | Arrives on time and trusted |
| Domain reputation | Degrades when abused for spam/phishing | Protects the brand + enables BIMI to show your logo in the inbox |
To be fully honest: SPF/DKIM/DMARC are configured at the domain and mail-server level of the organization, not a feature inside the ERP software itself. What the Grand Linux team can do is configure the ERP to send through an SMTP relay that signs DKIM correctly, and advise on placing matching SPF/DKIM/DMARC records on your domain's DNS — so that email leaving the ERP passes all three checks.
How to Roll It Out Correctly (Without Breaking Your Own Mail)
- First map who sends mail in your domain's name — ERP, staff email (Google Workspace / Microsoft 365), newsletter platform, CRM, and so on. Make a complete list.
- Build SPF to cover every source — add each provider's
include:, watching the 10 DNS-lookup ceiling. - Enable DKIM on every system that supports it — each system usually generates a selector + public key for you to publish in DNS.
- Start DMARC at p=none — to collect reports (rua) and see which sources don't yet pass alignment.
- Move up to quarantine, then reject — only once the reports are stable and 100% of legitimate mail passes do you tighten the policy.
- Review reports regularly — the DMARC report is your radar showing whether anyone is trying to spoof your domain.
Important advice: Don't jump straight to p=reject on day one before you've verified from DMARC reports that the legitimate mail of every system passes alignment — otherwise quotations or invoices from your ERP could be rejected unintentionally. Always go one step at a time.
Summary: Which Organization Should Do What
| Organization | Minimum to have | Target |
|---|---|---|
| SME sending general business email | SPF + DKIM + DMARC p=none | Ramp to p=quarantine |
| High-volume sender (5,000+/day) | All three + one-click unsubscribe | p=reject + spam rate < 0.3% |
| Organization sending financial/government documents | All three + strict alignment | p=reject + BIMI logo display |
Your email domain is your brand's digital signature — leaving SPF, DKIM and DMARC unset is like signing blank cheques for anyone to pick up and fill in. The work takes a few hours, but it protects a level of trust you cannot put a price on.
- The Saeree ERP Team
Want every ERP email to reach the inbox?
Talk to the Grand Linux Solution experts about configuring SPF/DKIM/DMARC for the domain that sends mail from Saeree ERP.
Request a Free ConsultationTel 02-347-7730 | sale@grandlinux.com
References
- RFC 7208 — Sender Policy Framework (SPF): datatracker.ietf.org/doc/html/rfc7208
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures: datatracker.ietf.org/doc/html/rfc6376
- RFC 7489 — Domain-based Message Authentication, Reporting & Conformance (DMARC): datatracker.ietf.org/doc/html/rfc7489
- Google — Email sender guidelines (bulk senders, Feb 2024): support.google.com/mail/answer/81126
- Yahoo — Sender Best Practices: senders.yahooinc.com/best-practices
- Microsoft — Strengthening Email Ecosystem: Outlook's New Requirements for High-Volume Senders (May 2025): techcommunity.microsoft.com
