ADN-TI — Solutions sur mesure
Cybersecurity · Microsoft 365 · Email

SPF, DKIM, DMARC: protect your email (and your reputation)

The ADN-TI team

A supplier receives a fake invoice “from you,” complete with your logo and address. Your clients start seeing your email flagged as junk. In both cases, the cause is often the same: your domain isn’t properly authenticated. Now that Microsoft and Google are tightening their rules for senders, this has become unavoidable — even for a small organization.

The problem: anyone can write “on your behalf”

Email was designed in the 1980s with no built-in way to verify the sender. Without protection, nothing stops a fraudster from sending a message that displays billing@yourcompany.ca — this is domain spoofing, the foundation of phishing and wire-transfer fraud.

Three records, added to your domain name, close that door. They work together.

SPF — who is allowed to send

SPF (Sender Policy Framework) is a public list of the servers authorized to send email for your domain (Microsoft 365, your payroll software, your newsletter platform…). The receiving server checks: “did this message come from a source on the list?”

DKIM — a tamper-proof signature

DKIM (DomainKeys Identified Mail) adds a digital signature to every message. The receiving server confirms the content wasn’t altered in transit and genuinely came from your domain.

DMARC — the rule that decides

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together and tells receiving servers what to do with a message that fails: let it through, quarantine it, or reject it. The essential bonus: DMARC sends you reports that reveal who is sending email in your name, often an eye-opener.

The mistakes we see most often

  1. Having SPF only. It’s a start, but without DMARC you block nothing and see nothing. The three belong together.
  2. Jumping to “reject” too fast. Turning DMARC to strict mode without watching the reports risks blocking your own newsletters or billing system. You start in monitoring, fix issues, then tighten.
  3. Forgetting third-party services. Your accounting software, CRM or booking platform also send on your behalf — they must be included, or their email fails.

Where to start

Setup usually takes one to two weeks: we map everything that sends email for you, publish SPF and DKIM, then turn on DMARC in monitoring mode. After a few weeks of reports, we tighten to reject with full confidence. It’s a low-cost, high-return project — exactly the kind of work we run for our clients.
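As an added example (not ADN-TI's own tooling), the Python below reads a DMARC aggregate report and splits failing sources into your own services to fix and unknown senders, which is the check to make before moving from monitoring to reject. The report, the IP addresses and the `KNOWN_SENDERS` set are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (RFC 7489 layout, trimmed). IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourcompany.ca</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>7</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

# Assumption: the IPs you mapped as your own senders (mail platform, newsletter service).
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.25"}

def summarize(report_xml):
    """Per source IP, count messages that pass or fail DMARC.
    A message passes when aligned DKIM or aligned SPF passes."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count", "0"))
    return dict(totals)

def triage(report_xml, known_senders):
    """Split failing sources into your own services (fix before tightening)
    and unknown sources (the mail a reject policy is meant to stop)."""
    failing = {ip for ip, t in summarize(report_xml).items() if t["fail"]}
    return sorted(failing & known_senders), sorted(failing - known_senders)

def ready_to_tighten(report_xml, known_senders):
    """Safe to move past monitoring only when none of your own senders fail."""
    return not triage(report_xml, known_senders)[0]

if __name__ == "__main__":
    to_fix, unknown = triage(SAMPLE_REPORT, KNOWN_SENDERS)
    print("fix first:", to_fix, "| unknown:", unknown)
    print("ready to tighten:", ready_to_tighten(SAMPLE_REPORT, KNOWN_SENDERS))
```

Real reports come from third parties, usually as compressed attachments, so parse them with a hardened XML parser such as defusedxml rather than the standard library parser used here.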

Key takeaway: SPF, DKIM and DMARC don’t just protect your recipients from fraud — they protect the deliverability of your real email. A well-authenticated domain means less junk filtering and more trust.
