
Quick answer: If your business sends email from its own domain, make sure SPF, DKIM, and DMARC are set up before spoofed messages damage your reputation or your real messages start landing in spam. This is one of the most useful small-business email checks because it protects customers, invoices, estimates, password resets, and normal day-to-day messages from being mistaken for fake mail.
Email authentication is not only for large companies. If your domain sends through Microsoft 365, Google Workspace, QuickBooks, Mailchimp, a website contact form, a CRM, a ticket system, or a copier/scanner, those sending sources need to be accounted for. Otherwise, legitimate mail can fail checks, and attackers may have an easier time pretending to be your business.
In This Article
- SPF, DKIM, and DMARC in plain English
- Why this matters during the workday
- The practical setup checklist
- Microsoft 365 notes
- Google Workspace notes
- What can go wrong
- When to call an IT professional
SPF, DKIM, And DMARC In Plain English
These three DNS records help receiving mail systems decide whether a message really belongs to your domain.
- SPF lists the mail servers allowed to send for your domain. For example, Microsoft 365, Google Workspace, a newsletter platform, or a website server may need to be included.
- DKIM adds a cryptographic signature to outgoing mail, with the matching public key published in your DNS, so the recipient can verify that the signed headers and body were not altered in transit and that the signature came from a key under your domain's control.
- DMARC tells receiving systems what to do when mail claiming to be from your domain (the visible From address) passes neither SPF nor DKIM for a domain that aligns with that From address. It can also send reports that show who is sending as your domain.
Google recommends setting up both SPF and DKIM, then adding DMARC. Microsoft also recommends configuring SPF, DKIM, and DMARC for custom Microsoft 365 domains. The order matters because DMARC depends on SPF and DKIM being correct first.
Why This Matters During The Workday
Small businesses are often impersonated because customers trust familiar names. A fake invoice, fake payment-change request, fake password reset, or fake “updated wiring instructions” email can do real damage even if the attacker never breaks into your mailbox.
Authentication also helps delivery. Google’s sender guidance says authenticated messages help protect recipients from spoofing and phishing, help protect your organization from being impersonated, and are less likely to be rejected or marked as spam. Google also requires all senders to use SPF or DKIM when sending to personal Gmail accounts, and bulk senders over 5,000 messages per day need SPF, DKIM, and DMARC.
Even if you are nowhere near bulk-sender volume, the same basics help normal business mail look legitimate to Gmail, Outlook, Yahoo, and customer mail systems.
The Practical Setup Checklist
Do this carefully. DNS changes affect real mail delivery, so the safest approach is to inventory first, turn on the right records, monitor, and only then tighten enforcement.
- List every service that sends email as your domain. Include Microsoft 365 or Google Workspace, website forms, billing software, marketing platforms, CRM systems, ticket systems, copier scan-to-email, ecommerce stores, payroll tools, and appointment reminders.
- Find your current DNS records. Check the domain’s DNS host for TXT and CNAME records related to SPF, DKIM, and DMARC. The DNS host might be your domain registrar, Cloudflare, GoDaddy, Squarespace, Wix, or another provider.
- Fix SPF first. SPF should include all legitimate senders and should have only one SPF TXT record for each domain or subdomain. Microsoft specifically warns that each defined domain or subdomain needs its own SPF TXT record and that only one SPF record is allowed per domain or subdomain.
- Enable DKIM in your mail platform. For Microsoft 365 and Google Workspace, DKIM is usually enabled from the admin portal after adding provider-specific DNS records. Third-party senders may provide their own DKIM records too.
- Start DMARC in monitoring mode. A cautious first DMARC record usually uses p=none. That tells receivers to report results without rejecting mail yet.
- Review reports and failures. Look for legitimate services failing SPF or DKIM. Fix those senders before moving to a stricter DMARC policy.
- Tighten gradually. After legitimate senders pass, move from p=none to p=quarantine, then eventually to p=reject if the domain is ready. Do not skip straight to reject on a business domain you have not audited.
- Protect unused domains too. If your business owns domains that should never send email, publish records that make that clear: an SPF record that authorizes no senders at all and a DMARC policy of reject. Unused domains are common spoofing targets because nobody notices until abuse starts.
- Test from real workflows. Send an invoice, website form response, estimate, newsletter, scanner email, support ticket reply, and normal mailbox message. Confirm the messages arrive and pass authentication.
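The checklist above is easiest to carry out with a small script that reads a domain's TXT records, counts the DNS lookups its SPF record costs, flags duplicate SPF records, and reports the DMARC policy. The following is an added example written for this article, not code from the original page or from any provider. DNS answers are simulated with a constructed ZONE table so it runs offline; the provider names in it (spf.mailhost.example, _spf.newsletter.example and so on) are placeholders for the include records your mail platform and third-party senders actually publish. A real audit would replace the txt() function with a live TXT query.

```python
"""Offline audit of SPF and DMARC records for a domain.

Added example, not code from the original article. DNS answers are
simulated with the constructed ZONE table so the script runs without
network access; a real check would query TXT records instead.
"""

LOOKUP_LIMIT = 10  # RFC 7208 4.6.4: more than 10 DNS-querying terms is a permerror

# Constructed data. Provider names are placeholders; in a real SPF record the
# includes would be the ones your mail platform and third-party senders publish.
ZONE = {
    "example.com": [
        "v=spf1 include:spf.mailhost.example include:_spf.newsletter.example "
        "include:spf.crm.example include:spf.billing.example mx a ~all",
    ],
    "spf.mailhost.example": [
        "v=spf1 include:_net1.mailhost.example include:_net2.mailhost.example "
        "include:_net3.mailhost.example -all",
    ],
    "_net1.mailhost.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_net2.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_net3.mailhost.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "_spf.newsletter.example": [
        "v=spf1 include:a.newsletter.example include:b.newsletter.example ~all",
    ],
    "a.newsletter.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "b.newsletter.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "spf.crm.example": ["v=spf1 ip4:203.0.113.250 -all"],
    "spf.billing.example": ["v=spf1 ip4:198.51.100.250 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    # Marketing subdomain with two SPF records, a common mistake.
    "news.example.com": [
        "v=spf1 include:_spf.newsletter.example ~all",
        "v=spf1 include:spf.crm.example ~all",
    ],
    # Parked domain that should never send mail.
    "unused-brand.example": ["v=spf1 -all"],
    "_dmarc.unused-brand.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}


def txt(name):
    """Stand-in for a DNS TXT query; returns the constructed answers only."""
    return ZONE.get(name.lower(), [])


def spf_records(name):
    return [r for r in txt(name) if r.lower().startswith("v=spf1")]


def count_lookups(name, path=()):
    """Count the SPF terms that cost a DNS lookup (include, a, mx, ptr,
    exists, redirect), recursing into includes. Returns (count, issues)."""
    if name in path:
        return 0, ["include loop: " + " -> ".join(path + (name,))]
    records = spf_records(name)
    if not records:
        return 0, [f"no SPF record at {name} (an include of it is a permerror)"]
    if len(records) > 1:
        return 0, [f"{len(records)} SPF records at {name}; receivers treat this as permerror"]
    total, issues = 0, []
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")            # drop the qualifier
        if "=" in term:                        # modifier such as redirect= or exp=
            key, _, target = term.partition("=")
            if key.lower() != "redirect":
                continue                       # exp= and unknown modifiers cost no lookup
            mech = "redirect"
        else:
            mech, _, target = term.partition(":")
            mech = mech.lower().split("/")[0]  # strip CIDR suffix on a/mx terms
        if mech in ("include", "redirect"):
            total += 1
            nested, nested_issues = count_lookups(target, path + (name,))
            total += nested
            issues += nested_issues
        elif mech in ("a", "mx", "ptr", "exists"):
            total += 1
    return total, issues


def dmarc_policy(domain):
    """Return the DMARC record at _dmarc.<domain> as a tag dict, or None."""
    recs = [r for r in txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain):
    report = {"domain": domain, "issues": [], "spf_lookups": None}
    records = spf_records(domain)
    report["spf_record_count"] = len(records)
    if len(records) != 1:
        report["issues"].append(f"expected exactly one SPF record, found {len(records)}")
    else:
        lookups, issues = count_lookups(domain)
        report["spf_lookups"] = lookups
        report["issues"] += issues
        if lookups > LOOKUP_LIMIT:
            report["issues"].append(f"{lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    dmarc = dmarc_policy(domain)
    if dmarc is None and domain.count(".") > 1:
        # Receivers fall back to the organizational domain's record for a subdomain.
        # Simplification: treat the last two labels as the organizational domain.
        dmarc = dmarc_policy(".".join(domain.split(".")[-2:]))
    report["dmarc_policy"] = dmarc.get("p") if dmarc else None
    if dmarc is None:
        report["issues"].append("no DMARC record found for " + domain)
    elif "rua" not in dmarc:
        report["issues"].append("DMARC record has no rua= address, so no aggregate reports")
    return report


if __name__ == "__main__":
    for d in ("example.com", "news.example.com", "unused-brand.example"):
        r = audit(d)
        print(f"{d}: SPF records={r['spf_record_count']} lookups={r['spf_lookups']} "
              f"DMARC p={r['dmarc_policy']}")
        for issue in r["issues"]:
            print("  -", issue)
```

In the constructed data, example.com looks tidy but costs 11 lookups once the nested includes are walked, which is exactly the failure the lookup-limit warning describes; news.example.com is rejected for having two SPF records; and the parked unused-brand.example passes cleanly with an SPF record that authorizes nobody and a reject policy.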
Microsoft 365 Notes
For Microsoft 365 custom domains, check SPF, DKIM, and DMARC in that order. Microsoft’s SPF guidance says SPF alone is not enough and that DKIM and DMARC should be part of the overall authentication strategy. Microsoft also notes that there is no SPF TXT record configuration inside Microsoft 365 itself; the SPF record lives in your domain’s DNS.
- If you only use Microsoft 365 to send mail, your SPF record normally includes Microsoft 365.
- If your website, CRM, invoicing platform, or marketing tool also sends as your domain, those services may need SPF and DKIM entries too.
- Subdomains matter. A marketing subdomain such as news.example.com may need its own authentication records.
- Be careful with SPF lookup limits. SPF allows at most 10 DNS-querying terms (include, a, mx, ptr, exists, and redirect) per evaluation, counting the includes nested inside other includes. A long chain of included services can push a record over that limit and cause SPF failures even when the record looks reasonable at first glance.
Google Workspace Notes
Google’s Workspace guidance says all senders to personal Gmail accounts must set up SPF or DKIM, while bulk senders over 5,000 messages per day need SPF, DKIM, and DMARC. Google also recommends setting up DMARC reports so you can monitor mail sent from your domain or mail that only appears to be from your domain.
- If Google Workspace is your only sender, Google provides the standard SPF include record in its setup guide.
- Turn on DKIM from the Google Admin console and add the generated DNS record at your DNS provider.
- Do not ignore third-party senders. A newsletter or billing platform can pass or fail independently of Gmail.
- If your business sends marketing mail, review Google’s sender guidelines before customers start reporting delivery problems.
What Can Go Wrong
- Two SPF records: This is a common mistake. Receivers treat more than one SPF TXT record on the same name as a permanent error, so SPF fails for every sender, including the legitimate ones. Combine authorized senders into one valid SPF record.
- Missing third-party senders: If your accounting, marketing, CRM, or website platform is not included or signed correctly, legitimate mail may fail authentication.
- Going straight to reject: A strict DMARC policy before testing can break real business mail. Start with monitoring unless the domain is already fully audited.
- Forwarded mail confusion: Forwarding usually breaks SPF because the forwarding server is not in your SPF record, while DKIM survives forwarding as long as the message is not modified. Mailing lists often rewrite the subject or body and break DKIM as well. This is one reason DMARC reports and DKIM alignment are important.
- DNS propagation delay: Some changes appear quickly; others take longer depending on DNS TTL and provider behavior. Test more than once.
- Parked domains left open: Domains you own but do not use for email should still have protective records so attackers cannot easily impersonate them.
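The "review reports" step of the checklist and the forwarding caveat above both come down to reading DMARC aggregate reports and sorting each sending address into a bucket: fully passing, passing only on DKIM (typical of forwarding or a server missing from SPF), authenticating as some other domain (a third-party platform that needs alignment fixed), or not authenticating at all (spoofing or an unlisted server). The following is an added example written for this article, not code from the original page or from any mail provider. SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate-report XML layout with placeholder addresses; real reports arrive as compressed XML attachments at the rua= address in your DMARC record.

```python
"""Parse a DMARC aggregate (rua) report and sort senders into buckets.

Added example, not code from the original article. SAMPLE_REPORT is a
constructed report in the RFC 7489 XML format with placeholder
addresses; real reports arrive as zipped XML attachments at the rua=
address in your DMARC record.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <!-- Primary mail platform: both checks pass and align -->
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <!-- Forwarded through a customer's mailbox: SPF breaks, DKIM survives -->
    <row><source_ip>192.0.2.44</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <!-- Billing platform authenticating as its own domain: nothing aligns -->
    <row><source_ip>198.51.100.250</source_ip><count>57</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>billing.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.billing.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <!-- Unknown server with no valid signature: spoofing or an unlisted sender -->
    <row><source_ip>198.51.100.77</source_ip><count>130</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify(aligned_dkim, aligned_spf, raw_dkim_pass, raw_spf_pass):
    """Bucket a report row. The policy_evaluated values are the aligned
    results DMARC acts on; the auth_results values are the raw checks."""
    if aligned_dkim == "pass" and aligned_spf == "pass":
        return "pass"
    if aligned_dkim == "pass":
        return "dkim-only (forwarding, or a sender missing from SPF)"
    if aligned_spf == "pass":
        return "spf-only (DKIM not signing, or signature broken in transit)"
    if raw_dkim_pass or raw_spf_pass:
        return "unaligned (authenticates as another domain; fix alignment)"
    return "unauthenticated (spoofing or an unlisted server)"


def parse_report(xml_text):
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim_results = rec.findall("auth_results/dkim")
        spf_results = rec.findall("auth_results/spf")
        raw_dkim_pass = any(d.findtext("result") == "pass" for d in dkim_results)
        raw_spf_pass = any(s.findtext("result") == "pass" for s in spf_results)
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "signing_domains": [d.findtext("domain") for d in dkim_results],
            "category": classify(evaluated.findtext("dkim"), evaluated.findtext("spf"),
                                 raw_dkim_pass, raw_spf_pass),
        })
    return {
        "org": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def summarize(report):
    """Message counts per bucket, which is what to read before tightening p=."""
    totals = Counter()
    for r in report["rows"]:
        totals[r["category"]] += r["count"]
    return totals


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{rep['org']} report for {rep['domain']} (published p={rep['policy']})")
    for r in rep["rows"]:
        print(f"  {r['source_ip']:>16} {r['count']:>5}  {r['category']}  signed by {r['signing_domains']}")
    for category, count in summarize(rep).most_common():
        print(f"{count:>6}  {category}")
```

Reading the constructed report the way the checklist intends: the 412 passing messages are the mail platform, the 9 DKIM-only messages are forwarding and need no action, the 57 unaligned messages are the billing platform and must be fixed (its DKIM signing domain or return-path needs to become example.com) before moving to p=quarantine, and the 130 unauthenticated messages from 198.51.100.77 are either an unlisted server to inventory or spoofing that a reject policy would stop.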
When To Call An IT Professional
Call for help before changing DNS if your business depends on email for invoices, estimates, medical/legal/customer records, support tickets, ecommerce orders, or appointment reminders. Also call if you use several sending services, if you see SPF lookup-limit warnings, if DMARC reports show unknown senders, or if customers say your messages are landing in spam.
The IT Guys can inventory your legitimate senders, clean up SPF, enable DKIM, start DMARC monitoring, protect unused domains, and tighten the policy without interrupting the mail your business actually needs.
Helpful Official Links
- Google Workspace Admin Help: About authentication methods
- Google Workspace Admin Help: Email sender guidelines
- Google Workspace Admin Help: Set up SPF
- Microsoft Learn: Set up SPF for your Microsoft 365 domain
- Microsoft Learn: Set up DKIM in Microsoft 365
- Microsoft Learn: Set up DMARC in Microsoft 365
Related Reading
- Check Email Forwarding Rules Before They Leak Your Messages
- Kali365 Microsoft 365 Phishing Kit Bypasses MFA Protection
- Stop Sharing Passwords by Text and Use a Shared Vault Instead
FAQ
Do home users need SPF, DKIM, and DMARC?
If you only use a normal Gmail, Outlook.com, Yahoo, or iCloud address, your provider handles most of this. If you own a custom domain such as yourname.com or yourbusiness.com, you should check authentication records.
Will DMARC stop every phishing email?
No. DMARC helps stop direct domain spoofing, but attackers can still use lookalike domains, compromised accounts, fake display names, and social engineering. Keep MFA, mailbox-rule checks, staff training, and payment-change verification in place.
How strict should my DMARC policy be?
Start with monitoring if you have not audited your senders. Move toward quarantine or reject only after legitimate mail passes consistently. A strict policy is useful, but only when the setup is correct.
Need help securing business email without breaking delivery? Contact The IT Guys for practical local support.