Your Business Email Is Probably Failing SPF, DKIM, and DMARC. You Just Don't Know It Yet.
A customer just got an email from yourbusiness.com. It told them their invoice was overdue and asked them to wire money to a new bank account. You did not send it. Whoever did was sitting in a basement somewhere using your domain, because nothing on the internet was telling the receiving server to stop them.
That is what SPF, DKIM, and DMARC are for. Three boring DNS records that sit on your domain and tell the rest of the internet which servers are allowed to send mail as you. When they are set up right, fakes get blocked. When they are missing or broken, anyone can send anything from your domain, and there is a decent chance it lands in your customer's inbox like nothing is wrong.
Most small business domains have at least one of these broken. A lot of them are missing all three.
The 60-second check
Open mxtoolbox.com. Type your domain into the SPF lookup. Then run the DMARC lookup on the same domain. That covers two of the three.
For DKIM, you need to know your selector, which depends on who actually sends your email. For Google Workspace, it is usually google._domainkey.yourdomain.com. For Microsoft 365, it is selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com. Run those through the DKIM lookup.
If you are technical and prefer the terminal, dig TXT yourdomain.com and dig TXT _dmarc.yourdomain.com get you the same answers in two commands. Google's Admin Toolbox works too if you live in Workspace.
Three lookups. About a minute. You will know immediately whether you have a problem.
What each one actually does
SPF is a list of servers allowed to send email from your domain. Think of it as the guest list for the bouncer. If a server tries to send an email as you and it is not on the list, the receiving server can reject the message or dump it in spam. No SPF record? Anyone can show up and pretend to be you.
DKIM is a cryptographic signature on every email you send. Your mail server signs the message with a private key. The receiving server checks your DNS for the matching public key. If the signature checks out, the email is genuinely from you and was not tampered with in transit. No DKIM, no signature, no proof.
DMARC is the policy that tells receiving servers what to do when SPF or DKIM fails: reject the message, send it to spam, or just monitor and email you a report. Without DMARC, every receiver makes its own call, and most of them err on the side of delivery and let suspicious email through.
You need all three. SPF without DKIM is half a setup. DKIM without DMARC is a signature nobody is checking. DMARC without the other two is a policy on nothing.
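To turn the 60-second check above and the three records just described into something repeatable, here is a small Python checker, added as an example and not part of the original post: it takes the TXT strings that dig or MX Toolbox return as plain lists and reports what is missing or weak in each record. The sample records at the end are constructed, with a placeholder standing in for a real DKIM key.

```python
def parse_tags(record):
    """'k=v; k=v' DMARC/DKIM record -> dict keyed by lower-case tag name."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(apex_txt):
    """apex_txt: every TXT string on the domain itself. Returns findings, [] when OK."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, anyone can send as this domain"]
    if len(spf) > 1:
        return ["SPF: %d v=spf1 records, receivers treat that as a permanent error" % len(spf)]
    last = spf[0].split()[-1].lower()  # the closing 'all' term decides the default verdict
    if last in ("+all", "all", "?all"):
        return ["SPF: ends with '%s', which lets every server pass" % last]
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        return ["SPF: no closing -all or ~all, unlisted servers are not failed"]
    return []

def check_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings found at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record at _dmarc, every receiver decides on its own"]
    tags, findings = parse_tags(recs[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag, receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you will never see the reports")
    return findings

def check_dkim(selector, dkim_txt):
    """dkim_txt: TXT strings found at <selector>._domainkey.<domain>."""
    if not dkim_txt:
        return ["DKIM: no key published at %s._domainkey" % selector]
    if not parse_tags(dkim_txt[0]).get("p"):
        return ["DKIM: %s has an empty p=, the key is revoked and signatures fail" % selector]
    return []

def audit(apex_txt, dmarc_txt, dkim_by_selector):
    """dkim_by_selector maps selector -> TXT strings found at <selector>._domainkey."""
    return check_spf(apex_txt) + check_dmarc(dmarc_txt) + [
        f for sel, txt in dkim_by_selector.items() for f in check_dkim(sel, txt)]

# Constructed sample (placeholder key bytes): Workspace domain, SPF left open, DMARC monitor-only.
SAMPLE = audit(["v=spf1 include:_spf.google.com +all"], ["v=DMARC1; p=none"],
               {"google": ["v=DKIM1; k=rsa; p=EXAMPLE_KEY_BYTES"], "selector1": []})
```

Paste the strings from your own lookups in place of the sample and an empty list back from all three functions means the record passed these checks.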
What happens when these are wrong
Two things, neither of them good.
First, your real emails start landing in spam. Or worse, they get rejected entirely. You send a quote to a new client, and they never see it. You blame their email. It was yours.
Second, somebody else can spoof your domain. They send phishing emails that look like they came from you. Your customers click. They get scammed. Your name is on it. Your reputation takes the hit, and there is no easy way to undo it once it's happened.
Last year Google and Yahoo started outright rejecting email from bulk senders whose SPF and DMARC are missing or broken. Not flagging. Not filtering to spam. Rejecting. If you sent a newsletter recently and the open rate looked off, this is the first thing to check.
Why this is broken on most small business domains
Because nobody set it up. Or somebody set it up five years ago, you switched email providers, and the old SPF record still points to servers you no longer use.
Or a marketing platform like Mailchimp or HubSpot got added, and the DNS records were never wired up. Or the freelancer who set up your email left, and nobody has touched it since. Or your domain registrar and your email provider are different companies, and each one assumed the other was handling it.
The same agencies that build $3,000 WordPress sites and call it done are the ones who skip email security entirely. It is invisible. It does not break loudly. Until it does, and by then a customer has already been phished using your name.
The boring stuff a real IT person handles
This is exactly the kind of thing nobody notices when it works. We check SPF, DKIM, and DMARC on every client domain we manage. Not because it is exciting. Because it is the difference between your emails landing and your domain ending up on a list of spoofed senders nobody trusts.
If you want to see where your site stands, our free website audit checks email DNS records along with the rest of your site. Or just get in touch, and we will pull it up for you.
Either way, sixty seconds of looking will tell you a lot more than ignoring it for another year.