Running a business means relying on email every day: quotes, invoices, customer communication, internal updates. But most businesses don’t realize how easy it is for email to be misconfigured, spoofed, or flagged as spam. We regularly work with companies that assume everything is “working fine”… until emails start going missing or customers receive suspicious messages that appear to come from them.

This usually comes down to three important settings:

  • SPF
  • DKIM
  • DMARC 

Let’s break down what they are, why they matter, and how to check your setup. 

 

What Is Email Spoofing (and Why It Matters) 

Before diving into the technical pieces, it helps to understand the problem they solve. 

Email spoofing is when someone sends an email that appears to come from your domain but doesn’t.

For example: 

  • An attacker sends an invoice from you@yourbusiness.com
  • A customer receives a phishing email that looks like it came from your company  

Without proper protections in place, email systems may not be able to tell the difference. 

That leads to: 

  • Lost trust
  • Security risks
  • Damaged reputation  

 

The 3 Core Email Security Settings 

✅ SPF 

What it stands for: Sender Policy Framework 

What it does: 
SPF tells receiving mail servers which systems are allowed to send email on behalf of your domain. 

Think of it like a “members list” for your domain. 

If a server isn’t on the list, it may be flagged or rejected. Without this, your email will not be delivered. Most domains have this set up, but you could have too many entries in the SPF members list.

 

✅ DKIM 

What it stands for: DomainKeys Identified Mail 

What it does: 
DKIM adds a digital signature to your emails, providing authentication of the source. 

This signature: 

  • Confirms the message hasn’t been altered
  • Verifies it was sent from an authorized source 

It’s essentially a tamper-proof seal for your email, telling the recipient mail server that this email was definitely sent by you, or an authorized agent. 

 

✅ DMARC 

What it stands for: Domain-based Message Authentication, Reporting & Conformance 

What it does: 
DMARC builds on SPF and DKIM and tells receiving servers what to do if authentication fails. 

This is the enforcement layer that ensures emails that were not sent by you (or one of your agents) will not be accepted by recipients.

DMARC policies typically look like: 

  • p=none → Monitor only (no protection; spoofed emails could be allowed through)
  • p=quarantine → Suspicious emails go to spam
  • p=reject → Unauthorized emails are blocked

Without DMARC, SPF and DKIM don’t fully protect your domain. 

 

Common Issues We See 

Many businesses are missing one or more of these: 

  • No DKIM configured
  • DMARC set to “none” (no enforcement)
  • Misconfigured SPF records
  • Using personal email (like Gmail) for business communication  

Even when email “works,” these gaps can lead to: 

  • Emails landing in spam
  • Increased phishing risk
  • Customers not receiving important messages  

 

How to Check Your Email Setup 

You can run a quick check using free tools: 

Check SPF & DKIM: 

https://dkimvalidator.com/ 

Steps: 

  1. Copy the email address shown
  2. Send a message from your business email
  3. Wait a minute or two
  4. Click “View Results”  

Look for: 

  • result = pass (DKIM)
  • Result code: pass (SPF)

 

Check DMARC: 

https://mxtoolbox.com/dmarc.aspx 

Steps: 

  1. Enter your domain name
  2. Click “DMARC Lookup”  

Look for: 

  • p=quarantine or p=reject
  • p=none ⚠️ (not enforced)  
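
The same checks can be applied directly to the raw DNS TXT records. The following is an added example, not part of the original article or either tool: it audits record strings for the gaps listed under “Common Issues We See” and goes slightly further by applying the RFC 7208 limit of 10 DNS-lookup terms and flagging an SPF `all` that passes everyone. The record strings, the `mailhost.example` name, and the function names are constructed for illustration; no DNS queries are made.

```python
import re

# SPF terms that each cost one DNS lookup; RFC 7208 caps an evaluation at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records):
    """Findings for the SPF record among a domain's TXT strings."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records"]
    findings, lookups, all_qualifier = [], 0, None
    for term in spf[0].lower().split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1  # nested includes add more; resolving them needs DNS
        elif name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} lookup terms, limit is 10")
    if all_qualifier in ("+", "?"):
        findings.append("'all' does not fail unlisted senders")
    return findings

def audit_dmarc(record):
    """Findings for a _dmarc TXT string (None when the lookup found nothing)."""
    if record is None:
        return ["no DMARC record"]
    pairs = (part.partition("=") for part in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if v}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ["p=none: monitor only, not enforced"]
    if policy not in ("quarantine", "reject"):
        return ["missing or invalid p= tag"]
    return []

# Constructed sample records for the placeholder domain yourbusiness.com.
SAMPLE_TXT = ["v=spf1 include:_spf.mailhost.example mx ~all", "site-verification=abc"]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:reports@yourbusiness.com"

if __name__ == "__main__":
    print("SPF:", audit_spf(SAMPLE_TXT) or "ok")
    print("DMARC:", audit_dmarc(SAMPLE_DMARC) or "ok")
```

An empty list means no finding for that record; the lookup count covers only the terms in the record itself.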

 

What About Using Gmail for Business? 

Many small businesses use a Gmail address, and while it’s secure and reliable, it has limitations:

  • Doesn’t reflect your brand
  • Tied to an individual account
  • Harder to manage as your business grows  

The good news: 

  • Most businesses already own a domain for their website
  • Email can often be added to that domain easily 

Using a domain-based email (like you@yourbusiness.com) helps build trust and presents a more professional image. 

 

Why This All Matters 

Properly configured email isn’t just a technical detail; it directly impacts your business:

  • Your emails actually reach customers
  • Your domain is protected from impersonation
  • Your communication looks professional and trustworthy  

 

Not Sure If Your Setup Is Correct? 

That’s where we can help. 

At Northfield Tech Solutions, we work with businesses to: 

  • Review and fix email configuration
  • Improve deliverability
  • Protect against spoofing and phishing
  • Set up email the right way from the start  

📩 Have questions or want us to take a look? 
Email: info@northfield.tech 
📞 (413) 419-0599 

Or request a free checkup: 
👉 https://northfield.tech/free-it-checkup/