Email authentication relies on DNS records to prevent spoofing and improve deliverability. SPF, DKIM, and DMARC work together to verify that emails are sent from authorized sources and haven't been tampered with.
SPF (Sender Policy Framework)
SPF records (stored as TXT) list the servers authorized to send email for your domain. Format: "v=spf1 include:_spf.google.com ~all". Recipients check SPF to verify the sending server is authorized. Misconfigured SPF causes emails to be marked as spam or rejected.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to emails, verified via a public key in DNS. The TXT record contains the public key at a selector subdomain (e.g., selector._domainkey.example.com). DKIM proves the email wasn't modified in transit and originated from your domain.
DMARC (Domain-based Message Authentication)
DMARC tells recipients what to do when SPF or DKIM fails. The TXT record at _dmarc.example.com specifies policy (none, quarantine, reject) and where to send reports. DMARC provides visibility into email authentication failures and protects against phishing.
Verifying Email DNS Configuration
Use DNS lookup APIs to verify email configuration: Query MX records to confirm mail servers, query TXT records for SPF, query selector._domainkey for DKIM, and query _dmarc for DMARC policy. Automate these checks to monitor email infrastructure health.