SPF, DKIM, and DMARC — Why Your Business Email Is Probably Unprotected

July 10, 2026 · 3 min read

Right now, without any technical skill, someone can send an email that appears to come from your business domain. Not a lookalike domain. Your actual domain. To your clients, your bank, your vendors. This is not a hypothetical — it is how the majority of business email fraud works, and most small businesses have zero protection against it.

The three records that stop this are SPF, DKIM, and DMARC. They are free to set up, take about 15 minutes, and most businesses do not have all three configured.

What SPF does

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. When someone receives an email from you, their mail server checks your SPF record. If the sending server is not on the list, the email gets flagged or rejected.

Without SPF, any mail server in the world can claim to be sending email from your domain and nobody can tell the difference.

What DKIM does

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving mail server uses a public key published in your DNS to verify the signature. If the email was altered in transit or sent by someone who does not have your private key, verification fails.

Think of it as a digital wax seal on every email your business sends.

What DMARC does

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving mail servers what to do when an email fails authentication. Without DMARC, even if you have SPF and DKIM, the receiving server is guessing what to do with a suspicious email.

A DMARC policy set to "reject" means fraudulent emails using your domain get blocked outright. A policy set to "none" means you are monitoring but not enforcing — which is better than nothing but does not protect your customers.

The reality: We scan hundreds of small business websites every month. More than 80% are missing at least one of these three records. More than half have no DMARC record at all. Their domains can be freely spoofed for phishing, invoice fraud, and impersonation.

How to check your email security

SiteGrader checks all three records automatically as part of the Email Security category. Enter your URL and we query your DNS for SPF, DKIM (across 9 common selectors), and DMARC, then tell you exactly what is configured and what is missing. We also check your MX records to identify your email provider.

If you use Google Workspace, Microsoft 365, or any major email provider, setting up all three takes about 15 minutes. Your provider has step-by-step guides. The hardest part is knowing you need to do it — which is why we flag it on every scan.

Related

What are AEO and GEO? — Email security is one piece. AI search visibility is another. Most businesses are failing at both.

ADA website lawsuits — Another risk most small businesses do not know about until it is too late.

Check your email security in 60 seconds.

Scan your site free →