SPF, DKIM and DMARC explained
SPF, DKIM and DMARC are the three records that decide whether your email is trusted or treated as spam — and whether someone can spoof your domain to phish your users. They sound like alphabet soup, but each answers a simple, separate question. Here is what they do in plain English, how they fit together, and why they matter for anyone receiving or sending mail.
SPF
SPF — Sender Policy Framework — answers "is this server allowed to send mail for this domain?" The domain owner publishes a DNS TXT record listing the IP addresses and services permitted to send on its behalf. When a message arrives, the receiving server checks the sending server's IP against that list. If the sender is not authorised, SPF fails. It is a simple allowlist, and its main weakness is that it checks the envelope sender, not the From address your reader actually sees — which is where DMARC comes in.
DKIM
DKIM — DomainKeys Identified Mail — answers "was this message altered in transit, and does it really come from this domain?" The sending server signs each outgoing message with a private cryptographic key and publishes the matching public key in DNS. The receiver verifies the signature; if it checks out, the message is provably unchanged since signing and provably tied to the domain. Unlike SPF, DKIM survives forwarding, because the signature travels with the message rather than depending on the connecting IP.
DMARC
DMARC — Domain-based Message Authentication, Reporting and Conformance — ties the other two to the visible From address. It requires that SPF or DKIM not only pass, but pass for the same domain the reader sees, closing the spoofing gap SPF left open. The domain owner publishes a policy in DNS telling receivers what to do when a message fails: none (monitor only), quarantine (send to spam), or reject (refuse outright). DMARC also turns on aggregate reporting, so you get feedback on who is sending — and forging — mail in your name.
Why it matters for you
Together these three standards are what keep legitimate mail in the inbox and impostors out. Skip them and your messages drift into spam folders while attackers spoof your domain freely; enforce them and your mail is authenticated and your name is hard to forge. zerotier.email runs every incoming message through SPF, DKIM and DMARC checks as part of its security stack, so the mail that reaches your Telegram is verified before you ever see it. That is the same pipeline behind forwarding email to Telegram in real time — security first, then instant delivery.