The Email Authentication Stack
Email was designed in the 1980s without built-in authentication. Anyone could (and still can) send an email claiming to be from any address. Three protocols were developed to fix this: SPF, DKIM, and DMARC.
SPF (Sender Policy Framework)
SPF lets domain owners publish a DNS TXT record listing which servers are authorized to send email for their domain.
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 -all
When a receiving server gets an email, it checks the IP address of the connecting server against the SPF record of the envelope sender's domain (the MAIL FROM / Return-Path address, which can differ from the From: header a user sees). If the IP isn't listed, the email fails SPF.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to email headers. The sending server signs selected headers and the message body with a private key and publishes the corresponding public key in a DNS TXT record (under a selector name). Receiving servers verify the signature to confirm that the signed parts weren't tampered with in transit and that the signing domain vouches for the message.
DMARC (Domain-based Message Authentication)
DMARC ties SPF and DKIM together: it requires that the domain which passed SPF or DKIM aligns with the domain in the visible From: header, and it publishes a policy that tells receivers what to do when authentication fails:
p=none — monitor only (good for initial deployment)
p=quarantine — send failures to spam
p=reject — block failures entirely
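As an added example (not code from the page or from DNS Toolkit), the following Python sketch evaluates the SPF record shown above and applies the DMARC policies just listed. It uses a constructed in-memory TXT table instead of real DNS lookups, handles only the ip4/ip6/include/all mechanisms, and does not model DKIM, so the disposition rests on SPF plus From: alignment alone.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",   # constructed, not Google's real record
    "sendgrid.net": "v=spf1 ip4:198.51.100.10 -all",       # constructed
    "other.example": "v=spf1 ip4:10.0.0.1 -all",           # a third party with its own valid SPF
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:reports@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(ip, domain, txt=TXT, depth=0):
    """Evaluate ip against domain's SPF record (ip4/ip6/include/all only)."""
    if depth > 10:            # RFC 7208 caps DNS-querying terms at 10; beyond that is permerror
        return "permerror"
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and spf_check(ip, arg, txt, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"          # no mechanism matched and no 'all' term present

def dmarc_policy(domain, txt=TXT):
    """Return the p= tag of _dmarc.<domain>, or None if no DMARC record exists."""
    record = txt.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else None

def dmarc_disposition(ip, header_from, mail_from, txt=TXT):
    """Receiver's decision: SPF must pass AND its domain must align with the From: header."""
    spf_aligned = spf_check(ip, mail_from, txt) == "pass" and mail_from == header_from
    policy = dmarc_policy(header_from, txt)
    if spf_aligned or policy is None:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
```

The other.example case shows why alignment matters: a message whose MAIL FROM domain passes SPF is still rejected when that domain does not match the From: header.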
Checking Your Email Authentication via API
Use the DNS Toolkit API to audit your domain's email security in one call:
curl "https://api.dnstoolkit.io/dns/email-security?domain=yourdomain.com"
This returns a comprehensive score checking SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI records.
Generating Records
You can also generate correctly formatted records using the API:
curl "https://api.dnstoolkit.io/dns/generate?domain=yourdomain.com&type=DMARC&dmarc_policy=reject&dmarc_rua=reports@yourdomain.com"