SPF\/DKIM\/DMARC: the setup that every company should have<\/h1>\n\n
Your emails end up in spam. Or worse: scammers send phishing emails in your name and your customers fall for them. Sounds like a nightmare? It’s a bitter reality for many SMEs – and often avoidable. <\/p>\n\n
The solution is called SPF, DKIM and DMARC. Three technical abbreviations that sound like IT jargon but actually protect your digital business card. Since 2025, they are no longer optional: Google, Microsoft and Yahoo require these standards for anyone who sends more than 5,000 emails per day. If you ignore them, your emails will end up in spam – or won’t arrive at all. <\/p>\n\n
In this article, you will find out what SPF, DKIM and DMARC really mean, why they are also indispensable for smaller companies and how you can set them up step by step – without studying IT and without expensive consultants.<\/p>\n\n
\n\n
Spoofing & business email compromise explained in 3 minutes<\/h2>\n\n
Before we get into the technology: Why is this important at all?<\/p>\n\n
The problem: email spoofing<\/h3>\n\n
Imagine this:<\/strong> A scammer sends an email that looks like it’s from your company. Sender: rechnung@deine-firma.de<\/code>. Subject: “Important: New bank details”. The recipient – perhaps a long-standing customer – unsuspectingly changes the bank transfer details. <\/p>\n\n
The money ends up in the fraudster’s account. Your customer is angry. Your reputation is ruined. <\/p>\n\n
The bitter truth:<\/strong> email spoofing is technically child’s play. Without any protective measures, anyone on the Internet can pretend to write in your name. Email technology was developed in the 1970s – nobody thought about security back then. <\/p>\n\n
Business Email Compromise (BEC): The 26 billion dollar scam<\/h3>\n\n
According to the FBI, BEC attacks cause over 26 billion dollars worth of damage worldwide every year. The scam: <\/p>\n\n
\n
Fraudsters research your company (website, LinkedIn, social media)<\/li>\n\n\n\n
You falsify an e-mail from the management or accounting department<\/li>\n\n\n\n
Urgent referral is requested (“Please process immediately, I’m in a meeting”)<\/li>\n\n\n\n
Employees or business partners pay – directly to the criminals<\/li>\n<\/ol>\n\n
Practical example:<\/strong> A medium-sized craft business from Bavaria received a supposed invoice from a long-standing supplier in 2024 – same email address, same logo, only the IBAN had changed. 47,000 was transferred before the fraud was discovered. The money: gone. The supplier: frustrated. The trust: damaged. <\/p>\n\n
The solution: SPF, DKIM, DMARC<\/h3>\n\n
These three technologies work together like a three-stage security lock:<\/p>\n\n
\n
SPF<\/strong> (Sender Policy Framework): “These servers are allowed to send emails on my behalf”<\/li>\n\n\n\n
DKIM<\/strong> (DomainKeys Identified Mail): “This email is genuine and has not been tampered with”<\/li>\n\n\n\n
DMARC<\/strong> (Domain-based Message Authentication, Reporting, and Conformance): “If SPF or DKIM fail, throw the email away”<\/li>\n<\/ul>\n\n<\/figure>\n\n
Together they ensure that:<\/p>\n\n
\n
Fraudsters can no longer forge your domain<\/li>\n\n\n\n
Your real emails don’t end up in spam<\/li>\n\n\n\n
You receive reports on who is trying to abuse your domain<\/li>\n<\/ul>\n\n
Important to know:<\/strong> Since May 2025, Google, Microsoft and Yahoo require these standards for bulk senders (5,000+ emails\/day). Even if you send less: The recipient systems are becoming increasingly strict. If you are still without SPF\/DKIM\/DMARC in 2026, you risk massively poorer delivery rates. <\/p>\n\n\n\n
Google Admin Toolbox:<\/strong> https:\/\/toolbox.googleapps.com\/apps\/checkmx\/<\/li>\n<\/ol>\n\n
Send yourself a test email and check the headers (for Gmail: “Show original”, for Outlook: “Message options”).<\/p>\n\n
You should see:<\/p>\n\n
Received-SPF: pass\n<\/code><\/pre>\n\n\n\n
DKIM: Signatures, keys, rotation<\/h2>\n\n
DKIM is the second component. While SPF checks WHERE a mail comes from, DKIM ensures that the mail has not been tampered with UNDERWAY. <\/p>\n\n
How DKIM works<\/h3>\n\n
DKIM works with cryptography (similar to SSL certificates):<\/p>\n\n
\n
Sending:<\/strong> Your mail server signs every outgoing mail with a private key (like a digital signature)<\/li>\n\n\n\n
Receive:<\/strong> The recipient server fetches the public key from your DNS<\/li>\n\n\n\n
Check:<\/strong> Does the signature match? Then the mail is genuine and unchanged <\/li>\n<\/ol>\n\n
Analogy:<\/strong> DKIM is like a seal on a letter. If the seal is intact, the recipient knows that the letter has not been opened or altered. <\/p>\n\n
Set up DKIM: Step by step<\/h3>\n\n
1. generate DKIM key<\/strong><\/p>\n\n
Most e-mail providers do this automatically:<\/p>\n\n
Important:<\/strong> The value is very long (several hundred characters). Some DNS providers automatically split this into several strings – that’s OK. <\/p>\n\n
3. activate DKIM<\/strong><\/p>\n\n
Most providers require you to explicitly activate DKIM after the DNS entry:<\/p>\n\n
\n
Google Workspace: Check the box “Enable DKIM signing for this domain”<\/li>\n\n\n\n
Microsoft 365: Toggle to “Activated”<\/li>\n\n\n\n
Own server: Start OpenDKIM service<\/li>\n<\/ul>\n\n
DKIM key rotation: Why and how?<\/h3>\n\n
Why rotate?<\/strong><\/p>\n\n
Imagine your private DKIM key is compromised (server hack, insider threat). Then someone can forge emails in your name – even if SPF and DMARC are active. <\/p>\n\n
Best practice:<\/strong> Change the key every 6-12 months.<\/p>\n\n
How to rotate?<\/strong><\/p>\n\n\n
Generate new key<\/strong> (other selector, e.g. mail2024._domainkey<\/code>)<\/li>\n\n\n\n
Store both keys in parallel in the DNS<\/strong> (old + new)<\/li>\n\n\n\n
Change mail server to new key<\/strong><\/li>\n\n\n\n
Remove old key from DNS after 48 hours<\/strong><\/li>\n<\/ol>\n\n
Practical tip:<\/strong> With Google Workspace and Microsoft 365, this happens automatically for the most part. You only have to enter new DNS entries occasionally if the provider requires this. <\/p>\n\n
![\"\"](\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\")
<\/figure>\n\n![\"\"](\"https:\/\/itsupport.online\/wp-content\/uploads\/2026\/02\/Risiko-Bewertung-visual-selection-1-1.png\")
<\/figure>\n\n