SPF, DKIM, and DMARC Explained: Why Email Authentication Matters

Three DNS records that determine whether your email reaches the inbox or the spam folder. We configure them automatically — here's what they actually do.

If your emails are going to spam, or if someone is sending spam pretending to be you, email authentication records are the fix. SPF, DKIM, and DMARC are three DNS records that together tell the world which servers are authorised to send email for your domain.

Here's what each one does.

SPF: Specifying Authorised Senders

SPF (Sender Policy Framework) is a TXT record on your domain that lists which mail servers are allowed to send email claiming to be from your domain.

An example SPF record:

v=spf1 include:mail.truecorehosting.com ~all

This says: email from this domain may come from TrueCore's mail servers, and anything else should be treated with suspicion (~all = soft fail; -all = hard fail).

When a receiving mail server gets a message claiming to be from you@yourdomain.com, it looks up your SPF record and checks whether the sending server's IP address is listed. If it isn't, the message fails SPF and is likely spam.

SPF alone doesn't prevent someone from faking the From address in the email header (as opposed to the envelope sender). That's where DKIM comes in.

DKIM: Cryptographic Signing

DKIM (DomainKeys Identified Mail) signs every outgoing email with a private key. The corresponding public key is published as a DNS record. Receiving mail servers verify the signature against the public key.

If the signature is valid, the email definitely came from a server that has your private key — which should only be your mail server. If the signature is invalid or missing, the email may have been forged or tampered with in transit.

DKIM signs the email body and selected headers (From, Subject, Date). A forged email cannot produce a valid DKIM signature without access to your private key.

DMARC: Policy and Reporting

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM by defining what to do when they fail, and by sending you reports about authentication results.

A DMARC record looks like:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

The p= field sets the policy for mail that fails authentication: none, quarantine, or reject.

The rua= field tells mail servers where to send aggregate reports — daily XML files showing you which servers are sending mail as your domain and whether authentication is passing.

What We Configure Automatically

When you add email hosting to your TrueCore account, we configure SPF and DKIM automatically. Your DKIM keys are generated when your mailbox is created and the public key is added to your DNS zone.

We recommend starting DMARC with p=none to monitor authentication for a few weeks before moving to quarantine or reject. This lets you catch any legitimate email sources (marketing platforms, CRMs) that need to be added to your SPF record before you start enforcing strict rejection.
