How to Fix Missing Email Security Records (SPF/DKIM/DMARC)

Missing SPF, DKIM, and DMARC records allow attackers to send spoofed emails from your domain. Configure email authentication now.

Medium severity Infrastructure Security Updated 2026-03-01

The Problem

Missing SPF, DKIM, and DMARC records mean anyone can send emails that appear to come from your domain. Attackers exploit this to send phishing emails to your users, impersonating your brand to steal credentials or distribute malware. Without these records, receiving mail servers have no way to verify that emails claiming to be from your domain are legitimate, and your own legitimate emails are more likely to land in spam.

How to Fix

  1. Add an SPF record


    Replace the include statements with your actual email providers:

    - Gmail/Google Workspace: include:_spf.google.com
    - SendGrid: include:sendgrid.net
    - Mailgun: include:mailgun.org
    - Amazon SES: include:amazonses.com
    - Postmark: include:spf.mtasv.net

    Use ~all (soft fail) initially, then change to -all (hard fail) after testing.

  2. Configure DKIM signing

    DKIM adds a cryptographic signature to outgoing emails. Configuration depends on your email provider:

    For SendGrid: Go to Settings > Sender Authentication > Authenticate Your Domain. Add the CNAME records provided.

    For Mailgun: Go to Sending > Domains > DNS Records. Add the TXT records provided.

    For Amazon SES: Use the DKIM settings in your SES domain identity. Add the three CNAME records provided.

    Each provider generates unique DKIM keys. Add the DNS records they provide, which typically look like:

  3. Add a DMARC record


    Then finally to reject:

  4. Configure Laravel mail to use authenticated sending

    Ensure your Laravel application sends email through an authenticated provider. In .env:


How to Verify

Check your DNS records:

dig +short TXT yourdomain.com | grep spf
dig +short TXT _dmarc.yourdomain.com
dig +short TXT default._domainkey.yourdomain.com

Use a verification tool like mail-tester.com: send an email to the address they provide and get a score. Aim for 10/10. You can also check at mxtoolbox.com/SuperTool.aspx.
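
As an added example (not part of the original page), this Python script audits the TXT strings that the dig commands above return, checking the points this guide raises: the SPF `all` qualifier, the 10 DNS lookup limit, and the DMARC policy stage. The sample records, the `example.com` domain and the function names are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Constructed sample records; example.com is a placeholder domain.
SPF_SAMPLE = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def audit_spf(record):
    """Return (lookups, findings) for one SPF TXT string."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["not an SPF record"]
    lookups, all_qualifier, findings = 0, None, []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    # Lookups inside included records also count, so this is a lower bound.
    if lookups > 10:
        findings.append("more than 10 DNS lookups: receivers return permerror")
    if all_qualifier is None and "redirect=" not in record.lower():
        findings.append("no 'all' mechanism")
    elif all_qualifier == "~":
        findings.append("~all (soft fail): change to -all after testing")
    elif all_qualifier in ("+", "?"):
        findings.append("'all' does not fail unauthorized senders")
    return lookups, findings

def audit_dmarc(record):
    """Return (policy, findings) for one DMARC TXT string."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None, ["not a DMARC record"]
    policy, findings = tags.get("p", "").lower(), []
    if policy in ("none", "quarantine"):
        findings.append(f"p={policy}: staging policy, tighten toward p=reject")
    elif policy != "reject":
        findings.append("missing or invalid p tag")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports to review")
    return policy, findings
```

An empty findings list means the record is at its final stage (`-all` for SPF, `p=reject` with reporting for DMARC).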

Prevention

Configure SPF, DKIM, and DMARC as part of your domain setup process before sending any email. Document which services are authorized to send email for your domain. Use StackShield to continuously monitor your email authentication records and alert on changes.

Frequently Asked Questions

Will adding these records affect my existing email delivery?

Start with SPF using ~all (soft fail) and DMARC with p=none (monitor only). This collects data without blocking any email. Once you have confirmed all legitimate email sources pass checks (usually 2-4 weeks), tighten the policies. This staged approach prevents accidentally blocking your own email.

Do I need all three (SPF, DKIM, DMARC)?

Yes. SPF alone can be bypassed, and DKIM alone does not specify a policy. DMARC ties them together by telling receivers to check both SPF and DKIM and defining what to do when they fail. Major email providers like Gmail and Yahoo require all three for reliable delivery.

What if I use multiple email services?

Add all authorized senders to your SPF record using include: directives. Each service needs its own DKIM keys configured. DMARC covers all senders. Be careful not to exceed the 10 DNS lookup limit for SPF; use SPF flattening tools if needed.
