DMARC, SPF, and DKIM Explained for Non-Technical Business Owners
By Adam McClarin, CISSP · Meraki is Love (Soulful Tech) · Friendswood, Texas
Who built Canopy Guard, and why should you trust this guidance?
Canopy Guard is a free website audit tool built by Adam McClarin, a CISSP with dual master's degrees in cybersecurity, a Microsoft Azure AI Engineer certification, and 20 years in the field. Email authentication is one of the first things he checks, because it is one of the most common gaps.
I have spent two decades securing systems, and the same pattern shows up again and again. A business has a sharp website and a real brand, but anyone in the world can send email that looks like it came from that domain. That is not a small detail. It is the gap that phishing campaigns are built on.
The good news is that three small records fix it. You do not need a developer for most of this, and you do not need to spend a dollar. You need to understand what each record does and where it lives.
What do SPF, DKIM, and DMARC actually do?
Think of these three records as the locks, the seal, and the rulebook for your email. SPF says which servers are allowed to send for you. DKIM adds a tamper-proof signature. DMARC tells receiving servers what to do when a message fails those checks.
SPF, which stands for Sender Policy Framework, is a public list of the mail servers permitted to send on your behalf. When a receiving server gets a message, it checks that list. If the sending server is not on it, the message looks suspicious.
DKIM, or DomainKeys Identified Mail, attaches a cryptographic signature to every message you send. The receiving server uses your published key to confirm the message was not altered in transit. DMARC ties the two together and gives instructions, so you move from hoping for the best to setting a clear policy.
Why does missing DMARC cost you points, and why do AI models care?
Most audit tools, Canopy Guard included, subtract eight points from your security score when DMARC is missing. That number reflects real risk. AI models that summarize and rank businesses also read DMARC as a trust signal, so a missing record can quietly lower how your domain is judged.
The eight point deduction is not arbitrary. Without DMARC, SPF and DKIM still run, but nothing enforces what happens on failure. An attacker can spoof your domain, and receiving servers are left guessing. The penalty reflects how directly that gap leads to fraud against your customers and your name.
The AI angle is newer and worth understanding. When a language model evaluates a domain for trust, it looks for the same signals a security professional would. A published DMARC record says you operate a maintained, legitimate domain. A missing one is a quiet mark against you, even when nothing else is wrong.
How do you add each record?
Every one of these is a TXT record at your DNS host, the same place you manage your domain. SPF and DKIM sit at your root domain. DMARC goes at a special host named _dmarc. You add them once, then verify they resolve.
Log in to your DNS host, the provider where your domain lives, such as GoDaddy, Cloudflare, or Namecheap. For SPF, create a TXT record at your root domain with a value that lists your senders, often starting with v=spf1 and ending with -all. Most email providers give you the exact string to paste.
DKIM usually comes from your email provider as a key you publish, again as a TXT record. For DMARC, create a TXT record at the host _dmarc, with a value like v=DMARC1; p=none; and a reporting address. Start with a monitoring policy, watch the reports for a few weeks, then tighten to quarantine or reject.
How does Canopy Guard show you these gaps?
Canopy Guard scans your domain and surfaces missing SPF, DKIM, and DMARC records directly in your security score, so you see the exact deductions. It then maps each exposure to MITRE ATT&CK reconnaissance techniques, showing how an attacker would use the gap against you.
The score is the starting point, but the value is in the context. Canopy Guard does not just tell you a record is missing. It connects that gap to MITRE ATT&CK, the standard framework security teams use to describe attacker behavior, so you understand the technique, not just the symptom.
Missing email authentication maps cleanly to reconnaissance, the stage where attackers gather information and identify ways to impersonate you. Seeing your own exposure named that way changes how seriously you treat it. Run your domain through Canopy Guard, fix the three records, and close one of the most common doors attackers walk through.
See where your own site stands across SEO, AEO, GEO, and security in about 30 seconds.