DMARC / DKIM / SPF
DMARC, DKIM and SPF are the authentication stack that proves an email genuinely came from the domain it claims — and tells receiving servers what to do when it does not.
Overview: The Three Protocols
Three email authentication protocols work in layers to verify email origin and protect domain reputation:
| Protocol | What it does | Implemented via |
|---|---|---|
| SPF | Specifies authorised sending mail servers for a domain | DNS TXT record listing permitted IP ranges and mail services |
| DKIM | Cryptographically signs outgoing email to prove it was not tampered with | Private key signs email headers; public key published in DNS for verification |
| DMARC | Defines policy for emails that fail SPF/DKIM and enables abuse reporting | DNS TXT record specifying policy (none/quarantine/reject) and reporting email |
SPF: Sender Policy Framework
SPF allows a domain owner to publish a list of mail servers authorised to send email on behalf of that domain. The record is a DNS TXT entry at the sending domain. When a receiving mail server receives an email claiming to be from @yourdomain.com, it checks the SPF record for yourdomain.com and verifies that the sending server's IP address is in the authorised list.
SPF prevents email spoofing at the envelope level — the server-to-server transmission. It does not protect the From: header that users see in their email client; DMARC alignment is needed to ensure both are consistent.
DKIM: DomainKeys Identified Mail
DKIM adds a cryptographic signature to outgoing emails. When the email service provider (ESP) sends an email, it signs specific email headers and the body with a private key. The corresponding public key is published in DNS. The receiving mail server fetches the public key, verifies the signature, and confirms that the email was not modified in transit.
DKIM proves integrity (the email was not tampered with) and partial origin authentication (the email was signed by a server that controls the private key for the signing domain). It is more robust than SPF because it protects content integrity, not just sending server identity.
DMARC: Policy and Reporting
DMARC builds on SPF and DKIM by adding:
- Policy enforcement. DMARC specifies what receiving mail servers should do with emails that fail SPF and DKIM alignment: `none` (monitor only), `quarantine` (move to spam), or `reject` (block delivery).
- Alignment. DMARC requires that the domain in the `From:` header aligns with the domain that passed SPF or DKIM — ensuring the authenticated domain is the one the recipient actually sees as the sender.
- Reporting. DMARC reports (aggregate and forensic) are sent to the email addresses specified in the DMARC record, giving domain owners visibility into who is sending email claiming to be from their domain — including unauthorised senders and authentication failures.
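The alignment and policy logic described above, as an added example that is not part of the original page: a simplified receiver-side DMARC evaluation in Python. The function names, the sample record and the domains are constructed for illustration, and the organisational domain is approximated as the last two labels (real receivers use the Public Suffix List).

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: last two labels stand in for the organisational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples.
    Returns 'pass' or the disposition requested by the p= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    # DMARC passes if at least one mechanism both passes and aligns.
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed sample record: reject policy, strict DKIM alignment.
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    cases = [
        # SPF passes, but for an unrelated envelope domain: not aligned.
        ("example.com", ("pass", "bulk-sender.test"), ("none", "")),
        # Envelope domain belongs to the ESP, DKIM signed with d=example.com.
        ("example.com", ("pass", "esp-bounces.test"), ("pass", "example.com")),
        # DKIM d= is a subdomain; adkim=s demands an exact match.
        ("example.com", ("fail", "other.test"), ("pass", "mail.example.com")),
        # SPF for a subdomain aligns under the default relaxed mode.
        ("example.com", ("pass", "bounce.example.com"), ("none", "")),
    ]
    for from_domain, spf, dkim in cases:
        print(from_domain, spf, dkim, "->", evaluate(RECORD, from_domain, spf, dkim))
```

The first case shows why an SPF pass alone does not protect the visible `From:` domain: the check passed for a different domain, so DMARC applies the published policy.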
Relationship to Short Links and Branded Domains
DMARC, DKIM and SPF authenticate the email sending domain — the domain in the From: address. They operate at the email protocol level, not on the content of the email body or the domains used in links.
Short links are governed by their own domain's reputation — independently of the email's authentication status. An email that passes DMARC authentication perfectly can still contain links to a poor-reputation shared shortener domain. An email with clean branded short links on the sender's domain can still fail DMARC if email authentication is misconfigured.
The two layers are complementary, not substitutes:
- DMARC/DKIM/SPF prove: this email genuinely came from the claimed sending domain.
- Branded short links prove: the links in this email also belong to the same organisation.
When both are correctly implemented, every component of the email — sender identity, email content, and every link within the email body — is consistently attributable to the same domain and organisation. This is the comprehensive email trust posture that reduces phishing impersonation risk and maximises deliverability.
Custom Branded Short Link Domains and DNS
Configuring a custom branded short link domain (adding an A record and TXT record for Cuttly) is done in the same DNS management interface where SPF, DKIM and DMARC records live. This is a natural point of integration for organisations setting up both email authentication and branded link domains simultaneously — all configured in DNS, all contributing to a consistent branded domain posture across email sending and link management.
FAQ
What are DMARC, DKIM and SPF?
Three layered email authentication protocols. SPF: authorised sending servers listed in DNS. DKIM: cryptographic signature proving email integrity. DMARC: policy for handling failures + alignment requirement + abuse reporting. Together they prove an email genuinely originated from the domain it claims.
How do DMARC, DKIM and SPF relate to short links?
They operate at different layers. DMARC/DKIM/SPF authenticate the email's sending domain. Short link domains carry their own reputation independent of email authentication. Both are needed: authentication proves who sent the email; branded links prove the links within it belong to the same organisation.