How to Fix Missing Email Security Records (SPF/DKIM/DMARC)

Missing SPF, DKIM, and DMARC records allow attackers to send spoofed emails from your domain. Configure email authentication now.

Medium severity | Infrastructure Security | Updated 2026-03-01

The Problem

Missing SPF, DKIM, and DMARC records mean anyone can send emails that appear to come from your domain. Attackers exploit this to send phishing emails to your users, impersonating your brand to steal credentials or distribute malware. Without these records, receiving mail servers have no way to verify that emails claiming to be from your domain are legitimate, and your own legitimate emails are more likely to land in spam.

How to Fix

  1.

    Add an SPF record

    SPF tells receiving servers which mail servers are authorized to send email for your domain. Add a TXT record to your DNS:
    Type: TXT
    Host: @
    Value: v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all

    Replace the include statements with your actual email providers, and list only the services that really send for this domain (every include: costs one of the ten DNS lookups an SPF record is allowed):
    - Gmail/Google Workspace: include:_spf.google.com
    - SendGrid: include:sendgrid.net
    - Mailgun: include:mailgun.org
    - Amazon SES: include:amazonses.com
    - Postmark: include:spf.mtasv.net

    Use ~all (soft fail) initially, then change to -all (hard fail) after testing. Publish exactly one v=spf1 TXT record per domain: two SPF records is a permanent error (permerror) and receivers treat the check as failed. Note also that SPF is evaluated against the envelope sender (Return-Path), not the visible From: header. Providers such as SendGrid and Mailgun use their own bounce domain as the envelope sender by default, so SPF only aligns with your domain under DMARC once you configure a custom return-path (bounce) domain with the provider; until then, DMARC passes on DKIM alone.

  2.

    Configure DKIM signing

    DKIM adds a cryptographic signature to outgoing emails. Configuration depends on your email provider:

    For SendGrid: Go to Settings > Sender Authentication > Authenticate Your Domain. Add the CNAME records provided.

    For Mailgun: Go to Sending > Domains > DNS Records. Add the TXT records provided.

    For Amazon SES: Use the DKIM settings in your SES domain identity. Add the three CNAME records provided.

    Each provider generates unique DKIM keys. Add the DNS records they provide, which typically look like:

    Type: CNAME
    Host: s1._domainkey
    Value: s1.domainkey.u12345.wl.sendgrid.net

    Add every record the provider lists, including any second selector used for key rotation (SendGrid issues s1 and s2). Create them as plain DNS records: if your DNS host can proxy records (for example Cloudflare), the DKIM CNAMEs must be unproxied (DNS only), or receivers cannot fetch the public key and every signature fails.
  3.

    Add a DMARC record

    DMARC tells receivers what to do with emails that fail SPF/DKIM checks. Start with monitoring mode:
    Type: TXT
    Host: _dmarc
    Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
    With p=none nothing is rejected or quarantined; receivers that honour DMARC simply send daily aggregate reports (XML, usually zipped) to the rua address. If that mailbox is on a different domain than the one being protected, the reporting domain must publish an authorization TXT record named yourdomain.com._report._dmarc under itself, containing v=DMARC1, or receivers will not send the reports. After reviewing reports for 2-4 weeks and confirming that every legitimate source passes, upgrade to quarantine:
    v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

    Then finally to reject:

    v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

    Subdomains inherit the p= policy unless you publish a separate sp= tag, so a p=reject record also stops spoofing of subdomains that never send mail.
  4.

    Configure Laravel mail to use authenticated sending

    Ensure your Laravel application sends email through an authenticated provider. In .env:

    MAIL_MAILER=smtp
    MAIL_HOST=smtp.sendgrid.net
    MAIL_PORT=587
    MAIL_USERNAME=apikey
    MAIL_PASSWORD=your-sendgrid-api-key
    MAIL_ENCRYPTION=tls
    MAIL_FROM_ADDRESS=noreply@yourdomain.com
    MAIL_FROM_NAME="Your App Name"
    Do not use the sendmail mailer, or the legacy mail mailer that calls PHP mail(), in production unless you have deliberately set the server up for it: mail sent that way leaves from your web server's own IP, which is not covered by the SPF record above, and carries no DKIM signature unless the local MTA runs a signer, so it fails both checks and is likely to be flagged as spam. Keep the API key out of version control (.env is gitignored by default) and inject it from your secrets store in production.
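Reviewing the aggregate reports from step 3 is where most rollouts stall, because each receiver sends a separate XML file per day and the interesting rows are buried in them. The script below is an added example, not code from the original page or from StackShield: it parses the aggregate-report format defined in RFC 7489 Appendix C, works out per source IP how much mail passed or failed DMARC, and lists the sources to investigate before moving to p=quarantine. The embedded report is constructed for illustration, using documentation IP ranges and placeholder domain names.

```python
"""Summarise a DMARC aggregate (rua) report: which senders pass, which fail.

Added example, not part of the original page. Parses the XML aggregate
report format from RFC 7489 Appendix C. SAMPLE_REPORT is constructed for
illustration (documentation IPs, placeholder domains).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report: an aligned provider, a spoofer, and a forwarder.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published policy, one dict per <record>) from a report."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    policy = {"domain": pol.findtext("domain"), "p": pol.findtext("p")}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results the receiver computed;
        # DMARC passes when either aligned identifier passes.
        dkim_ok = ev.findtext("dkim") == "pass"
        spf_ok = ev.findtext("spf") == "pass"
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok,
            # raw (unaligned) SPF domain: who the envelope sender actually was
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return policy, records


def summarise(records):
    """Message counts per source IP, split into DMARC pass and fail."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for r in records:
        totals[r["source_ip"]]["pass" if r["dmarc_pass"] else "fail"] += r["count"]
    return dict(totals)


def failing_sources(records):
    """Source IPs with DMARC-failing mail: forgotten legitimate senders, or spoofers."""
    return sorted({r["source_ip"] for r in records if not r["dmarc_pass"]})


if __name__ == "__main__":
    policy, records = parse_report(SAMPLE_REPORT)
    print(f"{policy['domain']} p={policy['p']}")
    for ip, t in summarise(records).items():
        print(f"{ip:16} pass={t['pass']:5} fail={t['fail']:5}")
    print("review before tightening policy:", failing_sources(records))
```

The third record shows why DKIM matters under DMARC: a forwarder breaks SPF (the envelope sender is now the forwarder's), but the DKIM signature survives and the message still passes. Only the second source, which passed SPF for a domain that is not yours and carried no signature, needs action; if it is a service you forgot, add it to SPF and configure DKIM, and if it is not, it is exactly the spoofing that p=quarantine will stop.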

How to Verify

Check your DNS records:

dig +short TXT yourdomain.com | grep -i "v=spf1"
dig +short TXT _dmarc.yourdomain.com
dig +short CNAME s1._domainkey.yourdomain.com
dig +short TXT s1._domainkey.yourdomain.com

The first command should print exactly one line (two SPF records is a permerror). Replace s1 with the selector your provider assigned (SendGrid uses s1 and s2; SES and Mailgun show theirs on the DNS records page); for CNAME-based DKIM the last query follows the CNAME to the provider and prints the public key record only once the CNAME is in place.
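Before pasting a record into DNS, or after pulling it back out with dig, it is worth checking it mechanically. The linter below is an added example, not code from the page or from StackShield: it counts the SPF terms that consume DNS lookups (RFC 7208 allows ten; this also covers the limit mentioned in the FAQ), flags a missing or permissive "all", and checks the DMARC tags for a valid policy, a reporting address and a pct that actually applies the policy. It does no DNS queries, so nested includes are counted one level deep only; the sample records are constructed.

```python
"""Lint SPF and DMARC record values before (or after) publishing them.

Added example, not part of the original page. Pure string checks, no DNS:
paste in the TXT values returned by dig. Counts the SPF terms that cost a
DNS lookup (RFC 7208 allows at most 10), checks the terminal "all"
qualifier, and checks the DMARC tags. Sample records are constructed.
"""
import re

# SPF mechanisms/modifiers that each consume one DNS lookup.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_FREE_TERMS = {"ip4", "ip6", "exp"}


def lint_spf(record):
    """Return {'lookups', 'all', 'problems'} for one SPF TXT record value."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1  # one level only: includes are not resolved here
        elif name == "all":
            all_qualifier = qualifier
        elif name not in SPF_FREE_TERMS:
            problems.append(f"unknown term: {term}")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if all_qualifier is None:
        problems.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        problems.append(f"'{all_qualifier}all' lets any server send as this domain")
    return {"lookups": lookups, "all": all_qualifier, "problems": problems}


def lint_dmarc(record):
    """Return {'p', 'pct', 'rua', 'problems'} for one DMARC TXT record value."""
    problems = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address: you will get no aggregate reports")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        problems.append("pct= must be an integer")
    if policy in ("quarantine", "reject") and pct < 100:
        problems.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return {"p": policy, "pct": pct, "rua": tags.get("rua"), "problems": problems}


if __name__ == "__main__":
    # Constructed samples: the records from this page, plus two bad ones.
    for rec in (
        "v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all",
        "v=spf1 a mx include:a.example include:b.example include:c.example "
        "include:d.example include:e.example include:f.example include:g.example "
        "include:h.example include:i.example +all",
    ):
        print(rec, "->", lint_spf(rec))
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100",
        "v=DMARC1; p=reject; pct=25",
    ):
        print(rec, "->", lint_dmarc(rec))
```

To lint a live record, pipe the dig output in: `dig +short TXT yourdomain.com` prints the value in quotes, so strip them before calling lint_spf. Remember that a real lookup count must follow each include: recursively; a record that looks fine at one level can still exceed ten once _spf.google.com and friends expand.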

Use a verification tool like mail-tester.com: send an email to the address they provide and get a score. Aim for 10/10. You can also check at mxtoolbox.com/SuperTool.aspx.

Prevention

Configure SPF, DKIM, and DMARC as part of your domain setup process before sending any email. Document which services are authorized to send email for your domain. Use StackShield to continuously monitor your email authentication records and alert on changes.

Frequently Asked Questions

Will adding these records affect my existing email delivery?

Start with SPF using ~all (soft fail) and DMARC with p=none (monitor only). This collects data without blocking any email. Once you have confirmed all legitimate email sources pass checks (usually 2-4 weeks), tighten the policies. This staged approach prevents accidentally blocking your own email.

Do I need all three (SPF, DKIM, DMARC)?

Yes. SPF only checks the envelope sender (Return-Path), so a message can pass SPF while showing a completely different address in the visible From: header, and SPF breaks whenever mail is forwarded. DKIM survives forwarding, but on its own it tells receivers nothing about what to do with unsigned mail. DMARC ties them together: it requires the SPF or DKIM domain to align with the From: header domain and tells receivers what to do when neither aligns. Gmail and Yahoo require SPF or DKIM from every sender, and both of them plus a published DMARC policy from bulk senders (roughly 5,000 messages a day or more), so all three are needed for reliable delivery.

What if I use multiple email services?

Add all authorized senders to your SPF record using include: directives. Each service needs its own DKIM keys configured. DMARC covers all senders. Be careful not to exceed the 10 DNS lookup limit for SPF, counting the lookups inside each provider's include as well as your own: exceeding it is a permerror, which fails the check. Remove includes for services you no longer use first; SPF flattening tools (which replace includes with the providers' current IP ranges) also work, but the flattened record goes stale when a provider changes its IPs, so it has to be regenerated on a schedule.

Detect This Automatically with StackShield

StackShield continuously monitors your Laravel application from the outside and alerts you when security issues are found. No installation required.
