What are SPF, DKIM and DMARC records?
What is SPF?
To put it simply, SPF (Sender Policy Framework) is a way to stop hackers and spammers from sending out emails that claim to come from your domain.
Don't they need my email password to do that? No. A password is only needed to log in to your mailbox and read the emails it has received (or to send through your own provider's server). Think about your physical mailbox (with a lock and key, hopefully). Only a person with the right key can open it and read the letters inside. But anyone can post a letter, write your address in the return field and sign your name. Email is exactly the same in this regard: nothing in the protocol itself checks who wrote the sender address.
So how does SPF stop that? Think of SPF as your secretary. Whenever someone gets an email with your name on it, they call your secretary and ask whether that email really came from one of your servers. If not, the receiver will reject it or throw it in the junk, depending on how strict your SPF policy is.
In more technical terms, SPF is a DNS TXT record on your domain that lists the IP addresses (and, via include: terms, other domains' lists) of the servers allowed to send email for your domain. To get around it, an attacker would need control of your DNS to edit the record, or access to one of the servers it authorises. When an email arrives, the receiving server looks at the IP address the connection came from and at the domain in the envelope sender (the Return-Path, which is not always the same as the From: address you see in your mail client; that gap is what DMARC closes). It fetches that domain's SPF record and checks whether the connecting IP matches one of the listed servers. If it doesn't, the result depends on the record's final term: -all means fail (typically rejected outright) and ~all means softfail (typically delivered to junk). Just note that SPF records often contain terms like include:spf.mailcluster.com.au; these pull in another domain's record, which commonly covers many IP addresses. Companies with large email clusters use these, as it means publishing one SPF record rather than maintaining dozens of IP entries in every customer's record. One caveat: evaluating a record may involve at most 10 DNS lookups (include:, a, mx and similar terms each count, nested includes too), and a record that exceeds the limit is treated as a permanent error rather than a pass.
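The check described above, as an added example (not code from the original page): a small SPF evaluator that takes the connecting IP and the envelope sender domain, handles ip4, ip6, a, include and all terms with their qualifiers, and enforces the 10-lookup limit. The DNS tables, domains (example.com.au, spf.mailcluster.example) and addresses are constructed stand-ins; real code would query DNS and also support mx, exists and redirect=, which are omitted here.

```python
import ipaddress

# Constructed stand-in for DNS (not any real domain's records): domain -> TXT and A records.
DNS_TXT = {
    "example.com.au": ["v=spf1 a ip4:203.0.113.10 include:spf.mailcluster.example -all"],
    "spf.mailcluster.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:192.0.2.5 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # includes itself: hits the lookup limit
}
DNS_A = {"example.com.au": ["203.0.113.20"]}

MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's single SPF record, or None if it has none (two records is also invalid)."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(client_ip, sender_domain, _lookups=None):
    """Evaluate sender_domain's SPF record for a message delivered from client_ip.

    sender_domain is the envelope sender (MAIL FROM / Return-Path) domain, not the
    visible From: header. Returns pass, fail, softfail, neutral, none or permerror.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    lookups = _lookups if _lookups is not None else [0]  # shared counter across includes
    record = spf_record(sender_domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:") or term == "a" or term.startswith("a:"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            if term.startswith("include:"):
                inner = check_spf(client_ip, term[len("include:"):], lookups)
                if inner == "permerror":
                    return "permerror"
                matched = inner == "pass"  # an include only matches when the inner record passes
            else:
                host = sender_domain if term == "a" else term[2:]
                matched = str(ip) in DNS_A.get(host, [])
        else:
            return "permerror"  # mx, exists, redirect= and unknown terms not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term
```

The include: term is how spf.mailcluster-style records work: the inner record is evaluated and counts as a match only when it returns pass, and every include (and every a or mx) consumes one of the 10 lookups, which is why a record full of includes can silently become a permerror.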
What is DKIM?
DKIM (DomainKeys Identified Mail) is a digital signature added to your emails as a header. It covers the message body and a chosen set of headers (From, Subject and so on), so if anything it covers is modified between sending and delivery, the signature no longer matches. The receiving server verifies the signature using a public key your domain publishes in DNS, and treats the message as unsigned (or rejects it, depending on policy) if the check fails. Because only the holder of the private key can produce a valid signature, a passing DKIM check also shows that the message was signed by your domain, not just that it was unmodified.
How does it work? The signature is a public-key digital signature: the sending server computes a hash of the (canonicalised) headers and body, signs that hash with your domain's private key, and puts the result in a DKIM-Signature header. The matching public key is published as a DNS TXT record under selector._domainkey.yourdomain, so any receiver can fetch it. If you're unsure what that means, imagine you're sending a letter containing your will to your lawyer. You're worried that the postman will open the letter and change part of that will before it gets to the lawyer. So you fold and scrunch up the letter in a way that produces a very specific pattern of creases that's impossible to recreate exactly. You tell your lawyer what that pattern is, describing its finest details. If the postman were to open the letter, when he puts it back in the envelope there's no way he could fold and crease it in exactly the same pattern. So when your lawyer gets that letter, he checks that the pattern perfectly matches your description, and rejects the letter if it doesn't. The published description is the public key: only you can make the creases, but anyone can check them.
Do I really need it? DKIM is more useful than it first looks. SPF checks the IP address that delivered the message, so it breaks whenever your mail is forwarded (the forwarder's server isn't in your record); a DKIM signature travels with the message and still verifies after forwarding as long as the signed content wasn't altered. It's also one of the two ways a message can pass DMARC. Nothing ever 100% guarantees that your email will reach its destination, but with DKIM the receiving server has one more way to verify that your email genuinely came from you, and is more likely to put it in the inbox rather than the junk folder. It's easy to set up, though not quite set-and-forget: keys should be rotated periodically by publishing a new selector and retiring the old one.
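The sign-then-verify flow described above, as an added example (not code from the original page): a simplified DKIM signer and verifier with relaxed header and simple body canonicalisation, a DKIM-Signature header carrying the bh= body hash and b= signature, and a constructed DNS table holding the public key under s1._domainkey.example.com.au. The RSA key is a deliberately insecure toy built from two publicly known Mersenne primes so the example needs only the standard library; it stands in for a real 2048-bit DKIM key, and the PKCS#1 padding real DKIM uses is omitted. The message headers and body are constructed for the example.

```python
import base64
import hashlib
import re

# Toy RSA key from two publicly known Mersenne primes: zero security, standard library only.
# A real deployment generates a 2048-bit key and publishes its public half in DNS.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_BYTES = (N.bit_length() + 7) // 8

# Constructed DNS table: "<selector>._domainkey.<domain>" -> public key (n, e).
DNS_DKIM = {"s1._domainkey.example.com.au": (N, E)}

# Constructed sample message; header names are lower-cased keys.
HEADERS = {"from": "Alice <alice@example.com.au>", "to": "bob@example.net", "subject": "Invoice 42"}
BODY = "Please pay the attached invoice.\r\n"


def canon_body(body):
    """'simple' body canonicalisation: CRLF line ends, trailing empty lines removed."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def canon_header(name, value):
    """'relaxed' header canonicalisation: lower-case name, unfolded, whitespace collapsed."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()


def header_digest(headers, signed, sig_without_b):
    """SHA-256 over the signed headers plus the DKIM-Signature header with an empty b= tag."""
    data = "".join(canon_header(h, headers.get(h, "")) for h in signed)
    data += canon_header("DKIM-Signature", sig_without_b).rstrip("\r\n")
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def dkim_sign(headers, body, domain, selector, signed=("from", "to", "subject")):
    """Return the value of the DKIM-Signature header for this message."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
           f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    signature = pow(header_digest(headers, signed, sig), D, N)  # textbook RSA with the private exponent
    return sig + base64.b64encode(signature.to_bytes(KEY_BYTES, "big")).decode()


def dkim_verify(headers, body, sig_value):
    """True only if the signature verifies with the key from DNS and the signed content is unchanged."""
    tags = dict(t.strip().split("=", 1) for t in sig_value.split(";") if t.strip())
    key = DNS_DKIM.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    if key is None or tags.get("a") != "rsa-sha256":
        return False
    if tags.get("bh") != body_hash(body):  # body was modified in transit
        return False
    sig_without_b = sig_value[: len(sig_value) - len(tags["b"])]  # b= is the last tag
    expected = header_digest(headers, tags["h"].split(":"), sig_without_b)
    n, e = key
    signature = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return pow(signature, e, n) == expected


def demo():
    """Sign the sample message, then show which changes break verification."""
    sig = dkim_sign(HEADERS, BODY, "example.com.au", "s1")
    return {
        "original": dkim_verify(HEADERS, BODY, sig),
        "extra_blank_lines": dkim_verify(HEADERS, BODY + "\r\n\r\n", sig),
        "subject_whitespace": dkim_verify({**HEADERS, "subject": "Invoice   42"}, BODY, sig),
        "body_appended": dkim_verify(HEADERS, BODY + "Send payment to my new account.\r\n", sig),
        "subject_changed": dkim_verify({**HEADERS, "subject": "Invoice 43"}, BODY, sig),
        "from_changed": dkim_verify({**HEADERS, "from": "mallory@attacker.example"}, BODY, sig),
    }
```

Two things worth noticing: trailing blank lines and extra spaces inside a header do not break the signature, because canonicalisation removes them before hashing (that tolerance is why relaxed mode exists), while any change to the body text or to a signed header does. The d= tag names the signing domain, which is what DMARC later compares against the From: address.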
What is DMARC?
While it's a complex tool, the basic feature of DMARC (Domain-based Message Authentication, Reporting and Conformance) is to answer the question: what should a receiver do with an email that claims to be from my domain but fails SPF or DKIM? A DMARC record, published at _dmarc.yourdomain, tells receiving servers which policy to apply (p=none to only monitor, p=quarantine to junk, p=reject to refuse the message) and where to send reports about what they saw. DMARC also adds the alignment check the other two lack: to pass, the domain in the visible From: header must match the domain that passed SPF (the envelope sender) or the d= domain of a valid DKIM signature. Without that check, a spammer could pass SPF with their own domain in the envelope while still showing your address in the From: field.
Do I need it? DMARC is what turns SPF and DKIM into real protection for your visible From: address, and it's useful for two further reasons. First, when a hacker spoofs your domain they typically do so for days or weeks, and every receiver that accepts a spoofed message and later bounces it sends the bounce to you. These bounces arrive as legitimate-looking emails that can fill up your mailbox. With a p=reject policy, receivers that honour DMARC refuse the spoofed mail during the SMTP conversation, so no bounce is generated (receivers that ignore DMARC can still bounce). Secondly, the aggregate reports sent to the rua= address show which servers are sending mail as your domain and whether it passed, so you can spot a legitimate system you forgot to authorise before its mail starts landing in junk, and see spoofing campaigns as they happen. The reports summarise authentication results per sending source; they are not delivery confirmations for individual emails.
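The policy lookup, alignment check and reporting described in the two paragraphs above, as one added example (not code from the original page): it parses constructed DMARC records, computes the organisational domain for relaxed alignment, decides the disposition from SPF and DKIM results plus alignment, and tallies a batch of constructed messages per source IP the way an aggregate report does. The public-suffix table is a toy stand-in for the Public Suffix List, the sp= subdomain policy and pct= tags are omitted, and all domains and addresses are made up.

```python
# Constructed DMARC records keyed by the _dmarc.<domain> name they would be published under.
DNS_DMARC = {
    "_dmarc.example.com.au": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com.au",
    "_dmarc.strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}
# Toy public-suffix table; real implementations use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com.au", "co.uk", "com", "net", "org", "example"}

# Constructed sample traffic: (source IP, From: domain, SPF result, SPF domain, DKIM result, DKIM d=).
SAMPLE_MESSAGES = [
    ("203.0.113.10", "example.com.au", "pass", "example.com.au", "pass", "example.com.au"),      # own server
    ("198.51.100.7", "example.com.au", "fail", "example.com.au", "pass", "mail.example.com.au"),  # forwarded
    ("192.0.2.99", "example.com.au", "pass", "attacker.example", "none", None),                   # own-envelope spoof
    ("192.0.2.99", "example.com.au", "fail", "example.com.au", "none", None),                     # plain spoof
]


def org_domain(domain):
    """Organisational domain: one label more than the public suffix (mail.example.com.au -> example.com.au)."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def dmarc_policy(from_domain):
    """Policy for the From: domain, falling back to its organisational domain for subdomains."""
    for d in (from_domain, org_domain(from_domain)):
        rec = DNS_DMARC.get(f"_dmarc.{d}")
        if rec:
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if t.strip())
            if tags.get("v") == "DMARC1" and tags.get("p") in ("none", "quarantine", "reject"):
                return {"p": tags["p"], "adkim": tags.get("adkim", "r"),
                        "aspf": tags.get("aspf", "r"), "rua": tags.get("rua")}
    return None


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope sender domain SPF was checked against; dkim_domain is
    the d= tag of a signature that verified. Disposition is what the receiver should
    do: 'none' (deliver normally), 'quarantine' or 'reject'.
    """
    policy = dmarc_policy(from_domain)
    if policy is None:
        return ("none", "none")  # no DMARC record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])


def aggregate(messages):
    """Tally pass/fail per source IP, as an rua= aggregate report would summarise them."""
    report = {}
    for source_ip, *identities in messages:
        result, disposition = dmarc_evaluate(*identities)
        entry = report.setdefault(source_ip, {"pass": 0, "fail": 0, "disposition": "none"})
        entry[result] = entry.get(result, 0) + 1
        if disposition != "none":
            entry["disposition"] = disposition
    return report
```

The third sample message is the case that makes alignment essential: its envelope domain passes SPF, but that domain is not the one in the From: header, so DMARC still fails and the reject policy applies. The second shows the forwarding case from the DKIM section, where SPF fails but an aligned DKIM signature carries the message through.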