Medium | KVKK m.12 | GDPR Art. 32 | ISO 27001 A.5.14

Set up SPF, DKIM and DMARC to stop email spoofing

Without SPF, DKIM and an enforcing DMARC policy, anyone can send email that appears to come from your domain.

Why it matters

Email authentication is the single most abused gap for phishing and business email compromise. A domain with no DMARC record (or with p=none) lets attackers impersonate your brand to your own customers and staff, and it hurts the deliverability of your legitimate mail.

How to fix it

Publish an SPF TXT record listing your senders, sign outgoing mail with DKIM, then add a DMARC record and move it from p=none (monitor) to p=quarantine and finally p=reject once your reports are clean.

; SPF
@   TXT  "v=spf1 include:_spf.google.com -all"

; DMARC (start at p=none, then enforce; the final p=reject state is shown)
_dmarc  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
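
To check what a domain actually publishes against the target state above, the following added example (not part of the original guide) audits SPF and DMARC TXT strings offline. The function names and the finding messages are assumptions made for illustration, and the sample records are constructed from the ones shown in this guide.

```python
# Added example: offline audit of SPF and DMARC TXT strings (not the guide's code).
def audit_spf(txt_records):
    """Return findings for the TXT strings published at the domain apex."""
    records = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records: receivers return permerror"]
    terms = records[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated; audit the redirect target instead
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_terms[0] in ("all", "+all"):
        return ["+all: any host passes SPF"]
    if all_terms[0] != "-all":
        return [all_terms[0] + ": unlisted senders are not hard-failed"]
    return []

def audit_dmarc(txt_records):
    """Return findings for the TXT strings published at _dmarc.<domain>."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record"]
    if len(records) > 1:
        return ["multiple DMARC records: receivers apply none of them"]
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, no action on failing mail")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review")
    return findings

# Constructed samples: the records from this guide, then a monitor-only pair.
PAGE = (["v=spf1 include:_spf.google.com -all"],
        ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
WEAK = (["v=spf1 include:_spf.google.com ~all"], ["v=DMARC1; p=none"])
if __name__ == "__main__":
    for spf, dmarc in (PAGE, WEAK):
        print(audit_spf(spf) + audit_dmarc(dmarc))
```

An empty list means the records match the enforced state shown above; DKIM is not covered because its record lives under a selector name that only the sending service knows.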


Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.