DNS | January 1, 2025 | 9 min read

Email Security with SPF, DKIM, and DMARC: A Complete Guide

Protect your domain from email spoofing with SPF, DKIM, and DMARC. Learn the correct syntax, deployment strategies, and how these protocols work together.

By SecScanner Team

Email spoofing remains one of the most common attack vectors for phishing and fraud. Attackers can easily send emails that appear to come from your domain, damaging your reputation and putting your customers at risk. SPF, DKIM, and DMARC work together to authenticate legitimate email and reject fraudulent messages.

The Email Spoofing Problem

By default, email protocols don't verify sender identity. Anyone can send an email claiming to be from your domain. This enables:

  • Phishing attacks: Fake emails impersonating your brand to steal credentials
  • Business Email Compromise: Fraudulent invoices and wire transfer requests
  • Reputation damage: Your domain gets blacklisted due to spam from spoofed emails
  • Malware distribution: Malicious attachments appear to come from trusted sources

SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email on behalf of your domain.

How SPF Works

  1. You publish an SPF record in your domain's DNS
  2. Receiving servers check if the sending server's IP matches your SPF record
  3. If there's no match, the email fails SPF validation

SPF Record Syntax

v=spf1 [mechanisms] [qualifier]all

Common Mechanisms

  • ip4: Authorize an IPv4 address or range
  • ip6: Authorize an IPv6 address or range
  • include: Include another domain's SPF record
  • a: Authorize your domain's A record IP
  • mx: Authorize your domain's MX record IPs

The Critical Difference: -all vs ~all

  • -all (hard fail): Reject emails from unauthorized servers
  • ~all (soft fail): Mark as suspicious but don't reject
  • ?all (neutral): No policy, essentially useless

Recommendation: Use -all (hard fail) once you've confirmed all legitimate senders are included. Start with ~all during testing.

Example SPF Record

v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net -all

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails, proving that the signed headers and body haven't been modified in transit and that the message was sent by a party holding your domain's private key.

How DKIM Works

  1. Your mail server signs outgoing emails with a private key
  2. You publish the corresponding public key in DNS
  3. Receiving servers verify the signature using your public key
  4. Invalid signatures indicate tampering or spoofing

DKIM DNS Record

DKIM records are published at selector._domainkey.yourdomain.com:

selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

DKIM Setup Steps

  1. Generate a public/private key pair (your email provider usually does this)
  2. Configure your mail server to sign outgoing emails
  3. Publish the public key in DNS
  4. Test by sending an email and checking headers

DKIM Best Practices

  • Use 2048-bit keys (1024-bit is now considered weak)
  • Rotate keys periodically (annually at minimum)
  • Use unique selectors for different services
  • Sign all headers that affect message interpretation
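The 2048-bit recommendation can be checked directly against a published DKIM record by decoding the public key in its p= tag. This is an added example, not SecScanner's code: it uses a minimal DER parser for RSA SubjectPublicKeyInfo only, and because the key in the record above is truncated, it builds its own constructed sample records (synthetic moduli, not usable keys).

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus in a DKIM p= value (base64 DER
    SubjectPublicKeyInfo); whitespace from split TXT strings is tolerated."""
    spki = base64.b64decode("".join(p_value.split()))
    tag, body, _ = _tlv(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _tlv(body, 0)             # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or _tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption public key")
    _, bitstr, _ = _tlv(body, pos)          # BIT STRING; first byte = unused bits
    _, rsa_key, _ = _tlv(bitstr[1:], 0)     # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _tlv(rsa_key, 0)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_key(txt):
    """Return (key_type, modulus_bits, verdict) for a DKIM TXT record."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    key_type = tags.get("k", "rsa")
    if not tags.get("p"):               # an empty p= means the selector was revoked
        return key_type, None, "revoked"
    if key_type != "rsa":
        return key_type, None, "non-rsa"
    bits = rsa_modulus_bits(tags["p"])
    return key_type, bits, "ok" if bits >= 2048 else "weak"

def _der(tag, value):
    """Encode one DER TLV (only used to build the constructed sample below)."""
    n, size = len(value), (len(value).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value

def sample_dkim_record(bits):
    """Constructed DKIM record whose synthetic modulus has exactly `bits` bits.
    It is not a usable key; only its encoding matters for the size check."""
    def der_int(v):
        return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsa_key = _der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Feed check_dkim_key the TXT value returned by a DNS query for selector._domainkey.yourdomain.com; a "weak" verdict means a 1024-bit (or smaller) key that should be rotated.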

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM, telling receiving servers what to do with failed messages and providing reporting.

DMARC Policies

  • p=none: Monitor only, don't take action (good for initial deployment)
  • p=quarantine: Treat failed messages as suspicious (typically delivered to the spam folder)
  • p=reject: Reject failed messages entirely

DMARC Record Syntax

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100"

Key DMARC Tags

  • v: Version (must be DMARC1)
  • p: Policy for your domain
  • sp: Policy for subdomains
  • rua: Aggregate report recipient
  • ruf: Forensic report recipient
  • pct: Percentage of failing messages the policy is applied to
  • adkim: DKIM alignment mode (r=relaxed, s=strict)
  • aspf: SPF alignment mode (r=relaxed, s=strict)

DMARC Deployment Roadmap

Don't jump straight to p=reject. Follow this gradual deployment:

Phase 1: Monitor (2-4 weeks)

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Collect reports, identify all legitimate email sources, fix SPF/DKIM issues.

Phase 2: Quarantine (2-4 weeks)

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com

Start with 25%, gradually increase to 100%. Monitor for legitimate email going to spam.

Phase 3: Reject

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Full protection. Unauthorized emails are rejected entirely.

How SPF, DKIM, and DMARC Work Together

These protocols complement each other:

  1. SPF verifies the sending server is authorized
  2. DKIM verifies the message content hasn't been tampered with
  3. DMARC tells receivers what to do when checks fail and provides reporting

For DMARC to pass, at least one of SPF or DKIM must pass AND the domain it authenticated (the MAIL FROM domain for SPF, the d= tag for DKIM) must align with the From header domain.
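The alignment rule just stated, together with the p=/sp=/pct= handling from the record syntax and deployment roadmap above, as an added Python example (not SecScanner's code). It assumes the receiver has already produced the SPF and DKIM results; the records and domains are constructed sample values, and the organizational-domain logic is simplified to the last two labels where a real receiver would use the Public Suffix List.

```python
import random

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC1 record with a p= policy")
    tags["pct"] = int(tags["pct"])
    tags["sp"] = tags["sp"] or tags["p"]  # subdomain policy defaults to p=
    return tags

def org_domain(domain):
    """Organizational domain, simplified here to the last two labels; real
    receivers consult the Public Suffix List (so co.uk is handled correctly)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """s (strict): exact match. r (relaxed): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(record, policy_domain, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, draw=None):
    """Return (dmarc_pass, disposition). record is the TXT at _dmarc.<policy_domain>;
    spf_domain is the MAIL FROM domain, dkim_domain the DKIM d= tag, and the
    results are the receiver's SPF/DKIM outcomes ("pass", "fail", ...)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return True, "none"
    # the From domain itself uses p=; a subdomain of it uses sp=
    policy = tags["p"] if from_domain.lower() == policy_domain.lower() else tags["sp"]
    # pct= applies the policy to only that share of failing mail; the remainder
    # gets the next less severe action (reject -> quarantine -> none)
    draw = random.randrange(100) if draw is None else draw
    if draw >= tags["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return False, policy

if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"  # constructed sample
    # forwarded mail: SPF breaks, but an intact DKIM signature still aligns
    print(evaluate_dmarc(rec, "example.com", "example.com", "fail", "fwd.example.net", "pass", "example.com"))
    # third-party sender authenticating only its own domain: fails alignment
    print(evaluate_dmarc(rec, "example.com", "example.com", "pass", "esp-example.net", "pass", "esp-example.net"))
```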

Common Issues and Solutions

Third-Party Senders

Services like Mailchimp, SendGrid, or HubSpot need to be included in your SPF and configured for DKIM signing.

Email Forwarding

Forwarding often breaks SPF (different server) and sometimes DKIM (modified headers). DMARC's relaxed alignment helps, but some legitimate forwarded mail may fail. An intact DKIM signature normally survives a forward that doesn't rewrite the signed content, which is why DKIM is the check that most often keeps forwarded mail passing DMARC.

SPF Lookup Limit

SPF evaluation is limited to 10 DNS lookups per check; include, a, mx and similar mechanisms each count toward it, while ip4 and ip6 entries do not. Consolidate includes or use an SPF flattening service if you hit this limit.
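The following Python ties together the SPF evaluation described earlier (mechanisms, the -all/~all/?all qualifiers, nested includes) and the lookup limit just mentioned. It is an added example, not SecScanner's code: live DNS is replaced by a constructed in-memory ZONE table so it runs offline, the a/mx mechanisms read their resolved IPs from that table, and an include of a domain with no record is treated as a non-match rather than the error RFC 7208 prescribes.

```python
import ipaddress
# Constructed zone data standing in for live DNS: "txt" is the SPF record, "mx" the
# IPs the mx mechanism would resolve to. esp-example.net is a fictional third-party sender.
ZONE = {
    "example.com": {"txt": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp-example.net mx -all",
                    "mx": ["198.51.100.10"]},
    "_spf.esp-example.net": {"txt": "v=spf1 ip4:203.0.113.0/24 include:_spf2.esp-example.net ~all"},
    "_spf2.esp-example.net": {"txt": "v=spf1 ip6:2001:db8::/32 -all"},
}
LOOKUP_LIMIT = 10  # RFC 7208: include, a, mx, ptr, exists and redirect each count
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception):
    pass  # evaluation cannot complete, e.g. the lookup limit was exceeded

def check_spf(ip, domain, lookups=None):
    """SPF result (pass/fail/softfail/neutral/none) for sender ip against domain's
    record. `lookups` is a single counter shared across nested includes."""
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    record = ZONE.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech in ("include", "a", "mx"):
            lookups[0] += 1
            if lookups[0] > LOOKUP_LIMIT:
                raise PermError(f"more than {LOOKUP_LIMIT} DNS lookups")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):  # a v4 address never matches a v6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":  # matches only if the included record yields pass
            matched = check_spf(ip, arg, lookups) == "pass"
        elif mech in ("a", "mx"):  # simplified: resolved IPs are read from ZONE
            matched = str(addr) in ZONE.get(arg or domain, {}).get(mech, [])
        else:
            raise PermError(f"unsupported mechanism {mech}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record without an all term

def count_lookups(domain):
    """Static count of DNS-querying terms across the include tree, independent of sender IP."""
    total = 0
    for term in ZONE.get(domain, {}).get("txt", "").split()[1:]:
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        total += mech in ("include", "a", "mx")
        if mech == "include":
            total += count_lookups(arg)
    return total
```

count_lookups is the figure to watch when adding third-party includes: example.com above uses 3 of the 10 allowed, and a record that exceeds the limit makes check_spf raise PermError before any sender can pass.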

Testing Your Email Authentication

  • Use SecScanner to check your SPF, DKIM, and DMARC records
  • Send test emails and check headers for authentication results
  • Review DMARC aggregate reports regularly
  • Use online validators to check record syntax

Implementing SPF, DKIM, and DMARC is essential for protecting your domain reputation and your users from phishing attacks. Start monitoring today and work toward a reject policy.
