SPF, DKIM, DMARC and the Battle Against Email Spoofing

Email spoofing is still one of the easiest ways attackers get people to click on things they should not. A message that looks like it comes from your finance team, your CEO, or a trusted vendor can slide straight past normal skepticism if the “From” line looks right. This Tuesday “Insights” feature from Bare Metal Cyber Magazine digs into how Sender Policy Framework (S P F), DomainKeys Identified Mail (D K I M), and Domain-based Message Authentication, Reporting and Conformance (D M A R C) email authentication help you push back on that problem in a systematic way. You will hear how these controls really work, where they sit in your stack, and what it looks like when they are doing real work for your organization.

The first thing to understand is that S P F, D K I M, and D M A R C are not content filters. They do not read links or attachments or decide whether a message “looks” like phishing. Instead, they give receiving mail systems a stronger identity and integrity signal about who is allowed to send in the name of your domain and whether a message has been altered in transit. They live in two main places: public D N S records that publish your policies and keys, and email headers that carry the results of those checks. Your secure email gateway, cloud mail provider, and any downstream tools can then use those signals when making delivery decisions.

S P F focuses on the path a message takes into the receiving system. When a mail server connects and says “I am sending mail for this domain,” the receiver can look up that domain’s S P F record in D N S. That record lists which servers or networks are allowed to send for the domain. The receiving system compares the connecting I P address with that list and decides whether the sender passes, soft fails, or hard fails S P F. This result becomes one important input to the overall decision about whether to accept the message, put it in spam, or block it outright.

D K I M looks at the message itself instead of just the sending server. When a sending system prepares an email, it uses a private key to generate a cryptographic signature over selected headers and the body. It then adds a D K I M signature header that tells receivers which selector and domain to use to find the matching public key in D N S. When the message arrives, the receiving server pulls that public key, validates the signature, and checks whether the message was changed in transit. If the signature verifies, the receiver gains confidence that a system in control of that key really sent and formed the message.

D M A R C sits on top of S P F and D K I M as a kind of policy and feedback layer. It looks at the visible “From” domain that users see and asks whether S P F and or D K I M passed for that same domain or an allowed subdomain. That alignment step matters, because an attacker should not be able to pass S P F or D K I M on a completely unrelated domain while showing your brand name in the “From” line. D M A R C also tells receivers what to do when checks fail, such as monitor only, send to spam, or reject, and where to send reports so that domain owners can see who is sending on their behalf and how often messages pass or fail authentication.

To picture how this works in real life, imagine someone sends an email that looks like it is from your C F O, asking for an urgent payment. When that message hits your environment, the receiving system checks the connecting I P against your S P F record and sees whether that source is allowed to send as your domain. It then checks for a valid D K I M signature associated with your domain. D M A R C pulls those results together and checks alignment with the visible “From” address. If none of the signals line up with what you have published in D N S, and your D M A R C policy tells receivers to quarantine or reject, that message is much more likely to be stopped before your users ever see it.

In everyday work, many teams start by using D M A R C in a monitoring mode with a “none” policy. They publish a D M A R C record that tells receivers to send them aggregated reports but not to block anything yet. Over days and weeks, those reports show which platforms are legitimately sending email as their domain, such as the primary mail service, marketing tools, ticketing systems, payroll platforms, and customer portals. With that visibility, they can gently tune S P F records, enable D K I M signing where it is missing, and slowly improve the percentage of messages that pass authentication without breaking ongoing business communication.

For smaller or resource constrained teams, a powerful first step is focusing on obvious spoofing paths. You might identify a few subdomains that should never send email, such as V P N portals or “secure” landing pages, and publish strict D M A R C policies for those names. When a receiver gets a message claiming to be from one of those subdomains, the D M A R C policy instructs them to reject it because there should never be legitimate email there. At the same time, you can make sure your main corporate domain and a short list of critical third party senders are correctly set up in S P F and sign with D K I M, so you do not accidentally block important traffic while you tighten things up.

More mature organizations tend to treat S P F, D K I M, and D M A R C as part of brand and risk management rather than just an email admin task. They monitor D M A R C reports on an ongoing basis to track which platforms use their domains and from where. When a new marketing tool or shadow I T service starts sending messages as the corporate domain, it shows up in those reports and prompts a conversation. Some teams feed D M A R C data into their security operations dashboards so that analysts can see, during an investigation, whether a suspicious message even has permission to speak for the domain. They also watch for patterns where attackers register lookalike domains and test whether their policies are strong enough to keep those attempts from blending in.

When these controls are configured thoughtfully, you can expect a noticeable drop in simple domain spoofing. Messages that pretend to come from your organization but do not match your published policies are more likely to be flagged or rejected before anyone has to hover over a link. At the same time, legitimate messages become more predictable for receiving systems, which often improves deliverability and reduces the frustration of important emails disappearing into spam. From a security operations point of view, your logs and headers start to carry clearer signals about which messages are likely to be trustworthy.

The trade-offs are mostly about coordination and ownership. Because S P F lives in D N S and relates to many different sending platforms, it can be fragile when you have lots of third party vendors or complex forwarding paths. D K I M involves key generation, key rotation, and configuration on each sending platform. D M A R C asks someone to decide how strict the policies should be and who will review the ongoing reports. None of these steps are especially hard on their own, but they require security, infrastructure, and business owners to agree on who sends what, from where, and on behalf of which domains.

It is also important to stay realistic about the limits. S P F, D K I M, and D M A R C cannot stop attacks that use clever lookalike domains with small character changes or different top level domains. They do not know whether the content of a message is malicious, and they cannot tell you whether the human behind a valid account has been tricked or compromised. In some forwarding and mailing list scenarios, the original authentication results can be broken or stripped, which makes reliable enforcement harder. That is why email authentication should sit alongside, not instead of, user awareness, secure email gateways, and good incident response processes.

Common failure modes start with a “set it and forget it” approach. A team might add a simple S P F record, turn on D K I M for the main mail platform, copy a D M A R C policy they found online, and then move on. Over time, new tools, services, and vendors start sending email as the domain without being added to S P F or configured for D K I M. Authentication breaks in subtle ways, some messages start landing in spam or disappearing, and users complain. To quiet the noise, people may loosen filters or disable checks, which undermines much of the security value they were trying to create.

Another failure pattern involves moving too quickly to strict D M A R C policies on the primary domain. If you jump straight from monitoring to a full reject policy without understanding who sends mail for you, legitimate services such as H R portals, customer relationship tools, and partner platforms may suddenly stop delivering messages. The fallout from that disruption can make business owners deeply skeptical of email authentication changes in the future. Technical mistakes, such as overlong S P F records that hit lookup limits or misaligned domains in D K I M and D M A R C, can also create brittle setups that fail unpredictably and are hard to debug under pressure.

Healthy adoption tends to look like gradual tightening backed by clear ownership. Someone in your organization can explain, in plain language, which systems send on behalf of each domain and why they are configured the way they are. S P F records stay tidy, within lookup limits, and are updated through a simple, repeatable process when a new sender comes online. New platforms are onboarded through a small checklist: add them to S P F if needed, enable D K I M signing, and watch D M A R C reports for a while to be sure they behave correctly. Over time, more domains and subdomains move from monitoring only to quarantine and then to reject, especially those that should not be sending user facing email at all.

At its heart, S P F, D K I M, and D M A R C email authentication are about giving receiving systems a reliable way to tell which mail truly speaks for your domain and which does not. They operate quietly in D N S and headers, but they shape which messages ever reach a user’s screen and how your brand appears in inboxes around the world. For you, that translates into fewer low effort spoofs to chase, cleaner logs to analyze during incidents, and a stronger foundation for all the other defenses you rely on.

If you treat email authentication as an ongoing practice rather than a one time project, it becomes a powerful lever for protecting your organization. As you look at recent phishing incidents or review your domain portfolio, notice where S P F, D K I M, and D M A R C are strong, where they are patchy, and where a few carefully planned changes could move more of your traffic into the clearly “known good” category. Each step makes it harder for attackers to borrow your name and easier for your users to trust the messages that truly come from you. This Insight was developed by Bare Metal Cyber as part of the Tuesday “Insights” feature in Bare Metal Cyber Magazine.

SPF, DKIM, DMARC and the Battle Against Email Spoofing
Broadcast by