Email Security Guide: SPF, DKIM, DMARC, and Spoofing Protection

The Email Spoofing Problem

Email was designed in the 1970s with a trust model that assumed everyone on the network was trustworthy. The SMTP protocol allows anyone to put any email address in the From: header — there's no built-in verification that the sender actually controls that address. This makes email spoofing trivially easy and is the foundation of most phishing attacks.

Every day, billions of spoofed emails are sent worldwide. Attackers impersonate banks, payment processors, colleagues, and well-known brands to trick recipients into revealing credentials, transferring money, or installing malware. The consequences range from individual account compromise to massive data breaches and financial fraud.

To combat this, the email industry developed DNS-based authentication standards that let domain owners declare which mail servers are authorized to send email on their behalf. The three core standards — SPF, DKIM, and DMARC — work together to verify sender identity and give receiving servers a framework for deciding what to do with unauthenticated mail.

SPF: Sender Policy Framework

SPF is a DNS TXT record that lists the IP addresses and mail servers authorized to send email from your domain. When a receiving mail server gets a message, it checks the SPF record of the domain in the envelope sender address (MAIL FROM) and verifies that the message originated from an authorized server.

A basic SPF record looks like this:

v=spf1 include:_spf.google.com ~all

This record says that any IP listed in Google's SPF record is authorized to send for this domain, and that mail from any other server gets a softfail (~all): receivers should accept it but treat it as suspicious. SPF mechanisms include:

SPF's main limitation is that it only checks the envelope sender, not the visible From: header that users see. An attacker can pass SPF while spoofing the display name and From: address. This is where DMARC comes in.
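To make the SPF check concrete, here is a small evaluator written for this guide (it is not code from the page or from any mail software). It parses records like the one above and tests a sending IP against the ip4, ip6, include and all mechanisms, honouring the qualifier on the matching term and the 10-lookup limit that RFC 7208 places on include chains. The DNS data is a constructed in-memory map, the domain `_spf.mailprovider.example` stands in for a provider record such as `_spf.google.com`, and all addresses come from documentation ranges; the a, mx, ptr and exists mechanisms are not modelled.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record. The include target imitates a
# mail provider's record; all addresses are documentation ranges (RFC 5737 / RFC 3849).
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 ~all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_host(ip, domain, dns=FAKE_DNS, lookups=None):
    """Evaluate the sending IP against domain's SPF record.

    Returns (result, matched_term). Only ip4, ip6, include and all are modelled;
    a, mx, ptr and exists need further DNS data and are treated as non-matching here.
    """
    lookups = [0] if lookups is None else lookups
    record = dns.get(domain)
    if record is None:
        return "none", None
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(record):
        matched = False
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            matched = addr.version == network.version and addr in network
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", "too many DNS lookups"
            sub_result, detail = check_host(ip, value, dns, lookups)
            if sub_result == "permerror":
                return sub_result, detail
            matched = sub_result == "pass"  # include matches only when the included record passes
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier], qualifier + name + (":" + value if value else "")
    return "neutral", None  # nothing matched and no "all" term: RFC 7208 default


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.10", "2001:db8::1", "192.0.2.99"):
        print(ip, check_host(ip, "example.com"))
```

Note that the result only tells you whether the MAIL FROM domain's owner vouches for the sending IP; it says nothing about the From: header the recipient sees, which is the gap DMARC closes.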

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to outgoing emails. When your mail server sends a message, it hashes the body and selected headers, signs the result with a private key, and adds the signature as a DKIM-Signature header. The corresponding public key is published in a DNS TXT record under a selector name such as default._domainkey.yourdomain.com.

When a receiving server gets the message, it retrieves the public key from DNS, recomputes the hashes, and verifies the signature. If it verifies, the signed headers and body haven't been tampered with in transit and the message was indeed sent by a server that holds the private key.
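The first thing a verifier recomputes is the body hash carried in the signature's bh= tag, and that step is where tampering with the message body shows up. The example below is written for this guide (it is not the page's or any library's code): it parses the DKIM-Signature tag list, applies the simple and relaxed body canonicalization rules of RFC 6376, recomputes bh=, and compares. The sample body and the signature header are constructed; the b= value is a placeholder, because producing and checking the signature over the headers needs the key pair and is not modelled here.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Folding whitespace inside tag values (common in b= and bh=) is not significant.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """Apply RFC 6376 body canonicalization and return the bytes that get hashed."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # relaxed: collapse runs of spaces/tabs to one space, drop trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    # Both modes ignore empty lines at the end of the body and require a final CRLF
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="relaxed", algorithm="sha256"):
    """Base64 body hash as carried in the bh= tag."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_header_value, body):
    """Recompute bh= from the received body and compare it with the signed value."""
    tags = parse_dkim_signature(dkim_header_value)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]
    return body_hash(body, body_mode, algorithm) == tags.get("bh")


# Constructed sample body (not taken from any real message)
SAMPLE_BODY = "Hi Sam,\r\n\r\nPlease   review the attached  invoice.\t \r\n\r\n\r\n"


def make_sample_signature(body, mode="relaxed"):
    """Build a DKIM-Signature value whose bh= matches body. The b= value is a placeholder:
    producing it requires the signer's private key, which this example does not model."""
    return ("v=1; a=rsa-sha256; c=relaxed/" + mode + "; d=example.com; s=default; "
            "h=from:to:subject:date; bh=" + body_hash(body, mode) + "; b=PLACEHOLDER_SIGNATURE")


if __name__ == "__main__":
    sig = make_sample_signature(SAMPLE_BODY)
    print("original body verifies:", verify_body_hash(sig, SAMPLE_BODY))
    print("whitespace-only change verifies:", verify_body_hash(sig, SAMPLE_BODY.replace("   ", " ")))
    print("edited body verifies:", verify_body_hash(sig, SAMPLE_BODY.replace("invoice.", "invoice today.")))
```

The relaxed mode exists because mailing lists and gateways routinely re-wrap whitespace; it lets those messages keep verifying while any change to the actual words still breaks the hash. A real verifier then fetches the public key from the `s=` selector under `_domainkey` at the `d=` domain and checks `b=` over the headers named in `h=` plus the DKIM-Signature header itself.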

Key aspects of DKIM:

DMARC: Putting It All Together

DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails. It's published as a DNS TXT record at _dmarc.yourdomain.com and includes:

A recommended DMARC record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
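The following evaluator, written for this guide rather than taken from the page or any mail software, shows how a receiver turns a DMARC record plus the SPF and DKIM outcomes into a verdict. It is the step that catches the case described under SPF above: SPF can pass for whatever MAIL FROM domain the sender controls, but DMARC additionally demands that the authenticated domain be aligned with the From: header domain. The record, domains and results are constructed (the `rua` address is a placeholder), and the organizational-domain logic is simplified to the last two labels where real receivers consult the Public Suffix List.

```python
# Constructed DMARC record; the rua= address is a placeholder
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dictionary; v= and p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain):
    # Simplification: the last two labels. Real receivers use the Public Suffix List so that
    # domains like example.co.uk are handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample_roll=0):
    """Return (dmarc_result, requested_action).

    spf_domain is the MAIL FROM domain SPF was evaluated on; dkim_domain is the d= of a
    signature that verified. sample_roll (0-99) stands in for the receiver's random draw
    against pct=.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "none"  # one aligned pass is enough
    action = tags["p"]
    if "sp" in tags and from_domain.lower() != organizational_domain(from_domain):
        action = tags["sp"]  # subdomain policy applies to mail from sub.example.com
    if sample_roll >= int(tags.get("pct", "100")):
        # Outside the sampled fraction: RFC 7489 says apply the next less severe action
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return "fail", action


if __name__ == "__main__":
    # Legitimate mail: SPF passes on a bounce subdomain, DKIM signed by the From: domain
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # From: claims example.com, but SPF only passes for an unrelated sender domain and there is no DKIM
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "pass", "bulk-sender.example", "none", None))
```

With `p=quarantine` the second message is sent to spam rather than rejected; once the aggregate reports sent to `rua` show that all legitimate sources pass, the policy can be tightened to `p=reject`. The `pct` tag lets you phase that in gradually, and `sp` lets subdomains carry a different policy from the organizational domain.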

For a deeper walkthrough of setup and configuration, see our full SPF, DKIM & DMARC guide.

How to Check Your Email Security

To verify that your domain's email authentication is configured correctly, check the following:

Use our MX Validator to check your mail exchange records and our detailed email authentication guide for step-by-step DMARC deployment instructions.
