Email Authentication: SPF, DKIM, DMARC
Email was designed with no way to verify the sender, so anyone can put ceo@meridian.example in the From field — the technical root of spoofing and much phishing. Three stacked standards fix this: SPF says which servers may send for a domain, DKIM cryptographically signs messages, and DMARC ties them together, tells receivers what to do with failures, and reports back.
This topic makes the trio concrete: how to configure them for meridian.example so attackers cannot spoof the company's own domain — and why the rollout order matters as much as the records themselves.
Why Email Spoofing Works
SMTP never authenticated the sender, so the visible From address is free text — anyone can claim to be anyone. SPF, DKIM, and DMARC are the retrofit that lets a receiving server decide whether a message really came from who it claims. Without them, an attacker spoofing your own domain to your own employees is trivial, which is exactly the setup for a convincing internal phish.
SPF — Authorized Senders
SPF is a DNS record listing the IPs and hosts allowed to send for the domain; the receiver checks the sending server against it. Its limits matter: SPF breaks on forwarding (the forwarder's server is not on your list), and it checks only the envelope sender, not the visible From address — so SPF alone does not stop From-address spoofing.
DKIM — Cryptographic Signing
DKIM has the sending server sign the message with a private key; the receiver verifies with the public key published in DNS, proving the message is unaltered and authorized. Because the signature travels with the message, DKIM survives forwarding where SPF does not — it is the cryptographic half of the trio, and it applies the signing from Chapter 2 to email.
DMARC — Alignment, Policy, and Reporting
DMARC sits on top and does three things: it requires that SPF or DKIM align with the visible From domain (closing the gap SPF alone leaves), it tells receivers what to do on failure (none, quarantine, or reject), and it sends aggregate reports. Moving the policy to p=reject is what actually stops spoofing of your domain — but you get there safely by starting at p=none with reporting, fixing every legitimate sender the reports reveal, then enforcing.
# SPF: which servers may send for meridian.example (TXT record) meridian.example. TXT "v=spf1 include:_spf.google.com include:mail.provider.example -all" # DKIM: the public key receivers use to verify signatures (TXT record) selector1._domainkey.meridian.example. TXT "v=DKIM1; k=rsa; p=MIGfMA0..." # DMARC: start at p=none with reporting, then quarantine, then reject _dmarc.meridian.example. TXT "v=DMARC1; p=none; rua=mailto:dmarc@meridian.example" # -> after fixing legitimate senders the reports reveal: p=reject
SPF authorizes the sending servers, DKIM publishes the verification key, and DMARC begins at p=none with a reporting address so you can watch. The reports reveal every legitimate sender — marketing platforms, the ticketing system, CI — that you must authorize before tightening. Only once those are covered do you move to quarantine and then reject, the setting that finally makes your domain un-spoofable.
- Publishing SPF and DKIM but leaving DMARC at
p=noneforever, so failures are observed but spoofing is never actually blocked. - Jumping straight to
p=rejectwithout the reporting phase, silently dropping legitimate mail from forgotten senders. - Relying on SPF alone and being surprised it fails on forwarding and does not cover the visible From address.
- Forgetting internal or third-party senders — marketing, ticketing, CI — in the SPF and DKIM setup, which DMARC enforcement then breaks.
- Never monitoring DMARC reports, so new senders and spoofing attempts go unnoticed.
- Deploy all three: SPF and DKIM for the checks, DMARC for alignment, policy, and reporting.
- Roll out DMARC via
p=nonewith aggregate reporting, use the reports to authorize every legitimate sender, then move toquarantineandreject. - Enforce
p=rejectas the goal — that is what stops attackers spoofing your own domain in phishing. - Monitor DMARC reports on an ongoing basis to catch new senders and spoofing attempts (feeds Chapter 10).
- Keep the SPF record within its lookup limits and maintain the DKIM keys, rotating them periodically.
Knowledge Check
What does DMARC add that SPF and DKIM alone do not?
- Alignment with the visible From domain, plus a policy and reporting
- Encryption of the body of every message the domain sends
- A single record that replaces the need for both SPF and DKIM
- Scanning of attachments for malware at the gateway
Why start a DMARC rollout at p=none with reporting rather than p=reject?
- To authorize legitimate senders before enforcement drops real mail
- Because p=none is inherently more secure than p=reject
- Because p=reject is not actually a valid DMARC policy value
- Because enabling aggregate reporting encrypts the published DNS TXT records
Why doesn't SPF alone stop someone spoofing your From address?
- It checks the envelope sender, not the visible From
- SPF only works when the email is sent encrypted
- SPF cryptographically signs the visible message body
- SPF validates the visible From address directly
You got correct