Topic 49

Email Authentication: SPF, DKIM, DMARC

SPF/DKIM/DMARC

Email was designed with no way to verify the sender, so anyone can put ceo@meridian.example in the From field — the technical root of spoofing and much phishing. Three stacked standards fix this: SPF says which servers may send for a domain, DKIM cryptographically signs messages, and DMARC ties them together, tells receivers what to do with failures, and reports back.

This topic makes the trio concrete: how to configure them for meridian.example so attackers cannot spoof the company's own domain — and why the rollout order matters as much as the records themselves.

Why Email Spoofing Works

SMTP never authenticated the sender, so the visible From address is free text — anyone can claim to be anyone. SPF, DKIM, and DMARC are the retrofit that lets a receiving server decide whether a message really came from who it claims. Without them, an attacker spoofing your own domain to your own employees is trivial, which is exactly the setup for a convincing internal phish.

SPF — Authorized Senders

SPF is a DNS record listing the IPs and hosts allowed to send for the domain; the receiver checks the sending server against it. Its limits matter: SPF breaks on forwarding (the forwarder's server is not on your list), and it checks only the envelope sender, not the visible From address — so SPF alone does not stop From-address spoofing.

DKIM — Cryptographic Signing

DKIM has the sending server sign the message with a private key; the receiver verifies with the public key published in DNS, proving the message is unaltered and authorized. Because the signature travels with the message, DKIM survives forwarding where SPF does not — it is the cryptographic half of the trio, and it applies the signing from Chapter 2 to email.

DMARC — Alignment, Policy, and Reporting

DMARC sits on top and does three things: it requires that SPF or DKIM align with the visible From domain (closing the gap SPF alone leaves), it tells receivers what to do on failure (none, quarantine, or reject), and it sends aggregate reports. Moving the policy to p=reject is what actually stops spoofing of your domain — but you get there safely by starting at p=none with reporting, fixing every legitimate sender the reports reveal, then enforcing.

Meridian's email-authentication DNS records, and the safe rollout
# SPF: which servers may send for meridian.example (TXT record)
meridian.example.  TXT  "v=spf1 include:_spf.google.com include:mail.provider.example -all"

# DKIM: the public key receivers use to verify signatures (TXT record)
selector1._domainkey.meridian.example.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0..."

# DMARC: start at p=none with reporting, then quarantine, then reject
_dmarc.meridian.example.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@meridian.example"
#   -> after fixing legitimate senders the reports reveal:  p=reject

SPF authorizes the sending servers, DKIM publishes the verification key, and DMARC begins at p=none with a reporting address so you can watch. The reports reveal every legitimate sender — marketing platforms, the ticketing system, CI — that you must authorize before tightening. Only once those are covered do you move to quarantine and then reject, the setting that finally makes your domain un-spoofable.

Common Mistakes
  • Publishing SPF and DKIM but leaving DMARC at p=none forever, so failures are observed but spoofing is never actually blocked.
  • Jumping straight to p=reject without the reporting phase, silently dropping legitimate mail from forgotten senders.
  • Relying on SPF alone and being surprised it fails on forwarding and does not cover the visible From address.
  • Forgetting internal or third-party senders — marketing, ticketing, CI — in the SPF and DKIM setup, which DMARC enforcement then breaks.
  • Never monitoring DMARC reports, so new senders and spoofing attempts go unnoticed.
Best Practices
  • Deploy all three: SPF and DKIM for the checks, DMARC for alignment, policy, and reporting.
  • Roll out DMARC via p=none with aggregate reporting, use the reports to authorize every legitimate sender, then move to quarantine and reject.
  • Enforce p=reject as the goal — that is what stops attackers spoofing your own domain in phishing.
  • Monitor DMARC reports on an ongoing basis to catch new senders and spoofing attempts (feeds Chapter 10).
  • Keep the SPF record within its lookup limits and maintain the DKIM keys, rotating them periodically.
Comparable toolsRecords SPF · DKIM · DMARC (DNS TXT)Report analysis dmarcian · PostmarkRelated BIMI · MTA-STS/TLS-RPT — ties to Ch 2 signing

Knowledge Check

What does DMARC add that SPF and DKIM alone do not?

  • Alignment with the visible From domain, plus a policy and reporting
  • Encryption of the body of every message the domain sends
  • A single record that replaces the need for both SPF and DKIM
  • Scanning of attachments for malware at the gateway

Why start a DMARC rollout at p=none with reporting rather than p=reject?

  • To authorize legitimate senders before enforcement drops real mail
  • Because p=none is inherently more secure than p=reject
  • Because p=reject is not actually a valid DMARC policy value
  • Because enabling aggregate reporting encrypts the published DNS TXT records

Why doesn't SPF alone stop someone spoofing your From address?

  • It checks the envelope sender, not the visible From
  • SPF only works when the email is sent encrypted
  • SPF cryptographically signs the visible message body
  • SPF validates the visible From address directly

You got correct