Privacy Tools Guide

Email spoofing is one of the most common attack vectors used by spammers, phishers, and malicious actors. When you receive an email that appears to come from your bank, your CEO, or a trusted service, how can you actually verify its authenticity? This is where DKIM, SPF, and DMARC come into play—three complementary protocols that form the backbone of email authentication.

Understanding Email Spoofing

Email protocols were designed in the early days of the internet when trust was assumed. The SMTP protocol allows any server to send email claiming to be from any sender address. This fundamental design flaw enables attackers to forge the “From” header and impersonate legitimate senders.

When you configure your domain’s email authentication, you’re creating a cryptographic verification system that tells receiving mail servers: “Emails claiming to come from my domain should only come from my authorized servers, and I can prove it.”

SPF: Sender Policy Framework

SPF operates at the DNS level and specifies which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email, it looks up the SPF DNS record for the sending domain and checks if the connecting server’s IP address is listed.

How to Configure SPF

Add a TXT record to your domain’s DNS:

v=spf1 include:_spf.google.com ~all

This record tells receiving servers that Google’s mail servers are authorized to send email for your domain. The ~all means “soft fail”—emails from unauthorized servers should be marked as suspicious but not necessarily rejected.

For multiple email providers, you chain them together:

v=spf1 include:_spf.google.com include:_spf.mailchimp.com ~all

Common SPF Mistakes

A frequent error is having multiple SPF records for the same domain, which causes authentication failures. Only one TXT record with your SPF policy should exist. Also, avoid overly permissive setups like v=spf1 ip4:0.0.0.0/0 ~all—this authorizes every IP address and provides no security benefit.

DKIM: DomainKeys Identified Mail

While SPF verifies the “envelope sender” (the server sending the mail), DKIM verifies that the email content hasn’t been tampered with during transit. DKIM uses public-key cryptography to sign email headers and body content.

How DKIM Works

Your mail server generates a public/private key pair. The private key signs outgoing emails, and the corresponding public key is published in your DNS as a TXT record. When receiving servers process your email, they retrieve the public key from DNS, verify the signature, and confirm the message wasn’t modified.

Configuring DKIM

Most email services handle DKIM automatically. If you’re running your own mail server, you’ll generate a key pair and add a TXT record like this:

selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."

The “selector” allows you to rotate keys by publishing multiple DKIM records with different selectors. Your mail server specifies which selector to use in the email’s DKIM-Signature header.

DMARC: Domain-Based Message Authentication

DMARC builds on SPF and DKIM by adding a policy layer. It tells receiving servers what to do when authentication fails and provides reporting so you can monitor who’s sending email on your behalf.

DMARC Policy Levels

DMARC has three policy options:

Configuring DMARC

Add a TXT record to _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com

This configuration:

For stricter protection:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:forensic-reports@yourdomain.com

The sp parameter applies the policy to subdomains, and the ruf address requests forensic reports for individual message failures.

How These Protocols Work Together

When an email arrives at a receiving server, the authentication process flows like this:

  1. SPF check: The server checks if the sending IP is authorized in the domain’s SPF record
  2. DKIM check: The server verifies the cryptographic signature in the email headers
  3. DMARC evaluation: The server checks if at least one of SPF or DKIM passes AND the aligned domain matches (either the “From” header matches the SPF domain or the DKIM signing domain)

For DMARC to pass, you need at least one authentication mechanism to succeed with proper alignment. Alignment means the domain in the “From” header matches the domain in the SPF check or DKIM signature.

Testing Your Configuration

Several tools help verify your email authentication setup:

# Check DNS records using dig
dig TXT example.com
dig TXT selector1._domainkey.example.com
dig TXT _dmarc.example.com

Online tools like MXToolbox and DMARC Analyzer provide visual reports and help identify configuration issues.

Common Pitfalls

Forwarded emails frequently fail authentication because the forwarding server becomes the new sender from the recipient’s perspective. This is why email list services and forwarders need careful configuration.

Third-party email services must be included in your SPF record. If you switch from Google Workspace to Microsoft 365, update your SPF record accordingly—otherwise your emails will fail authentication.

DMARC reports can be overwhelming. Start with p=none to gather baseline data, then move to p=quarantine, and finally p=reject once you’re confident your legitimate email sources are properly configured.

Authentication Flow Diagrams

Understanding the complete authentication process helps troubleshoot failures. When an email arrives, receiving servers follow this sequence:

Email arrives at receiving server
    ↓
1. SPF Validation
   - Extract Return-Path domain
   - Look up SPF record
   - Check sender IP against allowed IPs
   - Result: PASS/FAIL/SOFTFAIL/NEUTRAL
    ↓
2. DKIM Validation
   - Extract d= and s= from DKIM-Signature header
   - Look up public key from DNS
   - Verify signature against header and body
   - Result: PASS/FAIL/NEUTRAL
    ↓
3. DMARC Alignment Check
   - For SPF: Does Return-Path domain align with From domain?
   - For DKIM: Does d= domain align with From domain?
   - Does at least one authentication method pass with alignment?
   - Result: PASS/FAIL
    ↓
4. Apply DMARC Policy
   - p=none: Monitor (no action)
   - p=quarantine: Move to spam
   - p=reject: Reject entirely

This alignment requirement is critical. Your email can pass SPF but fail DMARC if the SPF-passing domain doesn’t match the From address domain. Similarly, DKIM can pass authentication but fail DMARC alignment if the signing domain doesn’t match the From domain.

Advanced Configuration: Subdomain Policy

For organizations with multiple subdomains sending email, the sp parameter provides subdomain-specific policies:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com

This configuration rejects mail from the primary domain but quarantines mail from subdomains. This prevents overly strict policies from affecting mail from departments or services using subdomains.

Forensic Reports and DMARC Debugging

DMARC forensic reports (ruf=) provide detailed information about individual message failures. While aggregate reports tell you percentages, forensic reports show exactly which messages failed and why:

v=DMARC1; p=reject;
  rua=mailto:aggregate@example.com;
  ruf=mailto:forensic@example.com;
  fo=1:d:s:x

The fo parameter controls forensic report generation:

Real-World Failure Scenarios

Scenario 1: Third-Party Email Service Your marketing team uses Mailchimp. Emails pass DKIM (Mailchimp signs them) but SPF fails because Mailchimp’s servers aren’t in your SPF record. Solution: Update SPF to include:_spf.mailchimp.com.

Scenario 2: Email Forwarding Someone forwards your email to a mailing list. The forwarding service re-sends it with its own envelope sender (Return-Path), breaking SPF alignment. The DKIM signature usually survives forwarding, allowing DMARC to pass. This is why DKIM is essential for organizations whose mail gets forwarded.

Scenario 3: Acquired Company You acquire a company that sends mail from domain.acquired.com but uses your mail servers. The SPF passes, but DKIM and DMARC may not align. Solution: Have the acquired domain’s DMARC policy point to your aggregate report address, or ensure their mail servers have appropriate DNS records.

Monitoring Tools and Services

Beyond manual DNS checks, several platforms help monitor authentication health:

MXToolbox: Provides free SPF/DKIM/DMARC record validation and displays current policy settings. The visual interface makes it easy to spot misconfigurations.

250ok: Commercial DMARC monitoring with detailed visualization of aggregate reports and forensic insights. Particularly useful for large organizations with complex email flows.

Valimail: Enterprise DMARC management with account takeover protection. Automatically manages authentication policies as email services change.

dmarcian: Smaller organizations often prefer dmarcian for its balance of features and pricing. It simplifies DMARC report analysis and suggests policy changes.

Subdomain-Specific Configuration

For organizations with subdomains sending mail from different services:

mail.example.com sends via Google (Gmail)
newsletter.example.com sends via Mailchimp
api.example.com sends internally

Each needs its own SPF record:
mail.example.com: v=spf1 include:_spf.google.com ~all
newsletter.example.com: v=spf1 include:servers.mcsv.net ~all
api.example.com: v=spf1 ip4:10.0.0.5 ~all

DMARC policy at domain level applies to subdomains unless overridden:
_dmarc.example.com: v=DMARC1; p=quarantine; sp=reject
(sp=reject is subdomain policy, stricter than parent)

This configuration allows fine-grained control over mail authentication across organizational boundaries.

Automatic Policy Escalation Strategy

Implement DMARC policy strengthening gradually across time:

# Week 1: Deploy SPF and DKIM
# Monitor for legitimate mail sources

# Week 2-4: Set DMARC p=none
# Collect baseline data
# Identify all legitimate sending sources

# Week 5-8: Set DMARC p=quarantine
# Monitor bounce rates
# Ensure legitimate services authenticate properly

# Week 9+: Set DMARC p=reject
# Only when you're confident about legitimate sources

Document the date of each policy change. If issues arise after policy strengthening, you can roll back with a specific rollback date.

Email Forwarding and DMARC Alignment

Many organizations use email forwarding services (forwarding a work address to personal email). These break DMARC alignment:

Problem: User’s email forwarded from company.com to personal Gmail. Gmail’s servers re-send with Gmail as the envelope sender. DMARC alignment fails because the forwarding server’s SPF domain (Gmail) doesn’t match the From address domain (company.com).

Solution 1: Use authenticated forwarding (companies that preserve DMARC alignment):

Solution 2: Allow forwarders in SPF:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Solution 3: Accept DMARC quarantine for forwarded mail:

v=DMARC1; p=quarantine; pct=80; sp=none
(pct=80 means apply policy to 80% of traffic, allowing some flexibility for forwarders)

The best approach depends on your organization’s email infrastructure.

Implementation Priority

For most organizations, the recommended implementation order is:

  1. Deploy SPF for all authorized senders
  2. Enable DKIM for your primary mail service
  3. Set up DMARC monitoring with p=none
  4. Analyze reports and address legitimate sources failing authentication
  5. Gradually strengthen DMARC policy to quarantine then reject

This measured approach prevents accidentally blocking legitimate email while building toward protection.

Built by theluckystrike — More at zovo.one

Explore Our Developer Guides

© 2026 theluckystrike Developer Guides