The Email Spoofing Problem: Why Authentication Matters
Email spoofing is when attackers send emails that appear to come from your domain but actually originate from their own servers. This leads to phishing attacks, brand damage, and your domain getting blacklisted.
⚠️ Warning
📊 The Scale of the Problem:
Over 200,000 phishing attacks occur monthly. 90% of cyberattacks start with email. Domains without DMARC are 3× more likely to be spoofed.
Without email authentication DNS records (SPF, DKIM, DMARC), anyone can send emails pretending to be from your domain. Email providers like Gmail, Outlook, and Yahoo may deliver these spoofed emails because they cannot verify authenticity.
⚠️ Real-World Example:
In 2016, attackers spoofed a major political campaign email domain and sent fake documents to journalists. The domain had no DMARC policy, making spoofing extremely easy.
SPF (Sender Policy Framework): Authorize Your Mail Servers
SPF is a DNS TXT record that lists which IP addresses and hosts may send mail using your domain as the envelope sender, i.e. the SMTP MAIL FROM address (or the HELO name when MAIL FROM is empty, as it is for bounces). It says nothing about the From: header that users actually see; that gap is what DMARC alignment, described below, closes.
SPF Record Syntax:
example.com. TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all"
SPF Mechanisms Explained:
- v=spf1 - Version identifier (must be first)
- ip4: - Authorize an IPv4 address or CIDR range
- ip6: - Authorize an IPv6 address or CIDR range
- a - Authorize the addresses in the domain's A/AAAA records (a:other.example for another domain)
- mx - Authorize the addresses of the domain's MX hosts
- include: - Evaluate another domain's SPF record; a Pass there is a match here (no record there is a PermError)
- exists: - Match if an A lookup of the given, usually macro-expanded, name returns a result
- all - Match every sender; placed last, it carries the qualifier for everything not listed above it
- redirect= - Modifier that hands evaluation to another domain's record in place of all
SPF Qualifiers (What to do with unauthorized senders):
| Qualifier | Result | Recommended For |
|---|---|---|
| + (Pass) | Sender authorized | Your legitimate servers (the default when no qualifier is written) |
| - (Fail) | Sender not authorized; receivers may reject outright | Once monitoring shows every legitimate source is listed |
| ~ (SoftFail) | Sender probably not authorized; accept but mark | The default while sources are still being discovered |
| ? (Neutral) | No assertion either way | Testing only |
Real-World SPF Examples:
# Google Workspace (Gmail)
v=spf1 include:_spf.google.com ~all
# Microsoft 365 (Outlook)
v=spf1 include:spf.protection.outlook.com ~all
# Amazon SES
v=spf1 include:amazonses.com ~all
# Multiple providers (SendGrid + Google)
v=spf1 include:sendgrid.net include:_spf.google.com ~all
💡 Pro Tip
⚠️ SPF Limitations:
SPF breaks when email is forwarded: the forwarder's server is not in your record, so a genuine message fails. That is why DKIM is also needed. SPF also allows at most 10 DNS-querying terms per evaluation (include, a, mx, ptr, exists and redirect= each count, and lookups inside included records count toward the same total; ip4 and ip6 cost nothing); exceeding the limit yields "PermError", which DMARC treats as a failure. Note too that DMARC only credits an SPF result of Pass, so ~all and -all behave identically under DMARC; the qualifier only changes what receivers that act on SPF alone do with unlisted senders.
DKIM (DomainKeys Identified Mail): Digital Signatures for Email
DKIM adds a cryptographic digital signature to every email sent from your domain. The signature is verified using a public key published in your DNS.
How DKIM Works:
- Your mail server creates a private/public key pair (2048-bit RSA is the usual choice)
- The public key is published as a DNS TXT record under a selector name
- Outgoing emails are signed with the private key; the signature covers a hash of the body and a chosen set of headers, which must include From
- The receiving server reads the selector (s=) and domain (d=) from the DKIM-Signature header and looks up your DKIM record
- The receiving server verifies the signature using the public key
- If valid, the signed headers and the body are exactly what the d= domain signed; any change to them in transit makes the check fail
DKIM Record Syntax:
selector1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
DKIM Record Components:
- selector: A name you choose (mail, s1, 2024q1); several selectors can coexist, which is how keys are rotated without downtime
- _domainkey: Fixed label (must be exactly this)
- v=DKIM1: Version (must be first)
- k=rsa: Key type; RSA is the common choice, and Ed25519 keys (k=ed25519, RFC 8463) are also defined
- p=: The public key as base64 (for RSA, the SubjectPublicKeyInfo: the base64 lines of `openssl rsa -pubout` joined together). A 2048-bit key exceeds the 255-byte limit of a single TXT string, so it is published as several quoted strings that resolvers concatenate; 1024-bit keys are considered too weak.
✅ Good to Know
✅ DKIM Advantage:
Unlike SPF, DKIM survives plain forwarding because the signature is bound to the signed headers and body rather than to the sending IP. It does not survive modification of signed content: mailing lists that add a footer or a subject tag, and gateways that rewrite bodies, break the signature.
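The Go program below is an added example, written for this page rather than taken from it or from any mail server, that makes the signing and verification steps above concrete. It implements relaxed/relaxed canonicalisation and rsa-sha256 signing as in RFC 6376, builds the s1._domainkey.example.com TXT value from a freshly generated public key, and verifies four copies of a constructed message: as sent, after a forwarder added a Received header and trailing blank lines, after the body was edited, and after the From header was replaced. The domain, selector, headers and message text are made up; the dns map stands in for a DNS TXT lookup, and each header name is assumed to occur once.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var wsp = regexp.MustCompile(`[ \t]+`)
var trailingWSP = regexp.MustCompile(` \r\n`)      // after collapsing runs, one space is all that can trail a line
var bTag = regexp.MustCompile(`(^|;\s*)b=[^;]*`) // the b= tag itself, never bh= or a "b=" inside base64 text

func RelaxedHeader(line string) string { // RFC 6376 section 3.4.2: lowercase name, unfold, collapse whitespace, trim
	name, val, _ := strings.Cut(line, ":")
	val = wsp.ReplaceAllString(strings.ReplaceAll(val, "\r\n", ""), " ")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.TrimSpace(val)
}

func RelaxedBody(body string) string { // section 3.4.4: collapse whitespace, strip it at line ends, drop trailing empty lines
	body = strings.TrimRight(trailingWSP.ReplaceAllString(wsp.ReplaceAllString(body, " "), "\r\n"), " \r\n")
	if body == "" {
		return ""
	}
	return body + "\r\n"
}

func bodyHash(body string) string { // the bh= tag: base64(sha256(canonicalised body))
	sum := sha256.Sum256([]byte(RelaxedBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

func headerHash(headers, h []string, sigValue string) []byte { // h= headers in order, then DKIM-Signature with b= emptied, no final CRLF
	hs := sha256.New()
	for _, want := range h {
		for _, line := range headers { // simplification: each header name occurs at most once
			if name, _, _ := strings.Cut(line, ":"); strings.EqualFold(strings.TrimSpace(name), want) {
				hs.Write([]byte(RelaxedHeader(line) + "\r\n"))
				break
			}
		}
	}
	hs.Write([]byte(RelaxedHeader("DKIM-Signature:" + sigValue)))
	return hs.Sum(nil)
}

func parseTags(s string) map[string]string { // "k=v; k=v" tag lists, used for both the signature and the DNS record
	tags := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(kv, "=")
		tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return tags
}

// Sign returns the DKIM-Signature header value (rsa-sha256, relaxed/relaxed) covering the headers named in h and the body.
func Sign(headers []string, body string, key *rsa.PrivateKey, domain, selector string, h []string) (string, error) {
	value := fmt.Sprintf(" v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, strings.Join(h, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(headers, h, value))
	return value + base64.StdEncoding.EncodeToString(sig), err
}

// Verify checks a DKIM-Signature value against the message; dns stands in for the TXT lookup of <s>._domainkey.<d>.
func Verify(sigValue string, headers []string, body string, dns map[string]string) error {
	tags := parseTags(sigValue)
	der, err1 := base64.StdEncoding.DecodeString(parseTags(dns[tags["s"]+"._domainkey."+tags["d"]])["p"])
	pub, err2 := x509.ParsePKIXPublicKey(der)
	sig, err3 := base64.StdEncoding.DecodeString(tags["b"])
	if err1 != nil || err2 != nil || err3 != nil {
		return fmt.Errorf("missing or malformed key record or signature: %v %v %v", err1, err2, err3)
	}
	if bodyHash(body) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: the body was modified in transit")
	}
	hash := headerHash(headers, strings.Split(tags["h"], ":"), bTag.ReplaceAllString(sigValue, "${1}b="))
	return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, hash, sig)
}

// Scenarios signs a constructed message with a fresh key and verifies it as sent, after forwarding, and after two tamperings.
func Scenarios() (map[string]error, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // p= carries the base64 SubjectPublicKeyInfo, as in the record syntax above
	dns := map[string]string{"s1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
	headers := []string{"From: Alice <alice@example.com>", "To: bob@example.net", "Subject: Quarterly numbers"}
	body := "Attached are the numbers.\r\n"
	sig, err := Sign(headers, body, key, "example.com", "s1", []string{"from", "to", "subject"})
	if err != nil {
		return nil, err
	}
	forwarded := append([]string{"Received: from mx.example.com by relay.example.org"}, headers...)
	spoofed := append([]string{"From: Alice <alice@attacker.example>"}, headers[1:]...)
	return map[string]error{
		"original":     Verify(sig, headers, body, dns),
		"forwarded":    Verify(sig, forwarded, body+"\r\n\r\n", dns), // an added Received header and trailing blank lines survive
		"body changed": Verify(sig, headers, "Wire the money today.\r\n", dns),
		"from changed": Verify(sig, spoofed, body, dns),
	}, nil
}

func main() {
	fmt.Println(Scenarios()) // an entry of <nil> means that copy of the message verified
}
```

The two tampered copies fail for different reasons, and the order of the checks is deliberate: the body hash is compared before the RSA operation, so a receiver rejects a rewritten body without spending a signature verification on it, and only a message whose body is intact gets as far as the header hash, which is where the replaced From: header is caught.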
DMARC (Domain-based Message Authentication): Policy & Reporting
DMARC tells receivers what to do with a message that claims your domain in the From: header but passes neither SPF nor DKIM with an aligned domain (alignment is explained below), and it asks them to send you reports so you can see who is sending as your domain, legitimately or not.
DMARC Record Syntax:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com; pct=100; sp=quarantine; adkim=r; aspf=r"
DMARC Tags Explained:
- v=DMARC1: Version (required, must be first)
- p= Policy for the domain: none / quarantine / reject (required)
- pct= Percentage of failing messages the policy is applied to (default 100); only meaningful with quarantine or reject
- rua= Where to send aggregate reports (mailto:)
- ruf= Where to send per-message failure ("forensic") reports (mailto:); many large receivers never send these
- sp= Policy for subdomains (none / quarantine / reject); defaults to the value of p=
- adkim= DKIM alignment mode (r=relaxed, the default, or s=strict)
- aspf= SPF alignment mode (r=relaxed, the default, or s=strict)
Complete DMARC Examples:
# Monitoring only (start here)
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Quarantine suspicious email
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
# Reject all unauthenticated email (enforcement); strict alignment is optional and breaks senders whose MAIL FROM or d= is a subdomain
_dmarc.example.com. TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; aspf=s; adkim=s"
How SPF, DKIM, and DMARC Work Together
For an email to pass DMARC, it must pass EITHER SPF or DKIM, and the identifier that passed must align with the From: header domain.
🛡️ DMARC Pass Condition:
(SPF Pass AND SPF Alignment) OR (DKIM Pass AND DKIM Alignment)
Alignment Explained:
- SPF Alignment: the domain of the SMTP MAIL FROM address (the one SPF evaluated) must align with the domain in the From: header
- DKIM Alignment: the domain in the signature's d= tag must align with the domain in the From: header
- Relaxed Mode (r): the two domains must share the same organizational domain, so bounce.example.com aligns with example.com
- Strict Mode (s): the two domains must be identical
Alignment is what stops the obvious bypass: an attacker can send from attacker.example with perfect SPF and DKIM for attacker.example, but neither identifier aligns with example.com in the From: header, so DMARC fails. Only an SPF result of Pass counts; SoftFail and Neutral do not.
Email Authentication Flow:
1. Email arrives at recipient's server
2. Server checks SPF against the MAIL FROM domain → Pass/Fail/SoftFail/Neutral/None
3. Server checks any DKIM signatures → Pass/Fail, noting the d= domain of each that passed
4. Server looks up the DMARC policy for the From: header domain (falling back to the organizational domain's record)
5. DMARC evaluation:
- If SPF Pass with alignment → DMARC Pass
- OR if DKIM Pass with alignment → DMARC Pass
- Else → DMARC Fail
6. DMARC policy applied (none/quarantine/reject, subject to pct)
7. The result is counted into the aggregate report the receiver sends to your rua address (typically once a day) and, if the receiver supports it, a failure report goes to ruf
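The following Go program is an added example, not code from the page or from any receiver, of the evaluation just described. It looks up the _dmarc record the way a receiver does (the From: domain first, then the organisational domain with sp= taking over), applies relaxed or strict alignment, honours pct=, and runs six constructed cases, including the spoof where the attacker's own SPF and DKIM pass but nothing aligns. ExampleDNS and the cases are made up, and the organisational-domain helper simply keeps the last two labels where a real receiver would consult the Public Suffix List.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what the receiver already knows from SPF and DKIM when it evaluates DMARC.
type AuthResult struct {
	From       string // domain of the visible From: header (RFC5322.From)
	MailFrom   string // domain of the SMTP MAIL FROM, which is the identity SPF actually checked
	SPF        string // SPF result for MailFrom: pass, fail, softfail, neutral, none or permerror
	DKIMDomain string // d= of a DKIM signature that verified; "" when none did
}

func parseTags(record string) map[string]string { // "v=DMARC1; p=reject; ..." into a map
	tags := map[string]string{}
	for _, kv := range strings.Split(record, ";") {
		k, v, _ := strings.Cut(kv, "=")
		tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return tags
}

func OrgDomain(d string) string { // last two labels; real receivers use the Public Suffix List (example.co.uk has three)
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

func aligned(from, other, mode string) bool { // RFC 7489 section 3.1: s needs the identical domain, r the same organisational domain
	if mode == "s" {
		return other != "" && strings.EqualFold(from, other)
	}
	return other != "" && OrgDomain(from) == OrgDomain(other)
}

func lookupPolicy(dns map[string]string, from string) (map[string]string, bool) { // _dmarc.<From>, else _dmarc.<org> with sp= replacing p=
	if rec, ok := dns["_dmarc."+strings.ToLower(from)]; ok {
		return parseTags(rec), true
	}
	rec, ok := dns["_dmarc."+OrgDomain(from)]
	if !ok {
		return nil, false
	}
	tags := parseTags(rec)
	if sp, ok := tags["sp"]; ok {
		tags["p"] = sp
	}
	return tags, true
}

// Evaluate returns the DMARC result and the disposition to apply; sample is the receiver's 0-99 random draw for pct=.
func Evaluate(dns map[string]string, r AuthResult, sample int) (result, disposition string) {
	policy, ok := lookupPolicy(dns, r.From)
	if !ok {
		return "none", "none" // no DMARC record: the receiver is back to its own heuristics
	}
	spfOK := r.SPF == "pass" && aligned(r.From, r.MailFrom, policy["aspf"]) // only "pass" counts, never softfail
	dkimOK := aligned(r.From, r.DKIMDomain, policy["adkim"])
	if spfOK || dkimOK {
		return "pass", "none"
	}
	p, pct := policy["p"], 100 // p= is mandatory in a valid record
	if v := policy["pct"]; v != "" {
		fmt.Sscan(v, &pct)
	}
	if sample >= pct { // outside the sample the next weaker policy applies (RFC 7489 section 6.6.4)
		switch p {
		case "reject":
			p = "quarantine"
		case "quarantine":
			p = "none"
		}
	}
	return "fail", p
}

// ExampleDNS is constructed zone data standing in for real _dmarc TXT lookups.
var ExampleDNS = map[string]string{
	"_dmarc.example.com":     "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
	"_dmarc.strict.example":  "v=DMARC1; p=reject; aspf=s; adkim=s",
	"_dmarc.rollout.example": "v=DMARC1; p=reject; pct=10",
}

func main() {
	for _, c := range []AuthResult{
		{"example.com", "example.com", "pass", ""},                      // own server: SPF aligned
		{"example.com", "bounce.example.com", "pass", ""},               // ESP bounce subdomain: relaxed SPF alignment
		{"strict.example", "bounce.strict.example", "pass", ""},         // the same setup under aspf=s fails
		{"example.com", "example.com", "softfail", "example.com"},       // forwarded: SPF broke, DKIM carries it
		{"example.com", "attacker.example", "pass", "attacker.example"}, // spoof: attacker's SPF/DKIM pass but do not align
		{"news.example.com", "news.example.com", "fail", ""},            // subdomain without its own record: sp= applies
	} {
		res, disp := Evaluate(ExampleDNS, c, 0)
		fmt.Printf("From=%-17s MAIL FROM=%-22s SPF=%-8s DKIM d=%-17q -> %s/%s\n", c.From, c.MailFrom, c.SPF, c.DKIMDomain, res, disp)
	}
}
```

Calling Evaluate with a From: of rollout.example and sample values of 5 and 50 shows the pct= behaviour: the first draw falls inside the 10% sample and is rejected, the second falls outside it and is quarantined rather than delivered untouched.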
Step-by-Step Configuration Guide
Phase 1: Setup SPF (Day 1)
# Add SPF record for your domain
v=spf1 include:_spf.google.com include:sendgrid.net ~all
# Verify SPF
dig example.com TXT +short
Phase 2: Setup DKIM (Day 2)
# Add DKIM record (provided by your email provider)
mail._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"
# Test DKIM
dig mail._domainkey.example.com TXT +short
Phase 3: Setup DMARC - Monitoring Mode (Day 3)
# Start with p=none to monitor
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"
Phase 4: Analyze Reports & Adjust (Week 2-4)
- Review DMARC aggregate reports (XML format)
- Identify legitimate senders not yet authorized
- Update SPF includes and DKIM selectors as needed
Phase 5: Implement Quarantine (Week 4-6)
# Move to quarantine policy
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
Phase 6: Final Enforcement - Reject (Week 6-8)
# Full enforcement; add aspf=s/adkim=s only if no legitimate sender uses a subdomain in MAIL FROM or in its DKIM d=
_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; aspf=s; adkim=s"
DMARC Policies: None, Quarantine, Reject
p=none (Monitor Only)
Action: No action on failing emails
Use Case: Initial setup, monitoring
p=quarantine
Action: Receiver treats the message as suspicious; in practice it usually lands in the spam/junk folder
Use Case: After monitoring phase
p=reject
Action: Block delivery entirely
Use Case: Production, full protection
📈 Recommended Migration Path:
p=none (2 weeks) → p=quarantine (pct=10 → 100 over 2-4 weeks) → p=reject (permanent)
DMARC Reports: RUA (Aggregate) and RUF (Forensic)
RUA (Aggregate Reports) - Daily Summary
XML reports, normally sent once a day by each receiver, listing for every sending IP the message count, the SPF and DKIM results (raw and after alignment) and the disposition applied. They contain no message content.
rua=mailto:dmarc@example.com, mailto:dmarc@example.net
If a report address is in a different domain from the one being reported on (dmarc@example.net for reports about example.com), that domain has to publish an authorization record, example.com._report._dmarc.example.net TXT "v=DMARC1", or receivers will not send reports there.
Free DMARC Reporting Services: Postmark DMARC, DMARC Report (URIports), DMARC Advisor
RUF (Forensic Reports) - Per Failure Details
Per-message reports on individual failures, containing headers and sometimes body fragments, so they can carry personal data. Several major receivers, Gmail among them, do not send them at all, and those that do often redact, so do not base the rollout on receiving them.
ruf=mailto:forensic@example.com
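An added example, not the page's own code, of the triage step that Phase 4 above asks for: read one aggregate report and sort each source IP into pass, unaligned or fail, together with the fix to apply. The report is constructed for this page with three typical rows, your own server, an ESP that authenticates under its own domain (so SPF and DKIM pass but nothing aligns), and an unknown source; the element names follow the RFC 7489 report schema, but only the fields needed for triage are mapped.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Feedback and Record mirror the parts of the RFC 7489 aggregate-report XML that a first triage needs.
type Feedback struct {
	Domain  string   `xml:"policy_published>domain"`
	Policy  string   `xml:"policy_published>p"`
	Records []Record `xml:"record"`
}

type Record struct {
	SourceIP    string   `xml:"row>source_ip"`
	Count       int      `xml:"row>count"`
	DKIM        string   `xml:"row>policy_evaluated>dkim"` // DKIM result after alignment
	SPF         string   `xml:"row>policy_evaluated>spf"`  // SPF result after alignment
	HeaderFrom  string   `xml:"identifiers>header_from"`
	SPFDomain   string   `xml:"auth_results>spf>domain"`
	SPFRaw      string   `xml:"auth_results>spf>result"`
	DKIMDomains []string `xml:"auth_results>dkim>domain"` // one entry per signature on the message
	DKIMRaw     []string `xml:"auth_results>dkim>result"`
}

type Triage struct { // verdict for one source: pass, unaligned (a legitimate sender using the wrong domain) or fail
	Count   int
	Verdict string
	Note    string
}

func (r Record) triage() Triage {
	if r.DKIM == "pass" || r.SPF == "pass" {
		return Triage{r.Count, "pass", "authenticated and aligned"}
	}
	for i, res := range r.DKIMRaw {
		if res == "pass" { // signed, but the d= domain does not align with header_from
			return Triage{r.Count, "unaligned", "DKIM d=" + r.DKIMDomains[i] + "; add a signature with d=" + r.HeaderFrom}
		}
	}
	if r.SPFRaw == "pass" { // SPF passed for the bounce domain only
		return Triage{r.Count, "unaligned", "SPF for " + r.SPFDomain + "; use a return-path under " + r.HeaderFrom}
	}
	return Triage{r.Count, "fail", "no authentication at all: spoofing or an undocumented sender"}
}

func Summarize(report []byte) (Feedback, map[string]Triage, error) { // one aggregate report into a verdict per source IP
	var fb Feedback
	if err := xml.Unmarshal(report, &fb); err != nil {
		return fb, nil, err
	}
	out := map[string]Triage{}
	for _, r := range fb.Records {
		out[r.SourceIP] = r.triage()
	}
	return fb, out, nil
}

func PassRate(t map[string]Triage) float64 { // share of reported messages that passed DMARC: the figure to watch before tightening p=
	total, passed := 0, 0
	for _, x := range t {
		total += x.Count
		if x.Verdict == "pass" {
			passed += x.Count
		}
	}
	if total == 0 {
		return 0
	}
	return float64(passed) / float64(total)
}

// SampleReport is constructed for this example; it is not a report received from a real provider.
var SampleReport = []byte(`<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.66</source_ip><count>410</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>`)

func main() {
	fb, triage, err := Summarize(SampleReport)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s publishes p=%s; DMARC pass rate %.0f%%\n", fb.Domain, fb.Policy, 100*PassRate(triage))
	for ip, t := range triage {
		fmt.Printf("%-15s %5d  %-9s %s\n", ip, t.Count, t.Verdict, t.Note)
	}
}
```

The distinction between the two failing rows is the whole point of the monitoring phase: the ESP row is your own mail and needs a configuration change (a DKIM key with d=example.com or a return-path under example.com) before the policy is tightened, whereas the 410 messages from the unknown source are what p=reject is for. On this sample only 21% of the reported volume passes, which is nowhere near ready for enforcement.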
Testing Your Email Authentication Setup
Free Online Testing Tools:
- Google Postmaster Tools: View your domain's reputation
- MXToolbox SPF/DKIM/DMARC Checker: https://mxtoolbox.com/dmarc.aspx
- LearnDMARC Tester: https://learndmarc.com/ (visual email flow)
Command Line Testing:
# Check SPF record
dig example.com TXT +short | grep spf
# Check DKIM record
dig selector1._domainkey.example.com TXT +short
# Check DMARC record
dig _dmarc.example.com TXT +short
Send a Test Email:
- Check DMARC: mailto:check-dmarc@dmarc.postmarkapp.com (auto-responds with analysis)
- Mail Tester: https://www.mail-tester.com/ (gives score out of 10)
Common SPF/DKIM/DMARC Mistakes & Fixes
❌ Mistake 1: Multiple SPF Records
Problem: A domain must have exactly one TXT record starting with v=spf1. Two or more is a PermError: neither record applies, so SPF fails for every sender.
Fix: Combine them into one: v=spf1 include:spf1.com include:spf2.com ~all
❌ Mistake 2: Using -all Too Early
Problem: -all tells receivers that act on SPF alone to reject mail from any source you forgot to list.
Fix: Use ~all for 6+ months, until DMARC reports have confirmed every legitimate source, before switching.
❌ Mistake 3: Exceeding 10 SPF DNS Lookups
Problem: Too many include/a/mx terms, counting the ones inside included records → SPF PermError, which DMARC counts as a failure.
Fix: Remove includes for providers you no longer use, or flatten (replace includes with their ip4/ip6 ranges). Flattened records go stale when a provider changes addresses, so automate refreshing them.
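The Go program below is an added example, not taken from the page or from any SPF library, of how a receiver evaluates a record. It illustrates the mechanisms and qualifiers of the SPF section above as well as Mistakes 1 and 3: it counts DNS-querying terms, returns permerror for a second record or for an eleventh include, and shows a forwarder's IP ending in softfail. The zone data is made up and kept in maps in place of DNS; the a, ptr and exists mechanisms, redirect= and macros are omitted.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed zone data in place of DNS: txt holds only v=spf1 records (real code filters them out of all TXT records), mxIPs the addresses of a domain's MX hosts.
var txt = map[string][]string{
	"example.com":      {"v=spf1 ip4:192.0.2.0/24 include:mail.example.net mx ~all"},
	"mail.example.net": {"v=spf1 ip4:198.51.100.10 -all"},
	"two.example":      {"v=spf1 ip4:203.0.113.1 -all", "v=spf1 ip4:203.0.113.2 -all"}, // Mistake 1
}
var mxIPs = map[string][]string{"example.com": {"203.0.113.25"}}

func init() { // deep.example chains eleven includes (Mistake 3); each included record has to exist
	var terms []string
	for i := 1; i <= 11; i++ {
		txt[fmt.Sprintf("inc%d.example", i)] = []string{"v=spf1 -all"}
		terms = append(terms, fmt.Sprintf("include:inc%d.example", i))
	}
	txt["deep.example"] = []string{"v=spf1 " + strings.Join(terms, " ") + " -all"}
}

const maxLookups = 10 // RFC 7208 section 4.6.4: a, mx, ptr, exists, include and redirect= each cost one
var qualifiers = map[byte]string{'+': "pass", '-': "fail", '~': "softfail", '?': "neutral"}
type evaluator struct{ lookups int }

func cidrMatch(ip net.IP, arg string) bool { // "192.0.2.0/24" or a bare address
	if !strings.Contains(arg, "/") {
		return ip.Equal(net.ParseIP(arg))
	}
	_, n, err := net.ParseCIDR(arg)
	return err == nil && n.Contains(ip)
}

// check evaluates domain's record for ip (RFC 7208 section 4) with ip4, ip6, mx, include and all; anything else is permerror here.
func (e *evaluator) check(ip net.IP, domain string) string {
	recs := txt[domain]
	if len(recs) == 0 {
		return "none"
	}
	if len(recs) > 1 { // two records do not both apply: the result is a permanent error (section 4.5)
		return "permerror"
	}
	for _, term := range strings.Fields(recs[0])[1:] {
		q := "pass"
		if v, ok := qualifiers[term[0]]; ok {
			q, term = v, term[1:]
		}
		name, arg, _ := strings.Cut(term, ":")
		if arg == "" {
			arg = domain
		}
		if name == "mx" || name == "include" {
			if e.lookups++; e.lookups > maxLookups {
				return "permerror"
			}
		}
		matched := false
		switch name {
		case "all":
			matched = true
		case "ip4", "ip6":
			matched = cidrMatch(ip, arg)
		case "mx": // simplification: the A lookup of each MX host is not counted separately
			for _, s := range mxIPs[arg] {
				matched = matched || ip.Equal(net.ParseIP(s))
			}
		case "include":
			switch e.check(ip, arg) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror"
			}
		default:
			return "permerror"
		}
		if matched {
			return q
		}
	}
	return "neutral" // nothing matched and there was no all term
}

// CheckSPF evaluates ip against domain's record and reports how many DNS lookups that cost.
func CheckSPF(ip, domain string) (string, int) {
	e := &evaluator{}
	return e.check(net.ParseIP(ip), domain), e.lookups
}

func main() {
	for _, c := range []string{"192.0.2.10 example.com", "203.0.113.25 example.com", "203.0.113.99 example.com", "203.0.113.1 two.example", "203.0.113.1 deep.example"} {
		r, n := CheckSPF(strings.Fields(c)[0], strings.Fields(c)[1])
		fmt.Printf("%-26s -> %-9s after %d lookups\n", c, r, n)
	}
}
```

The lookup counter lives on the evaluator rather than on each record because that is how the limit works: the includes inside mail.example.net would be charged to example.com's budget, which is why adding one more provider to an already long record can push a previously healthy domain into permerror.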
❌ Mistake 4: Not Monitoring DMARC Reports
Problem: Moving to p=reject without reading the reports blocks legitimate mail from the senders you forgot about (the billing system, the ESP, the CRM).
Fix: Stay on p=none until at least 2 weeks of reports have been analyzed and every legitimate source passes with alignment.
Advanced Configurations for Large Organizations
Subdomain Policy (sp=)
_dmarc.example.com. TXT "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com"
This protects subdomains that never send mail while the organizational domain is still being monitored; attackers like an unused subdomain precisely because nobody watches it. A subdomain that publishes its own _dmarc record uses that record instead of sp=.
Percentage Rollout (pct=)
# Week 1: Apply to 1% of emails
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; pct=1; rua=mailto:dmarc@example.com"
# Week 2: Increase to 10%
# Week 3: Increase to 50%
# Week 4: Increase to 100%
Messages outside the sampled percentage get the next weaker policy: reject becomes quarantine and quarantine becomes none, so p=reject with pct=1 already quarantines the other 99% of failures.
BIMI (Brand Indicators for Message Identification)
Display your logo next to authenticated emails in supported email clients. BIMI only works on top of DMARC enforcement: the domain must publish p=quarantine (with pct=100) or p=reject, with sp= not set to none, and major mailbox providers such as Gmail additionally require a Verified Mark Certificate (the a= tag) proving trademark ownership. The logo must be an SVG Tiny PS file served over HTTPS, and the record lives under a selector, default unless the sending software chooses another:
default._bimi.example.com. TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/certificate.pem"
