Phishing Education

DMARC, SPF, and DKIM Email Authentication

By Editorial Team Published

DMARC, SPF, and DKIM Email Authentication Explained

Email authentication is the technical foundation of phishing prevention. Three protocols — SPF, DKIM, and DMARC — work together to verify that email actually comes from the domain it claims to come from. DMARC adoption reached 53.8% in 2024, up from 42.6% in 2023, driven by enforcement mandates from Gmail and Yahoo requiring DMARC for bulk senders. Microsoft followed with similar requirements effective May 2025.

NIST SP 800-177 Rev. 1 (Trustworthy Email) recommends all organizations implement these protocols, and CISA’s phishing guidance specifically calls for DMARC at p=reject as a critical defense.

How the Three Protocols Work Together

SPF (Sender Policy Framework)

SPF lets a domain owner publish a DNS record listing which IP addresses and mail servers are authorized to send email on behalf of their domain.

When a receiving server gets an email claiming to be from example.com, it checks example.com’s SPF record in DNS. If the sending server’s IP address is listed, SPF passes. If not, SPF fails.

Limitation: SPF checks the envelope sender (Return-Path), not the From header that users see. An attacker can pass SPF with their own domain while displaying your domain in the From header.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to each outgoing email. The sending server signs the message with a private key, and the receiving server verifies the signature using the public key published in the sender’s DNS records.

DKIM proves two things: (1) the message was authorized by the domain that signed it, and (2) the message was not altered in transit.

Limitation: DKIM verifies the signing domain, which may differ from the From domain. Attackers can sign emails with their own domain while impersonating yours.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC solves the alignment problem that SPF and DKIM leave open. It checks that the domain in the From header (what users see) matches the domain authenticated by SPF or DKIM. DMARC then tells the receiving server what to do if the check fails:

DMARC PolicyAction on FailureUse Case
p=noneDeliver normally, send reportsMonitoring phase
p=quarantineMove to spam/junkTransition phase
p=rejectBlock the messageFull enforcement

DMARC reports sent to your specified address show who is sending email using your domain — both legitimate services and attackers. These reports are essential during the monitoring phase.

Implementation Roadmap

Step 1: Inventory Your Email Senders

Before setting any policy, identify every legitimate system that sends email using your domain: marketing platforms, CRMs, ticketing systems, transactional email services, third-party applications. Missing a legitimate sender will cause their emails to be blocked once enforcement begins.

Step 2: Implement SPF

Add a TXT record to your domain’s DNS:

v=spf1 include:_spf.google.com include:sendgrid.net -all

This example authorizes Google Workspace and SendGrid. The -all at the end means “fail any sender not listed.”

SPF has a 10 DNS lookup limit. Complex organizations with many sending services may need to flatten their SPF records or consolidate sending infrastructure.

Step 3: Implement DKIM

Configure DKIM signing on every sending system. Each system generates a key pair, and the public key is published as a DNS TXT record. Most email service providers handle DKIM configuration through their admin portals.

Step 4: Publish DMARC at p=none

Start with monitoring mode to collect reports without affecting mail delivery:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]

Analyze reports for 4-8 weeks. Identify any legitimate senders failing authentication and fix their SPF/DKIM configuration.

Step 5: Move to p=quarantine

Once all legitimate senders pass authentication, change the policy to quarantine:

v=DMARC1; p=quarantine; rua=mailto:[email protected]

Monitor for false positives (legitimate email going to spam). Resolve any issues.

Step 6: Enforce p=reject

Full enforcement — unauthenticated email claiming to be from your domain is blocked:

v=DMARC1; p=reject; rua=mailto:[email protected]

This is the target state recommended by CISA. It prevents attackers from sending phishing emails that impersonate your domain to your customers, partners, and employees.

Impact on Phishing Defense

What DMARC at reject prevents:

  • Domain spoofing — attackers cannot send email as @yourdomain.com
  • Brand impersonation from your exact domain
  • Phishing targeting your customers using your brand
  • BEC using spoofed executive email addresses

What DMARC does not prevent:

  • Lookalike domains (e.g., yourdoma1n.com — the attacker controls authentication on their own domain)
  • Compromised legitimate accounts within your organization
  • Display name spoofing (showing “CEO Name” from a different domain)

DMARC is essential but not sufficient. Combine it with email filtering, MFA, and security awareness training for comprehensive defense.

Analyzing DMARC Reports

DMARC reports arrive as XML files that are difficult to read raw. Use analysis tools:

  • DMARC Analyzer (dmarcanalyzer.com) — hosted analysis and visualization
  • Postmark DMARC (dmarc.postmarkapp.com) — free weekly digests
  • Google Postmaster Tools — DMARC data for mail sent to Gmail
  • PowerDMARC — real-time monitoring and alerting

For organizations learning to read authentication results in email headers, see our email header analysis guide.

Common Implementation Mistakes

  1. Staying at p=none indefinitely — monitoring without enforcement provides no protection
  2. Missing legitimate senders — causes email delivery failures when enforcement begins
  3. Not monitoring reports — DMARC reports reveal attack attempts and configuration issues
  4. Ignoring subdomain policy — set sp=reject to protect subdomains as well
  5. Exceeding SPF lookup limits — causes SPF to fail, undermining DMARC

Key Takeaways

  • SPF, DKIM, and DMARC work together to authenticate email and prevent domain spoofing
  • DMARC at p=reject is the target state — it blocks unauthenticated email from your domain
  • Implementation takes 6-8 weeks with a phased approach (none > quarantine > reject)
  • Gmail, Yahoo, and Microsoft now require DMARC for bulk senders
  • DMARC reports reveal who is impersonating your domain
  • DMARC prevents domain spoofing but not lookalike domains — combine with other defenses

For the complete phishing defense framework, see our phishing recognition and reporting guide.

Sources

This content is for educational purposes only. Email authentication implementation involves DNS changes that can affect email delivery. Test thoroughly in monitoring mode before enforcing policies.

More in Phishing Education

Phishing Recognition and Reporting: Complete Guide Guide Complete Phishing Protection Guide 2026 Guide What Is Phishing? A Complete Guide to Recognizing and Avoiding Attacks Guide AI-Generated Phishing Detection and Defense

View all Phishing Education articles →