
Understanding DKIM and DMARC Benefits: Why SPF Alone Isn't Enough for Email Authentication

  • StroudyIT
  • Feb 24
  • 4 min read

Email remains one of the most common communication tools for businesses and individuals. Yet, it is also a prime target for cyberattacks such as phishing, spoofing, and spam. Many organizations rely on SPF (Sender Policy Framework) to verify email senders, but SPF alone no longer provides sufficient protection. To strengthen email authentication, two additional protocols—DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance)—play crucial roles.


This post explains why SPF is no longer enough, how DKIM and DMARC work, and the benefits they bring to email security.



Why SPF Alone Falls Short


SPF allows domain owners to specify which mail servers are authorized to send emails on their behalf. When a receiving mail server gets an email, it checks the SPF record of the sender’s domain to verify if the sending IP is authorized.


While SPF helps reduce spoofing, it has several limitations:


  • SPF only checks the envelope sender address, which is often different from the visible "From" address users see. Attackers can exploit this by forging the "From" address while passing SPF checks.

  • SPF breaks with email forwarding. When an email is forwarded, the forwarding server’s IP is usually not in the original SPF record, causing SPF checks to fail.

  • SPF does not provide message integrity. It does not verify if the email content was altered during transit.

  • SPF alone does not give domain owners control over how to handle failed checks. Without DMARC, receivers decide how to treat suspicious emails, which can lead to inconsistent handling.


Because of these gaps, relying solely on SPF leaves email vulnerable to spoofing and phishing attacks.
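To make the first two limitations concrete, here is a small SPF evaluator written for this post as an added example (it is not code from the original article or from any mail software). It implements the ip4, ip6, include and all mechanisms of RFC 7208 against a constructed table of TXT records standing in for DNS (example.com, mail.example.net and bulk.example.org are placeholders); a, mx, ptr, exists and redirect= are left out. Note what the check takes as input: the connecting IP and the envelope (MAIL FROM) domain. The visible "From" header is never an input, which is exactly why a forged "From" can ride on a passing SPF result, and why a forwarder's IP that is absent from the record produces fail.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Result is an SPF outcome (RFC 7208 section 2.6); temperror is not modelled here.
type Result string

const (
	Pass      Result = "pass"
	Fail      Result = "fail"
	SoftFail  Result = "softfail"
	Neutral   Result = "neutral"
	None      Result = "none"
	PermError Result = "permerror"
)

// txtRecords stands in for live DNS TXT lookups; every entry is constructed for this example.
var txtRecords = map[string]string{
	"example.com":      "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
	"mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
	"bulk.example.org": "v=spf1 ip4:203.0.113.0/24 -all",
}

// Check evaluates the SPF record of the envelope (MAIL FROM) domain against the
// IP that delivered the message. Nothing here reads the visible From: header.
func Check(ip, mailFromDomain string) Result {
	return checkHost(net.ParseIP(ip), mailFromDomain, 0)
}

// CheckEnvelope takes the full MAIL FROM address and returns the SPF result
// together with the domain that was actually checked.
func CheckEnvelope(ip, mailFrom string) (Result, string) {
	domain := mailFrom[strings.LastIndex(mailFrom, "@")+1:]
	return Check(ip, domain), domain
}

func checkHost(ip net.IP, domain string, depth int) Result {
	rec, ok := txtRecords[strings.ToLower(domain)]
	if ip == nil || !ok || !strings.HasPrefix(rec, "v=spf1") {
		return None // no usable address, or no SPF record for the domain
	}
	if depth > 10 { // RFC 7208 4.6.4 caps DNS-querying terms at 10
		return PermError
	}
	for _, term := range strings.Fields(rec)[1:] {
		qualifier, mech := splitQualifier(term)
		name, arg, _ := strings.Cut(mech, ":")
		matched := false
		switch strings.ToLower(name) {
		case "all":
			matched = true
		case "ip4", "ip6":
			matched = cidrMatch(ip, arg)
		case "include": // matches when the included record yields pass (RFC 7208 5.2)
			matched = checkHost(ip, arg, depth+1) == Pass
		default: // a, mx, ptr, exists and redirect= are left out of this example
			return PermError
		}
		if matched {
			return qualifier
		}
	}
	return Neutral // no term matched and no "all" mechanism present
}

// splitQualifier maps the optional leading +, -, ~ or ? to the result a match yields.
func splitQualifier(term string) (Result, string) {
	switch term[0] {
	case '-':
		return Fail, term[1:]
	case '~':
		return SoftFail, term[1:]
	case '?':
		return Neutral, term[1:]
	case '+':
		return Pass, term[1:]
	}
	return Pass, term
}

// cidrMatch handles both a bare address and the address/prefix form.
func cidrMatch(ip net.IP, arg string) bool {
	if !strings.Contains(arg, "/") {
		return ip.Equal(net.ParseIP(arg))
	}
	_, network, err := net.ParseCIDR(arg)
	return err == nil && network.Contains(ip)
}

func main() {
	fmt.Println(Check("192.0.2.25", "example.com"))  // pass: inside the listed ip4 range
	fmt.Println(Check("203.0.113.5", "example.com")) // fail: a forwarder's IP hits -all
	// Truthful envelope, forged header: SPF says pass because it only looked at bulk.example.org.
	fmt.Println(CheckEnvelope("203.0.113.5", "bounce@bulk.example.org"))
}
```

Running it prints pass for a listed address, fail for the forwarder's 203.0.113.5 under -all, and pass for a message whose envelope sender is bounce@bulk.example.org even if its header "From" claims example.com; SPF simply has no opinion about that header, which is the gap DMARC alignment closes.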


Email headers can be re-written with forged "From" addresses


What DKIM Does and How It Works


DKIM adds a digital signature to outgoing emails. This signature is generated using a private key held by the sender’s mail server and verified by the receiver using a public key published in the sender’s DNS records.


Key features of DKIM:


  • Message integrity: DKIM ensures the email content and certain headers have not been altered after signing.

  • Authentication of the sender’s domain: The signature confirms the email was authorized by the domain owner.

  • Works well with forwarding: Since the signature travels inside the email, forwarding does not break DKIM verification as long as the forwarder leaves the signed headers and body unchanged.


How DKIM works in practice:


  1. The sender’s mail server generates a hash of the email’s content and headers.

  2. It encrypts the hash with its private key and adds the signature to the email header.

  3. The receiver retrieves the public key from DNS and decrypts the signature.

  4. The receiver compares the decrypted hash with the hash of the received email.

  5. If they match, the email passes DKIM verification.


By verifying the signature, DKIM protects against tampering and impersonation.
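The five steps above, worked through in Go as an added example (this is not the post's own code or any mail server's implementation). It uses what DKIM actually specifies: RSA-SHA256 with PKCS#1 v1.5, the "simple" body and header canonicalization of RFC 6376, a DKIM-Signature header carrying bh= (the body hash) and b= (the signature), and a TXT record of the form v=DKIM1; k=rsa; p=... holding the public key as the receiver would fetch it from <selector>._domainkey.<domain>. Step 2 is an RSA signature over the header hash; steps 3 to 5 check that signature with the DNS key and recompute the body hash. example.com, the selector sel1 and the message are constructed, and only From, To, Subject and Date are covered by the signature, so a Received header added in transit does not disturb it while any change to the body or the From header does.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal mail message: {name, value} headers in wire order, plus the body.
type Message struct {
	Headers [][2]string
	Body    string
}

const signedHeaders = "from:to:subject:date" // the h= tag: header fields the signature covers

// GenerateKey creates the sender's RSA key pair; only the public half is published.
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// DNSRecord is the TXT record published at <selector>._domainkey.<domain> (DER SubjectPublicKeyInfo).
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// parseTags splits the "k=v; k=v" tag lists used by both the header and the TXT record.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// canonBody is "simple" body canonicalization (RFC 6376 3.4.3): trailing empty lines dropped, one CRLF at the end.
func canonBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// headerDigest hashes the listed headers (first occurrence of each, in h= order), then the
// DKIM-Signature field itself with an empty b= value and no trailing CRLF (RFC 6376 3.7).
func headerDigest(m Message, sigHead string) []byte {
	h := sha256.New()
	for _, name := range strings.Split(signedHeaders, ":") {
		for _, hdr := range m.Headers {
			if strings.EqualFold(hdr[0], name) {
				h.Write([]byte(hdr[0] + ": " + hdr[1] + "\r\n"))
				break
			}
		}
	}
	h.Write([]byte("DKIM-Signature: " + sigHead))
	return h.Sum(nil)
}

// Sign returns the DKIM-Signature header value for m (steps 1 and 2 of the post).
func Sign(m Message, domain, selector string, key *rsa.PrivateKey) (string, error) {
	bh := sha256.Sum256([]byte(canonBody(m.Body)))
	head := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, signedHeaders, base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerDigest(m, head))
	if err != nil {
		return "", err
	}
	return head + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify recomputes the body hash and checks the signature with the key from DNS (steps 3 to 5); nil means pass.
func Verify(m Message, sigValue, dnsRecord string) error {
	tags := parseTags(sigValue)
	sig, errB := base64.StdEncoding.DecodeString(tags["b"])
	der, errP := base64.StdEncoding.DecodeString(parseTags(dnsRecord)["p"])
	if errB != nil || errP != nil {
		return fmt.Errorf("malformed base64 in signature or DNS record")
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("DNS record does not hold a valid RSA key")
	}
	bh := sha256.Sum256([]byte(canonBody(m.Body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	// Re-hash with the b= value removed, as the signer did; base64 carries '=' only as
	// trailing padding, so the last "b=" in the value is the tag itself.
	head := sigValue[:strings.LastIndex(sigValue, "b=")+2]
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerDigest(m, head), sig) != nil {
		return fmt.Errorf("signature invalid: a signed header was altered or the key is wrong")
	}
	return nil
}

func main() {
	key, _ := GenerateKey()
	msg := Message{Headers: [][2]string{{"From", "alice@example.com"}, {"Subject", "Invoice"}}, Body: "Invoice attached.\r\n"}
	sig, _ := Sign(msg, "example.com", "sel1", key)
	fmt.Println("verify:", Verify(msg, sig, DNSRecord(&key.PublicKey))) // nil means pass
}
```

Two details worth noticing: the body hash is checked before the signature, so a tampered body is reported as such without any public-key work, and a trailing blank line added by a relay is absorbed by the canonicalization rather than breaking the check. Forwarders that rewrite the body (some mailing lists add footers) would still break it, which is why DMARC keeps SPF as a second path.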



What DMARC Adds to the Equation


DMARC builds on SPF and DKIM by providing domain owners with a way to publish policies on how to handle emails that fail authentication checks. It also offers reporting features to monitor email traffic and detect abuse.


DMARC’s main benefits:


  • Alignment enforcement: DMARC requires that the domain in the "From" header aligns with the domain authenticated by SPF or DKIM. This prevents attackers from spoofing the visible sender address.

  • Policy control: Domain owners can specify whether to accept, quarantine, or reject emails that fail SPF and DKIM checks.

  • Visibility through reports: DMARC generates reports that show who is sending emails on behalf of the domain and how many emails pass or fail authentication.


How DMARC works:


  1. The receiver checks SPF and DKIM results.

  2. It verifies if either SPF or DKIM aligns with the "From" domain.

  3. Based on the domain owner’s DMARC policy, the receiver decides to accept, quarantine, or reject the email.

  4. The receiver sends aggregate and forensic reports back to the domain owner.


DMARC gives domain owners control over their email reputation and helps reduce phishing attacks.
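The four steps above as an added example in Go, written for this post rather than taken from it or from any DMARC implementation. ParsePolicy reads the _dmarc TXT record (p=, adkim=, aspf=, rua=), Evaluate applies alignment (strict: identical domain; relaxed: same organizational domain) and then the published disposition, and the two calls in main replay the two situations the post keeps returning to: a forged "From" with a passing but unaligned SPF, and a forwarded message whose DKIM signature still aligns. Domains and the report address are placeholders, and the organizational-domain rule is simplified to the last two labels; real verifiers use the Public Suffix List.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what SPF or DKIM established for a message: whether it passed,
// and for which domain (the MAIL FROM domain for SPF, the d= tag for DKIM).
type AuthResult struct {
	Pass   bool
	Domain string
}

// Policy is a parsed _dmarc.<domain> TXT record.
type Policy struct {
	Disposition string // p= : none, quarantine or reject
	DKIMStrict  bool   // adkim=s (default r, relaxed)
	SPFStrict   bool   // aspf=s (default r, relaxed)
	Rua         string // rua= : where aggregate reports are sent
}

// ParsePolicy reads a record such as "v=DMARC1; p=reject; adkim=s; rua=mailto:...".
func ParsePolicy(record string) (Policy, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "DMARC1" || tags["p"] == "" {
		return Policy{}, fmt.Errorf("not a usable DMARC record: %q", record)
	}
	return Policy{
		Disposition: strings.ToLower(tags["p"]),
		DKIMStrict:  strings.EqualFold(tags["adkim"], "s"),
		SPFStrict:   strings.EqualFold(tags["aspf"], "s"),
		Rua:         tags["rua"],
	}, nil
}

// orgDomain approximates the organizational domain as the last two labels. Real
// verifiers consult the Public Suffix List (think example.co.uk); this is a simplification.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether an authenticated domain aligns with the From: domain:
// identical under strict alignment, same organizational domain under relaxed.
func aligned(authDomain, fromDomain string, strict bool) bool {
	if strict {
		return strings.EqualFold(authDomain, fromDomain)
	}
	return orgDomain(authDomain) == orgDomain(fromDomain)
}

// Evaluate applies DMARC to one message: it passes if SPF or DKIM passed AND that
// identifier aligns with the From: domain; otherwise the owner's p= disposition
// applies. It returns (dmarcPass, disposition).
func Evaluate(pol Policy, fromDomain string, spf, dkim AuthResult) (bool, string) {
	if (spf.Pass && aligned(spf.Domain, fromDomain, pol.SPFStrict)) ||
		(dkim.Pass && aligned(dkim.Domain, fromDomain, pol.DKIMStrict)) {
		return true, "none" // deliver normally
	}
	return false, pol.Disposition
}

func main() {
	pol, err := ParsePolicy("v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com")
	if err != nil {
		panic(err)
	}
	// Forged From: (example.com) sent with the sender's own envelope domain, so SPF
	// passed for bulk.example.org. Unaligned, so DMARC fails and p=reject applies.
	fmt.Println(Evaluate(pol, "example.com", AuthResult{Pass: true, Domain: "bulk.example.org"}, AuthResult{}))
	// Forwarded mail: SPF fails at the forwarder, but the example.com DKIM signature survives.
	fmt.Println(Evaluate(pol, "example.com", AuthResult{Pass: false, Domain: "example.com"}, AuthResult{Pass: true, Domain: "example.com"}))
}
```

With p=none the function still returns false for a failing message but a disposition of "none", which is the monitoring mode the implementation steps later in the post start from: nothing is blocked, but every failure shows up in the aggregate reports sent to the rua= address.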



How DKIM and DMARC Complement SPF


SPF, DKIM, and DMARC work together to provide a layered defense:


  • SPF verifies the sending server’s IP address.

  • DKIM verifies the message integrity and authenticates the sender’s domain.

  • DMARC enforces alignment and policy for handling failed checks.


Using all three protocols helps prevent spoofing, phishing, and unauthorized use of your domain in emails.



Real-World Examples of Why DKIM and DMARC Matter


Example 1: Preventing phishing attacks


A company using only SPF might still have its domain spoofed in the "From" address because SPF does not check the visible sender. Attackers can send emails that appear to come from the company, tricking customers into clicking malicious links.


With DKIM and DMARC, the company can ensure that only emails signed with their private key and aligned with their domain pass authentication. Emails failing these checks can be rejected or quarantined, reducing phishing risks.


Example 2: Handling email forwarding


A user forwards an email from a mailing list to a colleague. SPF fails because the forwarding server is not authorized in the original SPF record. Without DKIM, the forwarded email might be marked as spam or rejected.


With DKIM, the signature remains intact, allowing the forwarded email to pass authentication. DMARC policies can then guide how to treat the email based on the signature and alignment.



Steps to Implement DKIM and DMARC


  1. Set up SPF records to specify authorized sending servers.

  2. Generate DKIM keys and publish the public key in DNS.

  3. Configure your mail server to sign outgoing emails with DKIM.

  4. Create a DMARC record in DNS with a policy (none, quarantine, reject) and reporting addresses.

  5. Monitor DMARC reports to identify legitimate and unauthorized senders.

  6. Adjust DMARC policy over time to move from monitoring to enforcement.
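Step 5 in practice: an added example (not from the post or from any vendor's tooling) that parses a DMARC aggregate (rua) report in the XML layout of RFC 7489 and tallies, per sending IP, how many messages passed or failed DMARC. The report embedded in the block is constructed; its three sources are the company's own mail server, an unknown host using the domain, and a forwarder whose DKIM signature carried the mail through. Unauthorized lists the sources that never pass, which is the list to work through (add it to SPF, get it signing, or confirm it is abuse) before moving from p=none to quarantine and then reject in step 6.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// Feedback maps the parts of an RFC 7489 aggregate (rua) report used here.
type Feedback struct {
	Org     string   `xml:"report_metadata>org_name"`
	Domain  string   `xml:"policy_published>domain"`
	Policy  string   `xml:"policy_published>p"`
	Records []Record `xml:"record"`
}

// Record is one report row: a source IP, a message count and how DMARC judged them.
// policy_evaluated holds the aligned results, so "pass" there means an aligned pass.
type Record struct {
	SourceIP string `xml:"row>source_ip"`
	Count    int    `xml:"row>count"`
	DKIM     string `xml:"row>policy_evaluated>dkim"`
	SPF      string `xml:"row>policy_evaluated>spf"`
}

// Source is the per-IP view a domain owner reviews before tightening p=.
type Source struct {
	IP         string
	Pass, Fail int // messages that passed / failed DMARC
}

// Summarize parses a report and aggregates DMARC pass/fail counts per source IP,
// most failures first.
func Summarize(report []byte) (Feedback, []Source, error) {
	var fb Feedback
	if err := xml.Unmarshal(report, &fb); err != nil {
		return fb, nil, err
	}
	byIP := map[string]*Source{}
	for _, r := range fb.Records {
		s, ok := byIP[r.SourceIP]
		if !ok {
			s = &Source{IP: r.SourceIP}
			byIP[r.SourceIP] = s
		}
		if r.DKIM == "pass" || r.SPF == "pass" { // DMARC needs one aligned pass
			s.Pass += r.Count
		} else {
			s.Fail += r.Count
		}
	}
	out := make([]Source, 0, len(byIP))
	for _, s := range byIP {
		out = append(out, *s)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Fail != out[j].Fail {
			return out[i].Fail > out[j].Fail
		}
		return out[i].IP < out[j].IP
	})
	return fb, out, nil
}

// Unauthorized lists sources that never passed: a legitimate sender nobody set up
// (fix by adding it to SPF or signing its mail) or a third party using the domain.
func Unauthorized(sources []Source) []string {
	var ips []string
	for _, s := range sources {
		if s.Pass == 0 && s.Fail > 0 {
			ips = append(ips, s.IP)
		}
	}
	return ips
}

// sampleReport is a constructed aggregate report, not one received from a real provider.
const sampleReport = `<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk.example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.200</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>`

func main() {
	fb, sources, err := Summarize([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Printf("report from %s for %s (p=%s)\n", fb.Org, fb.Domain, fb.Policy)
	for _, s := range sources {
		fmt.Printf("%-15s pass=%d fail=%d\n", s.IP, s.Pass, s.Fail)
	}
	fmt.Println("needs follow-up:", Unauthorized(sources))
}
```

The second record is the interesting one: its own SPF result is pass, but for bulk.example.org, so under alignment it counts as a failure against example.com. Real reports arrive as compressed attachments from many receivers per day, so in practice this summary is run over all of them and compared against the inventory of systems that are supposed to send mail for the domain.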


Speak to us today to understand how we can implement this robust email authentication for your organisation.


Benefits Beyond Security


Implementing DKIM and DMARC improves email deliverability. Many email providers prioritize authenticated emails, reducing the chance your messages end up in spam folders. It also builds trust with recipients by showing your domain is protected.


