Email Security — SPF/DKIM/DMARC | Security Training

Why Email Authentication Matters

Email was designed in the 1970s and 1980s with no built-in authentication. The SMTP protocol — the foundation of all email delivery — trusts the sender to identify themselves honestly. It is trivially easy to send an email that appears to come from any address. This is called email spoofing, and it is the foundation of most phishing attacks.

As IT support staff, you need to understand how modern email authentication protocols — SPF, DKIM, and DMARC — work together to verify that an email actually came from who it claims to come from. When users report suspicious emails, your ability to read authentication headers and understand these protocols can be the difference between identifying a phishing attack and dismissing it as a false alarm.

The Three Pillars of Email Authentication

Email authentication is built on three complementary protocols. Each addresses a different aspect of the problem:

Protocol	What It Does	Analogy
SPF	Specifies which mail servers are authorized to send email for a domain	A guest list at a venue — "only these servers may send as us"
DKIM	Adds a digital signature to verify the email was not altered in transit	A wax seal on a letter — proves authenticity and integrity
DMARC	Tells receiving servers what to do when SPF or DKIM fails, and provides reporting	The bouncer's instructions — "reject fakes and tell me about them"

All three work together. SPF alone does not prevent spoofing. DKIM alone does not prevent spoofing. Even SPF plus DKIM without DMARC leaves gaps. You need all three.

SPF: Sender Policy Framework

SPF allows a domain owner to publish a DNS TXT record listing the mail servers that are authorized to send email on behalf of that domain.

How SPF Works

Your organization publishes an SPF record in DNS: v=spf1 include:spf.protection.outlook.com -all
Someone sends an email claiming to be from @yourcompany.com
The receiving mail server checks the SPF record for yourcompany.com
If the sending server's IP address matches the SPF record, SPF passes. If not, SPF fails.

Reading an SPF Record

v=spf1 include:spf.protection.outlook.com include:_spf.google.com ip4:203.0.113.25 -all

Component	Meaning
`v=spf1`	This is an SPF version 1 record
`include:spf.protection.outlook.com`	Microsoft 365 mail servers are authorized
`include:_spf.google.com`	Google Workspace mail servers are authorized
`ip4:203.0.113.25`	This specific IP address is authorized
`-all`	Reject all other senders (hard fail)

SPF Qualifiers

Qualifier	Meaning	Recommendation
`-all`	Hard fail — reject unauthorized senders	Use this in production
`~all`	Soft fail — accept but mark as suspicious	Use during testing/rollout
`?all`	Neutral — don't check	Provides no protection
`+all`	Pass everything	Never use this — it defeats the purpose

SPF Limitations

SPF checks the envelope sender (the Return-Path header), not the From: address that users see. An attacker can pass SPF while still spoofing the visible sender address.
SPF breaks when email is forwarded because the forwarding server's IP isn't in the original domain's SPF record.
SPF records have a 10-DNS-lookup limit. Complex organizations with many email services can exceed this.

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to outgoing emails. The receiving server verifies this signature using a public key published in the sender's DNS records.

How DKIM Works

Your mail server generates a key pair (private key kept secret, public key published in DNS)
When sending an email, the server signs specific headers and the body with the private key
The signature is added as a DKIM-Signature header in the email
The receiving server retrieves the public key from DNS and verifies the signature
If the signature validates, the email has not been altered since it was signed

What DKIM Proves

The email was sent by a server that possesses the private key for that domain
The email content has not been modified in transit (integrity)
The domain in the DKIM signature is associated with the sender

What DKIM Does Not Prove

DKIM does not prevent a different domain from sending email — it only proves which domain signed the message
Without DMARC, a failing DKIM check may not result in any action

Quick Check

If an email passes DKIM verification, it is guaranteed to be legitimate and safe to open.

DMARC: Domain-Based Message Authentication, Reporting & Conformance

DMARC ties SPF and DKIM together and adds a critical missing piece: a policy that tells receiving servers what to do when authentication fails, and a reporting mechanism that lets domain owners see who is sending email as their domain.

How DMARC Works

Domain owner publishes a DMARC record in DNS: v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com
Receiving server checks if the email passes SPF or DKIM with alignment (the authenticated domain matches the From: domain)
If both SPF and DKIM fail alignment, the receiving server follows the DMARC policy
The receiving server sends aggregate reports to the address specified in rua

DMARC Policies

Policy	Action	When to Use
`p=none`	Monitor only — deliver everything, send reports	Initial deployment, gathering data
`p=quarantine`	Send failing emails to spam/junk	Intermediate step after analyzing reports
`p=reject`	Block failing emails entirely	Full enforcement — the goal

DMARC Alignment

This is the concept that catches most people: DMARC requires alignment between the domain in the authentication check and the domain in the From: header.

SPF alignment — The domain in the Return-Path must match the domain in the From: header
DKIM alignment — The domain in the DKIM signature (d=) must match the domain in the From: header

An email can pass SPF and DKIM individually but still fail DMARC if the authenticated domains don't match the From: domain. This is how DMARC closes the spoofing gap that SPF and DKIM leave open.

Reading a DMARC Record

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-agg@yourcompany.com; ruf=mailto:dmarc-forensic@yourcompany.com; pct=100

Component	Meaning
`v=DMARC1`	DMARC version 1
`p=reject`	Policy for this domain: reject failing emails
`sp=quarantine`	Policy for subdomains: quarantine failing emails
`rua=mailto:...`	Aggregate reports sent here (daily summaries)
`ruf=mailto:...`	Forensic reports sent here (individual failure details)
`pct=100`	Apply policy to 100% of failing emails

Analyzing Email Headers

When a user reports a suspicious email, checking the authentication headers tells you whether SPF, DKIM, and DMARC passed.

Key Headers to Check

Authentication-Results: mx.google.com;
       dkim=pass header.d=example.com;
       spf=pass (google.com: domain of info@example.com designates 209.85.220.41 as permitted sender);
       dmarc=pass (p=REJECT) header.from=example.com

This email passed all three checks — it is likely legitimate.

Authentication-Results: mx.google.com;
       dkim=fail (signature did not verify);
       spf=fail (google.com: domain of admin@yourbank.com does not designate 185.234.72.90 as permitted sender);
       dmarc=fail (p=NONE)

This email failed all three checks — it is almost certainly spoofed. Note that p=NONE means the sending domain's DMARC policy is monitor-only, so the email was still delivered despite failing.

Scenario Challenge

A user forwards you a suspicious email claiming to be from your CEO (ceo@yourcompany.com). You check the email headers and find: SPF=fail, DKIM=fail, DMARC=fail (p=quarantine). The email was delivered to the user's inbox instead of their junk folder. What should you investigate?

How would you respond? Choose the best option:

DMARC Deployment Roadmap

Rolling out DMARC is a phased process. Going straight to p=reject without preparation will likely block legitimate email from third-party services that send on your behalf (marketing platforms, CRM systems, ticketing tools).

Phase 1: Inventory and SPF/DKIM Setup

Identify all services that send email as your domain
Ensure SPF records include all legitimate sending sources
Configure DKIM signing for all email platforms

Phase 2: DMARC Monitor Mode (p=none)

Publish v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com
Collect and analyze aggregate reports for 2-4 weeks
Identify legitimate senders that are failing authentication
Fix their SPF/DKIM configuration

Phase 3: Quarantine (p=quarantine)

Update to p=quarantine; pct=10 (start with 10% to limit impact)
Gradually increase the percentage as you confirm legitimate mail is unaffected
Monitor reports for false positives

Phase 4: Reject (p=reject)

Update to p=reject; pct=100
All unauthenticated email claiming to be from your domain is now blocked
Continue monitoring reports for new legitimate senders that need configuration

Key Takeaways

SPF, DKIM, and DMARC work together — All three are required for effective email authentication
SPF alone doesn't prevent spoofing — It only checks the envelope sender, not the visible From: address
DKIM proves integrity and origin — But without DMARC, failures may not be acted upon
DMARC alignment is the key concept — The authenticated domain must match the From: domain
Deploy DMARC in phases — Start with monitoring, then quarantine, then reject
Learn to read authentication headers — When users report suspicious emails, the headers tell you the truth
p=reject is the goal — Anything less than reject still allows spoofed email through

Why Email Authentication Matters

The Three Pillars of Email Authentication

Email authentication is built on three complementary protocols. Each addresses a different aspect of the problem:

Protocol	What It Does	Analogy
SPF	Specifies which mail servers are authorized to send email for a domain	A guest list at a venue — "only these servers may send as us"
DKIM	Adds a digital signature to verify the email was not altered in transit	A wax seal on a letter — proves authenticity and integrity
DMARC	Tells receiving servers what to do when SPF or DKIM fails, and provides reporting	The bouncer's instructions — "reject fakes and tell me about them"

All three work together. SPF alone does not prevent spoofing. DKIM alone does not prevent spoofing. Even SPF plus DKIM without DMARC leaves gaps. You need all three.

SPF: Sender Policy Framework

SPF allows a domain owner to publish a DNS TXT record listing the mail servers that are authorized to send email on behalf of that domain.

How SPF Works

Your organization publishes an SPF record in DNS: v=spf1 include:spf.protection.outlook.com -all
Someone sends an email claiming to be from @yourcompany.com
The receiving mail server checks the SPF record for yourcompany.com
If the sending server's IP address matches the SPF record, SPF passes. If not, SPF fails.

Reading an SPF Record

v=spf1 include:spf.protection.outlook.com include:_spf.google.com ip4:203.0.113.25 -all

Component	Meaning
`v=spf1`	This is an SPF version 1 record
`include:spf.protection.outlook.com`	Microsoft 365 mail servers are authorized
`include:_spf.google.com`	Google Workspace mail servers are authorized
`ip4:203.0.113.25`	This specific IP address is authorized
`-all`	Reject all other senders (hard fail)

SPF Qualifiers

Qualifier	Meaning	Recommendation
`-all`	Hard fail — reject unauthorized senders	Use this in production
`~all`	Soft fail — accept but mark as suspicious	Use during testing/rollout
`?all`	Neutral — don't check	Provides no protection
`+all`	Pass everything	Never use this — it defeats the purpose

SPF Limitations

SPF checks the envelope sender (the Return-Path header), not the From: address that users see. An attacker can pass SPF while still spoofing the visible sender address.
SPF breaks when email is forwarded because the forwarding server's IP isn't in the original domain's SPF record.
SPF records have a 10-DNS-lookup limit. Complex organizations with many email services can exceed this.

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to outgoing emails. The receiving server verifies this signature using a public key published in the sender's DNS records.

How DKIM Works

Your mail server generates a key pair (private key kept secret, public key published in DNS)
When sending an email, the server signs specific headers and the body with the private key
The signature is added as a DKIM-Signature header in the email
The receiving server retrieves the public key from DNS and verifies the signature
If the signature validates, the email has not been altered since it was signed

What DKIM Proves

The email was sent by a server that possesses the private key for that domain
The email content has not been modified in transit (integrity)
The domain in the DKIM signature is associated with the sender

What DKIM Does Not Prove

DKIM does not prevent a different domain from sending email — it only proves which domain signed the message
Without DMARC, a failing DKIM check may not result in any action

Quick Check

If an email passes DKIM verification, it is guaranteed to be legitimate and safe to open.

DMARC: Domain-Based Message Authentication, Reporting & Conformance

How DMARC Works

Domain owner publishes a DMARC record in DNS: v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com
Receiving server checks if the email passes SPF or DKIM with alignment (the authenticated domain matches the From: domain)
If both SPF and DKIM fail alignment, the receiving server follows the DMARC policy
The receiving server sends aggregate reports to the address specified in rua

DMARC Policies

Policy	Action	When to Use
`p=none`	Monitor only — deliver everything, send reports	Initial deployment, gathering data
`p=quarantine`	Send failing emails to spam/junk	Intermediate step after analyzing reports
`p=reject`	Block failing emails entirely	Full enforcement — the goal

DMARC Alignment

This is the concept that catches most people: DMARC requires alignment between the domain in the authentication check and the domain in the From: header.

SPF alignment — The domain in the Return-Path must match the domain in the From: header
DKIM alignment — The domain in the DKIM signature (d=) must match the domain in the From: header

An email can pass SPF and DKIM individually but still fail DMARC if the authenticated domains don't match the From: domain. This is how DMARC closes the spoofing gap that SPF and DKIM leave open.

Reading a DMARC Record

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-agg@yourcompany.com; ruf=mailto:dmarc-forensic@yourcompany.com; pct=100

Component	Meaning
`v=DMARC1`	DMARC version 1
`p=reject`	Policy for this domain: reject failing emails
`sp=quarantine`	Policy for subdomains: quarantine failing emails
`rua=mailto:...`	Aggregate reports sent here (daily summaries)
`ruf=mailto:...`	Forensic reports sent here (individual failure details)
`pct=100`	Apply policy to 100% of failing emails

Analyzing Email Headers

When a user reports a suspicious email, checking the authentication headers tells you whether SPF, DKIM, and DMARC passed.

Key Headers to Check

Authentication-Results: mx.google.com;
       dkim=pass header.d=example.com;
       spf=pass (google.com: domain of info@example.com designates 209.85.220.41 as permitted sender);
       dmarc=pass (p=REJECT) header.from=example.com

This email passed all three checks — it is likely legitimate.

Authentication-Results: mx.google.com;
       dkim=fail (signature did not verify);
       spf=fail (google.com: domain of admin@yourbank.com does not designate 185.234.72.90 as permitted sender);
       dmarc=fail (p=NONE)

This email failed all three checks — it is almost certainly spoofed. Note that p=NONE means the sending domain's DMARC policy is monitor-only, so the email was still delivered despite failing.

Scenario Challenge

How would you respond? Choose the best option:

DMARC Deployment Roadmap

Phase 1: Inventory and SPF/DKIM Setup

Identify all services that send email as your domain
Ensure SPF records include all legitimate sending sources
Configure DKIM signing for all email platforms

Phase 2: DMARC Monitor Mode (p=none)

Publish v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com
Collect and analyze aggregate reports for 2-4 weeks
Identify legitimate senders that are failing authentication
Fix their SPF/DKIM configuration

Phase 3: Quarantine (p=quarantine)

Update to p=quarantine; pct=10 (start with 10% to limit impact)
Gradually increase the percentage as you confirm legitimate mail is unaffected
Monitor reports for false positives

Phase 4: Reject (p=reject)

Update to p=reject; pct=100
All unauthenticated email claiming to be from your domain is now blocked
Continue monitoring reports for new legitimate senders that need configuration

Key Takeaways

SPF, DKIM, and DMARC work together — All three are required for effective email authentication
SPF alone doesn't prevent spoofing — It only checks the envelope sender, not the visible From: address
DKIM proves integrity and origin — But without DMARC, failures may not be acted upon
DMARC alignment is the key concept — The authenticated domain must match the From: domain
Deploy DMARC in phases — Start with monitoring, then quarantine, then reject
Learn to read authentication headers — When users report suspicious emails, the headers tell you the truth
p=reject is the goal — Anything less than reject still allows spoofed email through

Why Email Authentication Matters

The Three Pillars of Email Authentication

SPF: Sender Policy Framework

How SPF Works

Reading an SPF Record

SPF Qualifiers

SPF Limitations

DKIM: DomainKeys Identified Mail

How DKIM Works

What DKIM Proves

What DKIM Does Not Prove

DMARC: Domain-Based Message Authentication, Reporting & Conformance

How DMARC Works

DMARC Policies

DMARC Alignment

Reading a DMARC Record

Analyzing Email Headers

Key Headers to Check

DMARC Deployment Roadmap

Phase 1: Inventory and SPF/DKIM Setup

Phase 2: DMARC Monitor Mode (p=none)

Phase 3: Quarantine (p=quarantine)

Phase 4: Reject (p=reject)

Key Takeaways

Ready to test your knowledge?

Why Email Authentication Matters

The Three Pillars of Email Authentication

SPF: Sender Policy Framework

How SPF Works

Reading an SPF Record

SPF Qualifiers

SPF Limitations

DKIM: DomainKeys Identified Mail

How DKIM Works

What DKIM Proves

What DKIM Does Not Prove

DMARC: Domain-Based Message Authentication, Reporting & Conformance

How DMARC Works

DMARC Policies

DMARC Alignment

Reading a DMARC Record

Analyzing Email Headers

Key Headers to Check

DMARC Deployment Roadmap

Phase 1: Inventory and SPF/DKIM Setup

Phase 2: DMARC Monitor Mode (p=none)

Phase 3: Quarantine (p=quarantine)

Phase 4: Reject (p=reject)

Key Takeaways

Ready to test your knowledge?