← All articles

SPF, DKIM and DMARC: email authentication against phishing

GottaPhish Team · April 29, 2026

Email was never designed with authentication in mind: the MAIL FROM and the From: header can be set to anything. SPF, DKIM and DMARC are the three layered standards that let a receiving server decide whether a message really came from your domain — and they are the single most effective technical control against domain spoofing in phishing.

The three layers

The standards solve different problems and are meant to be deployed together.

SPF

SPF is a single DNS TXT record listing authorized senders. The receiver checks the connecting IP against the Return-Path (envelope) domain's SPF record.

example.com.  IN  TXT  "v=spf1 include:_spf.google.com ip4:198.51.100.10 -all"

SPF's weakness: it validates the envelope sender, not the header From: a user actually sees. On its own it does nothing to stop display-name spoofing.

DKIM

DKIM adds a signature header covering selected headers and the body, using a private key held by the sender. The public key lives in DNS under a selector.

selector1._domainkey.example.com.  IN  TXT
  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."

A signed message carries a header like:

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
  h=from:to:subject:date; bh=...; b=...

Because the signature survives forwarding, DKIM is more robust than SPF. Use 2048-bit keys and rotate selectors periodically.

DMARC and alignment

DMARC is where policy lives. It requires that SPF or DKIM not only pass but also align with the domain in the visible From: header.

_dmarc.example.com.  IN  TXT
  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"

A message passes DMARC if at least one of SPF or DKIM passes and is aligned. This is why forwarding often breaks SPF but survives on DKIM.

Putting it together at the receiver

1. Connecting IP checked against Return-Path SPF record
2. DKIM-Signature verified against selector public key
3. DMARC: does a passing mechanism align with the From: domain?
4. If not → apply p= policy (reject / quarantine)
5. Emit aggregate (rua) and optional forensic (ruf) reports

Common failure modes

A DMARC policy of p=reject on a well-monitored domain means an attacker can no longer send mail as you to any DMARC-honoring receiver. That closes the most convincing phishing vector: the exact-domain spoof.

How GottaPhish helps

SPF, DKIM and DMARC stop spoofing of your domain, but attackers simply pivot to look-alike domains, display-name tricks and compromised third parties. GottaPhish and its expert support team help you address exactly that residual risk: realistic simulations using those techniques — cousin domains, lax-alignment senders, forwarded-mail edge cases — plus dashboards showing which users clicked and which controls caught what. Our experts assist with setup, design scenarios tailored to your authentication posture, and help you interpret the results so you can prioritize both DNS fixes and targeted awareness training.