SPF, DKIM and DMARC: email authentication against phishing
Email was never designed with authentication in mind: the MAIL FROM and the From: header can be set to anything. SPF, DKIM and DMARC are the three layered standards that let a receiving server decide whether a message really came from your domain — and they are the single most effective technical control against domain spoofing in phishing.
The three layers
The standards solve different problems and are meant to be deployed together.
- SPF (Sender Policy Framework) authorizes which IP addresses may send mail for a domain.
- DKIM (DomainKeys Identified Mail) cryptographically signs messages so tampering and forgery can be detected.
- DMARC ties the two together, enforces alignment with the visible
From:domain, and tells receivers what to do on failure — plus it gives you reporting.
SPF
SPF is a single DNS TXT record listing authorized senders. The receiver checks the connecting IP against the Return-Path (envelope) domain's SPF record.
example.com. IN TXT "v=spf1 include:_spf.google.com ip4:198.51.100.10 -all"
include:pulls in another domain's authorized senders (e.g. your ESP).-allis a hard fail (reject anything not listed);~allis a soft fail.- SPF permits a maximum of 10 DNS lookups — exceeding it yields
permerror, so flatten aggressively nested includes.
SPF's weakness: it validates the envelope sender, not the header From: a user actually sees. On its own it does nothing to stop display-name spoofing.
DKIM
DKIM adds a signature header covering selected headers and the body, using a private key held by the sender. The public key lives in DNS under a selector.
selector1._domainkey.example.com. IN TXT
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."
A signed message carries a header like:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
h=from:to:subject:date; bh=...; b=...
Because the signature survives forwarding, DKIM is more robust than SPF. Use 2048-bit keys and rotate selectors periodically.
DMARC and alignment
DMARC is where policy lives. It requires that SPF or DKIM not only pass but also align with the domain in the visible From: header.
_dmarc.example.com. IN TXT
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"
- SPF alignment compares the
From:domain with theReturn-Pathdomain. - DKIM alignment compares the
From:domain with thed=in the signature. p=is the policy:none(monitor),quarantine, orreject.adkim/aspfset alignment mode:s(strict, exact match) orr(relaxed, same organizational domain).
A message passes DMARC if at least one of SPF or DKIM passes and is aligned. This is why forwarding often breaks SPF but survives on DKIM.
Putting it together at the receiver
1. Connecting IP checked against Return-Path SPF record
2. DKIM-Signature verified against selector public key
3. DMARC: does a passing mechanism align with the From: domain?
4. If not → apply p= policy (reject / quarantine)
5. Emit aggregate (rua) and optional forensic (ruf) reports
Common failure modes
- SPF too many lookups — consolidate
include:chains, preferip4/ip6where stable. - Missing subdomains — attackers spoof
mail.example.comif only the apex is covered. Add_dmarcrecords for subdomains or rely on the org-level policy withsp=. - Third-party senders — invoicing tools, CRMs and marketing platforms all need SPF includes and DKIM keys, or they will fail DMARC.
- Jumping straight to
p=reject— always start atp=none, read the aggregate reports, fix legitimate senders, then tighten.
A DMARC policy of
p=rejecton a well-monitored domain means an attacker can no longer send mail as you to any DMARC-honoring receiver. That closes the most convincing phishing vector: the exact-domain spoof.
How GottaPhish helps
SPF, DKIM and DMARC stop spoofing of your domain, but attackers simply pivot to look-alike domains, display-name tricks and compromised third parties. GottaPhish and its expert support team help you address exactly that residual risk: realistic simulations using those techniques — cousin domains, lax-alignment senders, forwarded-mail edge cases — plus dashboards showing which users clicked and which controls caught what. Our experts assist with setup, design scenarios tailored to your authentication posture, and help you interpret the results so you can prioritize both DNS fixes and targeted awareness training.
