Cyber risk resources
[SPF/DKIM] Don't let attackers spoof your emails

[SPF/DKIM] Don't let attackers spoof your emails

If you do not have SPF, DKIM, and DMARC in place, please read on. There are three core technologies that work together to make your email process trustworthy and secure. 

What are SPF, DKIM, and DMARC?

Think of SPF as a sports team uniform.

A Sender Policy Framework (SPF) tells the world who can send emails as part of your organization. It identifies those that are “on your team” and their mailboxes will contain a record showing their address is part of your organization. 

Think of DKIM as the official team logo that appears on the uniform.

Domain Keys Identified Mail (DKIM) adds a digital signature to email to prove the sender’s identity. This increases trust in the legitimacy of the email. If there is no signature, these emails could be spoofed. After all, anyone running around in a Manchester United uniform can claim they play for that team, but having the legitimate, authentic uniform and logo separates the fake players from the real ones. 

Read more on DKIM: 

Think of DMARC as the roster that matches the correct players with their team.

DMARC is a record that gets published via DNS to establish the relationship between SPF entries (players on your team) and the DKIM signatures that identify them. Anyone across the internet can use the DMARC record to look up your team roster and verify the information. This record covers everyone sending emails on behalf of your domain, and can help identify phishing or suspicious activity.

Why are SPF, DKIM, and DMARC so important?

The Verizon Data Breach Report found that 86% of malware involved across their study of over 7,000 incidents in 2022 was delivered via email. When someone can spoof an email coming from your company, the risk of them distributing malware or harassing your customers is very high. These policies help prevent spoofing.

How can I ensure that my domain email security is up to scratch?

1. Check your settings for yourself!

2. Set a DMARC record:

    O-365 or Outlook Mail: 

    Google Mail:  or read these G-Mail steps to define your DMARC record.

A DMARC policy tells receiving servers what action to take on unauthenticated messages they get from your domain. The action to take is specified with the policy (p) tag. (v) is the version of DMARC in use. This is an example of a DMARC policy record. The v and p tags must be listed first, other tags can be in any order and refer to additional options you can set.

Read about tags here: 

In the example below, any server will “reject” and send an email to the dmarc@domain address letting them know someone was spoofing their email. How crucial! You can be notified if someone is selling false sports uniforms or pretending to be your players. 

An example DMARC record may look like:

v=DMARC1; p=reject;,; pct=100; adkim=s; aspf=s

Helpful Link MX Toolbox Guide: