
How to Stop Email Spoofing: SPF, DKIM, and DMARC Explained

WebSentry Team · 8 min read

What Is Email Spoofing?

Email spoofing is when someone sends an email that appears to come from your domain — billing@yourcompany.com — without having access to your mail accounts. They don't hack your email; they just forge the From header. To the recipient, the email looks completely legitimate.

Spoofed emails are the delivery mechanism behind most phishing attacks, business email compromise (BEC) fraud, and supplier invoice scams. And the reason they keep working is simple: most domains have incomplete email authentication.

The Three Layers of Email Authentication

SPF, DKIM, and DMARC are not three alternatives — they're three layers that work together. SPF and DKIM do the verification. DMARC enforces what happens when that verification fails.

1. SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving mail server gets an email from yourcompany.com, it checks your DNS to see if the sending server is on the approved list.

v=spf1 include:_spf.google.com include:mailgun.org ~all

The ~all at the end is a soft fail — it marks unauthorised senders as suspicious but doesn't reject them. Use -all (hard fail) once you're confident your record includes all legitimate senders.

Limitation: SPF only checks the envelope sender (the technical MAIL FROM address), not the From header that users see. An attacker can pass SPF while still displaying a spoofed From address. This is where DMARC fills the gap.
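To make the SPF check concrete, here is an added example (not WebSentry's code and not from this article) of how a receiving server walks an SPF record: it resolves the MAIL FROM domain's TXT record, follows each include:, and stops at the first matching mechanism, returning the qualifier's result. The DNS data is constructed (RFC 5737 documentation ranges stand in for the providers' real netblocks), and only the ip4, ip6, include and all mechanisms are implemented; a real evaluator also handles a, mx, exists, redirect= and the 10-lookup limit from RFC 7208.

```python
# Added example, not WebSentry's code: a minimal SPF evaluator over constructed
# DNS data, modelling how a receiver checks the MAIL FROM domain's record.
import ipaddress

# Constructed zone data standing in for real DNS TXT lookups. The netblocks
# are RFC 5737 / RFC 3849 documentation ranges, not the providers' real ones.
FAKE_DNS_TXT = {
    "yourcompany.com": "v=spf1 include:_spf.google.com include:mailgun.org ~all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "mailgun.org": "v=spf1 ip4:198.51.100.0/24 ~all",
    "parked.example": "v=spf1 -all",          # a domain that never sends mail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against the SPF record of the MAIL FROM domain.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:
        return "permerror"                   # runaway include: chain
    record = dns.get(domain)
    if record is None:
        return "none"                        # domain publishes no SPF at all
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # an address of the other family never matches the network
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include: matches only when the referenced record yields "pass"
            matched = check_spf(argument, sender_ip, dns, depth + 1) == "pass"
        else:
            raise ValueError(f"mechanism {mechanism!r} not implemented here")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


if __name__ == "__main__":
    for dom, ip in [("yourcompany.com", "192.0.2.10"),     # via the Google include
                    ("yourcompany.com", "203.0.113.7"),    # unknown sender: ~all
                    ("parked.example", "192.0.2.10")]:     # -all: hard fail
        print(dom, ip, "->", check_spf(dom, ip))
```

Note that the function is keyed on the MAIL FROM domain the receiver passes in, not on the From header: that is exactly why a pass here says nothing about the address the recipient sees.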

2. DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. Your mail server signs each message with a private key, and the receiving server verifies that signature against a public key published in your DNS.

; DNS TXT record at: google._domainkey.yourcompany.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

DKIM proves the email wasn't tampered with in transit and that it originated from a server that holds your private key. If a spoofed email doesn't have a valid DKIM signature, the receiving server knows it's suspect.

Most email providers (Google Workspace, Microsoft 365, Mailgun, SendGrid) configure DKIM automatically — you just need to add the DNS records they provide.
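The tamper-evidence part of DKIM is easy to see on the body hash alone. The following added example (not WebSentry's code and not from this article) computes the bh= tag of a DKIM-Signature header using the "simple" body canonicalization from RFC 6376 and checks it against a constructed message. The message, its bh= value and the placeholder b= value are all constructed here; a full verifier would also canonicalize the signed headers and verify the RSA signature in b= against the p= key published in DNS, which this example deliberately does not do.

```python
# Added example, not WebSentry's code: DKIM body-hash (bh=) check with
# "simple" body canonicalization. Message and tag values are constructed.
import base64
import hashlib
import re


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, every
    trailing empty line removed, and an empty body becomes a single CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if body == "":
        return "\r\n"
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_message(body):
    """Constructed sample message. b= is a placeholder, not a real signature;
    bh= is computed by body_hash() so the message verifies as sent."""
    return ("From: billing@yourcompany.com\r\n"
            "To: customer@example.com\r\n"
            "Subject: Invoice\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=yourcompany.com;\r\n"
            " s=google; h=from:to:subject; bh=" + body_hash(body) + ";\r\n"
            " b=PLACEHOLDER_SIGNATURE\r\n"
            "\r\n" + body)


def verify_body_hash(raw):
    """True when the bh= tag in the DKIM-Signature header matches the body."""
    head, _, body = raw.partition("\r\n\r\n")
    # unfold header continuation lines (they start with whitespace)
    head = re.sub(r"\r\n[ \t]+", " ", head)
    m = re.search(r"^DKIM-Signature:(.*)$", head, re.MULTILINE | re.IGNORECASE)
    if not m:
        return False
    tags = dict(t.strip().split("=", 1) for t in m.group(1).split(";") if "=" in t)
    if tags.get("c", "simple/simple").split("/")[-1] != "simple":
        raise ValueError("only simple body canonicalization is implemented here")
    expected = re.sub(r"\s+", "", tags.get("bh", ""))   # whitespace may be folded in
    return expected == body_hash(body)


BODY = "Hello,\r\nYour invoice is attached.\r\n\r\n"   # constructed sample body

if __name__ == "__main__":
    msg = build_message(BODY)
    print("as sent:     ", verify_body_hash(msg))                       # True
    print("body edited: ", verify_body_hash(msg.replace("attached", "overdue")))  # False
```

Appending blank lines to the body still verifies, because the canonicalization discards trailing empty lines; changing a single word in the body does not.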

3. DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is the enforcement layer. It tells receiving mail servers what to do with emails that fail SPF or DKIM checks — and it adds a requirement called alignment: the domain in the user-visible From header must match the domain that SPF or DKIM authenticated.

Without DMARC, an attacker can construct an email that passes SPF (by using their own domain in the envelope) while displaying your domain in the From header. DMARC closes this exact loophole.

Setting Up DMARC

Add a TXT record to your DNS at the subdomain _dmarc.yourcompany.com:

Step 1: Start in monitoring mode

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com

p=none means: monitor but take no action. The rua tag sends aggregate reports to your email address so you can see who is sending email as your domain.

Leave this in place for 2–4 weeks and review the reports. You're looking for any legitimate senders you may have missed in your SPF record.

Step 2: Move to quarantine

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@yourcompany.com

p=quarantine sends failing emails to the recipient's spam folder. The pct=50 tag applies the policy to 50% of failing mail first — this gives you a safety net while you confirm nothing legitimate is being caught. Increase pct to 100 once you're confident.

Step 3: Enforce rejection

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.com

p=reject is the goal. Receiving servers will outright reject any email that fails DMARC alignment. This is what actually stops spoofing.
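The alignment rule and the three policy steps above can be expressed as a small decision function. The following added example (not WebSentry's code and not from this article) parses a DMARC record, tests whether the From header domain is aligned with the domain that SPF or DKIM authenticated, and returns the disposition a receiver would apply, honouring pct= and sp=. It assumes SPF and DKIM have already been evaluated and that their results are passed in; the organizational-domain helper is simplified to the last two labels, whereas real receivers consult the Public Suffix List.

```python
# Added example, not WebSentry's code: DMARC record parsing, identifier
# alignment and disposition selection (RFC 7489), over constructed inputs.
import random


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real
    receiver uses the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r', default): same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample=None):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain that SPF checked; dkim_domain is the
    d= tag of a DKIM signature that verified. `sample` is a fixed 1..100
    draw used instead of random sampling when testing pct= behaviour.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"                # one aligned pass is enough
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]                  # subdomain policy, if published
    pct = int(tags.get("pct", "100"))
    draw = random.randint(1, 100) if sample is None else sample
    if draw > pct:
        # outside the pct sample: RFC 7489 steps the policy down one level
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    reject = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.com"
    # Spoof: SPF passes for the attacker's own envelope domain, From shows yours
    print(evaluate_dmarc(reject, "yourcompany.com", "pass", "attacker.example", "none", None))
    # Legitimate: DKIM signed with d=yourcompany.com, even if SPF failed
    print(evaluate_dmarc(reject, "yourcompany.com", "fail", "bounce.example", "pass", "yourcompany.com"))
```

The first call in the demo is the loophole described above: SPF returns pass, yet the message fails DMARC because the authenticated domain is not aligned with the From header domain, and p=reject turns that into a rejection. With p=none the same message fails DMARC but is still delivered, which is the monitoring-only gap discussed later on this page.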

What About Domains That Don't Send Email?

Parked domains and subdomains that never send email are common attack targets — attackers spoof them because they often have no email authentication at all. Lock them down:

; SPF — reject all senders
v=spf1 -all

; DMARC — reject policy
v=DMARC1; p=reject

You don't need DKIM for a domain that never sends email. An SPF -all record and a DMARC p=reject record are sufficient.

How to Check Your Current Configuration

The fastest way to see exactly where your domain stands is to run a WebSentry scan. The DNS & Email Auth section checks for SPF, DKIM, and DMARC in one go — and for DMARC specifically, it tells you whether your policy is actually enforcing anything or just monitoring.

A domain with SPF ✓ and DKIM ✓ but DMARC missing (or set to p=none) is still fully spoofable. The scanner flags this clearly so you know exactly what to fix.

The Most Common Gap: DMARC on p=none

In practice, the majority of small business domains fall into one of two situations:

  1. No DMARC at all — the most common. No enforcement, no visibility.
  2. DMARC set to p=none — monitoring only. Spoofed emails still reach inboxes.

Having SPF and DKIM configured but DMARC on p=none is like having a security camera but no locks. You can see what happened after the fact, but you haven't stopped anything.

The fix for most businesses is straightforward: add your DMARC record, start on p=none for two weeks to review reports, then move to p=reject. Total DNS change time: under 10 minutes.
