Email Security Basics: Protecting Your Domain from Spoofing
Every day, billions of emails are sent claiming to come from domains that never sent them. This is called "email spoofing", and it is the foundation of a large share of phishing attacks. Let's learn how three DNS records work together to protect your domain.
The Problem: Anyone Can Pretend to Be You
Email was designed in a more trusting time. SMTP itself verifies neither the envelope sender (MAIL FROM) nor the From: header a recipient sees, so by default anyone can send an email claiming to be from your domain. This is like being able to write any return address on a physical letter.
The Solution: Email Authentication
Three technologies work together to verify that emails actually come from who they claim:
SPF
"Who is allowed to send?"
DKIM
"Is this email authentic?"
DMARC
"What to do with failures?"
SPF: The Sender's Guest List
SPF (Sender Policy Framework) is like a guest list for your domain's email. It's a DNS TXT record that lists which mail servers (by IP address) are authorized to send email on behalf of your domain. Receivers check it against the envelope sender (MAIL FROM / Return-Path) domain, not the From: header the user sees; that gap is one reason DMARC exists.
How SPF Works
- You publish a list of approved mail servers in your DNS
- When a receiving server accepts a connection that says MAIL FROM your domain, it looks up your SPF record and checks whether the connecting IP address is covered by it
- If the sending server isn't on your list, the result is "fail" (with -all) or "softfail" (with ~all), and the receiver treats the message accordingly
v=spf1 include:_spf.google.com include:sendgrid.net -all
This example SPF record says: "Only Google's and SendGrid's servers may send email for us. Anything else fails."
- -all (hard fail) - Unauthorized sources fail SPF outright; receivers are asked to reject
- ~all (soft fail) - Unauthorized sources get "softfail"; usually delivered, but marked as suspicious
Use ~all while testing, then switch to -all for full protection. Once DMARC is in place the difference matters less, because DMARC treats anything other than "pass" as a failed SPF check.
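The check described above, written out as an added example (not code from the original article): a small SPF evaluator over a constructed, offline DNS zone. It walks the mechanisms in order, honours the qualifier of the first one that matches, recurses into include:, and charges every DNS-querying mechanism against the 10-lookup budget from RFC 7208, which is the "SPF lookup limit" mistake discussed later under Common Mistakes. The domains, addresses and records in ZONE are invented for the example; ptr and exists are left out.

```python
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 s.4.6.4: include, a, mx, ptr, exists and redirect each cost one
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data that stands in for live DNS (assumption: these names,
# addresses and records are invented for the example).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["203.0.113.25"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.10 a:relay.mailer.example ~all"],
    ("relay.mailer.example", "A"): ["198.51.100.20"],
    # Eleven includes: one more than the limit, so evaluation must end in permerror
    # unless an earlier include already matched.
    ("toomany.example", "TXT"): ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
for i in range(11):
    ZONE[(f"s{i}.example", "TXT")] = ["v=spf1 ip4:192.0.2.99 -all"]


class PermError(Exception):
    """permerror: the record cannot be evaluated (syntax, missing include target, lookup budget)."""


class Resolver:
    """Minimal DNS client over the constructed zone that also enforces the lookup budget."""

    def __init__(self, zone):
        self.zone, self.lookups = zone, 0

    def query(self, name, rtype):
        return self.zone.get((name.lower(), rtype), [])

    def charge(self):
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")


def spf_record(resolver, domain):
    txt = [t for t in resolver.query(domain, "TXT")
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(txt) > 1:
        raise PermError(f"multiple SPF records for {domain}")
    return txt[0] if txt else None


def host_matches(resolver, addr, target):
    """True if any A/AAAA record of target (optionally 'host/prefix') covers addr."""
    host, _, bits = target.partition("/")
    rtype = "A" if addr.version == 4 else "AAAA"
    for rr in resolver.query(host, rtype):
        if addr in ipaddress.ip_network(rr + (f"/{bits}" if bits else ""), strict=False):
            return True
    return False


def evaluate(addr, domain, resolver):
    record = spf_record(resolver, domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        name, eq, value = term.partition("=")
        if eq and ":" not in name:                  # modifier: redirect= is applied last, exp= ignored
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, cidr = mech.lower().partition("/")   # bare "a/24" or "mx/24" form
        if cidr and not arg:
            arg = f"{domain}/{cidr}"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):                # literal networks: no DNS lookup, no charge
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            resolver.charge()
            matched = host_matches(resolver, addr, arg or domain)
        elif mech == "mx":
            resolver.charge()
            matched = any(host_matches(resolver, addr, mx) for mx in resolver.query(arg or domain, "MX"))
        elif mech == "include":
            resolver.charge()
            inner = evaluate(addr, arg, resolver)   # recursive, sharing the same lookup budget
            if inner == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = inner == "pass"               # fail/softfail/neutral inside an include mean "no match"
        else:
            raise PermError(f"unsupported mechanism {mech}")   # ptr and exists are left out here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        resolver.charge()
        return evaluate(addr, redirect, resolver)
    return "neutral"


def check_host(ip, domain, zone=ZONE):
    """SPF check_host(): result for a connection from ip whose MAIL FROM is in domain.
    Returns (result, number of lookups charged) so the budget can be inspected."""
    resolver = Resolver(zone)
    try:
        result = evaluate(ipaddress.ip_address(ip), domain, resolver)
    except (PermError, ValueError):                 # ValueError: malformed ip4:/ip6: argument
        result = "permerror"
    return result, resolver.lookups


if __name__ == "__main__":
    for ip, dom in [("203.0.113.25", "example.com"), ("198.51.100.20", "example.com"),
                    ("192.0.2.1", "example.com"), ("192.0.2.1", "toomany.example")]:
        print(ip, dom, *check_host(ip, dom))
```

Two things worth noticing when you run it: the lookup count is global across the include: chain, so a third-party sender's bloated record eats your budget too, and a record that goes over the limit yields permerror, which DMARC then treats as a failed SPF check for every message, not just the spoofed ones.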
DKIM: The Digital Signature
DKIM (DomainKeys Identified Mail) adds a digital signature to your emails. It's like a wax seal on a letter - it proves the signed headers and body haven't been tampered with and that the message was signed by the domain named in the signature (the d= tag), which a receiver can then compare with the From: address.
How DKIM Works
- Your mail server has a private key (kept secret) and a public key (published in DNS as a TXT record at selector._domainkey.yourdomain.com, so several keys can coexist under different selectors)
- When sending an email, your server canonicalizes selected headers and the body, hashes them, and signs the result with the private key; the signature travels in a DKIM-Signature header
- The receiving server fetches your public key for that selector and verifies the signature over the same headers and body hash
- If any signed header or the body was altered in transit, the hashes no longer match and the signature fails
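The steps above, as an added example that is not code from the original article: the relaxed canonicalization rules of RFC 6376, the body hash (bh=) a signer publishes, and the exact bytes the private key signs and the verifier recomputes before checking b= with the public key. The asymmetric signing step itself needs a key and a crypto library and is deliberately not part of the block; what it shows is why a changed body makes verification fail before any cryptography runs. The sample message, addresses and selector sel1 are constructed for the example.

```python
import base64
import hashlib
import re


def parse_message(raw):
    """Split a CRLF-terminated RFC 5322 message into ordered (name, value) header pairs and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:     # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + b"\r\n" + line)
        else:
            name, _, value = line.partition(b":")
            headers.append((name, value))
    return headers, body


def canon_body_relaxed(body):
    """RFC 6376 s.3.4.4: collapse WSP runs, strip trailing WSP, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)


def canon_header_relaxed(name, value):
    """RFC 6376 s.3.4.2: lowercase name, unfold, collapse WSP, trim WSP around the colon."""
    value = re.sub(rb"[ \t]+", b" ", value.replace(b"\r\n", b""))
    return name.strip(b" \t").lower() + b":" + value.strip(b" \t") + b"\r\n"


def body_hash(body):
    """bh= tag: base64(SHA-256(canonicalized body)) for c=relaxed/relaxed, a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def dkim_tags(sig_value):
    """Parse the tag=value list of a DKIM-Signature header; WSP inside values is insignificant."""
    tags = {}
    for item in sig_value.replace(b"\r\n", b"").split(b";"):
        key, eq, val = item.partition(b"=")
        if eq:
            tags[key.strip().decode()] = re.sub(rb"[ \t]+", b"", val).decode()
    return tags


def signed_data(headers, sig_value):
    """The exact bytes the signer signs and the verifier checks (RFC 6376 s.3.7): the h= headers
    in order (last instance first, each used once), then the DKIM-Signature header itself with
    the b= value emptied and no trailing CRLF."""
    remaining = list(headers)
    out = b""
    for wanted in dkim_tags(sig_value)["h"].lower().split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted.encode():
                out += canon_header_relaxed(*remaining.pop(i))
                break
    stripped = re.sub(rb"(^|[;\s])b=[^;]*", rb"\1b=", sig_value.replace(b"\r\n", b""))
    return out + canon_header_relaxed(b"DKIM-Signature", stripped).rstrip(b"\r\n")


def verify_body_hash(raw):
    """Verifier's first step: recompute bh= and compare. A mismatch means the body changed after
    signing, so the signature check cannot succeed and no key lookup is even needed."""
    headers, body = parse_message(raw)
    sig = next((v for n, v in headers if n.strip().lower() == b"dkim-signature"), None)
    return sig is not None and dkim_tags(sig).get("bh") == body_hash(body)


# Constructed sample message (assumption: addresses, selector sel1 and content are invented).
BODY = b"Hi Bob,\r\n\r\nPlease approve invoice 4411 today.  \r\n\r\nAlice\r\n\r\n"


def build_message(body):
    """Signer's side: compute bh= and assemble the DKIM-Signature header. The b= value would be
    the RSA (or Ed25519) signature over signed_data(); producing it needs the private key and a
    crypto library, so it is left empty here."""
    sig = (b"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
           b"\th=from:to:subject; bh=" + body_hash(body).encode() + b";\r\n\tb=")
    return (b"From: Alice <alice@example.com>\r\nTo: bob@example.net\r\nSubject: Invoice\r\n"
            b"DKIM-Signature: " + sig + b"\r\n\r\n" + body)


if __name__ == "__main__":
    msg = build_message(BODY)
    print("original body hash verifies:", verify_body_hash(msg))
    print("tampered body hash verifies:", verify_body_hash(msg.replace(b"4411", b"9911")))
```

Relaxed canonicalization is what lets a signature survive mailing lists and gateways that reflow whitespace: two bodies that differ only in trailing spaces or blank lines hash identically, while a one-character change to the content does not.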
DMARC: The Policy Enforcer
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. It tells receiving servers what to do when an email fails authentication, and sends you reports about who's trying to use your domain.
DMARC Policies
| Policy | What Happens | Use Case |
|---|---|---|
| p=none | Deliver normally, just report | Monitoring phase - see who sends as you |
| p=quarantine | Send to spam folder | Intermediate - catch suspicious emails |
| p=reject | Don't deliver at all | Full protection - block fake emails |
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100
This DMARC record says: "Reject any email that fails authentication, apply that to 100% of messages (pct=100), and send aggregate reports (rua=, typically one per day from each large receiver) to dmarc@example.com."
How They Work Together
When someone receives an email claiming to be from your domain:
- SPF Check: Is the connecting server authorized by the SPF record of the envelope sender (MAIL FROM) domain?
- DKIM Check: Does the digital signature verify against the public key of the signing domain (d=)?
- DMARC Check: Does at least one of SPF or DKIM pass, and does the domain that passed align with the domain in the visible From: header? (Relaxed alignment accepts the same organizational domain, e.g. bounce.example.com for example.com; strict alignment requires an exact match.)
- Action: Based on your DMARC policy, deliver, quarantine, or reject
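The DMARC decision described above, as an added example that is not code from the original article. It takes the DMARC record (assumed already fetched from _dmarc.<From domain>, falling back to the organizational domain), the SPF and DKIM results with the domains they authenticated, and returns whether DMARC passes and which disposition applies. A tiny constructed suffix set stands in for the Public Suffix List, and the pct= sampling roll is passed in so the outcome is deterministic.

```python
import random

# Constructed stand-in for the Public Suffix List (assumption: a real verifier loads the
# full list from publicsuffix.org; this small set only covers the example domains).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain = public suffix plus one label (mail.example.com -> example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(record):
    """Parse 'tag=value; ...' and require the two mandatory tags v= and p=."""
    tags = {}
    for item in record.split(";"):
        key, eq, val = item.partition("=")
        if eq:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, roll=None):
    """Return (dmarc_pass, disposition) for one message.
    record:      DMARC TXT already fetched for from_domain (or its organizational domain)
    from_domain: domain of the RFC5322.From header the user sees
    spf_domain:  MAIL FROM domain that SPF evaluated; dkim_domain: d= of a verified signature
    roll:        0-99 sample used for pct= (random when None)"""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                                  # one aligned pass is enough
        return True, "none"
    policy = tags["p"].lower()
    if from_domain.lower() != org_domain(from_domain):     # subdomain: sp= applies when present
        policy = tags.get("sp", policy).lower()
    if roll is None:
        roll = random.randrange(100)
    if roll >= int(tags.get("pct", "100")):                # not sampled: apply the next weaker policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com; pct=100"
    print(dmarc_evaluate(rec, "example.com", "pass", "bounce.example.com", "fail", "", roll=0))
    print(dmarc_evaluate(rec, "example.com", "fail", "attacker.example", "none", "", roll=0))
```

The second case in the demo is the classic spoof: SPF may even pass for the attacker's own MAIL FROM domain, but because that domain does not align with the From: header the message fails DMARC and gets the p= disposition.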
Getting Started: Implementation Order
Follow this recommended sequence:
- Set up SPF first - List all services that send email for your domain (email provider, marketing tools, support systems, etc.)
- Configure DKIM - Most email providers have a button to enable it. You'll add a DNS record they provide.
- Start DMARC with p=none - Monitor for a few weeks to see all legitimate sources of your email.
- Move to p=quarantine - Once you've verified all legitimate senders are passing.
- Finally, p=reject - Full protection once you're confident in your setup.
Common Mistakes to Avoid
- Forgetting third-party senders: Marketing tools, CRM systems, support desks - they all need to be in your SPF record
- SPF lookup limits: Mechanisms that trigger DNS queries (include, a, mx, ptr, exists, redirect) are limited to 10 per evaluation, counted across nested includes. Exceeding the limit yields a permerror, which DMARC treats as a failed SPF check for all your mail, not just spoofed messages
- Jumping to p=reject: Always monitor with p=none first, or you might block legitimate email
- Not covering subdomains: An SPF record applies only to the exact name it is published at, so mail.yourdomain.com has no SPF unless you publish one there. A DMARC record on yourdomain.com does apply to its subdomains by default (sp= defaults to the value of p=), so keep sp= at least as strict as p= and publish "v=spf1 -all" on subdomains that never send mail