Phishing Protection: SPF, DKIM, DMARC


According to the 2022 X-Force Threat Intelligence Index, phishing was the method cyber criminals used most often to get inside an organization. Usually, they do so to launch a much larger attack such as ransomware. The Index also revealed that phishing was used in 41% of the attacks. Protection from phishing attacks is one of the best ways to protect your online presence from scammers.

Standard email phishing is one of the most widely known forms of a phishing attack. It is an attempt to get access to sensitive information via an email that appears to be from a legitimate organization. In this digital era, email phishing protection is the need of the hour. 

DMARC: Best Protection Against Phishers 

Identifying phishing emails can be tough if there are multiple emails to analyze. Security analysts therefore need to think from a wider perspective and set up filters that automatically reject or block emails that are not from a legitimate organization. DMARC is capable of giving you the best phishing protection against fraud and impersonators.

In the early days of email, there were few tools to provide sender verification. Almost all spam and theft carried out through email used forged sender information, and verifying the identity of senders still poses a challenge. Technological advancements in the cyber security world have enabled various ways to prevent phishing, such as deploying the best DMARC policy together with a DMARC check.

The three main email security protocols SPF, DKIM and DMARC are complementary in nature, hence implementing them provides the best possible protection. The three protocols authenticate mail servers and prove to Internet service providers (ISPs), mail services, and other receiving servers that senders are authorized to send an email. 

Importance of DMARC, SPF & DKIM

When properly set up, all three protocols prove that the sender is genuine and that they are not sending email on behalf of an impersonator. Anti-phishing measures such as a DMARC record check, an SPF record checker and a DKIM record checker are becoming increasingly crucial, and will one day become mandatory for all mail services and servers.

SPF, DKIM & DMARC are complex to configure, and it takes a lot of research to figure out how they complement each other to provide the best possible security. The effort, in turn, is well worth the time spent on learning how to implement them.

What is SPF?

  • Sender Policy Framework (SPF) is an exceptional email authentication protocol for email security and delivery.
  • It protects the DNS servers and restricts the number of people who can send emails on your behalf. SPF is especially helpful in protecting against domain spoofing.
  • ISPs can use an SPF record to verify whether a particular mail server is authorized to send email for a certain domain. An SPF record is a DNS TXT record which lists the IP addresses that are allowed to send email on behalf of your domain.
  • SPF primarily consists of three components: a policy framework, an authentication technique, and particular headers in an email itself which convey this information.

How Does SPF Detect Fraud Emails?

Receiving mail servers use SPF to verify that incoming email from a domain was sent from a host approved by the domain’s administrators.

The following steps list out the SPF framework:

  • The SPF record is published in the DNS. The record is a list of all the IP addresses that are permitted to send an email on behalf of the domain and it is listed as part of the domain’s overall DNS records.
  • The SPF framework uses the domain in the return-path address to identify the SPF record. The inbound server then matches the IP address of the sender with the authorized IP addresses noted in the SPF record.
  • The receiving server then uses the specified rules in the sending domain’s SPF record to decide whether to accept, reject, or flag the email.
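The three steps above, sketched as an added example (not code from the original page). The domain, the addresses and the in-memory DNS table are constructed, and only the ip4, ip6 and all mechanisms are evaluated, since include, a and mx need live DNS lookups:

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for the DNS TXT lookup (step 1: the published record).
CONSTRUCTED_DNS = {"example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"}


def check_spf(record: str, sender_ip: str) -> str:
    """Step 3: apply the record's rules, left to right, to the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all, normally the last term
        if name not in ("ip4", "ip6"):
            return "unsupported"  # include/a/mx/redirect need real DNS
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed address in the record
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def spf_for_message(return_path: str, sender_ip: str, dns=CONSTRUCTED_DNS) -> str:
    """Step 2: the Return-Path domain selects which SPF record is checked."""
    domain = return_path.rsplit("@", 1)[-1].strip("<>").lower()
    record = dns.get(domain)
    return check_spf(record, sender_ip) if record else "none"
```

A record ending in `~all` instead of `-all` yields `softfail` for unlisted senders, which most receivers flag rather than reject.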

What is DKIM?

  • DomainKeys Identified Mail (DKIM) is an email authentication protocol. This protocol detects fake email sender addresses. It is also another way to track an email back to a domain.
  • With DKIM, a sender can attach a DKIM signature to an email (a header that is added to the message and is secured with encryption), and once the email is received, the receiver can verify that it is actually from a legitimate sender.
  • Just like SPF, DKIM is also used in DMARC alignment. The DKIM record is published in DNS, although it is a little more difficult to implement than SPF. DKIM carries the advantage of being able to withstand forwarding, making it preferable over SPF and a solid basis for email security.

Key Terms in DKIM:

DKIM Record: A domain owner adds a DKIM record, which is a modified text record, to the DNS records on the sending domain. This record consists of a public key that receiving mail servers use to verify the message signature. The key is often provided by the company that is sending your email, for example, Gmail.

DKIM Signature: DKIM gives emails a signature that is added to the email header and secured with encryption. Each DKIM signature consists of all the information needed for an email server to verify that the signature is legitimate, and is encrypted by a pair of DKIM keys. The originating email server has a “private DKIM key,” which can be verified by the receiving mail server or ISP with the other half of the key pair, called the “public DKIM key.” These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination.

DKIM Selectors: The DKIM selector is specified in the DKIM-Signature header and guides where the public key portion of the DKIM key pair exists in DNS. The receiving server uses the DKIM selector to locate and retrieve the public key to verify whether the email message is authentic and unaltered. The DKIM selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent. 

How Does DKIM Detect Suspect Emails?

  • When an inbound email server receives an email, it will detect the DKIM signature and look up the sender’s public DKIM key in DNS. 
  • Special DKIM signatures are attached to the emails that servers transmit. These signatures travel along with the emails and are verified as they make their way to their final destination by the email servers.
  • These signatures operate as a watermark for email, allowing recipients to confirm that the email originated from the domain it claims to come from and that it hasn’t been tampered with.
  • The DKIM selector provided in the DKIM signature is used to indicate where to look for this key. If the key is found, it is used to decrypt the DKIM signature. This is then matched to the values retrieved from the received email. If they match, the DKIM is described as valid.
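How a receiver turns the s= selector into a DNS lookup and then checks that the body is unaltered, as an added example (not code from the original page). It covers the key lookup and the body-hash (bh=) comparison only; verifying the b= signature with the public key is left out. The selector, domain, key text and DNS table are constructed placeholders:

```python
import base64
import hashlib


def parse_tags(value: str) -> dict:
    """Split a 'k=v; k=v' tag list (DKIM-Signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant.
            tags[key.strip()] = "".join(val.split())
    return tags


def key_query_name(dkim_signature: str) -> str:
    """DNS name that holds the public key: <s=>._domainkey.<d=> (RFC 6376)."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def body_hash(body: bytes) -> str:
    """bh= value for 'simple' body canonicalization with SHA-256."""
    canonical = body.rstrip(b"\r\n") + b"\r\n"  # drop trailing empty lines
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def precheck(dkim_signature: str, body: bytes, dns: dict) -> str:
    """Selector lookup plus body-hash comparison (b= is not verified here)."""
    record = dns.get(key_query_name(dkim_signature))
    if record is None or not parse_tags(record).get("p"):
        return "no-key"  # no record published, or empty p= (revoked key)
    if parse_tags(dkim_signature).get("bh") != body_hash(body):
        return "body-altered"
    return "body-hash-ok"


# Constructed sample message and DNS data; the b= and p= values are placeholders.
BODY = b"Invoice attached.\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail2024;\r\n"
             f" h=from:to:subject; bh={body_hash(BODY)}; b=PLACEHOLDER")
DNS = {"mail2024._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"}
```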


What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on both DKIM and SPF to validate the authenticity of the email sender, and it is particularly useful for businesses. A DMARC record allows a sender to confirm that their messages are secured by SPF and/or DKIM, and it instructs the receiver what to do if neither of those authentication techniques succeeds.

How DMARC will Suspect a Malicious Email:

DMARC relies on the established SPF and DKIM protocols for email authentication. It also piggybacks on the well-established DNS. The process of DMARC validation works like this:

  • A domain administrator publishes the policy defining its email authentication practices and how receiving servers should handle mail which violates this policy. This policy is listed as part of the domain’s DNS records.
  • When an inbound server receives an email, it uses DNS to look up the DMARC policy for the domain contained in the message’s “From” (RFC 5322) header. The inbound server then validates the message for three key factors:
    • Is the DKIM signature on the email valid?
    • Did the email originate from IP addresses that the sending domain’s SPF records allowed?
    • Do the headers in the email show proper “domain alignment”?
  • With this information, the server is ready to apply the sending domain’s DMARC policy to either accept, reject or flag the email.
  • After using the DMARC policy to determine the proper disposition for the message, the receiving server will report the outcome to the sending domain owner.

DMARC Policies:

  • None: Treat all emails sent from your domain as they would be without any DMARC validation.
  • Quarantine: The recipient server may accept the mail, but should place it somewhere other than the recipient’s inbox, for example the spam folder.
  • Reject: Outright reject the message.
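The validation flow and the three policies above, combined in an added example (not code from the original page). It takes SPF and DKIM results that were already computed and applies alignment and the published policy. The domains and records in the usage are constructed, and the organizational domain is approximated as the last two labels, an assumption that real receivers replace with the Public Suffix List:

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into its tags; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def org_domain(domain: str) -> str:
    # Assumption: last two labels. This is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Domain alignment between the From header and an authenticated domain."""
    if mode == "s":  # strict: the domains must match exactly
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed (default)


def dmarc_disposition(record: str, from_domain: str, spf: tuple, dkim: tuple) -> str:
    """Return 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'.

    spf is (result, Return-Path domain); dkim is (result, d= domain).
    """
    policy = parse_dmarc(record)
    if not policy:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass"
    requested = policy.get("p", "none").lower()
    return requested if requested in ("none", "quarantine", "reject") else "none"


# Constructed records for the usage below.
REJECT_POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
STRICT_POLICY = "v=DMARC1; p=quarantine; aspf=s; adkim=s"
```

An SPF pass for a Return-Path domain unrelated to the From domain does not count, which is the case the "domain alignment" check exists to catch.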


In the era of the technologically advanced world where consumer preferences are drastically shifting towards digitalization, it is crucial to maintain a safe online presence for your business. GoDMARC is your one-stop shop for email spoofing protection. We provide the comfort of securing your data from phishers with the best GoDMARC pricing and DMARC email security. Talk to our cyber security expert and get your DMARC plan now!  

Frequently Asked Questions

Q1. Why is DMARC Important? 

With the surge in social internet use and the accelerating e-commerce market, spammers and phishers have a tremendous financial incentive to compromise user accounts, credit cards, and bank details and to steal passwords. Since emails are easily spoofed, it is vital to have a security protocol installed for safe browsing and message delivery.

Q2. What is DMARC, and how does it combat phishing?

DMARC is an efficient method that makes it easier for email senders and receivers to determine whether or not a particular message is from a legitimate sender. It helps in keeping people’s inboxes free from spam.
