Email spoofing is responsible for over 90% of targeted cyberattacks. Business Email Compromise (BEC) alone caused $2.7 billion in losses in 2023, according to the FBI's IC3 report. The attacker's weapon is simple: forging the "From" address to impersonate your domain.
The defense is equally straightforward — three DNS records that authenticate your emails: SPF, DKIM, and DMARC. This guide explains how each works and how to implement them correctly.
Also see: How to Set Up SPF, DKIM & DMARC, What Is DMARC? Explained, DNS Security Best Practices, and Website Security Checklist 2026.
What Is Email Spoofing?
Email spoofing exploits the fact that SMTP (the email protocol) has no built-in sender verification. Anyone can send an email claiming to be from any address — just like writing any return address on a physical letter.
Attackers use spoofing for:
- Phishing — fake emails from "your bank" or "your CEO" requesting credentials or wire transfers
- Business Email Compromise (BEC) — impersonating executives to authorize fraudulent payments
- Malware distribution — trusted sender addresses increase the chance victims open attachments
- Brand damage — spam sent from your domain destroys your reputation and deliverability
How Spoofing Works
# An attacker can send a spoofed email with a simple SMTP session
# (the # lines are annotations, not part of what is typed):
telnet mail.target-server.com 25
HELO attacker.com
# Forged envelope sender (the address SPF checks)
MAIL FROM:<ceo@yourdomain.com>
RCPT TO:<victim@company.com>
DATA
# Forged display header (what the victim sees, and what DMARC aligns against)
From: CEO <ceo@yourdomain.com>
To: victim@company.com
Subject: Urgent Wire Transfer

Please wire $50,000 to account XXXX immediately.
.
QUIT
Without SPF, DKIM, and DMARC, the receiving mail server has no way to verify that this email is fraudulent.
SPF: Authorized Senders
SPF (Sender Policy Framework) is a DNS TXT record that lists which IP addresses and mail servers are authorized to send email for your domain.
# Basic SPF record
yourdomain.com. IN TXT "v=spf1 include:_spf.google.com ~all"
# SPF with multiple providers
yourdomain.com. IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com -all"
# Breakdown:
# v=spf1 — SPF version 1
# include:... — Authorize these mail services
# -all — HARD FAIL: reject all other senders (recommended)
# ~all — SOFT FAIL: mark as suspicious but deliver (use during testing)
SPF allows at most 10 DNS lookups per evaluation. Each include: counts as one lookup, and the lookups inside nested includes count too. Exceeding the limit makes SPF evaluation return a permanent error (permerror), which receivers treat as a failure and which you will not notice unless you check. Use AI QA Monkey's SPF checker to verify your lookup count.
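The lookup count is easy to get wrong by hand because nested includes are invisible in your own record. The script below is an added example, not code from the original article or from AI QA Monkey: it walks include: and redirect= chains and counts every lookup-costing term against the limit. DNS is replaced by a constructed in-memory table so it runs offline; yourdomain.com, the provider zones and their records are all assumptions made up for illustration.

```python
# Added example, not code from the original article: count the DNS-querying
# terms in an SPF record, following include: and redirect= chains, and flag
# records that exceed the 10-lookup limit. DNS is replaced by a constructed
# in-memory table so this runs offline; every domain and record here is an
# assumption for illustration, not real zone data.
import re

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed zone data (hypothetical).
FAKE_DNS = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:sendgrid.net mx -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}
# A second constructed zone that breaks the limit with eleven includes.
FAKE_DNS["toomany.example"] = "v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " -all"
for i in range(11):
    FAKE_DNS[f"p{i}.example"] = "v=spf1 ip4:203.0.113.0/24 -all"

def count_spf_lookups(domain, dns=FAKE_DNS, _path=()):
    """Return (lookups, problems) for the SPF record published at `domain`.

    Every include:/redirect= is followed recursively because the lookups it
    triggers count against the same limit as the top-level record.
    """
    if domain in _path:
        return 0, ["include loop: " + " -> ".join(_path + (domain,))]
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"no SPF record at {domain}"]
    lookups, problems = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                      # qualifiers do not change lookup cost
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]*))?(?:/[\d/]+)?$", term, re.I)
        if not m:
            problems.append(f"unparseable term {term!r} at {domain}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue                                    # ip4:, ip6: and all cost nothing
        lookups += 1
        if name in ("include", "redirect") and arg:
            sub, sub_problems = count_spf_lookups(arg, dns, _path + (domain,))
            lookups += sub
            problems += sub_problems
    return lookups, problems

def check_spf(domain, dns=FAKE_DNS):
    """Lookup count plus a permerror warning when the limit is exceeded."""
    total, problems = count_spf_lookups(domain, dns)
    if total > MAX_LOOKUPS:
        problems.append(f"{total} lookups exceed the limit of {MAX_LOOKUPS}: receivers return permerror")
    return total, problems

if __name__ == "__main__":
    for d in ("yourdomain.com", "toomany.example"):
        total, problems = check_spf(d)
        print(f"{d}: {total} DNS lookups", *("  ! " + p for p in problems), sep="\n")
```

Against the constructed table, yourdomain.com costs five lookups (two provider includes, the two nested Google includes, and mx), which is well inside the limit; toomany.example is flagged. To run it against real DNS, replace the dictionary lookups with TXT queries and keep the same walk.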
DKIM: Cryptographic Signatures
DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email. The receiving server verifies this signature against a public key published in your DNS.
# DKIM DNS record (public key)
selector._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4..."
# How it works:
# 1. Your mail server signs the email with a private key
# 2. The signature is added as a DKIM-Signature header
# 3. The receiving server looks up your public key in DNS
# 4. If the signature matches, the email is verified as authentic and unaltered
DKIM Protects Against
- Content tampering — any modification to the email body or headers invalidates the signature
- Sender forgery — only your mail server has the private key to create valid signatures
- Replay attacks — signatures include timestamps and message-specific data
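The content-tampering protection rests on the body hash (the bh= tag) that the signer computes over the canonicalized body and the receiver recomputes. The script below is an added example, not code from the original article or from AI QA Monkey: it implements the "relaxed" and "simple" body canonicalizations from RFC 6376, builds the bh= value a signing server would put in the DKIM-Signature header, and shows that a modified body no longer matches. The message body, the selector 2026jan and yourdomain.com are constructed assumptions. Only the body hash is checked; verifying the b= signature over the signed headers needs the signer's public key from DNS, which this snippet does not model.

```python
# Added example, not code from the original article: recompute a DKIM body
# hash (the bh= tag) with "relaxed" body canonicalization and SHA-256, and
# compare it with the value carried in a DKIM-Signature header, so a tampered
# body is detected. The message, selector and domain are constructed
# assumptions. Only the body hash is checked: verifying the b= signature over
# the signed headers needs the signer's public key from DNS, which this
# snippet does not model, and the l= body-length tag is not honoured.
import base64
import hashlib
import re

SIGNER_DOMAIN = "yourdomain.com"   # assumed d= value
SELECTOR = "2026jan"               # assumed s= value
BODY = "Please review the attached invoice.\r\nThanks,\r\nAccounting  \r\n\r\n"  # constructed

def parse_dkim_signature(value):
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def simple_body(body):
    """RFC 6376 section 3.4.3: drop trailing empty lines; an empty body becomes CRLF."""
    lines = body.split("\r\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def relaxed_body(body):
    """RFC 6376 section 3.4.4: collapse runs of WSP to one space, strip trailing
    WSP on every line, drop trailing empty lines; an empty body stays empty.
    This tolerance is why relaying MTAs that add trailing whitespace do not
    break signatures, while any change to the words does."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body, canon="relaxed"):
    """Base64(SHA-256(canonicalized body)), i.e. the bh= tag value for rsa-sha256."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()

def make_signature_header(body, domain=SIGNER_DOMAIN, selector=SELECTOR):
    """What the signing MTA would emit, minus b= (that needs the private key)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")

def body_hash_matches(dkim_header_value, body):
    """Receiver side: recompute bh= with the canonicalization named in c= and compare."""
    tags = parse_dkim_signature(dkim_header_value)
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/")[1] if "/" in c else "simple"   # "c=relaxed" alone means simple body
    return body_hash(body, body_canon) == tags.get("bh")

if __name__ == "__main__":
    header = make_signature_header(BODY)
    print("original body :", body_hash_matches(header, BODY))
    tampered = BODY.replace("attached invoice", "new bank details")
    print("tampered body :", body_hash_matches(header, tampered))
```

A signer that uses the l= tag to hash only part of the body loses this guarantee for anything appended after that length, which is why most deployments leave l= out.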
DMARC: Policy Enforcement
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication.
# DMARC DNS record
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; pct=100"
# Breakdown:
# v=DMARC1 — DMARC version 1
# p=reject — Policy: reject emails that fail (strongest)
# p=quarantine — Policy: send to spam folder
# p=none — Policy: monitor only (use during rollout)
# rua= — Aggregate report destination
# ruf= — Forensic report destination
# adkim=s — Strict DKIM alignment
# aspf=s — Strict SPF alignment
# pct=100 — Apply policy to 100% of emails
DMARC Alignment
DMARC requires that the domain in the From: header aligns with the domain authenticated by SPF or DKIM:
- Strict alignment (s) — exact domain match required
- Relaxed alignment (r) — subdomains are allowed (e.g., mail.yourdomain.com passes for yourdomain.com)
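Alignment is the step that stops an attacker from passing SPF with their own envelope domain while displaying yours in From:. The script below is an added example, not code from the original article or from AI QA Monkey: it applies the strict and relaxed modes to the SPF-authenticated (MAIL FROM) domain and the DKIM d= domain and produces the DMARC verdict. PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List that a real verifier consults, and every domain name is an assumption.

```python
# Added example, not code from the original article: apply the DMARC
# alignment rules. SPF authenticates the envelope (MAIL FROM) domain and
# DKIM authenticates the d= domain; DMARC passes only if at least one of
# them is aligned with the From: header domain under the configured mode.
# PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List a real
# verifier uses; all domain names are assumptions.

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # constructed subset

def organizational_domain(domain):
    """Registered domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def aligned(from_domain, auth_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)

def dmarc_result(from_domain, spf_domain=None, spf_pass=False,
                 dkim_domain=None, dkim_pass=False, adkim="r", aspf="r"):
    """Combine the raw SPF/DKIM results with alignment into a DMARC verdict."""
    spf_aligned = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_pass and aligned(from_domain, dkim_domain, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

if __name__ == "__main__":
    # Mail relayed by a subdomain MTA: passes relaxed, fails strict.
    print(dmarc_result("yourdomain.com", spf_domain="mail.yourdomain.com", spf_pass=True, aspf="r"))
    print(dmarc_result("yourdomain.com", spf_domain="mail.yourdomain.com", spf_pass=True, aspf="s"))
    # Spoofed From: with a valid SPF pass for the sender's own envelope domain: fails.
    print(dmarc_result("yourdomain.com", spf_domain="attacker.example", spf_pass=True))
```

The third case is the one the FAQ below alludes to: an SPF pass on its own proves nothing about the From: header, and only alignment turns it into protection.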
Implementation Roadmap
Phase 1: Monitor (Weeks 1-2)
# Start with p=none to collect data without blocking emails
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
Phase 2: Quarantine (Weeks 3-4)
# Move to quarantine — failed emails go to spam
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com"
Phase 3: Reject (Week 5+)
# Full enforcement — reject all unauthenticated emails
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s"
Monitoring & Reporting
DMARC aggregate reports (RUA) are XML files sent daily by receiving mail servers. They show:
- Which IPs are sending email as your domain
- Whether those emails pass or fail SPF/DKIM
- How many emails were rejected, quarantined, or delivered
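Reading the raw XML is tedious, but the structure is regular enough to summarize with a few lines. The script below is an added example, not code from the original article or from AI QA Monkey: it parses a report laid out as in RFC 7489 Appendix C and lists the sources that failed both aligned checks. The report itself is constructed, including the reporter name, IPs and counts. Real reports arrive as zipped or gzipped attachments from third parties, so a production parser should use defusedxml or another hardened XML parser rather than the stdlib one used here for brevity.

```python
# Added example, not code from the original article: parse a DMARC aggregate
# (rua) report and summarise which source IPs pass or fail. The XML below is
# constructed to follow the RFC 7489 Appendix C schema; the receiver name,
# IPs and counts are invented for illustration. Real reports come from third
# parties, so prefer defusedxml over the stdlib parser used here for brevity.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>s</adkim><aspf>s</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>2026jan</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""

def summarize_report(xml_text):
    """Return the published policy plus one entry per reported source IP."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.iter("record"):
        sources.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),   # DMARC-aligned DKIM result
            "spf": rec.findtext("row/policy_evaluated/spf"),     # DMARC-aligned SPF result
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": sources,
    }

def unauthenticated_sources(summary):
    """Sources where neither aligned SPF nor aligned DKIM passed: either a
    sender you forgot to authorise or someone spoofing your domain."""
    return [s for s in summary["sources"] if s["dkim"] != "pass" and s["spf"] != "pass"]

def totals_by_disposition(summary):
    """Message counts grouped by what the receiver did (none/quarantine/reject)."""
    totals = {}
    for s in summary["sources"]:
        totals[s["disposition"]] = totals.get(s["disposition"], 0) + s["count"]
    return totals

if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['reporter']} reported on {summary['domain']} (p={summary['policy']})")
    print("by disposition:", totals_by_disposition(summary))
    for s in unauthenticated_sources(summary):
        print(f"  unauthenticated: {s['ip']} sent {s['count']} messages, SPF domain {s['spf_domain']}")
```

In the constructed report the second source passed SPF for attacker.example but not for yourdomain.com, so it failed alignment and was rejected; during a p=none rollout the same row would show disposition none, which is exactly the signal you use to find forgotten legitimate senders before enforcing.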
Free tools to parse DMARC reports:
- DMARC Analyzer — visual dashboards for aggregate reports
- Postmark DMARC — free weekly DMARC digests
- Google Postmaster Tools — delivery and authentication stats for Gmail
Subdomain spoofing: the gap most organizations miss
A DMARC record on your root domain (yourdomain.com) does not automatically protect your subdomains. Attackers who cannot spoof noreply@yourdomain.com will pivot to noreply@mail.yourdomain.com or support@billing.yourdomain.com — subdomains that may have no email authentication configured at all.
- Use the sp= tag: the subdomain policy tag in your root DMARC record applies to every subdomain that has no DMARC record of its own. Set sp=reject to protect all subdomains with a single record: v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com
- Audit all subdomains for SPF: any subdomain that sends email needs its own SPF record. Use dig TXT subdomain.yourdomain.com to check each one.
- Protect parked domains immediately: domains you own but do not use for email are prime targets. Publish a reject DMARC and a null SPF (v=spf1 -all) on every parked domain in your portfolio.
# Protect a parked domain from spoofing (no email sent from this domain)
yourdomain-parked.com. IN TXT "v=spf1 -all"
_dmarc.yourdomain-parked.com. IN TXT "v=DMARC1; p=reject; sp=reject"
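How sp= actually reaches a subdomain is decided by the receiver's policy discovery. The script below is an added example, not code from the original article or from AI QA Monkey: it performs the lookup order from RFC 7489 section 6.6.3 (the From: domain's own _dmarc record first, then the organizational domain's record with sp= applied) and checks that a parked domain carries the null-SPF and reject-DMARC pair shown above. DNS is a constructed in-memory table; every name in it, including the .example zones, is an assumption, and PUBLIC_SUFFIXES stands in for the Public Suffix List.

```python
# Added example, not code from the original article: the policy-discovery
# step a receiver performs (RFC 7489 section 6.6.3). It looks up
# _dmarc.<From domain>; when no record exists it falls back to
# _dmarc.<organizational domain> and applies sp= (or p= if sp= is absent).
# It also checks the parked-domain pair of records. DNS is a constructed
# in-memory table and every name in it is an assumption.

PUBLIC_SUFFIXES = {"com", "net", "org", "example"}   # constructed stand-in for the Public Suffix List

def organizational_domain(domain):
    """Registered domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def parse_dmarc(record):
    """'v=DMARC1; p=reject; sp=reject' -> {'v': 'DMARC1', 'p': 'reject', 'sp': 'reject'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

# Constructed TXT records (hypothetical).
FAKE_DNS = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com",
    "_dmarc.newsletter.yourdomain.com": "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
    "yourdomain-parked.com": "v=spf1 -all",
    "_dmarc.yourdomain-parked.com": "v=DMARC1; p=reject; sp=reject",
    "_dmarc.unprotected.example": "v=DMARC1; p=reject",   # no sp=, so subdomains inherit p=
}

def discover_policy(from_domain, dns=FAKE_DNS):
    """Return (policy, record_name) or (None, None) if no DMARC record applies."""
    own = f"_dmarc.{from_domain}"
    tags = parse_dmarc(dns.get(own, ""))
    if tags.get("v") == "DMARC1" and "p" in tags:
        return tags["p"], own
    org = organizational_domain(from_domain)
    if org == from_domain.lower():
        return None, None                      # already at the org domain and nothing published
    org_name = f"_dmarc.{org}"
    tags = parse_dmarc(dns.get(org_name, ""))
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None, None
    # sp= governs subdomains without their own record; if absent, p= applies to them too
    return tags.get("sp", tags["p"]), org_name

def parked_domain_protected(domain, dns=FAKE_DNS):
    """True when the domain publishes a null SPF and a reject DMARC covering subdomains."""
    spf = dns.get(domain, "").split()
    tags = parse_dmarc(dns.get(f"_dmarc.{domain}", ""))
    return spf == ["v=spf1", "-all"] and tags.get("p") == "reject" and tags.get("sp") == "reject"

if __name__ == "__main__":
    for d in ("yourdomain.com", "mail.yourdomain.com", "newsletter.yourdomain.com",
              "billing.yourdomain-parked.com", "sub.unprotected.example", "nothing.example"):
        print(f"{d:32} -> {discover_policy(d)}")
    print("yourdomain-parked.com protected:", parked_domain_protected("yourdomain-parked.com"))
```

Note the newsletter subdomain: because it publishes its own p=none record, the root's sp=reject never applies to it, which is the kind of gap an audit of every _dmarc.<subdomain> record is meant to surface.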
DKIM key rotation: when and how
DKIM private keys should be rotated periodically. If a key is compromised, an attacker can forge valid DKIM signatures indefinitely until the key is rotated. Most organizations rotate annually or after any suspected compromise.
- Generate a new key pair: create a new 2048-bit RSA key with a new selector name (e.g., 2026jan).
- Publish the new public key in DNS: add the new selector TXT record at 2026jan._domainkey.yourdomain.com.
- Update your mail server to use the new key: configure your mail server (Google Workspace, Microsoft 365, Postfix) to sign outgoing mail with the new selector.
- Wait for DNS propagation (24-48 hours): confirm the new key is resolving before switching.
- Remove the old selector DNS record: after confirming the new selector is working, delete the old TXT record so it cannot be used if the old private key was leaked.
Business Email Compromise (BEC): the real cost of missing DMARC
BEC attacks that exploit missing DMARC are not theoretical. The FBI IC3 2023 report identified BEC as the highest-cost cybercrime category at $2.9 billion in losses. The attack pattern is consistent:
- Attacker identifies a high-value target organization without DMARC enforcement.
- Spoofs an executive (CEO, CFO) email address to a finance employee.
- Requests an urgent wire transfer, gift card purchase, or payroll redirect.
- Finance employee complies, believing the email is from an executive.
- Funds are transferred to attacker-controlled accounts — recovery rate is under 10%.
A single p=reject DMARC record would have blocked every one of these attacks at the receiving mail server before the finance employee ever saw the email. The cost to implement: zero dollars and approximately 30 minutes of DNS configuration.
Verifying your email authentication configuration
- Use AI QA Monkey DNS/SPF/DMARC checker to validate all three records simultaneously.
- Send a test email to a Gmail address and view the original message headers: look for Authentication-Results: showing spf=pass, dkim=pass, and dmarc=pass.
- Check the dmarc report email inbox (the rua= mailbox) after 24-48 hours for the first aggregate reports showing authentication results.
- Verify DKIM key length: run dig TXT selector._domainkey.yourdomain.com and confirm the p= value is a 2048-bit key (a longer base64 string than a 1024-bit key).
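Reading the Authentication-Results header by eye works for one test message; the script below is an added example, not code from the original article or from AI QA Monkey, that parses it in the RFC 8601 form so the same check can run over a mailbox. The header is constructed in the style Gmail produces; the authserv-id mx.google.com, the selector 2026jan and the domains are assumptions. Because any sender can insert a header with this name, the verdict is only trusted when the authserv-id is the receiving server you expect.

```python
# Added example, not code from the original article: parse the
# Authentication-Results header that Gmail (and other receivers) add, and
# report the spf/dkim/dmarc outcomes. The header below is constructed in the
# style described by RFC 8601; the authserv-id, selector and domains are
# assumptions. A sender can insert a fake Authentication-Results header, so
# only the entry whose authserv-id matches the receiving server is trusted.
import re

TRUSTED_AUTHSERV_IDS = {"mx.google.com"}   # assumed: the receiver you expect to have added the header

SAMPLE_HEADER = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=2026jan header.b=c0nstructed;
       spf=pass (google.com: domain of bounce@yourdomain.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@yourdomain.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com"""

def parse_authentication_results(header):
    """Return (authserv_id, {method: {'result': ..., 'ptype.property': value, ...}})."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^)]*\)", "", value)      # drop CFWS comments such as "(google.com: ...)"
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id, results = parts[0], {}
    for part in parts[1:]:
        tokens = part.split()
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results

def authentication_verdict(header, trusted=TRUSTED_AUTHSERV_IDS):
    """Per-method results plus an overall flag; untrusted authserv-ids yield no verdict."""
    authserv_id, results = parse_authentication_results(header)
    if authserv_id not in trusted:
        return {"trusted": False, "authserv_id": authserv_id, "all_pass": False}
    outcome = {m: results.get(m, {}).get("result", "none") for m in ("spf", "dkim", "dmarc")}
    return {"trusted": True, "authserv_id": authserv_id,
            "all_pass": all(v == "pass" for v in outcome.values()), **outcome}

if __name__ == "__main__":
    print(authentication_verdict(SAMPLE_HEADER))
```

The header.s property is the quick way to confirm which DKIM selector signed the message, which is useful right after a key rotation to make sure the new selector is the one in use.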
Frequently Asked Questions
What is email spoofing?
Email spoofing is when an attacker sends emails that appear to come from your domain without authorization, by forging the From header to impersonate your organization.
How do SPF, DKIM, and DMARC prevent spoofing?
SPF specifies authorized mail servers. DKIM adds cryptographic signatures. DMARC ties them together with a policy that tells receivers what to do with unauthenticated emails.
Can someone still spoof my email if I have SPF?
SPF alone is not sufficient. You need all three — SPF, DKIM, and DMARC with a reject policy — for comprehensive protection.
How do I check if my domain is protected against spoofing?
Use AI QA Monkey's free DNS/SPF/DMARC Checker to validate your email authentication records instantly.