Email spoofing remains one of the most effective attack vectors against Indian businesses. SPF, DKIM and DMARC are the three DNS-based mechanisms that together verify email authenticity — but most organisations implement them incorrectly.
1 SPF: Authorising Sending Servers
SPF (Sender Policy Framework) is a DNS TXT record listing the IP addresses and domains authorised to send email for your domain. A receiving mail server checks whether the connecting IP is listed in your SPF record. The most common mistake is ending the record with +all (allow all) instead of ~all (soft fail) or -all (hard fail), which authorises every server on the internet. SPF alone is not sufficient: it breaks when mail is forwarded (the forwarder's IP is not in your record), and it authenticates only the envelope sender, not the From header that users actually see.
2 DKIM: Cryptographic Signing
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outbound email. The receiving server fetches your public key from DNS (under the selector named in the signature) and verifies the signature. Unlike SPF, DKIM survives ordinary email forwarding because the signature travels in the message headers and is checked against the content rather than the sending IP; it breaks only when an intermediary such as a mailing list alters the signed headers or body. Ensure your signing key is at least 2048-bit RSA, or use Ed25519 for better security with smaller keys (receiver support for Ed25519 is not yet universal, so keep an RSA signature alongside it). Rotate keys annually.
3 DMARC: Enforcement and Reporting
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that ties SPF and DKIM together. It tells receivers what to do with emails that fail authentication, that is, pass neither SPF nor DKIM with a domain aligned to the From header: none (monitoring only), quarantine (spam folder), or reject (block entirely). Start with p=none and an rua= reporting address to collect data for 30 days before moving to quarantine, then reject.
4 Common DMARC Implementation Mistakes
Publishing p=reject too quickly, without first analysing DMARC reports, causes legitimate emails to be blocked. Leaving sending sources out of SPF is another frequent error: ESPs such as Mailchimp, Salesforce and transactional email providers must all be authorised. Not setting up DMARC aggregate reporting (rua=) means you are flying blind. Forgetting subdomains is the last common mistake: publish sp=reject so the policy explicitly covers them.
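As an added example (not from the article), a small Python linter for the record mistakes covered in sections 1, 3 and 4: an SPF record ending in +all, a DMARC record without an rua= address, and a subdomain policy weaker than the organisational one. The record strings, hostnames and report address are constructed samples; in practice you would first fetch the TXT records for the domain and for _dmarc.<domain>.

```python
# Lint SPF and DMARC TXT records for the misconfigurations described above.
# Added example, not from the original article; records are passed in as
# strings (constructed samples below) so it runs offline without DNS lookups.
QUALIFIERS = "+-~?"
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def lint_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    # 'all' is the catch-all for senders not matched earlier; its qualifier
    # decides their fate. +all (or a bare 'all') authorises the whole internet.
    all_terms = [t for t in terms[1:] if t.lower().lstrip(QUALIFIERS) == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    last = all_terms[-1]
    qualifier = last[0] if last[0] in QUALIFIERS else "+"
    if qualifier in "+?":
        return [f"'{last}' lets any server send as your domain; use ~all or -all"]
    return []

def lint_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record (_dmarc.<domain>)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return ["p= is missing or invalid"]
    findings = []
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address: no aggregate reports, so you are flying blind")
    # Without sp=, the p= policy also covers subdomains (RFC 7489), so the
    # mistake to catch is an explicit sp= that is weaker than p=.
    sub = tags.get("sp", policy).lower()
    if STRENGTH.get(sub, 0) < STRENGTH[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than p={policy}; use sp={policy}")
    return findings

# Constructed sample records: the weak form beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.example-esp.net +all"
GOOD_SPF = "v=spf1 include:_spf.example-esp.net ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=reject; sp=none"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
```

Running lint_spf and lint_dmarc over the four samples returns two findings for WEAK_DMARC (no rua=, sp=none), one for WEAK_SPF, and none for the corrected records.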
5 Monitoring and Maintenance
Every participating receiving mail server sends aggregate reports (XML files) to the rua= address in your DMARC record. Use a DMARC reporting tool (Dmarcian, Postmark, Valimail) to parse these and visualise which sources are passing and failing authentication. A mature DMARC implementation requires ongoing monitoring, because every new email-sending service the business adopts must be authorised before it starts sending. Aim for more than 99% authenticated volume before moving to p=reject.