Technical Deep Dive

SPF, DKIM, and DMARC: The Triple Threat Against Email Spoofing

By Phishing Inspector Engineering Team | March 5, 2024 | 15 min read

Email was never designed with security in mind. The original SMTP protocol allows anyone to send an email claiming to be anyone else. To fix this "identity crisis," the industry developed three key pillars of authentication: SPF, DKIM, and DMARC.

1. SPF: The Authoritative Guest List

**SPF (Sender Policy Framework)** is a DNS record that lists exactly which servers (IP addresses) are authorized to send email on behalf of your domain.

When an email arrives, the receiving server looks at the "Return-Path" address and checks the DNS records of that domain. If the sender's IP isn't on the list, the email fails the SPF check.

Example SPF record:

```text
v=spf1 ip4:192.168.0.1 include:_spf.google.com ~all
```

In this example, the domain authorizes the IP 192.168.0.1 and any server that Google authorizes (pulled in through the included _spf.google.com record) to send its email. The ~all means "Soft Fail": any other source is not authorized, but the receiver is asked to mark the message as suspicious rather than reject it outright.

2. DKIM: The Digital Wax Seal

While SPF checks the "Who," **DKIM (DomainKeys Identified Mail)** checks the "What." It adds a cryptographic signature to the header of the email.

This signature is tied to your domain through a public key published in DNS. If even a single character in the email body or in a signed header such as Subject is changed while the email is in transit, the signature will no longer verify against that public key, and the check will fail.

Why DKIM is better than SPF:

SPF often fails when an email is "forwarded" (because the forwarder's IP isn't on the original list). DKIM survives forwarding because the signature stays with the message.

3. DMARC: The Enforcement Policy

**DMARC** is the glue that holds everything together. It tells the receiving server what to do if the SPF and DKIM checks fail, and it requires the domain that passed SPF or DKIM to align with the domain in the visible From: header, so a passing check for an unrelated domain does not count. Without DMARC, a server might see an SPF failure but still deliver the email to the inbox anyway.

The DMARC Policy Options:

  • p=none (Monitoring): "Tell me if someone is spoofing me, but let the email through." (Crucial for first-time setups).
  • p=quarantine (Spam): "If it looks like a spoof, put it in the junk folder."
  • p=reject (Nuclear): "If it fails authentication, block it entirely. Never let the user see it." (The gold standard).
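Here is an added Python example (not code from this post or from the Phishing Inspector product) that applies these policy options the way a receiving server would: it parses a constructed DMARC record and a constructed Authentication-Results header, checks whether any SPF or DKIM pass is aligned with the From: domain, and returns the resulting disposition. The organizational-domain helper is a deliberate simplification (last two labels) that assumes no public suffix list, and pct= and sp= are ignored.

```python
import re

# Constructed sample data for demonstration only (not real domains' records).
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com"
AUTH_RESULTS = (
    "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; "
    "dkim=pass header.d=example.com; dkim=fail header.d=evil.test"
)


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DMARC record; alignment defaults to relaxed (RFC 7489)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_auth_results(header: str) -> list:
    """Extract (method, result, domain) triples from an Authentication-Results header."""
    pattern = r"(spf|dkim)=(\w+)\s+(?:smtp\.mailfrom|header\.d)=([\w.-]+)"
    return [(m.group(1), m.group(2), m.group(3)) for m in re.finditer(pattern, header)]


def dmarc_disposition(from_domain: str, dmarc_record: str, auth_header: str) -> str:
    """Return 'pass' if any aligned SPF/DKIM pass exists, otherwise the p= policy."""
    tags = parse_tags(dmarc_record)
    for method, result, domain in parse_auth_results(auth_header):
        mode = tags["aspf"] if method == "spf" else tags["adkim"]
        if result == "pass" and aligned(from_domain, domain, mode):
            return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # SPF is strict-misaligned (subdomain), but the relaxed DKIM pass aligns: "pass"
    print(dmarc_disposition("example.com", DMARC_RECORD, AUTH_RESULTS))
```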

How to Check Your Own Records

You can verify your domain's security posture right now. Most operating systems allow you to check DNS records from the command line:

```shell
# To check SPF
nslookup -type=txt yourdomain.com

# To check DMARC
nslookup -type=txt _dmarc.yourdomain.com
```

Confused by Raw Headers?

Analyzing Authentication-Results headers manually is painful. Paste your email headers into our analyzer, and we'll give you a human-readable report on the SPF, DKIM, and DMARC status instantly.
