Every day, over 300 billion emails are sent worldwide. While most are legitimate, a growing number attempt to impersonate identities or alter messages to deceive recipients.
Fortunately, three protocols exist to protect us from these attacks: SPF, DKIM, and DMARC. They are the invisible guardians of email, silently verifying that each message truly comes from the domain it claims to represent.
The Problem They Solve
Email, in its original design, lacked authentication. Anyone could easily forge the sender’s address.
This opened the door to phishing, spam, and corporate domain spoofing.
SPF, DKIM, and DMARC were created to ensure sender authenticity and protect domain reputation.
SPF: The First Line of Defense
SPF (Sender Policy Framework) specifies which servers are authorized to send emails on behalf of a domain.
- It is configured via a TXT record in the domain’s DNS.
- When a server receives an email, it looks up that record and checks whether the IP address of the server that delivered the message is listed there.
- If it is not, the message may be flagged as suspicious or rejected, depending on how the record ends.
Example SPF record:
This record means that only Google’s mail servers are authorized to send emails from that domain. Any other attempt will be rejected.
Advantages:
- Easy to implement.
- Prevents unauthorized servers from sending fraudulent emails.
Limitations:
- Does not protect the content of the message.
- Can fail in redirection or forwarding scenarios, because the forwarding server’s IP address is not listed in the original domain’s record.
DKIM: The Sender’s Cryptographic Seal
DKIM (DomainKeys Identified Mail) adds a digital signature to the email header.
This signature is generated with the domain’s private key and verified with a public key published in the DNS.
This allows the receiving server to confirm that:
- The message has not been altered during transmission.
- It genuinely originates from the domain that signed it.
Example DKIM record:
Advantages:
- Ensures message integrity.
- Strengthens the authenticity of the domain.
Limitations:
- Does not by itself prevent unsigned fake messages: a forged message that simply carries no signature is not rejected by DKIM alone.
- Depends on proper key and signature management.
DMARC: The Referee That Decides What Happens Next
DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM to define a clear policy for how to handle messages that fail authentication checks.
It also generates activity reports to help detect spoofing attempts.
Example DMARC record:
This means that messages failing verification will be quarantined, and the domain will receive a report with the details.
Advantages:
- Full control over domain authentication.
- Automatic reporting to monitor traffic and detect abuse.
- Improves deliverability and domain trust.
Limitations:
- Requires technical configuration and maintenance.
- DMARC reports can be complex to interpret without proper tools.
How They Work Together
The three protocols function as a layered defense system:
- SPF validates which servers can send emails.
- DKIM ensures the message has not been altered.
- DMARC defines what to do with emails that fail verification.
When properly configured, they dramatically reduce spoofing risks and improve the deliverability of legitimate messages.
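The layered evaluation described above, as an added illustration (not eEvidence’s code): a small Python model that checks an SPF record for a sender IP, parses a DMARC record and applies its alignment and policy tags. The DNS answers, domains and addresses are constructed for the example; a real verifier would do live TXT lookups and use the Public Suffix List for organizational domains.

```python
import ipaddress

# Constructed DNS TXT answers standing in for live lookups (assumed values).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
}

def check_spf(domain, sender_ip, depth=0):
    """Return 'pass', 'fail' or 'none' for sender_ip against the domain's SPF record."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # RFC 7208 lookup limit
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:") and check_spf(term[8:], sender_ip, depth + 1) == "pass":
            return "pass"
        if term in ("-all", "~all"):  # explicit fail / softfail: not a pass either way
            return "fail"
    return "none"

def parse_dmarc(domain):
    """Parse the _dmarc TXT record into a tag dict, or None if absent."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(d):
    # Simplified organizational-domain rule; real code consults the Public Suffix List.
    return ".".join(d.split(".")[-2:])

def aligned(d1, d2, mode):
    # 's' = strict (exact match), 'r' = relaxed (same organizational domain)
    return d1 == d2 if mode == "s" else org_domain(d1) == org_domain(d2)

def dmarc_disposition(from_domain, sender_ip, mailfrom_domain, dkim_result, dkim_domain):
    """Return 'pass', or the domain's policy ('none', 'quarantine', 'reject') on failure."""
    tags = parse_dmarc(from_domain)
    if tags is None:
        return "none"  # no DMARC record: the receiver falls back to its own heuristics
    spf_ok = (check_spf(mailfrom_domain, sender_ip) == "pass"
              and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

The forwarding case from the SPF limitations is visible here: a message relayed from an IP outside the record fails SPF, yet still passes DMARC when its DKIM signature from an aligned domain survives the hop.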
Their Role in Registered Email
In services like eEvidence, authenticity and integrity are essential.
Beyond complying with SPF, DKIM, and DMARC standards, each registered email includes its own technical proof of sending, content, and delivery, digitally signed and timestamped.
This ensures complete traceability, extending far beyond standard email authentication mechanisms.
Frequently Asked Questions (FAQ)
What happens if my domain doesn’t have SPF, DKIM, or DMARC?
Your domain becomes vulnerable to impersonation. Attackers can send fake emails that appear to come from you, damaging your reputation and deliverability.
Is DMARC mandatory?
No, but it’s highly recommended. More and more email providers (like Gmail or Microsoft) require it to ensure message authenticity.
Can I use all three protocols together?
Yes — and that’s the best practice.
Do they affect deliverability?
Absolutely. Properly authenticated domains enjoy better reputation and a lower risk of their emails landing in spam folders.
Conclusion
SPF, DKIM, and DMARC are the three pillars of trust in modern email.
Though invisible to the user, they constantly work to prevent spoofing, protect domains, and ensure secure communication.
Combined with trusted services like registered email from eEvidence, they deliver a level of security and traceability that makes email a reliable tool for professional and legal communication.
Ready to get started?
Contact us to share your business project, or register now to start trying our services today.