For UK SMEs, understanding email security is fundamental to operating in the modern workplace. Email remains the primary business communication channel and a leading vector for cyber attacks, so simply having an email address isn't enough: you need to ensure your domain cannot be abused. Cybercriminals are constantly refining their tactics, with phishing and business email compromise (BEC) schemes becoming increasingly sophisticated and frequently causing significant financial losses and reputational damage for unsuspecting businesses. This evergreen guide walks you through the core concepts of DMARC, DKIM and SPF, the essential trio for robust email authentication: what they are, why they matter for your business, common pitfalls, and practical steps you can implement today. Properly configuring these foundational controls significantly strengthens your IT infrastructure's security, improves email deliverability and supports compliance with UK data protection regulations, safeguarding your brand and your bottom line. Neglecting them leaves your business exposed to phishing attacks, brand impersonation and financial loss.
Sender Policy Framework (SPF): Authorising Your Senders
What DMARC, DKIM and SPF mean in practice comes down to how your business sends email day to day and how it stops its domain being impersonated. Let's start with SPF.
What is SPF?
Sender Policy Framework (SPF) is an email authentication method designed to prevent sender address forgery. In simpler terms, it's a list that tells the world which mail servers are authorised to send email on behalf of your domain. Think of it like a guest list for your domain's email party: only those on the list are allowed in. This helps receiving mail servers verify that an email claiming to be from your domain actually originated from an approved source.
How SPF Works
When a mail server receives a message, it takes the connecting server's IP address and the domain of the "envelope from" address (the MAIL FROM or Return-Path address used during the SMTP transaction, which is not the From header the recipient sees in their mail client) and looks up that domain's SPF record in DNS. Your SPF record is a TXT entry, beginning `v=spf1`, that lists the IP addresses, or mechanisms that resolve to IP addresses, of every mail server permitted to send email for your domain, ending with an `all` mechanism that says what to do with everything else.
For example, if you use Microsoft 365, your SPF record would typically reference Microsoft's sending servers with `include:spf.protection.outlook.com`. If you also use a marketing platform like Mailchimp or a CRM like Salesforce to send email from your domain, their servers need to be covered too, usually via similar `include:` mechanisms documented by each provider. The receiving server resolves these mechanisms and checks whether the connecting IP address matches any of them; the result is `pass`, `fail`, `softfail` or `neutral` depending on the qualifier of the mechanism that matched.
Why SPF is Crucial
- Prevents Spoofing: SPF helps stop spammers and phishers from sending emails that appear to come from your domain, protecting your brand reputation and preventing your customers or suppliers from being deceived. This is particularly important for combating phishing attempts that leverage your brand's credibility.
- Improves Deliverability: Email servers are more likely to accept emails from domains with correctly configured SPF records, reducing the chances of your legitimate emails being marked as spam or rejected. Without SPF, your genuine emails might end up in junk folders, impacting critical business communications.
- First Line of Defence: It's often the first check a receiving email server performs, providing a foundational layer of trust. It's a quick and efficient way for servers to filter out obvious illegitimate senders.
Common SPF Pitfalls
- Too Many Lookups: RFC 7208 allows an SPF record to trigger at most 10 DNS lookups during evaluation. Each `include:`, `a`, `mx`, `ptr` and `exists` mechanism and each `redirect=` modifier counts, including those nested inside the records you include (`ip4:` and `ip6:` entries cost nothing). Exceeding the limit produces a permanent error (`permerror`), which receivers treat as a failed check, often resulting in legitimate email being rejected. This frequently happens when businesses add multiple third-party services without consolidating or optimising their record.
- Missing Legitimate Senders: Forgetting to include a legitimate email sending service (e.g., your HR system, a transactional email platform, or a new marketing tool) in your SPF record can lead to your own emails being flagged as spam or rejected. Always review your SPF record when introducing new email-sending services.
- Incorrect Syntax: A poorly formatted SPF record is ignored or fails outright. Validate it with an online SPF checker to catch common errors such as publishing two `v=spf1` records for the same domain (receivers treat that as a permanent error), unknown mechanisms, or a record longer than 255 characters that has not been split into multiple TXT strings correctly.
- Using `+all` (Pass) or `?all` (Neutral): While `~all` (softfail) and `-all` (fail) are the usual endings, `+all` means "all senders pass" and makes the record useless, since anyone can then send as your domain. `?all` (neutral) is only slightly better: unauthorised senders are treated as neither passing nor failing, which offers little protection. For robust security, use `-all` once you are confident all legitimate senders are covered. Note that DMARC only cares whether SPF returns `pass`, so `~all` and `-all` behave the same under DMARC; the difference matters to receivers that act on SPF alone.
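To make the lookup limit and the `all` qualifiers concrete, here is an added example (not the article's own code, and not a substitute for a full RFC 7208 implementation) of how a receiver walks an SPF record. It follows `include:` and `redirect=`, counts the lookup-costing terms, returns `permerror` past ten, and warns about `+all` / `?all`. All DNS data is an in-memory stand-in; every domain name, IP address and record below is constructed for the example.

```python
"""Added example (not the article's own code): a minimal SPF evaluator.

It walks a v=spf1 record the way a receiver does, follows include: and
redirect=, counts the terms that cost a DNS lookup (RFC 7208 allows ten,
more is a permanent error) and warns about +all / ?all. All DNS data and
domain names here are constructed, in-memory stand-ins for real lookups.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # ip4/ip6 cost nothing
MAX_LOOKUPS = 10

# Constructed DNS tables (hypothetical names, not real providers).
SPF_TXT = {
    "example.co.uk": "v=spf1 mx include:_spf.mailhost.example include:crm.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 include:_spf2.mailhost.example ~all",
    "_spf2.mailhost.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "crm.example": "v=spf1 ip4:192.0.2.10 a:relay.crm.example -all",
    "open.example": "v=spf1 +all",
    # Eleven includes: one more than RFC 7208 permits, so evaluation must fail.
    "toomany.example": "v=spf1 " + " ".join(["include:_spf2.mailhost.example"] * 11) + " -all",
}
A_RECORDS = {"relay.crm.example": ["192.0.2.20"], "mail.example.co.uk": ["192.0.2.1"]}
MX_RECORDS = {"example.co.uk": ["mail.example.co.uk"]}


def _split_term(term):
    """'-include:x' -> ('-', 'include', 'x'); 'mx' -> ('+', 'mx', None)."""
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qual, name.lower(), (arg or None)


def _host_has_ip(host, ip):
    return any(ipaddress.ip_address(a) == ip for a in A_RECORDS.get(host, []))


def check_spf(domain, sender_ip, _state=None):
    """Evaluate sender_ip against domain's SPF record.

    Returns (result, lookups_used, warnings); result is one of the RFC 7208
    outcomes pass/fail/softfail/neutral/none/permerror.
    """
    state = _state if _state is not None else {"lookups": 0, "warnings": []}
    ip = ipaddress.ip_address(sender_ip)
    record = SPF_TXT.get(domain.lower())
    if record is None:
        return "none", state["lookups"], state["warnings"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror", state["lookups"], state["warnings"]

    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]        # applied only if nothing else matches
            continue
        qual, mech, arg = _split_term(term)
        if mech in LOOKUP_MECHS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", state["lookups"], state["warnings"]
        if mech == "all":
            if qual in "+?":
                state["warnings"].append(f"{domain}: '{term}' lets unauthorised senders through")
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub, _, _ = check_spf(arg, sender_ip, state)
            if sub in ("permerror", "none"):        # a broken include breaks the whole record
                return "permerror", state["lookups"], state["warnings"]
            matched = sub == "pass"
        elif mech == "a":
            matched = _host_has_ip(arg or domain, ip)
        elif mech == "mx":
            matched = any(_host_has_ip(h, ip) for h in MX_RECORDS.get(arg or domain, []))
        else:
            matched = False                          # ptr/exists: counted, not resolved here
        if matched:
            return QUALIFIERS[qual], state["lookups"], state["warnings"]

    if redirect:
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            return "permerror", state["lookups"], state["warnings"]
        return check_spf(redirect, sender_ip, state)
    return "neutral", state["lookups"], state["warnings"]


if __name__ == "__main__":
    for dom, ip in [("example.co.uk", "203.0.113.7"), ("example.co.uk", "10.0.0.1"),
                    ("toomany.example", "10.0.0.1"), ("open.example", "10.0.0.1")]:
        print(dom, ip, check_spf(dom, ip))
```

Evaluating with an IP that matches nothing (as `10.0.0.1` does above) walks the whole tree, so the lookup count it returns is the number you should compare against the limit of ten when auditing your own record; an IP that matches early stops the walk and shows a lower count.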
DomainKeys Identified Mail (DKIM): The Digital Signature of Trust
While SPF authenticates the sender's server, DKIM takes email authentication a step further by verifying the integrity of the email itself.
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication method that attaches a cryptographic signature to each message. A receiver that validates the signature knows that the signed headers and body were not altered in transit and that the domain named in the signature (its `d=` tag) takes responsibility for the message. Think of DKIM as a tamper-proof seal and a verifiable signature on your email: the content you send is exactly what the recipient receives, and it verifiably passed through a system holding your domain's signing key.
How DKIM Works
- Key Generation: Your domain (or the service sending on its behalf) generates a cryptographic key pair, typically RSA 2048-bit. The private key stays on the signing mail server and is never published.
- Signing: When a message is sent, the mail server canonicalises a chosen set of headers (listed in the signature's `h=` tag, which must include From) and the body, hashes the body into the `bh=` tag, then signs the canonicalised headers with the private key and places the result in the `b=` tag of a DKIM-Signature header it adds to the message.
- DNS Publication: The public key is published as a TXT record under a "selector" name, e.g. `s1._domainkey.yourdomain.com`. The selector (the `s=` tag) lets you publish several keys at once, one per service or one per rotation cycle, so receivers can find the right one.
- Verification: The receiving server reads the `d=` and `s=` tags from the DKIM-Signature header, fetches the public key from `<selector>._domainkey.<domain>`, recomputes the body hash and compares it with `bh=`, then verifies the `b=` signature over the canonicalised headers with that public key. If both checks succeed, the signed headers and body are unchanged since signing and the signing domain vouches for the message.
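The body-hash step above is what catches tampering, and it can be shown with the standard library alone. The following is an added example, not the article's or any provider's code: it canonicalises the body (relaxed and simple), compares the result with the `bh=` tag, parses the DKIM-Signature tags and derives the DNS name the public key is fetched from. The `b=` signature check itself needs an RSA key and a crypto library (such as the `cryptography` package or `dkimpy`), so the sample message carries a placeholder `b=` value. The message, domain and selector are constructed for the example.

```python
"""Added example (not the article's own code): the body-hash half of a DKIM check.

A receiver canonicalises the body, hashes it and compares the result with
the bh= tag before verifying the b= signature over the headers with the key
fetched from <selector>._domainkey.<domain>. This implements the canonicalisation,
the bh= comparison and the tag parsing; the RSA signature needs a key and a
crypto library and is left as a placeholder. The message below is constructed.
"""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed' body canonicalisation."""
    lines = []
    for line in body.split(b"\r\n"):
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))  # collapse, strip trailing WSP
    while lines and lines[-1] == b"":                               # drop trailing empty lines
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def simple_body(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' canonicalisation: only trailing empty lines are removed."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def get_header(header_block: bytes, name: str):
    """Return the unfolded value of the first header called `name`, or None."""
    unfolded = []
    for line in header_block.decode().split("\r\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()        # continuation (folded) line
        else:
            unfolded.append(line)
    for line in unfolded:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_dkim_signature(value: str) -> dict:
    """'v=1; a=rsa-sha256; d=...; s=...; bh=...; b=...' -> {tag: value}, folding WSP removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_body_hash(raw_message: bytes) -> dict:
    header_block, _, body = raw_message.partition(b"\r\n\r\n")
    sig = get_header(header_block, "DKIM-Signature")
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_signature(sig)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"   # c=relaxed alone: body simple
    return {
        "signed": True,
        "dns_name": f"{tags['s']}._domainkey.{tags['d']}",   # where the public key is published
        "signed_headers": tags["h"].split(":"),
        "bh_ok": body_hash(body, body_canon) == tags["bh"],
    }


def build_sample(body: bytes) -> bytes:
    """Constructed message whose bh= is computed here; b= is a placeholder, not a real signature."""
    bh = body_hash(body, "relaxed").encode()
    return (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.co.uk;\r\n"
        b"\ts=s1; h=from:to:subject:date; bh=" + bh + b";\r\n"
        b"\tb=PLACEHOLDER\r\n"
        b"From: accounts@example.co.uk\r\n"
        b"To: customer@example.com\r\n"
        b"Subject: Invoice\r\n"
        b"Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
        b"\r\n" + body
    )


if __name__ == "__main__":
    msg = build_sample(b"Please find the invoice attached.\r\n")
    print(check_body_hash(msg))
    print(check_body_hash(msg.replace(b"attached", b"at https://evil.example")))
```

Changing a word in the body breaks `bh_ok`, while adding trailing spaces or blank lines does not under relaxed canonicalisation; that tolerance is why most providers sign with `c=relaxed/relaxed`, so minor whitespace rewriting by relays does not invalidate legitimate mail.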
Why DKIM is Crucial
- Ensures Message Integrity: DKIM lets the recipient verify that the signed headers and body have not been tampered with in transit (headers outside the `h=` list are not covered, and content a forwarder adds after the signed body can invalidate the signature rather than pass unnoticed). This is vital for sensitive communications where authenticity is paramount.
- Prevents Email Spoofing: It provides strong proof that the email was sent by an authorised party from your domain, even if the sending server's IP address isn't covered by SPF. This is particularly effective against direct domain spoofing, where an attacker might try to send emails directly from your domain.
- Enhances Deliverability: Like SPF, properly configured DKIM signals to receiving mail servers that your emails are legitimate, further improving their chances of reaching the inbox. Many major email providers (Google, Microsoft, etc.) heavily weigh DKIM in their spam filtering decisions, making it a critical factor for business communication reliability.
Common DKIM Pitfalls
- Incorrect DNS Records: The public key published in DNS must be the public half of the key pair whose private key does the signing. Any discrepancy, even a single character, causes DKIM validation to fail, so copy the provided record exactly. Long keys (2048-bit and up) exceed the 255-character limit of a single TXT string and must be split into multiple quoted strings; DNS hosting panels differ in whether they do this for you, so check the published record with a DKIM lookup tool after saving it.
- Not Enabling on All Senders: Just like SPF, DKIM needs to be enabled and configured for all services that send email on behalf of your domain. Forgetting a service means those emails won't be signed, leading to potential delivery issues and a weaker overall authentication posture.
- Key Rotation Neglect: For enhanced security, DKIM keys should be rotated periodically (e.g., annually or bi-annually). Many businesses set it up once and forget it, which can increase the risk if a key is ever compromised. Plan for regular key rotation as part of your security maintenance.
- Service-Specific Configuration: DKIM configuration varies significantly between email providers (e.g., Microsoft 365, Google Workspace) and third-party services. Understanding each platform's specific requirements and following their setup guides is key to successful implementation.
Domain-based Message Authentication, Reporting & Conformance (DMARC): The Policy Enforcer
DMARC builds upon SPF and DKIM, providing a powerful framework for enforcing email authentication policies and gaining visibility into email sending practices.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a protocol that tells receiving email servers what to do with emails that fail SPF or DKIM checks. Crucially, it also provides reporting back to the domain owner about who is sending email using their domain, whether legitimately or maliciously. Think of DMARC as the referee and reporting mechanism for SPF and DKIM. It takes the information from both and applies a set of rules you define, giving you ultimate control over your domain's email integrity.
How DMARC Works
- Authentication Check: A receiving mail server checks an incoming email against both SPF and DKIM.
- Alignment: DMARC requires "alignment": the domain in the From header (what the user sees in their mail client) must match either the domain SPF authenticated (the envelope or MAIL FROM domain) or the `d=` domain of a valid DKIM signature. By default alignment is "relaxed", meaning the organisational domains must match (so `mail.yourdomain.com` aligns with `yourdomain.com`); "strict" alignment (`aspf=s`, `adkim=s`) requires an exact match. A message passes DMARC if SPF or DKIM passes and is aligned. Many third-party senders use their own domain as the envelope sender for bounce handling, so SPF passes but does not align; those services need to DKIM-sign with your domain for DMARC to pass.
- Policy Application: If a message fails DMARC (neither SPF nor DKIM passes with alignment), the DMARC record published at `_dmarc.yourdomain.com` tells the receiving server what to do. There are three policies:
  - `p=none`: Monitor mode. No action is taken on failing messages, but aggregate reports (`rua`) and, where the receiver supports them, failure reports (`ruf`, now rarely sent because of privacy concerns) go to the addresses the domain owner specifies. This is ideal for initial deployment, letting you understand your email ecosystem without affecting deliverability.
  - `p=quarantine`: Failing messages go to the recipient's spam or junk folder. This is a good intermediate step, protecting recipients without outright blocking potentially legitimate email while you refine your SPF and DKIM configuration.
  - `p=reject`: Failing messages are rejected at SMTP time and never reach the inbox or spam folder. This is the strongest policy and provides the highest level of protection against spoofing and phishing, but should only be set once you are confident all legitimate sending sources authenticate correctly.
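The alignment and policy rules above, and the "technically passes but doesn't align" failure mode, are easiest to see in code. The following is an added example (not the article's code and not a receiver's actual implementation) of the receiver-side DMARC decision: it finds the policy record (the From domain's own, or the organisational domain's with its `sp=` subdomain policy), applies relaxed or strict alignment to the SPF and DKIM results, and returns the disposition. The DMARC records, domains and the tiny stand-in for the Public Suffix List are constructed for the example.

```python
"""Added example (not the article's own code): how a receiver applies DMARC.

Given the From-header domain, the SPF result with its MAIL FROM domain and any
DKIM results with their d= domains, this applies relaxed/strict alignment,
finds the policy (the domain's own _dmarc record, or the organisational
domain's with its sp= subdomain policy) and returns the disposition. The
DMARC records and the tiny public-suffix table are constructed stand-ins.
"""

# Stand-in for the Public Suffix List, which receivers use to find the
# organisational domain; real deployments use the full list.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "com", "example"}

# Constructed DMARC records: adkim=s means DKIM must match the From domain exactly.
DMARC_TXT = {
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                            "rua=mailto:dmarc-reports@example.co.uk",
}


def org_domain(domain: str) -> str:
    """Organisational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organisational domains; strict ('s') needs equality."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_dmarc_record(txt: str) -> dict:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])          # subdomains inherit p= unless sp= is set
    return tags


def lookup_dmarc(from_domain: str):
    """Return (policy, is_subdomain_fallback): exact domain first, then the org domain."""
    rec = DMARC_TXT.get(f"_dmarc.{from_domain.lower()}")
    if rec:
        return parse_dmarc_record(rec), False
    od = org_domain(from_domain)
    rec = DMARC_TXT.get(f"_dmarc.{od}")
    if rec and od != from_domain.lower():
        return parse_dmarc_record(rec), True
    return None, False


def evaluate_dmarc(from_domain, spf_result, mail_from_domain, dkim_results):
    """dkim_results: list of (result, d_domain). Returns the DMARC verdict and disposition."""
    policy, is_sub = lookup_dmarc(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record published"}
    spf_aligned = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_aligned = any(res == "pass" and aligned(from_domain, d, policy["adkim"])
                       for res, d in dkim_results)
    passed = spf_aligned or dkim_aligned
    requested = policy["sp"] if is_sub else policy["p"]
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "policy": requested,
        # Receivers apply the requested action to pct= percent of failing mail.
        "disposition": "none" if passed else requested,
        "pct": int(policy["pct"]),
    }


if __name__ == "__main__":
    # CRM sends with its own bounce domain (SPF passes but is unaligned) and signs with ours.
    print(evaluate_dmarc("example.co.uk", "pass", "bounces.crm.example", [("pass", "example.co.uk")]))
    # Same CRM, but signing with its own domain: nothing aligns, so p=reject applies.
    print(evaluate_dmarc("example.co.uk", "pass", "bounces.crm.example", [("pass", "crm.example")]))
```

The two calls at the bottom are the same third-party service, differing only in which domain it DKIM-signs with; that single setting is the difference between DMARC pass and rejection, which is why the DKIM step for every sender matters more than the SPF `include:`.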
Why DMARC is Crucial
- Centralised Policy Enforcement: DMARC unifies SPF and DKIM, providing a definitive policy for how receiving servers should handle emails that don't pass authentication. This eliminates ambiguity and strengthens your domain's security posture.
- Visibility into Email Ecosystem: The reporting feature of DMARC is invaluable. Receivers send aggregate reports (typically once a day) summarising every message that claimed your domain in its From header, legitimate or not, with the source IP, message count and SPF/DKIM results. This lets you identify unauthorised senders, misconfigurations and brand abuse, albeit with roughly a day's delay rather than in real time.
- Prevents Brand Impersonation and Phishing: By enforcing a `p=reject` policy, you can effectively stop attackers from sending emails that appear to come from your exact domain. This directly protects your customers, suppliers and employees from phishing, spoofing and Business Email Compromise (BEC) attacks that use your domain, safeguarding your brand reputation and preventing financial losses. Note that DMARC does not stop lookalike domains or display-name spoofing (a free-mail address showing your director's name); those need other controls such as user awareness and inbound filtering.
- Compliance and Trust: Implementing DMARC demonstrates a commitment to email security, which is increasingly important for regulatory compliance (e.g., GDPR in the UK, by reducing the risk of data breaches via email fraud) and for building trust with your business partners.
Common DMARC Pitfalls
- Skipping `p=none`: Rushing directly to `p=quarantine` or `p=reject` without first monitoring in `p=none` mode is a common mistake. This can result in legitimate emails being quarantined or rejected, disrupting business operations. Always start with `p=none` for several weeks to gather data.
- Ignoring DMARC Reports: The reports are the most powerful feature of DMARC. Many businesses set up DMARC but fail to regularly analyse the aggregate (RUA) reports. These reports provide critical insights into all email traffic using your domain. Utilising a DMARC reporting service can help simplify the analysis.
- Incorrect Alignment: DMARC requires SPF and/or DKIM to align with the "From" header domain. Misunderstanding or misconfiguring this alignment is a frequent issue, leading to legitimate emails failing DMARC even if SPF or DKIM technically pass.
- Lack of Iteration: DMARC deployment is not a "set it and forget it" task. It requires an iterative process of monitoring, adjusting SPF and DKIM records, and gradually moving from `p=none` to `p=quarantine` and eventually `p=reject`. Many businesses get stuck in `p=none` indefinitely.
Why This Trio is Non-Negotiable for UK SMEs
For UK SMEs, the combined power of DMARC, DKIM, and SPF is not just a 'nice to have'; it's a fundamental requirement for modern cyber security and operational integrity.
Protecting Your Brand and Customers
In the UK, consumer trust is paramount. A single successful phishing attack impersonating your business can severely damage your reputation, leading to customer churn, loss of goodwill, and potentially legal ramifications. DMARC, DKIM, and SPF work together to prevent bad actors from using your domain to send fraudulent emails, ensuring that your customers and partners can trust the emails they receive from you. This proactive defence safeguards your brand's integrity and prevents the erosion of trust that cyber incidents inevitably cause.
Meeting Regulatory and Compliance Demands (GDPR, ICO, Cyber Essentials)
UK businesses operate under stringent data protection regulations.
- GDPR (General Data Protection Regulation): While not directly mandating DMARC, GDPR requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Email fraud, often facilitated by a lack of DMARC, DKIM, and SPF, can lead to data breaches. By implementing these protocols, you significantly reduce the risk of such breaches, helping you demonstrate compliance with GDPR's security principles and potentially avoiding hefty fines from the Information Commissioner's Office (ICO).
- ICO (Information Commissioner's Office): The ICO, as the UK's independent authority for data protection, expects organisations to take reasonable steps to protect data. A robust email authentication setup is a clear demonstration of such steps.
- Cyber Essentials: For many UK government contracts and increasingly for private sector partnerships, Cyber Essentials certification is a prerequisite. While not explicitly listed as a control, strong email authentication is a foundational element of secure IT infrastructure, contributing to the overall security posture assessed by Cyber Essentials. It helps meet requirements related to protecting against malware and phishing attacks.
Improving Business Continuity and Deliverability
Beyond security, these protocols directly impact your day-to-day operations. Emails are the lifeblood of most SMEs. If your legitimate emails are constantly being flagged as spam or rejected due to poor authentication, it can severely disrupt communications with clients, suppliers, and internal teams. Implementing DMARC, DKIM, and SPF ensures your emails reach their intended recipients reliably, maintaining smooth business operations and preventing missed opportunities or critical delays.
Implementing DMARC, DKIM, and SPF: A Step-by-Step Approach
Deploying these protocols effectively requires a methodical approach. Rushing the process can lead to legitimate emails being blocked.
1. Start with SPF
- Audit Your Senders: Identify every service that sends email on behalf of your domain. This includes your primary email provider (e.g., Microsoft 365, Google Workspace), marketing platforms (Mailchimp, HubSpot), CRM systems (Salesforce), HR platforms, transactional email services, and even internal applications. Don't forget any legacy systems.
- Create Your SPF Record: Consult the documentation for each identified sender to get their required SPF entries. Consolidate these into a single TXT record in your domain's DNS. Remember the 10-lookup limit and aim for a `-all` mechanism once confident.
- Validate: Use online SPF validation tools to check for syntax errors and the 10-lookup limit.
2. Implement DKIM for All Senders
- Generate Keys: For each email sending service, follow their instructions to generate DKIM keys. This typically involves them providing you with a CNAME or TXT record to publish in your DNS.
- Publish DNS Records: Add the provided DKIM records to your domain's DNS. Each service will usually require its own unique DKIM record (identified by a selector).
- Enable Signing: Ensure that DKIM signing is enabled within each sending service's configuration.
- Verify: Use online DKIM validation tools to confirm that your DKIM records are correctly published and that emails sent from each service are being signed correctly.
3. Deploy DMARC in Monitor Mode (p=none)
- Create Your DMARC Record: Publish a DMARC TXT record in your DNS at `_dmarc.yourdomain.com`. Start with a `p=none` policy and specify a mailbox to receive aggregate reports (`rua`).
- Example: `v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1;`
  The `fo=1` tag only affects when failure (`ruf`) reports are generated, so it does nothing unless a `ruf=` address is also published; it is harmless to leave in. If the `rua` mailbox is on a different domain from the one publishing the policy, that domain must publish a `yourdomain.com._report._dmarc.<reporting-domain>` TXT record containing `v=DMARC1` to authorise receiving your reports, or receivers will not send them.
- Monitor Reports: For at least 2-4 weeks (or longer for complex environments), diligently review the DMARC aggregate reports. These reports will show you:
- Which IP addresses are sending emails from your domain.
- Whether SPF and DKIM are passing for these emails.
- Whether SPF and DKIM are aligning with your "From" header.
- Any unauthorised senders attempting to spoof your domain.
- Identify and Rectify: Based on the reports, identify any legitimate senders that are failing SPF or DKIM authentication/alignment. Adjust your SPF and DKIM records as necessary until all legitimate traffic shows DMARC passing.
4. Progress to Enforcement (p=quarantine then p=reject)
- Move to `p=quarantine`: Once you are confident that all legitimate emails are passing DMARC with alignment, update your DMARC record to `p=quarantine`. Continue monitoring reports closely for any unexpected issues. This step allows you to catch any remaining misconfigurations while still protecting recipients by moving suspicious emails to spam. You can also add `pct=` (e.g. `pct=25`) so the policy applies to only a sample of failing mail at first, raising it as confidence grows.
- Move to `p=reject`: After a period of successful operation at `p=quarantine` (typically another 2-4 weeks), you can confidently update your DMARC record to `p=reject`. This is the strongest protection, ensuring that any email failing DMARC is completely blocked. Continue monitoring reports to ensure ongoing security. Remember that `p=` also applies to subdomains unless you set `sp=`, so make sure any subdomains that send mail are authenticated as well.
Monitoring and Maintenance: Staying Secure
Implementing DMARC, DKIM, and SPF is not a one-time task. It requires ongoing vigilance and maintenance to remain effective against evolving threats and changes in your IT environment.
Regular DMARC Report Analysis
As mentioned, DMARC reports are your eyes and ears. Regularly review the aggregate reports to:
- Spot New Senders: Identify any new email sending services that might have been introduced to your organisation without proper SPF/DKIM configuration.
- Detect Spoofing Attempts: See if malicious actors are still attempting to send emails from your domain and confirm that your DMARC policy is effectively rejecting them.
- Monitor Alignment: Ensure that your legitimate email streams continue to pass DMARC alignment checks.
Consider using a third-party DMARC reporting service. These services parse the often-complex XML reports into user-friendly dashboards, making analysis much simpler and more actionable for UK SMEs without dedicated security teams.
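Whether you read reports yourself or through a service, the questions are the ones listed in the monitoring step above and in the maintenance checklist here: which IPs send as your domain, do they pass, do they align, and who is spoofing. The following is an added example (not the article's code, and not any reporting service's) that parses one aggregate report in the RFC 7489 XML format and sorts each source IP into "passes DMARC", "authenticated but not aligned" (usually one of your own services still signing with its own domain) or "unauthenticated" (likely spoofing or a forgotten sender). The report is constructed, using documentation IP ranges and hypothetical domains.

```python
"""Added example (not the article's own code): reading a DMARC aggregate report.

Aggregate (rua) reports arrive as XML in the RFC 7489 format. This parses
one, then sorts each source IP into three buckets: passing DMARC; authenticated
but not aligned (usually one of your own services that needs DKIM set up under
your domain); and unauthenticated (likely spoofing). The report below is
constructed; the IPs and domains are documentation addresses, not real senders.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>2024010100001</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.co.uk</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><dkim><domain>example.co.uk</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.co.uk</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><dkim><domain>crm.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounces.crm.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.200</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>example.co.uk</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

SEVERITY = {"dmarc_pass": 0, "misaligned": 1, "unauthenticated": 2}


def parse_aggregate_report(xml_text: str):
    """Return (metadata, rows); each row is one <record> with aligned and raw results."""
    root = ET.fromstring(xml_text)
    meta = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = []
    for rec in root.findall("record"):
        row, evaluated = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the DMARC-level (aligned) verdicts...
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # ...while auth_results holds the raw SPF/DKIM results per domain.
            "raw_results": [(a.tag, a.findtext("domain"), a.findtext("result"))
                            for a in rec.find("auth_results")],
        })
    return meta, rows


def classify(row: dict) -> str:
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "dmarc_pass"
    if any(result == "pass" for _, _, result in row["raw_results"]):
        return "misaligned"          # passes under another domain: fix alignment, don't block
    return "unauthenticated"         # nothing passes: spoofing or a forgotten sender


def summarise(rows):
    """Per source IP: message total, the worst classification seen and the domains involved."""
    summary = {}
    for row in rows:
        cls = classify(row)
        entry = summary.setdefault(row["source_ip"], {"messages": 0, "class": cls, "domains": set()})
        entry["messages"] += row["count"]
        if SEVERITY[cls] > SEVERITY[entry["class"]]:
            entry["class"] = cls
        entry["domains"].update(d for _, d, _ in row["raw_results"] if d)
    return summary


def ready_for_enforcement(rows) -> bool:
    """Heuristic: no authenticated-but-misaligned traffic (i.e. your own senders) remains."""
    return not any(classify(r) == "misaligned" for r in rows)


if __name__ == "__main__":
    meta, rows = parse_aggregate_report(SAMPLE_REPORT)
    print(meta)
    for ip, info in summarise(rows).items():
        print(ip, info["messages"], info["class"], sorted(info["domains"]))
    print("ready for p=quarantine:", ready_for_enforcement(rows))
```

In the sample, `192.0.2.10` is the case to act on before tightening policy: SPF and DKIM both pass, but under `crm.example`, so it fails DMARC and would be quarantined or rejected once you move off `p=none`. The `203.0.113.200` rows are what `p=reject` exists for. Real reports arrive as zipped or gzipped attachments from many receivers per day, so the loop above runs over every file rather than one string.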
Periodic Key Rotation
For DKIM, it's a best practice to rotate your cryptographic keys periodically (e.g., annually). This reduces the risk of a compromised key being exploited over a long period. Most email service providers offer a mechanism to generate new DKIM keys, usually under a new selector. When rotating, publish the new public key in DNS before switching signing to it, and keep the old selector's public key published for a few days afterwards so that messages still in transit verify; only then remove the old record.
Adapting to Changes in Your IT Environment
Your email sending infrastructure is not static.
- New Services: Whenever you onboard a new marketing platform, CRM, HR system, or any other application that sends emails from your domain, immediately update your SPF and DKIM records.
- Decommissioned Services: When you stop using a service, remove its SPF `include` and DKIM records from your DNS to keep your records clean and efficient.
- IP Address Changes: If your internal mail servers' IP addresses change, ensure your SPF record is updated accordingly.
Proactive management of these records is crucial to prevent legitimate emails from being blocked and to maintain the integrity of your email authentication.
Key Takeaways
- SPF (Sender Policy Framework): Authorises which servers can send email on behalf of your domain, preventing basic spoofing and improving deliverability. Treat it like a guest list for your domain's email.
- DKIM (DomainKeys Identified Mail): Provides a digital signature for your emails, verifying message integrity and sender authenticity, protecting against tampering and direct domain spoofing. It's your tamper-proof seal.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Unifies SPF and DKIM, enforcing policies (monitor, quarantine, reject) on emails that fail authentication and providing invaluable reports on email activity from your domain. It's the referee and reporter.
- Non-Negotiable for UK SMEs: This trio is essential for protecting your brand, preventing financial losses from phishing and BEC attacks, improving email deliverability, and demonstrating compliance with UK regulations like GDPR and Cyber Essentials.
- Phased Implementation is Key: Always start with DMARC in `p=none` (monitor) mode, meticulously analyse reports, and gradually move to `p=quarantine` and then `p=reject` to avoid blocking legitimate emails.
- Ongoing Maintenance: Email authentication is not a one-time setup. Regular monitoring of DMARC reports, periodic DKIM key rotation, and updating records for new or decommissioned services are critical for sustained security.
To take the next step