Email is the primary attack vector for modern business. One of the most common attacks is spoofing: a hacker sends an email to your accountant that appears to come from CEO@yourcompany.com.
How do they do this? The basic protocol of email (SMTP) was built in the 1980s with zero security, so anyone can write any "From" address they want.
To fix this, we use three DNS-based protocols. If your domain is not configured with these, you are vulnerable.
1. SPF (Sender Policy Framework)
"The Guard List"
SPF is a text record in your DNS that lists exactly which IP addresses are allowed to send email for your domain.
- Record: v=spf1 include:spf.protection.outlook.com ip4:203.0.113.5 -all
- Translation: "Only accept mail from Microsoft 365 and our Marketing Server IP. Reject everything else."
2. DKIM (DomainKeys Identified Mail)
"The Digital Seal"
DKIM attaches a cryptographic signature to every email you send.
- When your server sends an email, it signs it with a private key.
- The receiver's server uses your public DNS key to verify the signature.
- If the email was altered in transit (e.g., a hacker changed the bank account number), the seal breaks, and the email is rejected.
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
"The Policy Enforcer"
SPF and DKIM are just signals. DMARC tells the receiving server what to do if those signals fail.
- Policy p=none: "Tell me about it, but let the email through." (Monitoring Mode)
- Policy p=quarantine: "Put it in Spam."
- Policy p=reject: "Delete it immediately. Do not deliver." (Goal State)
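The SPF record and DMARC policies above can be checked before they are published. The following Python is an added example, not code from the original article; the function names and finding messages are assumptions, and it audits a record string offline without resolving nested includes.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS lookup each
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9._-]*)(?:([:=/])(.*))?$")
WEAK_DMARC = {"none": "p=none only monitors; failing mail is still delivered",
              "quarantine": "p=quarantine sends failing mail to spam, not yet reject"}

def audit_spf(record):
    """Findings for one SPF TXT string; nested includes are not resolved."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        m = TERM.match(term.lower())
        qualifier, name, sep, value = m.groups() if m else ("", "", None, None)
        lookups += name in DNS_TERMS
        if sep == "=":
            continue  # modifier such as redirect=; receivers ignore unknown ones
        if name not in MECHANISMS:
            findings.append(f"unknown mechanism, receivers return permerror: {term}")
        elif name in ("ip4", "ip6"):
            try:  # the address must parse and match the mechanism's IP version
                if ipaddress.ip_network(value or "", strict=False).version != int(name[2]):
                    raise ValueError(term)
            except ValueError:
                findings.append(f"bad address: {term}")
        elif name == "all":
            all_qualifier = qualifier or "+"
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms in this record; the SPF limit is 10")
    if all_qualifier != "-":
        findings.append("no -all: mail from unlisted senders is not hard-failed")
    return findings

def audit_dmarc(record):
    """Findings for one DMARC TXT string (the record at _dmarc.<domain>)."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record must start with v=DMARC1"]
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    policy = tags.get("p", "").strip().lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"missing or invalid p= tag: {policy!r}"]
    return [WEAK_DMARC[policy]] if policy in WEAK_DMARC else []

if __name__ == "__main__":
    print(audit_spf("v=spf1 include:spf.protection.outlook.com ip4:203.0.113.5 -all"))  # record shown above
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))  # constructed sample
```

An empty list means the record passed these checks; a mistyped mechanism name or IP address is reported before it reaches DNS.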
The Business Impact
Without these protocols:
- Vulnerability: Hackers can easily impersonate you.
- Deliverability: Google and Yahoo now require SPF/DKIM for bulk senders. If you don't have them, your legitimate newsletters will go to spam.
Configuring these records requires precision. A typo in your SPF record can take down your entire company's email. Let ACE IT Solutions audit and harden your email security.