Cyber Deception Cyber Security Email Security

Demystifying the powerful SPF, DKIM and DMARC technologies

The topic of this post is the SPF, DKIM and DMARC authentication mechanisms and how we can utilise them to build a healthier mail exchange ecosystem.

Contrary to popular belief, the role of SPF, DKIM and DMARC is not to protect a mail system against threats. That means they don’t work as an email security tool would, nor they act as some anti-malware and so on.

Instead, they act as protection mechanisms for mail exchange worldwide,

But let’s start by explaining what SPF, DKIM, and DMARC are.

What they are and how to use them

SPF (Sender Policy Framework)

SPF is an email authentication standard that helps counter spam, spoofing and phishing attempts.

SPF works by publishing a list of authorised mail servers for a domain in its DNS records. When an email is received, the receiving server checks the SPF record of the sending domain to ensure that the email originated from an authorised mail server.

The record is added as a TXT entry to a domain’s public DNS zone and is the most popular among all three.

DKIM (DomainKeys Identified Mail)

DKIM is another email authentication protocol designed to detect forgery or alterations for emails in transit.

The method allows the mail recipient to check that it was indeed sent and authorised by the sending domain, not someone impersonating the sender.

It does that by adding a digital signature to the header of an email message. This signature is generated using a private key that is associated with the sending domain.

When an email is received, the receiving server uses the public key published in the DNS records of the sending domain to verify the digital signature. If the signature is valid, the email is considered authentic and can be delivered to the recipient.

DMARC (Domain-based Message Authentication Reporting and Conformance)

DMARC is a policy framework that allows domain owners to specify how their emails should be handled when they fail SPF and/or DKIM checks.

DMARC works by publishing a policy in the DNS records of a domain that specifies how the receiving server should handle emails that fail SPF and DKIM checks.

The policy can instruct the receiving server to either quarantine the email, reject the email, or allow the email to be delivered as usual.

DMARC also provides reporting capabilities that allow domain owners to receive feedback about how email receivers are handling their emails.

An analyst is focused working her way analysing an email exchange

Analysing an email

One of my favourite ways to get deep down when analysing a message is using Message Header Analyser.

The tool is available online, and there is also a direct link to it from within Microsoft 365 Defender in the email & collaboration tab.

It allows for a complete breakdown of the authentication methods used during the exchange and contains many details and a result for each in the form of pass/fail.

It also performs checks such as Spam Confidence Level, Spam Filtering Verdict and IP Filter Verdict. Those checks are linked to Microsoft’s documentation so we can check and compare the present values.

I am also fond of using VirusTotal to analyse suspicious files, domains, IPs and URLs; thus, I highly recommend it when you find yourself checking a message’s whereabouts.


SPF, DKIM and DMARC comprise a set of email authentication methods to provide the means to check the authenticity of a mail exchange communication.

Together, these three technologies provide a robust set of tools for email authentication and can help prevent email spoofing, phishing, and other types of email-based attacks.

By implementing SPF, DKIM, and DMARC, domain owners can improve the deliverability of their emails and reduce the risk of their domains being used for malicious purposes.