Security+ Academy · Lesson

Email Authentication: SPF, DKIM, and DMARC

Implement and validate Sender Policy Framework, DomainKeys Identified Mail, and DMARC policies that prevent domain spoofing and phishing.

The Email Spoofing Problem

The core SMTP protocol (designed in the 1970s) has no built-in sender authentication. Any mail server can claim to send email from any domain — a technique called email spoofing. Attackers exploit this to send phishing emails that appear to come from legitimate organizations (your bank, your CEO, a known vendor). Three DNS-based email authentication standards were developed to address this: SPF, DKIM, and DMARC. Each addresses a different aspect of the spoofing problem, and they work best when deployed together.

Sender Policy Framework (SPF)

SPF is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of a domain. When a receiving mail server gets a message claiming to be from example.com, it looks up the SPF record for example.com and verifies that the sending server's IP address is listed. If the IP is not authorized, the message can be marked as spam or rejected. SPF checks the envelope From address (the SMTP MAIL FROM command), not the display From header visible to users.

# SPF DNS TXT record for example.com
# Authorize Google Workspace + SendGrid + company IP
example.com.  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all"

# Mechanism meanings:
# include:  authorize another domain's SPF record
# ip4:      authorize specific IPv4 address/range
# ip6:      authorize specific IPv6 address
# -all      FAIL (reject) mail from non-listed sources
# ~all      SOFTFAIL (accept but mark as spam)
# ?all      NEUTRAL (no policy stated)
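
The receiver-side check described above, as an added example (not part of the original lesson): it evaluates a sending IP against the lesson's example.com record, using the envelope MAIL FROM domain. The TXT table stands in for DNS, the contents of the two include targets are constructed documentation ranges, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed offline stand-in for DNS TXT lookups. The example.com record is the
# one from this lesson; the two include targets hold made-up documentation ranges.
TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "sendgrid.net": "v=spf1 ip6:2001:db8:25::/48 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


def check_spf(ip, domain, _count=None):
    """Evaluate ip against the SPF record of the MAIL FROM domain (subset of RFC 7208)."""
    count = _count if _count is not None else [0]
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            count[0] += 1
            if count[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, value, count)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only a pass inside the include counts as a match
        else:
            return "permerror"  # terms outside this example's subset (a, mx, redirect, ...)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term
```

An include only matches when the included record returns pass, so the ~all inside the constructed _spf.google.com record never turns into a softfail for example.com; the outer -all decides the result for unlisted senders.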
