Last updated Nov 21, 2024

SPF and DKIM don't stop spoofing: why you need DMARC

Key points
  • DMARC is a mechanism that lets organizations enforce that their emails are delivered to recipients only if they’re properly authenticated and actually come from their domain.
  • A common misconception is that SPF and DKIM are enough to prevent spoofing attacks, but they’re not.
  • DMARC ensures that the SPF and DKIM identifiers are aligned with your domain, thus preventing attacks. DMARC also lets you define a policy to apply on failure and supports the generation of reports.

There’s a fact that most people don’t fully realize, and it’s that electronic mail is unauthenticated by design: anyone can spin up an SMTP server (the software that is responsible for sending emails behind the scenes) and send emails from any domain.

In fact, in SMTP there’s no built-in mechanism to verify the identity of who’s sending an email, so anyone can send a message pretending to be someone else. This can be prevented by setting up email authentication (SPF and DKIM) and, most importantly, DMARC.

In short, DMARC is a mechanism that lets organizations express that they want their emails delivered to recipients only if the messages are properly authenticated and actually come from their domain name, fixing some SPF and DKIM shortcomings.

Let’s dive into this topic in more detail.

It all starts with SPF and DKIM

When you configure email sending on a custom domain, one of the first things you’ll do is to set up SPF and DKIM, which are the two authentication mechanisms on which DMARC relies.

Both of these are relatively recent (SPF as we currently know it was formalized in 2014, DKIM in 2011) but are essential to achieve DMARC compliance.

In summary, this is what SPF and DKIM do:

  • SPF checks whether the sending domain explicitly authorizes the sending SMTP server to send email for that domain. If it doesn’t, it means that someone is using an unauthorized SMTP server to spoof the domain.
  • DKIM provides a mechanism to digitally sign and verify the contents of an email message. It ensures that the integrity of a message is preserved (i.e. it wasn’t modified while being transmitted through the network) but also serves as an authentication mechanism: if a DKIM signature, which is tied to a domain, is valid, we know that only the domain owner could have created that signature (unless the private signing key was compromised).

A common misconception is that SPF and DKIM are enough to prevent spoofing: after all, if you ensure that the sending server is authorized to send from your domain, and in addition to that you also have a valid cryptographic signature that only the domain owner can generate, you have just proven that an email message is legitimate.

Unfortunately there’s a catch: SPF and DKIM alone do not prevent spoofing, unless DMARC is also configured.

SPF and DKIM aren’t enough

The reason why SPF and DKIM alone do nothing to prevent spoofing is that when we reason about spoofing we think about the From address (the From header of the message), while SPF and DKIM use different identifiers.

The From address is the one that you see in your email inbox, the address that we commonly refer to as the email sender.

SPF and DKIM do not look at the From address, at all! Here’s what they do instead:

  • SPF is a mechanism that works at the SMTP level, since its purpose is to validate whether a mail server is authorized. Therefore, it runs its checks not on the From address but on another address that is often called Envelope From (also known as MAIL FROM or Return-Path). This address is found outside the actual email message: it is exchanged between SMTP servers in the MAIL FROM command of the delivery transaction.
    • It’s trivial for an attacker to use a valid Envelope From they control, while spoofing the From address, and SPF wouldn’t catch that!
  • DKIM signatures have a similar issue: they are tied to a domain (the d= tag of the signature), but the signature domain has nothing to do with the From domain. It can really be anything.
    • It’s trivial for an attacker to generate a valid DKIM signature for a domain they control, but this would do nothing to prove that the From address is valid.

You might have grasped where we’re going: if we ensure that all these identifiers are aligned to the From address, we can solve this issue and easily detect if an email is spoofed. That is indeed DMARC’s core.

What DMARC does

DMARC is the acronym for Domain-based Message Authentication, Reporting, and Conformance and was formalized in 2015.

It mainly does three things:

  • DMARC provides an algorithm to verify alignment of authentication mechanisms. In practice:
    • If SPF checks pass, it verifies that the Envelope From domain is aligned with the From domain (with a level of strictness that you can decide).
    • For valid DKIM signatures, it checks that the DKIM signature domain is aligned with the From domain (you can apply different levels of strictness here too).
    • If at least one of these two alignment checks passes, DMARC says OK. Otherwise it fails and we say that the message is not DMARC compliant (or not DMARC aligned).
    • Be careful you get this right (there’s lots of incorrect information on the web): you can get a successful DMARC result by achieving either SPF alignment or DKIM alignment. You can have both, but you don’t need both. This is an essential property that prevents “incorrect” failures when an email is forwarded by a server.
  • DMARC defines a DNS record format that can be used to specify the level of alignment strictness and the action that should be taken when DMARC alignment fails, i.e. the DMARC policy.
    • The DMARC policy can be none (do nothing, accept the email message), quarantine (move the email to spam) or reject (refuse to deliver the email message). In practice, each email provider interprets the policy in its own way so you shouldn’t take this literally.
  • DMARC also provides a way to get visibility into DMARC checks and the actions taken by mail servers. This is where DMARC reporting comes into play: in the DMARC DNS record you can specify an inbox address (the rua tag) that will periodically receive aggregate XML reports from mail servers.
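To make the alignment rules concrete, here is an added example (written for this post, not DMARCwise’s or any validator’s code) that evaluates a message against a DMARC record. It reproduces the spoofing scenario from the previous section (attacker-controlled Envelope From and DKIM domain, both passing their own checks) and the forwarding case above, and it assumes SPF and DKIM results are already computed and approximates the organizational domain as the last two labels instead of consulting the Public Suffix List.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    # Assumption: last two labels; real validators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') the same org domain."""
    a, b = identifier_domain.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(record: dict, from_domain: str, spf_pass: bool,
                 mail_from_domain: str, dkim_pass_domains: list) -> str:
    """'pass' if SPF *or* DKIM is both valid and aligned with the From domain."""
    spf_aligned = spf_pass and aligned(mail_from_domain, from_domain,
                                       record.get("aspf", "r"))
    dkim_aligned = any(aligned(d, from_domain, record.get("adkim", "r"))
                       for d in dkim_pass_domains)
    return "pass" if (spf_aligned or dkim_aligned) else "fail"

def policy_action(record: dict, result: str) -> str:
    """Map a failing result to the record's p= policy; passing mail is accepted."""
    return "accept" if result == "pass" else record.get("p", "none")

# Constructed sample record for example.com (strict DKIM, relaxed SPF).
RECORD = parse_dmarc_record(
    "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")

# Legitimate mail: SPF passes for bounce.example.com, which is relaxed-aligned.
LEGIT = dmarc_result(RECORD, "example.com", True, "bounce.example.com", [])

# Spoof attempt: the attacker's own Envelope From and DKIM domain both pass
# their own checks, but neither aligns with the From domain, so DMARC fails.
SPOOF = dmarc_result(RECORD, "example.com", True, "attacker.invalid",
                     ["attacker.invalid"])

# Forwarded mail: SPF breaks (forwarder's Envelope From) but the original
# DKIM signature for example.com survives, so DMARC still passes.
FORWARDED = dmarc_result(RECORD, "example.com", False, "fwd.example.net",
                         ["example.com"])

print(f"legit={LEGIT} spoof={SPOOF} forwarded={FORWARDED}")
```

Changing adkim=s to adkim=r in the constructed record is a quick way to see how relaxed DKIM alignment would also accept a signature from a subdomain such as mail.example.com.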

Why you need DMARC

Overall, there are a few reasons why you would want to set up DMARC:

  • Prevent email spoofing, i.e. unauthorized people sending emails from your domain. This is especially important to ensure that your users aren’t tricked into phishing campaigns. It also helps preserve the email sending reputation of your domain and avoid ending up in the spam folder.
  • Comply with email providers’ requirements: in 2024, Google and Yahoo started requiring DMARC on incoming mail from high-volume senders. If you send emails to Gmail addresses, you may be affected by this. Even if you aren’t, this is likely just Google’s and Yahoo’s first step on a path toward enforcing DMARC checks on all incoming email, and organizations must prepare in advance.

How to achieve DMARC compliance

Setting up DMARC is something that needs to be done carefully, to avoid causing rejections on destination email servers.

The typical way to do it is to start with DMARC in monitoring mode (a policy of none), using DMARC reports to check whether your legitimate emails are getting through, before enforcing it.

One way to simplify DMARC compliance is by using DMARCwise, a DMARC monitoring and analysis tool. You can start for free here, or you can read our Guide to DMARC compliance to learn more.

