Email Authentication 101
A comprehensive overview of email authentication: SPF, DKIM, DMARC, and how they work together to protect your domain.
The Problem: Email Spoofing
The Simple Mail Transfer Protocol (SMTP) was designed in the early 1980s, long before security was a primary concern. By default, SMTP does not verify the identity of the sender. Any mail server can claim to send email from any domain — there is nothing in the base protocol to prevent it.
This means an attacker can craft a message with a From: header that reads ceo@yourcompany.com and deliver it to anyone. The recipient's mail client will display it as though it genuinely came from your CEO. This technique, known as email spoofing, is the backbone of phishing, business email compromise (BEC), and brand impersonation attacks.
Email authentication protocols were developed to close this gap. There are three, and they work as layers that build on each other.
The Three Pillars of Email Authentication
1. SPF (Sender Policy Framework)
SPF allows a domain owner to declare which mail servers are authorised to send email on behalf of their domain. This declaration is published as a DNS TXT record on the domain.
When a receiving server gets an email, it checks the envelope sender (the Return-Path address used during the SMTP transaction) and looks up the SPF record for that domain. If the sending server's IP address is listed in the SPF record, SPF passes. If not, it fails.
A simple SPF record looks like this:
v=spf1 include:_spf.google.com ip4:203.0.113.5 -all
SPF is effective but has a limitation: it validates the envelope sender, not the From: header that the user sees. An attacker can use their own domain in the envelope while spoofing yours in the visible header.
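To make the SPF check concrete, here is an added example (not code from the original page) that evaluates an SPF record for the envelope-sender domain against a connecting IP. It handles the ip4, ip6, include and all mechanisms with their qualifiers; the DNS lookups are replaced by a constructed in-memory table, and the record shown for _spf.google.com is made up for the demo.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: real code queries DNS).
# The _spf.google.com record below is invented for this example.
FAKE_DNS = {
    "yourcompany.com": "v=spf1 include:_spf.google.com ip4:203.0.113.5 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_DNS.get, depth=0):
    """Evaluate the SPF record of the envelope-sender domain for sender_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A bare address without a prefix is treated as a /32 or /128.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the referenced record yields "pass".
            matched = check_spf(arg, sender_ip, lookup, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # a, mx, exists, ptr need live DNS; skipped in this demo
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" mechanism present
```

Note that a message passing this check has only proven that the envelope sender's domain authorised the IP; nothing here looks at the visible From: header.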
2. DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each outgoing email. The sending server signs parts of the message (typically the headers and body) with a private key, and the corresponding public key is published in a DNS TXT record. The receiving server retrieves the public key, verifies the signature, and confirms that the message has not been altered in transit.
A DKIM signature header in an email looks like this:
DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.com;
    s=selector1; c=relaxed/relaxed;
    h=from:to:subject:date:message-id;
    bh=base64encodedBodyHash;
    b=base64encodedSignature
DKIM proves that an authorised system signed the message and that the content was not tampered with. However, like SPF, DKIM alone does not tell the receiving server what to do when verification fails.
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and adds two critical capabilities: a policy that tells receivers how to handle authentication failures, and a reporting mechanism that gives domain owners visibility into who is sending email as their domain.
A DMARC record is published as a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com; adkim=s; aspf=s;
When a message arrives, the receiving server evaluates SPF and DKIM results and then checks whether either result aligns with the domain in the From: header. If neither aligns, the DMARC policy determines what happens to the message.
How They Work Together
Think of the three protocols as layers of a security system:
- SPF checks whether the sending IP is authorised.
- DKIM checks whether the message is signed and unaltered.
- DMARC checks whether either SPF or DKIM passes and aligns with the visible From domain, then enforces a policy on failures.
A message passes DMARC if at least one of the following is true:
- SPF passes and the SPF-authenticated domain aligns with the From header domain.
- DKIM passes and the DKIM signing domain (the d= tag) aligns with the From header domain.
Understanding Alignment
Alignment is the concept that makes DMARC more powerful than SPF or DKIM alone. It ensures that the domain authenticated by SPF or DKIM actually matches the domain the user sees in the From: header.
There are two alignment modes:
- Relaxed alignment (the default) — The authenticated domain and the From domain must share the same organisational domain. For example, mail.yourcompany.com aligns with yourcompany.com.
- Strict alignment — The authenticated domain must exactly match the From domain. mail.yourcompany.com would not align with yourcompany.com in strict mode.
You control alignment mode in your DMARC record with the adkim (for DKIM) and aspf (for SPF) tags. Relaxed alignment is recommended for most organisations because it accommodates subdomains used by third-party services.
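The following added example (not code from the original page) puts the DMARC evaluation described in the last two sections into one function: it parses a DMARC record, applies the aspf/adkim alignment modes to the SPF-authenticated domain and the DKIM d= domain, and returns the DMARC result together with the disposition the policy calls for. The organisational-domain rule is simplified to "last two labels" (real receivers consult the Public Suffix List), and the test messages are constructed.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification (assumption): the last two labels stand in for the
    # organisational domain; production code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(dmarc_record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope-sender (Return-Path) domain that SPF
    authenticated; dkim_domain is the d= tag of a verified signature.
    """
    tags = parse_dmarc(dmarc_record)
    aspf = tags.get("aspf", "r")    # both alignment modes default to relaxed
    adkim = tags.get("adkim", "r")
    spf_ok = bool(spf_result == "pass" and spf_domain
                  and aligned(spf_domain, from_domain, aspf))
    dkim_ok = bool(dkim_result == "pass" and dkim_domain
                   and aligned(dkim_domain, from_domain, adkim))
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass", "none"
    return "fail", tags.get("p", "none")   # apply the published policy


# Constructed records for the demo: the strict one is the record shown above.
STRICT = "v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com; adkim=s; aspf=s;"
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com"
```

The case to watch is a message whose envelope sender is an unrelated domain that passes SPF while the visible From is yourcompany.com: SPF passes but does not align, so DMARC fails and the policy is applied.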
Why You Need All Three
Each protocol has limitations on its own:
- SPF alone does not protect the visible From header and breaks when emails are forwarded.
- DKIM alone does not tell receivers what to do on failure and does not prevent replay attacks.
- DMARC alone is meaningless — it requires at least SPF or DKIM to exist in order to evaluate alignment.
Together, they form a complete system: SPF and DKIM provide the authentication checks, and DMARC provides the policy and reporting layer that makes the system actionable.
Getting Started
If you are new to email authentication, the recommended path is:
- Ensure SPF is configured for your domain. See Understanding SPF Records.
- Set up DKIM signing for all mail sources. See DKIM Explained.
- Publish a DMARC record starting with p=none and a reporting address. See Getting Started with DMARC.
- Monitor your reports with DMARCWatch, fix issues, and gradually enforce stricter policies. See DMARC Policy Guide.