DNS & Email Spoofing: The Complete Guide

Updated By SurfaceLoop Team

SPF, DKIM, and DMARC protect your domain from email spoofing and phishing. Learn how email authentication works and how to configure it correctly.

Why does email spoofing matter?

Email has no built-in authentication. The SMTP protocol - designed in 1982 - allows any mail server to claim any sender address. Without additional protections, an attacker can send email that appears to come from your CEO, your finance department, or your support team.

This is not a theoretical risk. Email spoofing is the foundation of:

  • Business email compromise (BEC) - attackers impersonate executives to request wire transfers or sensitive data
  • Phishing campaigns - spoofed emails from trusted domains have higher click-through rates
  • Invoice fraud - fake invoices from what appears to be a legitimate supplier domain
  • Brand abuse - spam and scam emails that damage your domain’s reputation

The solution is a trio of DNS-based authentication protocols: SPF, DKIM, and DMARC.

How does email authentication work?

SPF - who is allowed to send?

SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and mail servers authorised to send email for your domain.

When a receiving server accepts a connection delivering mail for example.com, it looks up the SPF record for the domain in the envelope sender (the SMTP MAIL FROM address, later visible to the recipient as Return-Path) and checks whether the connecting server’s IP address is in the list. If it is, the email passes SPF. If not, it fails. Note that SPF checks the envelope sender, not the From header the recipient sees; an attacker can set MAIL FROM to a domain they control and still put your domain in the visible From. Closing that gap is what DMARC alignment is for.

An SPF record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net -all

This says: Google Workspace and SendGrid are allowed to send for this domain. Everything else should fail (-all).

Common SPF mistakes:

  • Using ~all (softfail) instead of -all (hardfail) - when SPF is evaluated on its own, most receivers treat softfail as “suspicious but deliver anyway”; once DMARC is in place, softfail and fail both count as an SPF non-pass, so the ~all/-all choice mostly affects how unauthenticated mail is handled at receivers without DMARC evaluation
  • Exceeding the 10 DNS lookup limit - include, a, mx, ptr, exists and redirect each cost one lookup (ip4 and ip6 do not), and the count covers every record reached through include chains; an eleventh lookup makes the evaluation return permerror, which DMARC treats as a non-pass for your entire domain
  • Forgetting third-party senders - marketing platforms, helpdesk tools, and transactional email services all need to be included
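The script below is an added example, not SurfaceLoop’s checker or code from this page. It evaluates an SPF record the way a receiving server does (RFC 7208), resolving include: mechanisms against a constructed in-memory zone instead of live DNS so that it runs offline; every domain name, IP range and entry in the ZONE dictionary is made up for the demo. It shows the two mistakes above in practice: a record that reaches eleven lookups returns permerror, and a ~all record yields softfail where -all yields fail. Replacing get_spf_record() with a real TXT lookup (dnspython, for instance) turns it into a live checker.

```python
"""SPF evaluation (RFC 7208) over a constructed in-memory zone.

Added example: ZONE is made up for the demo. Swapping get_spf_record() for
real TXT lookups (e.g. dnspython) turns this into a live checker.
"""
import ipaddress

MAX_LOOKUPS = 10                                    # RFC 7208 section 4.6.4
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: name -> TXT strings. Not real records.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "soft.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],      # softfail instead of fail
    "deep.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # Exactly at the limit (10 includes) versus one over it (11 includes).
    "ten.example": ["v=spf1 " + " ".join(["include:deep.example"] * 10) + " -all"],
    "bloat.example": ["v=spf1 " + " ".join(["include:deep.example"] * 11) + " -all"],
}


def get_spf_record(name):
    """Return the single v=spf1 TXT string for name, or None if absent/ambiguous."""
    spf = [t for t in ZONE.get(name, []) if t.lower().split(" ", 1)[0] == "v=spf1"]
    return spf[0] if len(spf) == 1 else None


def check_host(ip, domain, counter=None):
    """Evaluate SPF for connecting IP `ip` against the MAIL FROM domain `domain`.

    Returns pass, fail, softfail, neutral, none or permerror. `counter` is a
    one-element list shared through include:/redirect= recursion so the
    10-lookup limit applies to the whole evaluation, not per record.
    """
    counter = [0] if counter is None else counter
    record = get_spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"              # the record is unusable
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, counter)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"           # only 'pass' makes include match
        else:
            matched = False                     # a/mx/ptr/exists: counted, not modelled
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                                # redirect= also costs a lookup
        counter[0] += 1
        if counter[0] > MAX_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, counter)
    return "neutral"                            # nothing matched and no 'all'


def audit(ip, domain):
    """Result plus the two things the text warns about: lookup count, all-qualifier."""
    counter = [0]
    result = check_host(ip, domain, counter)
    terminal = None
    for term in (get_spf_record(domain) or "").split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            terminal = term[0] if term[0] in QUALIFIERS else "+"
    return {"result": result, "lookups": counter[0], "all": terminal}


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "example.com"), ("192.0.2.1", "example.com"),
                    ("192.0.2.1", "soft.example"), ("203.0.113.5", "bloat.example")]:
        print(f"{dom:16} {ip:14} {audit(ip, dom)}")
```

The shared counter is the point of the example: a record that looks short at the top level can still exceed the limit through the records it includes, which is why a live checker has to follow every include rather than count the mechanisms it can see.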

DKIM - was the email tampered with?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The sending server signs the message headers and body with a private key. The corresponding public key is published in DNS.

When a receiving server gets a DKIM-signed email, it reads the signing domain (d=) and selector (s=) from the DKIM-Signature header, retrieves the public key from DNS and verifies the signature. If the signature is valid, the signed headers and body have not been modified since signing, and the message was signed by a system holding the private key. Unlike SPF, a DKIM signature normally survives forwarding, because it travels with the message instead of depending on which IP address delivered it.

A DKIM DNS record looks like this (at selector1._domainkey.example.com; the selector, here selector1, lets you publish a new key under a new name when rotating keys):

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...

Why DKIM matters beyond SPF: SPF validates the connecting server, not the message content. DKIM validates that the signed parts of the message have not been altered since signing - detecting modification in transit - and proves the email originated from a system holding the domain’s private key. It does not encrypt anything; transport encryption is a separate concern (see MTA-STS below). Use 2048-bit RSA keys: RFC 8301 sets 1024 bits as the minimum and recommends 2048.
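As an added example (not code from this page or from any DKIM library), the script below implements the canonicalization and body-hash half of DKIM from RFC 6376 in plain Python: relaxed body canonicalization, the bh= body hash, and the header canonicalization a signer feeds into the signature. The sample headers, body and signature tags are constructed. It shows why a relay that re-wraps whitespace leaves the signature verifiable while a change to the invoice text breaks it. The final RSA signature over signing_input() is not shown; that step needs the private key and a crypto library.

```python
"""DKIM relaxed canonicalization and body hash (RFC 6376 sections 3.4 and 3.7).

Added example with a constructed message. Only the hashing half of DKIM is
shown: the RSA signature over signing_input() needs the private key and a
crypto library, and is not included here.
"""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalization (3.4.4): strip trailing WSP per line,
    collapse WSP runs to one SP, drop trailing empty lines, CRLF endings."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    """Relaxed header canonicalization (3.4.2): lowercase the name, unfold,
    collapse WSP, strip, and emit 'name:value' + CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim WSP
    return f"{name.lower()}:{value}\r\n".encode()


def signing_input(headers, dkim_signature_value: str) -> bytes:
    """Bytes that the b= signature covers (3.7): the h= headers in the listed
    order, then the DKIM-Signature header itself with b= emptied and without
    its trailing CRLF. `headers` is a list of (name, value) pairs."""
    data = b"".join(relaxed_header(n, v) for n, v in headers)
    sig = re.sub(r"b=[^;]*", "b=", dkim_signature_value)  # 'bh=' does not match 'b='
    return data + relaxed_header("DKIM-Signature", sig).rstrip(b"\r\n")


# Constructed sample message (not a real capture).
SAMPLE_HEADERS = [
    ("From", "Finance <finance@example.com>"),
    ("To", "ap@example.net"),
    ("Subject", "Q3   invoice\r\n   attached"),   # folded, with sloppy spacing
]
SAMPLE_BODY = (b"Please pay invoice 4471 by Friday.   \r\n"
               b"\r\nThanks,\r\nFinance\r\n\r\n\r\n")
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
              "h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=")


def tamper_check():
    """Does a benign relay rewrite keep bh= intact, and does a content edit break it?"""
    original = body_hash(SAMPLE_BODY)
    # A relay that converts CRLF to LF and turns the trailing spaces into a tab.
    rewrapped = SAMPLE_BODY.replace(b"\r\n", b"\n").replace(b"   \n", b"\t\n")
    # An attacker that edits the invoice line in transit.
    tampered = SAMPLE_BODY.replace(b"4471", b"4471, new bank details below")
    return {"survives_rewrap": body_hash(rewrapped) == original,
            "detects_edit": body_hash(tampered) != original}


if __name__ == "__main__":
    print("bh=", body_hash(SAMPLE_BODY))
    print(signing_input(SAMPLE_HEADERS, SAMPLE_SIG).decode())
    print(tamper_check())
```

Relaxed canonicalization is what makes DKIM tolerant of the whitespace and line-ending changes mail relays make; anything more invasive, such as a mailing list appending a footer, changes the canonical body and therefore bh=, which is why such mail fails DKIM unless the list re-signs it.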

DMARC - what happens when authentication fails?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that ties SPF and DKIM together. Without DMARC, a failed SPF or DKIM check has no guaranteed consequence - the receiving server decides what to do.

DMARC specifies:

  1. Policy - what to do with emails that fail authentication (none, quarantine, or reject)
  2. Alignment - the domain SPF validated (the MAIL FROM domain) or the domain DKIM signed for (the d= tag) must match the domain in the visible From header; by default relaxed alignment accepts a subdomain of the same organisational domain, while aspf=s and adkim=s demand an exact match
  3. Reporting - receiving servers send XML reports about authentication results back to you

A DMARC record looks like this (at _dmarc.example.com):

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

This says: reject emails that fail DMARC (neither SPF nor DKIM passes with alignment), apply that policy to 100% of them (pct=100 is the default, so it can be omitted), and send aggregate reports to [email protected].

The enforcement gap: Most organisations start with p=none (monitor only) and never move to enforcement. A p=none policy collects reports but does not prevent spoofing - it just tells you it is happening. Moving to p=quarantine and eventually p=reject is where the actual protection comes from.

How SurfaceLoop handles this

SurfaceLoop checks your domains for SPF, DKIM, and DMARC configuration automatically. It validates record syntax, checks for common misconfigurations (like SPF lookup limits and DMARC policies stuck on “none”), and alerts you when email authentication is missing or incomplete.

See DNS & Email Spoofing feature →

How do the three protocols work together?

SPF, DKIM, and DMARC are not alternatives - they are layers that complement each other:

Protocol | What it validates                 | What it prevents
---------|-----------------------------------|------------------------------------------
SPF      | Sending server is authorised      | Spoofing from unauthorised servers
DKIM     | Message integrity and origin      | Message tampering, origin forgery
DMARC    | Policy enforcement and alignment  | Spoofing that bypasses SPF or DKIM alone

An email that passes DMARC must pass either SPF or DKIM (or both) with alignment - meaning the authenticated domain matches the visible “From” address. This closes the gaps that exist when SPF or DKIM are used in isolation.

What changed with the 2025 enforcement shift?

Google and Microsoft changed the email landscape in 2025 by requiring SPF, DKIM, and DMARC for bulk senders:

  • Gmail began rejecting non-compliant bulk email outright in November 2025
  • Microsoft Outlook/Hotmail requires SPF, DKIM, and DMARC for domains sending more than 5,000 emails per day

This means DMARC is no longer optional for any organisation that sends email at scale. Even if you are not a bulk sender, your domain’s email deliverability and reputation depend on proper authentication.

How do you check your domain’s email security?

To verify your current configuration:

SPF: Query your domain’s TXT records for a record starting with v=spf1. Check that it includes all your legitimate sending services and ends with -all (not ~all or ?all).

DKIM: This requires knowing your DKIM selector (usually found in your email provider’s documentation). Query selector._domainkey.yourdomain.com for a TXT record containing a public key.

DMARC: Query _dmarc.yourdomain.com for a TXT record starting with v=DMARC1. Check the policy (p=) - if it says none, you are monitoring but not enforcing.

Our article on DMARC enforcement walks through the process of moving from monitoring to full enforcement.
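To make the alignment rules from “How do the three protocols work together?” and the p= check above concrete, here is an added Python example (not SurfaceLoop’s code or code from this page). It parses a DMARC record with the RFC 7489 defaults filled in, flags a record that is published but not enforcing, decides alignment in relaxed and strict mode, and combines SPF and DKIM results into a DMARC verdict. The scenarios, domain names and the tiny public-suffix stand-in are constructed; a real verifier uses the full Public Suffix List and live DNS lookups for the record.

```python
"""DMARC policy parsing and alignment evaluation (RFC 7489).

Added example over constructed inputs. PUBLIC_SUFFIXES is a tiny stand-in for
the Public Suffix List; a real verifier uses the full list and live DNS.
"""

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # constructed stand-in for the PSL


def org_domain(domain):
    """Organizational domain (RFC 7489 3.2): public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with the RFC defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def enforcement_gap(tags):
    """The check the text describes: is this record actually enforcing?"""
    if tags["p"] == "none":
        return "p=none: reporting only, spoofed mail is still delivered"
    if int(tags["pct"]) < 100:
        return f"pct={tags['pct']}: policy applied to only part of failing mail"
    return None


def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(tags, from_domain, spf_result, spf_domain, dkim_results):
    """DMARC verdict for one message.

    from_domain  - domain of the visible RFC5322.From header
    spf_result   - SPF result obtained for the MAIL FROM domain `spf_domain`
    dkim_results - list of (d= domain, result) for each DKIM signature present
    DMARC passes if SPF passed with alignment OR any DKIM signature passed with
    alignment; otherwise the published policy (p=, or sp= for subdomains) applies.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags["adkim"]) for d, r in dkim_results)
    passed = spf_ok or dkim_ok
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": "none" if passed else policy}


# Constructed scenarios: example.com publishes p=reject with strict DKIM alignment.
RECORD = parse_dmarc("v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com")


def scenarios():
    f = "example.com"
    return {
        # Attacker's own server, nothing authenticates.
        "plain_spoof": evaluate(RECORD, f, "fail", "example.com", []),
        # Attacker controls MAIL FROM and makes SPF pass for attacker.net: not aligned.
        "spf_pass_unaligned": evaluate(RECORD, f, "pass", "attacker.net", []),
        # ESP bounce domain passes SPF but is unaligned; the d=example.com signature carries it.
        "esp_with_dkim": evaluate(RECORD, f, "pass", "bounce.sendgrid.net", [("example.com", "pass")]),
        # Forwarded mail: SPF breaks on the forwarder's IP, DKIM survives.
        "forwarded": evaluate(RECORD, f, "fail", "example.com", [("example.com", "pass")]),
        # Signed with d=mail.example.com: fine under relaxed, fails under adkim=s.
        "strict_subdomain_sig": evaluate(RECORD, f, "fail", "example.com", [("mail.example.com", "pass")]),
    }


if __name__ == "__main__":
    print(enforcement_gap(parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com")))
    for name, verdict in scenarios().items():
        print(f"{name:22} {verdict}")
```

The spf_pass_unaligned scenario is the one SPF alone cannot catch: the attacker’s MAIL FROM domain legitimately passes SPF, but because it does not align with the visible From domain, DMARC still rejects the message. The esp_with_dkim scenario is the everyday counterpart: a third-party sender using its own bounce domain needs a DKIM signature with d= set to your domain, or DMARC will treat its mail as spoofed.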

What comes after SPF, DKIM, and DMARC?

Email authentication is the foundation, but complete DNS and email security includes:

  • MTA-STS - enforces TLS encryption for email delivery, preventing downgrade attacks
  • DANE/TLSA - uses DNSSEC to bind certificates to mail servers
  • BIMI - displays your brand logo in supporting email clients when DMARC passes, providing visual trust signals; it requires an enforcing DMARC policy (p=quarantine or p=reject), so it is only available once you have closed the enforcement gap
  • DNSSEC - protects DNS records from tampering, ensuring SPF and DKIM records are authentic

These are advanced configurations that build on top of a solid SPF/DKIM/DMARC foundation.

Frequently asked questions

What is email spoofing?

Email spoofing is the forgery of an email sender address to make a message appear to come from a domain the sender does not control. Without SPF, DKIM, and DMARC, any mail server can send email claiming to be from your domain.

What is SPF and how does it prevent spoofing?

SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorised to send email for your domain. Receiving servers check whether the sending server's IP is in the SPF record of the envelope sender domain - if not, the email fails SPF validation.

What is DKIM and how does it work?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The sending server signs each message with a private key, and the receiving server verifies it using a public key published in your DNS. This proves the signed parts of the email were not tampered with in transit.

What is DMARC and why is it important?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails - none (monitor only), quarantine, or reject. Without DMARC, a failing SPF or DKIM check is at most a spam-scoring signal; receivers have no instruction from you to quarantine or reject the message.

How do I check if my domain has SPF, DKIM, and DMARC configured?

Query your domain's DNS TXT records. Look for records starting with 'v=spf1' (SPF), a TXT record at a selector subdomain like 'selector._domainkey.example.com' (DKIM), and a TXT record at '_dmarc.example.com' (DMARC). SurfaceLoop checks all three automatically.

What happens if I don't set up DMARC?

Without DMARC, anyone can send emails that appear to come from your domain. Your domain can be used for phishing campaigns, business email compromise, invoice fraud, and spam - all without your knowledge. Google and Microsoft now require DMARC for bulk senders.
