Email is one of the most common communication tools in business, but it’s also a frequent target for cybercriminals. Phishing, spoofing, and impersonation attacks are on the rise, threatening sensitive data, brand equity, and customer trust. To combat these risks, businesses are turning to several key approaches to email security:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
What are SPF, DKIM, and DMARC?
SPF is an email validation framework that verifies whether an email originates from an authorized mail server. Businesses publish a list of approved sending servers in their domain name system (DNS) records. When an email is received, the recipient’s server checks the sending server’s internet protocol (IP) address against the SPF record. If there’s a match, the email passes the SPF check and is deemed legitimate.
DKIM ensures that an email hasn’t been tampered with during transit. It uses cryptographic signatures to verify the email’s integrity. The sender’s mail server adds a digital signature to outgoing emails, and the recipient’s server uses the public key (stored in the sender’s DNS record) to verify the signature and confirm the message’s integrity.
DMARC builds on SPF and DKIM by adding a policy layer. It enables domain owners to specify how email servers should handle messages that fail SPF or DKIM checks, for example, whether to reject, quarantine, or allow the email. DMARC also provides reporting capabilities, giving domain owners visibility into email authentication activities.
How do SPF, DKIM, and DMARC work?
SPF and DKIM are foundational standards for validating the source and integrity of an email. In an SPF workflow, the sender defines a list of approved mail servers in the DNS record. The receiving server checks if the sender’s IP matches the trusted list. With DKIM, outbound emails are signed with a private key. The receiving server uses the public key in the sender’s DNS record to verify the email’s integrity.
DMARC ties together the two protocols, ensuring consistent authentication and allowing domain owners to enforce policies for unapproved emails. In a DMARC setup, the sender publishes a policy in their DNS record (e.g., reject or quarantine emails failing SPF or DKIM). The receiving server enforces this policy and generates reports to help refine security strategies.
These measures work in unison to create a layered approach that fortifies email against diverse threats.
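As an added example (not code from the original post), the receiving-side evaluation described above in simplified Python: an SPF check of the connecting IP against a published record, a DMARC record parser, and the DMARC rule, which goes slightly beyond the text, that a message passes only if the SPF or DKIM domain that passed also aligns with the visible From domain. The SPF/DMARC records, IP addresses and domains are constructed samples, and the alignment test is simplified as noted in the comments.

```python
import ipaddress

# Constructed sample DNS TXT records for the hypothetical domain example.com
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate an SPF record against the connecting server's IP address.
    Handles ip4/ip6 mechanisms and the 'all' terminator; 'include', 'a' and
    'mx' need live DNS lookups and are left out so this runs offline."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # no usable SPF record published
    for term in terms[1:]:
        qualifier = "+"                   # mechanisms default to 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.lower().partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]  # first matching mechanism wins
        if mech == "all":
            return QUALIFIERS[qualifier]  # '-all': any other sender fails
    return "neutral"


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(tags, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action). DMARC passes if SPF or DKIM passes AND the
    domain that passed aligns with the From domain; otherwise policy 'p' applies.
    Alignment is simplified to a parent/child suffix test (real relaxed alignment
    uses the Public Suffix List to find the organizational domain)."""
    def aligned(domain):
        return (domain == from_domain or domain.endswith("." + from_domain)
                or from_domain.endswith("." + domain))
    spf_ok = spf_result == "pass" and aligned(spf_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", tags.get("p", "none")  # p=none means monitor only
```

The last case a practitioner should try is an SPF pass from an unaligned third-party domain: SPF alone says "pass", yet DMARC fails and the quarantine policy applies, which is why DKIM signing matters for mail relayed through other providers.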
What online risks do they mitigate?
- Phishing and spoofing: By checking the validity of email senders, these protocols help prevent unauthorized use of your domain to deceive recipients.
- Email tampering: DKIM safeguards messages from being altered during transit, protecting sensitive communications.
- Brand impersonation: DMARC reduces the risk of fraudulent emails tarnishing your organization’s reputation and credibility.
DMARC, SPF, and DKIM use trends
In our 2024 Domain Security Report, we analyzed the domain security practices of companies in Forbes’ Global 2000, evaluating whether critical protections had been implemented. For example, these measures included DNS redundancy and Domain Name System Security Extensions (DNSSEC).
Highlights from the report:
- DMARC: Adoption has surged, with 70.6% of Global 2000 companies implementing it. This marks a sharp increase from 38.9% in 2020, making it the most widely adopted measure covered in the report.
- SPF: 90.2% of companies are leveraging SPF to authenticate email domains.
- DKIM: Despite its importance, DKIM remains underused, with only 12.0% of companies employing it to protect their email communications.
The data shows increased awareness of certain email security methods but also reveals persisting vulnerabilities. Nearly 30% of major companies still lack DMARC, and DKIM adoption continues to trail far behind, leaving many organizations vulnerable to threats like phishing, spoofing, and tampering.
Fortify your domain security
An unsecured email infrastructure exposes your organization to costly breaches, a damaged reputation, and diminished customer trust. But domain security extends beyond email, as it encompasses a layered, intricate ecosystem with many potential entry points for threat actors. Learn how we measured the domain security posture of companies listed in Forbes’ Global 2000, and see how your organization stacks up.