
Email Authentication (DMARC, DKIM, SPF)

Framework mappings: NIST CSF Protect (PR.DS-5) | CIS Control 9: Email and Web Browser Protections

What This Control Means

Email authentication protocols, SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance), work together to verify that emails claiming to come from your domain are actually sent by authorized servers. These protocols are the primary defense against domain spoofing, where attackers send fraudulent emails that appear to come from your organization.

SPF specifies which mail servers are authorized to send email on behalf of your domain by publishing a DNS TXT record. DKIM adds a cryptographic signature to outgoing emails, allowing receiving servers to verify that the message was not altered in transit. DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails: monitor only (p=none), quarantine (p=quarantine), or reject (p=reject) the message.

Implementing DMARC at enforcement level (p=quarantine or p=reject) prevents attackers from sending convincing spoofed emails using your domain to customers, partners, and employees. This protects your brand reputation and reduces the risk of business email compromise attacks that impersonate your executives or employees. Without DMARC enforcement, anyone can send email that appears to come from your domain.

DMARC implementation should be phased. Start with p=none to collect reports on who is sending email using your domain. Analyze the reports to identify legitimate senders (marketing platforms, CRMs, ticketing systems) and add them to your SPF record. Once all legitimate sources are accounted for, move to p=quarantine and eventually p=reject. This phased approach prevents accidentally blocking legitimate email.
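As an added illustration of the record syntax the paragraphs above describe (example code written for this page, not code from the page's author), the block below parses a constructed SPF record, counts the DNS-querying terms against the RFC 7208 limit of ten that bites when you keep adding senders during the phased rollout, and parses DMARC records into the monitoring and enforcement stages. The records, domains and addresses are constructed placeholders.

```python
import re

# RFC 7208 caps SPF evaluation at 10 DNS-querying terms; a record over the
# limit yields "permerror" and the domain's mail stops authenticating via SPF.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Constructed records for example.com (assumption: not taken from a real zone).
SPF_EXAMPLE = "v=spf1 ip4:203.0.113.0/24 include:_spf.crm-vendor.invalid mx -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCE = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                 "adkim=s; aspf=s")


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, term) pairs and count the
    terms that cost a DNS lookup. Nested includes are not resolved here, so
    the count is a lower bound on what a receiver will actually spend."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    mechanisms, lookups = [], 0
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "lookups": lookups,
            "within_limit": lookups <= SPF_LOOKUP_LIMIT}


def parse_dmarc(record):
    """Parse a DMARC TXT record (RFC 7489 tag=value; syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record (needs v=DMARC1 and a p= tag)")
    if tags["p"].lower() not in {"none", "quarantine", "reject"}:
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def dmarc_stage(tags):
    """Name the rollout stage a record is in: monitoring (p=none), partial
    enforcement (pct below 100), or full enforcement."""
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitoring"
    if pct < 100:
        return f"partial enforcement ({policy}, pct={pct})"
    return f"enforcement ({policy})"


if __name__ == "__main__":
    spf = parse_spf(SPF_EXAMPLE)
    print(f"SPF: {spf['lookups']} DNS lookups, within limit: {spf['within_limit']}")
    for rec in (DMARC_MONITOR, DMARC_ENFORCE):
        print(f"DMARC: {dmarc_stage(parse_dmarc(rec))}")
```

The lookup count is the check to run every time a marketing platform or CRM is added to SPF: a record that silently passes the ten-lookup ceiling fails open to permerror, which DMARC treats as an SPF failure for every message.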

Why Insurers Care

Email authentication is increasingly asked about on cyber insurance applications, reflecting its importance in preventing business email compromise, one of the costliest attack types for insurers. Organizations with DMARC at enforcement level demonstrate proactive protection against domain spoofing, a key factor in BEC attacks.

Insurers recognize that DMARC protects not only the organization but also its customers and partners from fraudulent emails sent in the organization's name. This broader protection reduces the risk of third-party claims and reputational damage, both of which factor into underwriting decisions.

Industry-Specific Notes

Healthcare (HIPAA)

Healthcare organizations frequently communicate with patients via email, making domain spoofing a significant risk. Fraudulent emails appearing to come from a healthcare provider can be used for phishing, insurance fraud, and social engineering. DMARC enforcement protects patients and preserves trust in provider communications.

Legal (ABA Guidelines)

Law firms are prime targets for domain spoofing because clients trust communications from their attorneys. Fraudulent emails impersonating a firm can redirect settlement payments, steal case information, or compromise client relationships. DMARC at enforcement level is a baseline expectation for protecting the firm's domain.

Financial Services (GLBA/PCI-DSS)

Financial institutions face constant attempts to spoof their domains for phishing attacks targeting customers. FFIEC guidance supports email authentication as a security control. PCI-DSS compliance benefits from DMARC as part of the broader email security posture. Many banking regulators now explicitly recommend DMARC enforcement.

Retail / E-commerce (PCI-DSS)

Retail brands are frequently spoofed in phishing campaigns targeting consumers with fake promotions, order confirmations, and shipping notifications. DMARC enforcement protects customers from these attacks and preserves brand reputation. Large retailers should also monitor DMARC reports for unauthorized use of their domain.

Government / Defense (CMMC 2.0)

CISA's Binding Operational Directive 18-01 requires all federal domains to implement DMARC at p=reject. Government contractors are strongly encouraged to follow the same standard. CMMC assessors evaluate email authentication as part of communication protection controls.

Implementation Steps

1. Publish an SPF record listing all authorized mail servers for your domain

2. Configure DKIM signing for all outbound email from your mail platform

3. Publish a DMARC record at p=none and begin collecting authentication reports

4. Analyze DMARC reports to identify all legitimate email sources and update SPF/DKIM accordingly

5. Escalate the DMARC policy to p=quarantine, then p=reject, once all legitimate sources are authenticated

6. Monitor DMARC reports on an ongoing basis to detect new unauthorized senders and maintain compliance
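The report analysis behind the last three steps, as an added example that is not the page's own code: it reads a constructed DMARC aggregate (rua) report in the RFC 7489 Appendix C layout, groups volume by source IP, separates sources that pass from third-party services that need alignment and from sources with no authentication at all, and says whether the domain is ready to move off p=none. The report contents, IP addresses and the vendor domain are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report in the RFC 7489 Appendix C layout.
# Assumptions: example.com is the protected domain, sender addresses are
# documentation ranges, and crm-vendor.invalid is a fictional CRM platform.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.invalid</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.invalid</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>800</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Aggregate one rua report by source IP.

    <policy_evaluated> already reflects alignment, so a row passes DMARC when
    either its dkim or spf value is "pass". The raw <auth_results> SPF entry
    shows whether the host passed SPF for some *other* domain, which is the
    signature of a legitimate third-party sender that has not been aligned.
    Reports arrive from outside parties, so parse them with defusedxml in
    production rather than the stdlib parser used here for brevity.
    """
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    summary = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        aligned = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                             rec.findtext("row/policy_evaluated/spf"))
        spf_domain = rec.findtext("auth_results/spf/domain")
        spf_result = rec.findtext("auth_results/spf/result")
        e = summary.setdefault(ip, {"pass": 0, "fail": 0, "unaligned_spf_pass": False})
        e["pass" if aligned else "fail"] += count
        if spf_result == "pass" and spf_domain and spf_domain != domain:
            e["unaligned_spf_pass"] = True
    return domain, summary


def triage(summary):
    """Label each source for the review that precedes p=quarantine/p=reject."""
    actions = {}
    for ip, e in summary.items():
        if e["fail"] == 0:
            actions[ip] = "authenticated"
        elif e["unaligned_spf_pass"]:
            actions[ip] = ("third-party sender: align it (DKIM signed with your "
                           "domain, or SPF with your domain as the return-path)")
        else:
            actions[ip] = "unauthenticated source: confirm it is not yours before enforcing"
    return actions


def ready_for_enforcement(summary):
    """False while any source that looks like a legitimate third party still
    fails; moving to p=reject at that point would block that vendor's mail."""
    return not any(e["fail"] and e["unaligned_spf_pass"] for e in summary.values())


if __name__ == "__main__":
    domain, summary = summarize_report(SAMPLE_REPORT)
    print(f"Report for {domain}")
    for ip, action in triage(summary).items():
        print(f"{ip:15} pass={summary[ip]['pass']:4} fail={summary[ip]['fail']:4}  {action}")
    print("ready for enforcement:", ready_for_enforcement(summary))
```

Run against the sample, the CRM host shows up as the case the phased rollout exists for: real mail, sent on the domain's behalf, that p=reject would have discarded. The high-volume host that fails both checks and claims example.com as its MAIL FROM is the profile of spoofing, and its volume is the reason to keep moving toward enforcement once the vendor is aligned.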
