Stop Email Spoofing

How SPF, DKIM, and DMARC Protect Your Domain

Email spoofing is no longer just a nuisance—it’s a major threat vector used in phishing, ransomware, and business email compromise (BEC) attacks. If you run a domain and send email—even indirectly through services like Mailchimp, Google Workspace, or Outlook—you need SPF, DKIM, and DMARC properly configured.

Failure to do so doesn’t just affect your inbox. It affects your customers’ security, your domain reputation, and your ability to deliver emails at all.

What Are SPF, DKIM, and DMARC?

  • SPF (Sender Policy Framework): Verifies that a mail server is authorized to send emails on your behalf.

  • DKIM (DomainKeys Identified Mail): Attaches a cryptographic signature to your emails, proving they haven’t been altered in transit.

  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving servers what to do if an email fails SPF or DKIM—e.g., reject it, quarantine it, or allow it.

Together, these three build a chain of trust between your domain and the recipient’s mail server.
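To make the DKIM "not altered in transit" claim concrete, here is an added example (not code from the original post) that computes the body hash carried in a DKIM signature's bh= tag using the relaxed body canonicalization from RFC 6376, then shows that a message whose body was changed after signing no longer matches. It uses only the Python standard library; the sample bodies are constructed for the example, and the header signature (the b= tag, which needs an RSA or Ed25519 key) is deliberately left out.

```python
"""Added example: DKIM body hash (bh= tag) with RFC 6376 'relaxed' body
canonicalization. Not the original post's code; sample bodies are constructed."""
import base64
import hashlib
import re


def relaxed_body_canonicalize(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    - runs of spaces/tabs inside a line collapse to a single space
    - trailing whitespace on each line is removed
    - empty lines at the end of the body are ignored
    - line endings are CRLF and a non-empty body ends with CRLF
    """
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def dkim_body_hash(body: str) -> str:
    """Return the base64 SHA-256 digest that a signer places in the bh= tag."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(received_body: str, bh_tag: str) -> bool:
    """What a verifier does: recompute bh over the body it received and compare."""
    return dkim_body_hash(received_body) == bh_tag


def verify_body(signed_body: str, received_body: str) -> str:
    """Simulate the signer (computes bh) and the receiver (checks it)."""
    bh = dkim_body_hash(signed_body)
    return "pass" if body_hash_matches(received_body, bh) else "fail: body altered after signing"


if __name__ == "__main__":
    # Constructed sample: whitespace and trailing blank lines are tolerated ...
    original = "Your invoice is attached.\nPay to account 1234.   \n\n\n"
    print(verify_body(original, "Your invoice is attached.\nPay to account 1234.\n"))
    # ... but a changed payment detail is detected.
    print(verify_body(original, "Your invoice is attached.\nPay to account 9999.\n"))
```

Relaxed canonicalization is why a mail relay that re-wraps trailing whitespace does not break signatures, while any change to the visible content (here the account number) does.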


The Benefits of Proper Email Authentication

1. Protect Your Brand and Domain from Abuse

If your domain lacks DMARC, anyone can spoof it. In 2020, hackers spoofed the World Health Organization’s domain during the COVID-19 pandemic to spread malware. A properly configured DMARC policy would have prevented most of those emails from landing in inboxes.

Even major airlines get targeted. For example:

In June 2025, mail.turkishairlines.com was flagged for having an invalid SPF record—opening the door to spoofing risks if DKIM or DMARC enforcement is weak.

2. Improve Email Deliverability

Without SPF or DKIM, your emails are more likely to land in spam or get rejected outright. Services like Gmail, Yahoo, and Outlook use these records to assess whether to trust an email. A missing or misconfigured record means less inbox placement—and fewer people seeing your message.

3. Get Visibility with DMARC Reports

DMARC’s rua and ruf tags give you insight into who’s sending on your behalf. You get daily aggregate reports and, optionally, forensic data about spoofing attempts. This can help uncover unauthorized systems sending fake emails under your name.

The Risks of Not Configuring Them

Risk                  Impact
Spoofing & Phishing   Users may receive fake emails that appear to come from your domain.
Blacklisting          Your domain/IP could be blacklisted, harming email deliverability.
Loss of Trust         Customers will stop trusting emails from your domain.
Compliance Failures   GDPR, HIPAA, and other frameworks require email authentication in many contexts.
Reputation Damage     News spreads fast when brands get spoofed—just ask PayPal or FedEx.

What We Discovered from Our Own Scans

During a routine audit using a domain scanning tool, we analyzed hundreds of active business domains. Over 90% lacked proper DMARC, SPF, or DKIM configurations—or worse, had misconfigured records that gave a false sense of security. Many had DMARC policies set to none, meaning spoofed emails would still be delivered. Others had SPF records missing key include mechanisms for their email providers, or DKIM with no public keys published. In several cases, we found critical client communication domains with no authentication at all, leaving them open to impersonation. It’s not just a theory—this problem is happening at scale.
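The misconfigurations named in the audit above (p=none, SPF missing a provider's include, permissive records) can be spotted offline once the TXT records are in hand. The following is an added example, not the scanning tool the post refers to: a small linter for SPF and DMARC record text. The records it checks are constructed samples; in real use they would come from DNS TXT lookups for the domain and `_dmarc.<domain>`, and the lookup count is a static count of the top-level record only (a real check follows include and redirect chains recursively).

```python
"""Added example: offline linter for SPF and DMARC record text.
Not the post's scanning tool; all records below are constructed samples."""

# Mechanisms and modifiers that each cost a DNS query (RFC 7208 allows at most 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record: str, expected_includes=()) -> list:
    """Return findings for one SPF record; an empty list means nothing was flagged."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1 (missing or invalid)"]
    includes, lookups, all_qualifier = set(), 0, None
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Modifiers (redirect=, exp=) use '=', mechanisms (include:, ip4:) use ':'.
        sep = "=" if "=" in term.split(":", 1)[0] else ":"
        name, _, value = term.partition(sep)
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        elif name == "include":
            includes.add(value.lower())
        if name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result instead of failing")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorizes every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral; unlisted senders are not failed")
    for inc in expected_includes:
        if inc.lower() not in includes:
            findings.append(f"SPF: missing include:{inc} for a known sending provider")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup-causing terms exceed the limit of 10 (permerror)")
    return findings


def lint_dmarc(record: str) -> list:
    """Return findings for one DMARC record; an empty list means nothing was flagged."""
    findings, tags = [], {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1 (missing or invalid)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: p tag missing or invalid; receivers ignore the record"]
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports will arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def audit_domain(spf_record: str, dmarc_record: str, expected_includes=()) -> list:
    """Combine both checks for one domain's records."""
    return lint_spf(spf_record, expected_includes) + lint_dmarc(dmarc_record)


if __name__ == "__main__":
    # Constructed sample of the 'false sense of security' case from the audit:
    # records exist, but one provider is missing and DMARC only monitors.
    for finding in audit_domain(
        "v=spf1 include:_spf.google.com ~all",
        "v=DMARC1; p=none",
        expected_includes=["_spf.google.com", "spf.protection.outlook.com"],
    ):
        print(finding)
```

The `expected_includes` parameter is the operator's own list of providers that send on the domain's behalf; the linter cannot know that from the record alone, which is exactly why a published record can look fine and still leave a provider unauthenticated.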

What Happens If You Only Do It Partially?

  • SPF only: A spoofed email can still bypass checks if DKIM isn’t used, or if DMARC is set to “none.”

  • SPF + DKIM, but no DMARC: You can sign and verify email, but you’re not enforcing any policy. You’re missing the lock on the door.

  • DMARC with p=none: Good for testing, useless in production. Attackers can still spoof you freely.
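The three bullets above describe outcomes of the DMARC evaluation a receiving server performs: SPF and DKIM each produce a result and a domain, DMARC checks whether either passing domain is aligned with the visible From: domain, and the p= tag decides what happens when neither is. The following added example (not code from the post or from any mail server) implements that evaluation so the "SPF only" and "p=none" cases can be traced through. The scenarios are constructed; the organizational-domain function is a simplification (real receivers use the Public Suffix List) and the names `spf_domain` and `dkim_domain` stand for the SPF-checked MAIL FROM domain and the DKIM d= tag respectively.

```python
"""Added example: DMARC identifier alignment and policy disposition.
Not code from the post or from a mail server; scenarios are constructed."""


def organizational_domain(domain: str) -> str:
    """Simplification: keeps the last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, policy):
    """Return (dmarc_result, disposition).

    from_domain : domain in the visible From: header (what the user sees)
    spf_result  : 'pass', 'fail', 'softfail', 'none', ... for the MAIL FROM domain
    spf_domain  : the MAIL FROM domain SPF was checked against (assumed name)
    dkim_result : 'pass', 'fail' or 'none'
    dkim_domain : the d= tag of the verified DKIM signature (assumed name)
    policy      : parsed DMARC tags, e.g. {'p': 'reject', 'aspf': 'r'}, or None if no record
    """
    if policy is None:
        return ("none", "deliver (no DMARC record, nothing to enforce)")
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and is_aligned(from_domain, spf_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and is_aligned(from_domain, dkim_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    dispositions = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", dispositions[policy.get("p", "none")])


if __name__ == "__main__":
    # Constructed scenarios for the partial-setup cases described above.
    legit = evaluate_dmarc("example.com", "pass", "mail.example.com", "pass", "example.com", {"p": "reject"})
    # 'SPF only': the spoofer's own bounce domain passes SPF, but it is not aligned with From:.
    spoof_reject = evaluate_dmarc("example.com", "pass", "attacker.example", "none", None, {"p": "reject"})
    spoof_none = evaluate_dmarc("example.com", "pass", "attacker.example", "none", None, {"p": "none"})
    no_record = evaluate_dmarc("example.com", "pass", "attacker.example", "none", None, None)
    for label, outcome in [("legitimate", legit), ("spoof, p=reject", spoof_reject),
                           ("spoof, p=none", spoof_none), ("spoof, no DMARC", no_record)]:
        print(f"{label:18} -> {outcome}")
```

The "spoof, p=reject" case is the one the bullets warn about: SPF alone passes for the attacker's envelope domain, and only the DMARC alignment check against the From: header, combined with an enforcing policy, turns that into a rejection.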

Real-World Example: U.S. Federal Mandate

In 2022, the U.S. Department of Homeland Security mandated that all federal agencies implement SPF, DKIM, and DMARC with p=reject after discovering thousands of spoofing attempts targeting .gov domains. The number of phishing emails dropped dramatically after this policy was enforced.

Conclusion: Do It Right, or Don’t Bother Sending

Setting up SPF, DKIM, and DMARC properly is not just a best practice—it’s table stakes. If you’re sending emails, especially under your brand, these protocols are the minimum baseline of trust and security.

Whether you’re a small business or an enterprise, securing your domain is a non-negotiable step in protecting your users and your reputation.

If you send email from your domain—like using Gmail, Outlook, or marketing platforms—there’s a good chance your messages can be faked if you don’t have basic protections in place.

That’s where SPF, DKIM, and DMARC come in. These are security tools that tell other email systems, “Yes, this message is really from us.”

What Do These Do?

  • SPF: Says which servers are allowed to send emails from your domain.

  • DKIM: Adds a digital signature to your email to prove it wasn’t changed.

  • DMARC: Tells receiving systems what to do if a message fails SPF or DKIM.

Without all three, anyone can send fake messages using your domain name.

Why This Matters

1. Stops Scammers from Pretending to Be You

Hackers often send emails that look like they’re from your company. If your domain isn’t protected, they’ll get through. One example: during the COVID-19 crisis, scammers faked emails from the World Health Organization to spread malware.

In our own tests, we scanned hundreds of company domains and found that over 90% had weak or missing email protection. Some didn’t have any DMARC record at all. Others had incorrect SPF or broken DKIM settings. That means they were all open to abuse.

2. Keeps Your Emails Out of Spam

Email services like Gmail, Yahoo, and Outlook check for SPF, DKIM, and DMARC. If they’re missing, your emails might go to spam—or not get delivered at all.

3. Lets You See Who’s Using Your Domain

With DMARC reports, you can see who is sending emails from your domain—even if they’re not supposed to. It’s a good way to catch abuse early.

What Can Go Wrong If You Skip This?

If You Skip It...           What Can Happen
No SPF or DKIM              Your emails are easy to fake.
No DMARC                    You have no control over what happens to fake emails.
Misconfigured records       Your emails might end up in spam.
Weak policy (p=none)        Fake emails still get delivered to inboxes.
No visibility               You won’t know if someone is impersonating your domain.

Real-World Action: U.S. Government

The U.S. government forced all its agencies to use DMARC with a strict policy (p=reject) because so many fake emails were being sent using .gov domains. After the change, fake emails dropped sharply.

Bottom Line

If you send email, you need SPF, DKIM, and DMARC:

  • They protect your domain and your customers

  • They keep your emails out of spam

  • They help you detect problems early

Set it up correctly—or get help from someone who knows how.

Albert Abdul-Vakhed

Founder of Hostgard. When he’s not obsessing over server performance and digital security, he’s probably writing blog posts like this one to help creators build smarter, faster, and reliable websites.

About the Simplified Version

This blog includes a Simplified Version to support readers who prefer:

  • Shorter paragraphs

  • Bullet points and summaries

  • A quicker, easier reading experience

Whether you’re short on time, feeling mentally tired, or just prefer a more direct format — this version is here to help.

Because good information should be easy for everyone to access.