
Email Authentication Explained

How SPF, DKIM, and DMARC work together to prevent phishing and email spoofing

Why Email Authentication Matters

Email was designed in the 1970s without security in mind. Anyone can send an email claiming to be from any address. This fundamental flaw enables phishing, spoofing, and business email compromise (BEC) attacks that cost organizations billions annually.

SPF, DKIM, and DMARC are three protocols that work together to verify email authenticity and prevent spoofing. Understanding how they work is essential for email security analysis.

SPF (Sender Policy Framework)

What is SPF?

SPF lets a domain owner publish, in a DNS TXT record, the list of mail servers authorized to send mail for that domain. When a message arrives whose envelope sender (the SMTP MAIL FROM address, later visible as Return-Path) is at example.com, the receiving server checks whether the IP address the connection came from is in example.com's published list.

How SPF Works:

  1. A message arrives whose envelope sender (MAIL FROM) is sender@example.com
  2. The receiving server notes the IP address the SMTP connection came from (e.g., 192.0.2.1)
  3. It looks up the TXT records for example.com and takes the one starting with v=spf1
  4. It evaluates the record's mechanisms (ip4, ip6, a, mx, include, all) in order until one matches 192.0.2.1
  5. The qualifier on the matching mechanism gives the result: pass, fail, softfail, or neutral

SPF Results Explained:

  • pass: The sending server is authorized to send email for this domain
  • fail: The sending server is NOT authorized; likely spoofing (or a misconfigured legitimate sender)
  • softfail: The server is probably not authorized, but the domain owner isn't certain (the ~all qualifier)
  • neutral: The domain owner makes no assertion about this server (the ?all qualifier)
  • none: The domain has no SPF record
  • temperror: Temporary error during the SPF check (DNS problems)
  • permerror: Permanent error; the SPF record is invalid or exceeds the 10 DNS lookup limit

SPF Limitation:

SPF is evaluated against the envelope sender (MAIL FROM / Return-Path) and the HELO name, not the From header that users see. An attacker can send from a domain whose SPF record they control, so SPF passes, while putting a trusted brand in the visible From address. DMARC's alignment requirement closes this gap.
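The lookup and evaluation described in the SPF steps and result list above, as an added example (not code from the original page): a minimal SPF evaluator that implements the ip4, ip6, include and all mechanisms over a constructed DNS table, enforces the RFC 7208 limit of 10 DNS-querying terms (which also catches include loops), and returns the result names listed above. In production the TXT records come from live DNS (for example via dnspython) and the a, mx, exists and redirect terms must be implemented as well; here they are reported as unsupported.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (assumption: offline example).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-include: must hit the lookup limit
    "nospf.example": "",                                  # domain exists but publishes no SPF record
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS_TXT, _budget=None):
    """Return the SPF result for sending address `ip` and MAIL FROM domain `domain`.

    Implements ip4, ip6, include and all; the a, mx, exists and redirect terms
    (which need further DNS queries) are treated as unsupported in this example.
    """
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]     # shared across recursive include: evaluations
    record = dns.get(domain)
    if not record:
        return "none"                   # no SPF record published
    if not record.startswith("v=spf1"):
        return "permerror"              # invalid record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"      # too many DNS-querying terms (or an include loop)
            sub = check_spf(ip, value, dns, _budget)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("temperror", "permerror"):
                return sub
            if sub == "none":
                return "permerror"      # RFC 7208: an included domain with no record is an error
            # fail/softfail/neutral from the include mean "no match": keep evaluating
        else:
            return "permerror"          # a/mx/exists/redirect are not modelled in this example
    return "neutral"                    # no term matched and no "all": the default result


if __name__ == "__main__":
    for ip, domain in [("192.0.2.1", "example.com"), ("198.51.100.10", "example.com"),
                       ("203.0.113.7", "example.com"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:16} {domain:16} -> {check_spf(ip, domain)}")
```

The shared lookup budget is the part worth copying: a real evaluator that forgets it can be driven into unbounded recursion by a hostile include chain.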

DKIM (DomainKeys Identified Mail)

What is DKIM?

DKIM uses cryptographic signatures to prove that an email actually came from the claimed domain and hasn't been modified in transit. Think of it as a tamper-evident seal on the message.

How DKIM Works:

  1. The sending server canonicalizes and hashes the message body and records that hash in the bh= tag
  2. It hashes the headers listed in the h= tag together with the DKIM-Signature header itself and signs that hash with the domain's private key
  3. The signature goes into the b= tag of the DKIM-Signature header, alongside the signing domain (d=) and key selector (s=)
  4. The receiving server fetches the public key from DNS at <selector>._domainkey.<domain>
  5. It recomputes the body hash and verifies the signature over the listed headers
  6. Result: pass (valid signature, signed content unchanged) or fail (signature invalid or message altered)

DKIM Results Explained:

  • pass: Signature verified; the signed headers and body are as the d= domain signed them
  • fail: Signature verification failed; the message was altered after signing or the signature is invalid
  • none: The message carries no DKIM signature
  • neutral: A signature is present but could not be processed (for example, a syntax error)
  • policy: A signature is present but some aspect of it is unacceptable to the receiver's local policy (for example, a key that is too short)
  • temperror: Temporary error during verification (for example, the DNS key lookup failed)
  • permerror: Permanent error; the signature is malformed or a required field is missing

DKIM Strength:

Unlike SPF, DKIM cannot be forged without the signing domain's private key, so a DKIM pass is strong evidence that the domain in the d= tag signed the message and that the signed parts were not modified afterwards. It says nothing about whether that d= domain matches the visible From domain; that check belongs to DMARC. Note also that DKIM covers only the headers listed in h= and, when the l= tag is used, possibly only a prefix of the body.
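An added example, not from the original page, of the body-hash half of DKIM verification described above: it parses the tag list of a DKIM-Signature header, applies relaxed or simple body canonicalization from RFC 6376, recomputes the bh= value and compares it with the signed one, and shows which DNS name the public key would be fetched from. The header and body are constructed for this example (the bh= value is computed here so the sample is self-consistent, and the b= tag is a placeholder); verifying b= itself needs the selector's public key and an RSA or Ed25519 library, which this block deliberately leaves out.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict.

    Folding whitespace inside values (line breaks in b= and bh=) is removed, as RFC 6376 requires.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization from RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # collapse runs of SP/TAB to one space and drop whitespace at the end of each line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":      # ignore all empty lines at the end of the body
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""   # empty body: CRLF for simple, nothing for relaxed
    return "\r\n".join(lines) + "\r\n"    # a non-empty body always ends with exactly one CRLF


def body_hash(body, algorithm="sha256", mode="relaxed", length=None):
    """Compute the base64 bh= value over the canonicalized (and optionally l=-truncated) body."""
    canon = canonicalize_body(body, mode).encode()
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode()


def dkim_dns_name(tags):
    """DNS name the verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash_matches(dkim_header, body):
    """Recompute bh= from the received body and compare it with the signed value."""
    tags = parse_dkim_signature(dkim_header)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"  # c=header/body
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]                 # rsa-sha256 -> sha256
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, algorithm, body_mode, length) == tags.get("bh")


# Constructed sample message (not a real capture). bh= is computed from the body so the sample
# verifies; b= is a placeholder because checking it needs the selector's public key.
SAMPLE_BODY = "Hello,\r\n\r\nPlease review the  attached invoice.\r\n-- \r\nAccounts\r\n\r\n\r\n"
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER-NOT-A-REAL-SIGNATURE"
)

if __name__ == "__main__":
    print("key record     :", dkim_dns_name(parse_dkim_signature(SAMPLE_DKIM_HEADER)))
    print("original body  :", body_hash_matches(SAMPLE_DKIM_HEADER, SAMPLE_BODY))
    print("reflowed spaces:", body_hash_matches(SAMPLE_DKIM_HEADER, SAMPLE_BODY.replace("the  attached", "the attached")))
    print("edited invoice :", body_hash_matches(SAMPLE_DKIM_HEADER, SAMPLE_BODY.replace("invoice", "wire form")))
```

Relaxed canonicalization is why a message that merely had its whitespace reflowed in transit still verifies, while a one-word change to the body does not. The l= tag is honoured here because the specification requires it, but an analyst should treat it as a warning sign: anything appended beyond the signed length is not covered by the signature.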

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What is DMARC?

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also requires "alignment" - the domain in the From header must match the domain that passed SPF or DKIM.

This closes the loophole where attackers could pass SPF/DKIM for their own domain while spoofing a trusted brand in the visible From address.

How DMARC Works:

  1. The receiving server runs the SPF and DKIM checks as usual
  2. It looks up the policy at _dmarc.<From domain> in DNS, falling back to the organizational domain if the subdomain has none
  3. It checks alignment: the From header domain must match the domain that passed SPF (the MAIL FROM domain) or DKIM (the d= tag), exactly in strict mode or at the organizational-domain level in relaxed mode
  4. DMARC passes if at least one of SPF or DKIM both passed and aligned; otherwise it fails
  5. On failure the server applies the published policy (none, quarantine, or reject)
  6. Receivers send aggregate reports (rua=) and, optionally, per-message failure reports (ruf=) to the domain owner

DMARC Results:

  • pass: At least one of SPF or DKIM passed and its domain aligns with the From domain
  • fail: No aligned pass: SPF and DKIM both failed, or passed only for a domain that does not align with From; likely spoofing
  • none: The From domain publishes no DMARC record, so there is no policy to apply

DMARC Policies:

  • none (no enforcement): Monitor only; failing messages are still delivered and only show up in reports
  • quarantine (medium enforcement): Failing messages go to the spam/junk folder
  • reject (maximum enforcement): Failing messages are refused outright; the strongest protection

How SPF, DKIM, and DMARC Work Together

Example: Legitimate Email

From: support@paypal.com
SPF: pass - Server IP is in PayPal's SPF record
DKIM: pass - Signature verified with PayPal's public key
DMARC: pass - From domain (paypal.com) aligns with DKIM domain

✓ Result: Email is authentic and delivered to inbox

Example: Phishing Attempt

From: support@paypal.com (spoofed)
SPF: fail - Attacker's server not in PayPal's SPF record
DKIM: none - No signature (attacker doesn't have PayPal's private key)
DMARC: fail - Neither SPF nor DKIM passed for paypal.com

✗ Result: Email rejected or quarantined based on PayPal's DMARC policy
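The DMARC steps above and these two worked examples, as an added example (not the page's code): an evaluator that looks up the DMARC record, checks SPF and DKIM alignment in strict or relaxed mode, and returns the DMARC result together with the disposition the receiver should apply. The DNS records and the small public-suffix set are constructed for this example (the paypal.com record here is invented, not PayPal's real one). It also honours the sp= subdomain policy tag, which the page does not cover; pct= sampling is not modelled.

```python
# Constructed DNS data for this example; the paypal.com record is invented, not PayPal's real one.
FAKE_DNS_TXT = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@paypal.com",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com",
}

# Tiny stand-in for the Public Suffix List (assumption); real code loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Registrable domain one label below the public suffix: mail.paypal.com -> paypal.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode):
    """Strict (s) alignment needs an exact match; relaxed (r) compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc_record(from_domain, dns=FAKE_DNS_TXT):
    """Query _dmarc.<From domain>; if absent, fall back to _dmarc.<organizational domain>."""
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:
        record = dns.get("_dmarc." + organizational_domain(from_domain))
    return record


def evaluate_dmarc(from_domain, spf, dkim_signatures, record):
    """Return (dmarc_result, disposition).

    spf: (result, MAIL FROM domain); dkim_signatures: list of (result, d= domain);
    record: the DMARC TXT string, or None when nothing is published.
    """
    if not record:
        return "none", "none"
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "permerror", "none"
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for result, d in dkim_signatures)
    if spf_ok or dkim_ok:        # one aligned pass is enough
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]      # sp= overrides p= for subdomains of the organizational domain
    return "fail", policy


def check(from_domain, spf, dkims):
    """Convenience wrapper: DNS lookup plus evaluation."""
    return evaluate_dmarc(from_domain, spf, dkims, lookup_dmarc_record(from_domain))


if __name__ == "__main__":
    # the page's two worked examples, plus the loophole that DMARC alignment closes
    print("legitimate :", check("paypal.com", ("pass", "paypal.com"), [("pass", "paypal.com")]))
    print("spoofed    :", check("paypal.com", ("fail", "evil.example"), []))
    print("misaligned :", check("paypal.com", ("pass", "evil.example"), [("pass", "evil.example")]))
```

The third call is the case SPF and DKIM alone cannot catch: the attacker's own domain passes both checks, but neither passing domain aligns with the From header, so DMARC fails and the reject policy applies.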

Important Limitations

  • Authentication is not authorization: Just because an email passes SPF/DKIM/DMARC doesn't mean it's safe. Attackers can register look-alike domains (paypa1.com) that pass all checks.
  • No content inspection: These protocols only verify sender identity. They don't check for malicious links, attachments, or social engineering in the message content.
  • Results are claims: An Authentication-Results header records what a receiving server says it verified. Trust only the header added by your own mail server, identified by its authserv-id; an upstream server, or the sender, can insert a misleading one, and a compromised or misconfigured server could lie.
  • Forwarding breaks authentication: A forwarder's IP is not in the original domain's SPF record, so SPF fails; mailing lists that rewrite the subject or append a footer also break DKIM. ARC (Authenticated Received Chain) lets intermediaries pass along the results they observed so the final receiver can still make a decision.

Best Practices for Analysis

  1. All three passing gives the highest confidence

     SPF + DKIM + DMARC all passing is the strongest authentication signal. Keep in mind that DMARC itself requires only one aligned pass, so a DMARC pass with one of SPF or DKIM failing is still a legitimate outcome.

  2. Check domain alignment

     Verify that the From domain matches the domain that passed SPF (smtp.mailfrom) or DKIM (header.d). A pass for an unrelated domain says nothing about the visible sender.

  3. Be suspicious of partial passes, but know the benign causes

     SPF fail with an aligned DKIM pass is the classic signature of forwarding. SPF pass with DKIM fail means the message changed after it was signed, either by a mailing list rewriting the subject or footer, or by tampering. Investigate before concluding either way.

  4. Verify with independent tools

     Don't rely solely on Authentication-Results headers. Use PhishCheck for independent content analysis.

  5. Context matters

     Even with perfect authentication, check for suspicious content, urgency, and requests for sensitive information.
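The analysis rules above applied to an actual header, as an added example that is not part of the original page: a parser for RFC 8601 Authentication-Results values and a triage function that trusts only our own server's authserv-id, checks alignment with the visible From domain, and labels the common partial-pass patterns. All header values and the authserv-id mx.corp.example are constructed; alignment is approximated as same-domain-or-subdomain rather than the full Public Suffix List rule.

```python
import re


def parse_authentication_results(value):
    """Parse an RFC 8601 Authentication-Results value into (authserv-id, [result dicts]).

    Each dict has 'method', 'result' and the property=value pairs that followed
    (smtp.mailfrom, header.d, header.from, ...). Parenthesised comments are dropped.
    """
    value = re.sub(r"\([^)]*\)", "", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]          # first token, before any version number
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results.append({"method": method.lower(), "result": result.lower(), **props})
    return authserv_id, results


def domains_aligned(from_domain, auth_value):
    """Approximate relaxed alignment (assumption): same domain, or one a subdomain of the other.
    Real DMARC compares organizational domains derived from the Public Suffix List."""
    a = from_domain.lower().strip(".")
    b = auth_value.rpartition("@")[2].lower().strip(".")   # accept user@domain or a bare domain
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def triage(header_value, our_authserv_id, from_domain):
    """Apply the analysis rules: trust only our own server's header, require alignment,
    and explain partial passes. Returns (verdict, notes)."""
    authserv_id, results = parse_authentication_results(header_value)
    if authserv_id.lower() != our_authserv_id.lower():
        return "untrusted", [f"authserv-id {authserv_id!r} is not ours; header may be forged"]
    spf = next((r for r in results if r["method"] == "spf"), {})
    dmarc = next((r for r in results if r["method"] == "dmarc"), {})
    dkims = [r for r in results if r["method"] == "dkim"]
    spf_pass = spf.get("result") == "pass"
    dkim_pass = [d for d in dkims if d.get("result") == "pass"]
    spf_aligned = spf_pass and domains_aligned(from_domain, spf.get("smtp.mailfrom", ""))
    dkim_aligned = [d for d in dkim_pass if domains_aligned(from_domain, d.get("header.d", ""))]
    notes = []
    if not spf_aligned and not dkim_aligned:
        if spf_pass or dkim_pass:
            notes.append("passes exist only for domains that do not align with the From domain")
        if dmarc.get("result") == "none":
            notes.append("From domain publishes no DMARC policy")
        return "fail", notes
    if not spf_pass and dkim_aligned:
        notes.append("SPF failed but aligned DKIM passed: consistent with forwarding")
    if spf_aligned and dkims and not dkim_pass:
        notes.append("SPF passed but DKIM failed: content changed after signing (mailing list?) or tampering")
    if spf_aligned and dkim_aligned and dmarc.get("result") == "pass":
        return "strong", notes
    return "pass", notes


# Constructed headers as our server mx.corp.example (assumption) might add them.
H_LEGIT = ("mx.corp.example; spf=pass smtp.mailfrom=bounce.paypal.com; "
           "dkim=pass (2048-bit key) header.d=paypal.com header.s=sel1; dmarc=pass header.from=paypal.com")
H_FORWARDED = ("mx.corp.example; spf=fail smtp.mailfrom=bounce.paypal.com; "
               "dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com")
H_MISALIGNED = ("mx.corp.example; spf=pass smtp.mailfrom=evil.example; "
                "dkim=pass header.d=evil.example; dmarc=fail header.from=paypal.com")
H_FORGED = "mail.attacker.example; spf=pass smtp.mailfrom=paypal.com; dmarc=pass header.from=paypal.com"

if __name__ == "__main__":
    for name, header in [("legit", H_LEGIT), ("forwarded", H_FORWARDED),
                         ("misaligned", H_MISALIGNED), ("forged", H_FORGED)]:
        print(name, triage(header, "mx.corp.example", "paypal.com"))
```

The authserv-id check comes first for a reason: a sender can put any Authentication-Results header they like on a message, so only the copy added by the server you control (normally the topmost one) is evidence. The From domain is passed in separately because it must come from the parsed From header, not from the header.from property the sender could have written.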