In the landscape of modern business, email remains the primary vehicle for communication, collaboration, and commerce. Yet, for all its utility, the underlying technology of email—developed decades ago—was never designed with security as a primary concern. This inherent weakness is exactly what cybercriminals exploit through domain spoofing and phishing attacks. For UK SMEs, the threat is not just theoretical; it is a daily reality. When an attacker successfully spoofs your company’s domain, they aren't just sending a fake email; they are eroding your brand reputation, risking your compliance status with the Information Commissioner’s Office (ICO), and potentially tricking your employees or clients into wiring funds to fraudulent accounts.
To defend against these threats, you must implement a "triple-threat" of email authentication protocols: SPF, DKIM, and DMARC. While these acronyms are often thrown around by IT departments, understanding how they function—and why they must work in harmony—is essential for any business leader concerned with cyber security. This guide breaks down these protocols, explains why they are the standard for UK businesses, and provides a roadmap for securing your digital identity.
1. SPF (Sender Policy Framework): Defining the "Who"
At its simplest level, SPF is a DNS (Domain Name System) record that acts as a guest list for your domain. It tells the rest of the world, "These are the only IP addresses and services authorised to send email on behalf of my company."
How it works
When you send an email, the receiving mail server checks your domain’s SPF record. If the email originates from a server listed in your record (such as Microsoft 365 or Google Workspace), it passes the check. If it comes from an unknown, unauthorised server—like one used by a scammer in a different country—the check fails.
The limitations of SPF
SPF is a vital first step, but it has a significant flaw: it does not handle email forwarding well. When an email is forwarded, the "envelope" information changes, which can cause the SPF check to fail even for legitimate messages. Furthermore, SPF does not provide any instructions to the receiving server on what to do if the check fails. It merely says, "This isn't on the list," but it doesn't explicitly command the receiver to discard the message.
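The guest-list check and the forwarding failure described above, as an added example that is not part of the original article. It is a minimal SPF evaluator in Python: the DNS lookups are replaced by a constructed in-memory table, the domain example-sme.co.uk, the include target _spf.mailhost.example and all addresses are placeholders, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# example-sme.co.uk, _spf.mailhost.example and the addresses are placeholders.
CONSTRUCTED_TXT = {
    "example-sme.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# SPF qualifiers map to the result returned when a mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=CONSTRUCTED_TXT):
    """Return the SPF record for a domain, or None when it publishes none."""
    record = txt.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, txt=CONSTRUCTED_TXT, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.

    Returns pass, fail, softfail, neutral, none or permerror. Only the ip4,
    ip6, include and all mechanisms are implemented; a, mx, exists and
    redirect are omitted to keep the example short.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; also stops include loops
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            # the membership test is False when address and network versions differ
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only when the referenced record itself yields "pass"
            if check_spf(sender_ip, argument, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def forwarding_scenario(txt=CONSTRUCTED_TXT):
    """Show why plain forwarding breaks SPF: the same message is first checked
    against the original sending server, then against the forwarding host."""
    original_server = "203.0.113.5"   # on the guest list
    forwarder = "192.0.2.77"          # constructed third-party forwarding host
    return {
        "direct": check_spf(original_server, "example-sme.co.uk", txt),
        "after_forwarding": check_spf(forwarder, "example-sme.co.uk", txt),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "2001:db8:1::5", "192.0.2.77"):
        print(ip, "->", check_spf(ip, "example-sme.co.uk"))
    print(forwarding_scenario())
```

The forwarding case is the one to watch in practice: the message is unchanged and legitimate, but the receiver sees the forwarder's address, which is not on the list, so SPF alone returns fail. This is why the later sections lean on DKIM and DMARC rather than SPF by itself.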
2. DKIM (DomainKeys Identified Mail): Providing the Digital Seal
If SPF is the guest list, DKIM is the tamper-evident seal on a package. It ensures that the content of your email hasn't been altered in transit.
How it works
DKIM adds a digital signature to your emails. This signature is created using a private key that only your mail server possesses. When the receiving server gets your email, it uses a public key—which you publish in your DNS records—to verify the signature.
Why DKIM is essential
- Integrity: It proves that the message body and headers haven't been tampered with between your outbox and the recipient’s inbox.
- Authentication: It confirms that the email actually originated from your organisation, even if it has been routed through multiple servers.
- Improved Deliverability: Major email providers like Gmail and Microsoft Outlook are more likely to deliver emails that are cryptographically signed with DKIM, as it signals that you are a legitimate sender.
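The tamper-evident seal in practice, as an added example that is not part of the original article. A DKIM-Signature header carries two checks: bh= (a hash of the message body) and b= (an RSA signature over selected headers, including bh=). This Python block implements only the body-hash half with the RFC 6376 "simple" body canonicalisation, which is enough to show how an altered invoice is detected; the b= value, the selector and the domain example-sme.co.uk are constructed placeholders, and no real key material is involved.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalisation: lines end in CRLF, trailing
    empty lines are ignored, and the body always ends with exactly one CRLF
    (an empty body canonicalises to a lone CRLF)."""
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= value: base64 of SHA-256 over the canonicalised body."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_canonicalization(tags: dict) -> str:
    """c= names header/body algorithms; with a single name the body defaults to simple."""
    parts = tags.get("c", "simple/simple").split("/")
    return parts[1] if len(parts) == 2 else "simple"


def body_matches_signature(dkim_signature_value: str, body: str) -> bool:
    """Recompute bh= from the received body and compare with the signed value."""
    tags = parse_dkim_tags(dkim_signature_value)
    if tags.get("a") != "rsa-sha256" or body_canonicalization(tags) != "simple":
        raise ValueError("this example handles only rsa-sha256 with simple body canonicalisation")
    return tags.get("bh") == body_hash(body)


def build_signature_header(body: str) -> str:
    """Constructed DKIM-Signature header for the demonstration. The selector and
    domain are placeholders, and b= (the RSA signature over the headers, which
    this example does not compute) is left as a placeholder."""
    return ("v=1; a=rsa-sha256; c=relaxed/simple; d=example-sme.co.uk; s=selector1; "
            "h=from:to:subject:date; bh=" + body_hash(body) + "; b=PLACEHOLDER_SIGNATURE")


# Constructed message body as it left the sender's outbox
ORIGINAL_BODY = (
    "Please find the March invoice attached.\r\n"
    "Payment to sort code 00-00-00, account 00000000.\r\n"
    "Kind regards,\r\nAccounts\r\n"
)
# The same message with the payment details altered in transit
TAMPERED_BODY = ORIGINAL_BODY.replace("account 00000000", "account 99999999")
SIGNED_HEADER = build_signature_header(ORIGINAL_BODY)


if __name__ == "__main__":
    print("original body matches bh=:", body_matches_signature(SIGNED_HEADER, ORIGINAL_BODY))
    print("tampered body matches bh=:", body_matches_signature(SIGNED_HEADER, TAMPERED_BODY))
```

Because bh= is itself covered by the b= signature in a real message, an attacker cannot simply recompute bh= for the altered body; the signature over the headers would then fail against the public key you publish in DNS. The body hash is what makes a single changed bank account number visible to the receiving server.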
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance): The Master Controller
DMARC is the protocol that brings SPF and DKIM together. Without DMARC, SPF and DKIM are essentially "silent" protocols—they might tell a receiving server that a message is suspicious, but they don't tell the server what to do about it. DMARC provides the policy instructions.
The three pillars of DMARC
- Alignment: DMARC ensures that the "From" address shown to the user matches the domain verified by SPF and DKIM. This prevents attackers from using their own valid SPF/DKIM records to bypass security while still spoofing your visible sender name.
- Policy: You can instruct receiving servers to apply p=none (monitor only), p=quarantine (send to junk), or p=reject (block entirely) to any emails that fail authentication.
- Reporting: This is the most powerful feature for IT managers. DMARC provides you with a feedback loop, sending you reports detailing who is sending mail on your behalf. This allows you to identify legitimate services you may have forgotten about or, more importantly, malicious actors attempting to impersonate you.
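Alignment and policy worked through in code, as an added example that is not part of the original article. The Python block parses a DMARC record, applies relaxed or strict alignment between the visible From: domain and the domains that SPF and DKIM actually authenticated, and returns the disposition the receiver should apply. The organisational-domain logic is a deliberate simplification (a small constructed set of two-part UK suffixes rather than the full Public Suffix List), pct= sampling is ignored, and example-sme.co.uk, bulk-sender.example and the other names are placeholders.

```python
# Constructed subset of two-part UK public suffixes; real DMARC
# implementations consult the full Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "ltd.uk", "plc.uk"}


def parse_dmarc(record: str) -> dict:
    """Parse a v=DMARC1 TXT record into a tag dictionary, validating v= and p=."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + record)
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organisational domain: handles the constructed UK suffixes,
    otherwise takes the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, disposition).

    A message passes DMARC when SPF or DKIM passes *and* the domain it
    authenticated aligns with the visible From: domain. Otherwise the
    published p= (or sp= for subdomains) decides what the receiver does.
    """
    policy = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    disposition = policy["p"]
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in policy:
        disposition = policy["sp"]
    return "fail", disposition


# Constructed policy for the placeholder domain example-sme.co.uk
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-sme.co.uk"

SCENARIOS = {
    # Sender has valid SPF and DKIM, but for its own domain, so neither
    # identifier aligns with the From: address it is displaying.
    "spoof_with_own_auth": dict(from_domain="example-sme.co.uk",
                                spf_result="pass", spf_domain="bulk-sender.example",
                                dkim_result="pass", dkim_domain="bulk-sender.example"),
    # Forwarded legitimate mail: SPF breaks, but the DKIM seal survives and aligns.
    "forwarded_legit": dict(from_domain="example-sme.co.uk",
                            spf_result="fail", spf_domain="example-sme.co.uk",
                            dkim_result="pass", dkim_domain="example-sme.co.uk"),
    # Subdomain sender signed with the parent domain: aligned under relaxed mode.
    "subdomain_relaxed": dict(from_domain="news.example-sme.co.uk",
                              spf_result="fail", spf_domain=None,
                              dkim_result="pass", dkim_domain="example-sme.co.uk"),
}


def run_scenarios(record=RECORD):
    return {name: evaluate_dmarc(record=record, **args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

The first scenario is the alignment point from the list above: SPF and DKIM both "pass" on their own terms, yet DMARC fails because neither authenticated domain is yours. Running the same scenarios with adkim=s shows why strict alignment needs care: a subdomain sender signed with the parent domain stops aligning, and only sp= keeps it from being quarantined.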
4. Why UK SMEs Must Prioritise Email Authentication
For UK SMEs, implementing these protocols is no longer optional; it is a fundamental requirement for operational resilience.
Compliance and GDPR
Under the UK GDPR, businesses are required to implement appropriate technical measures to protect personal data. A successful phishing attack resulting from domain spoofing can lead to a data breach. If the ICO determines that your organisation failed to implement basic security standards—like DMARC—to prevent such an attack, you could face significant fines and reputational damage.
Cyber Essentials Alignment
The UK government-backed Cyber Essentials scheme is the gold standard for SME cyber security. While Cyber Essentials focuses on five key controls, email authentication is frequently cited as a "best practice" requirement for maintaining a secure boundary. By implementing SPF, DKIM, and DMARC, you are demonstrating to clients, partners, and insurers that your business takes data protection seriously.
Protecting Your Brand Equity
In the UK, business trust is everything. If a client receives a fraudulent invoice that appears to come from your domain, they may lose faith in your systems. By locking down your domain with strict DMARC policies, you are effectively "signing" your communications, ensuring that your brand cannot be weaponised against your own customers.
5. Practical Implementation: A Step-by-Step Approach
Implementing these protocols requires a methodical approach to avoid accidentally blocking your own legitimate emails.
- Audit your current state: Use online tools to check if you have SPF, DKIM, and DMARC records currently published.
- Set up SPF and DKIM: Ensure these are configured correctly for all your sending platforms (e.g., your CRM, your payroll software, and your primary email host).
- Start with DMARC p=none: This is the "monitoring" phase. It allows you to receive reports on who is sending mail as you without actually blocking anything. Use this time to identify and authorise all legitimate senders.
- Transition to p=quarantine: Once you are confident that no legitimate mail is failing, move to a quarantine policy. This sends suspicious mail to the junk folder rather than blocking it entirely.
- Enforce p=reject: This is the ultimate goal. It tells the world to drop any email claiming to be from your domain that fails authentication.
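What the monitoring phase actually gives you, as an added example that is not part of the original article. During p=none the evidence for moving on arrives as XML aggregate (rua) reports; this Python block parses a constructed report in the RFC 7489 layout and summarises it per source IP so you can see which senders pass, which forgotten service still needs SPF/DKIM, and what volume is being sent as your domain by hosts you do not recognise. The reporting organisation receiver.example, the IPs, the counts and payroll-saas.example are all constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report in the RFC 7489 XML layout.
# Organisation, addresses, counts and service names are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example-sme.co.uk</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-sme.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>example-sme.co.uk</domain><result>pass</result></dkim>
      <spf><domain>example-sme.co.uk</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-sme.co.uk</header_from></identifiers>
    <auth_results>
      <spf><domain>payroll-saas.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.200</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-sme.co.uk</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown-host.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate an rua report per source IP: how much mail each sent as the
    domain, whether it passed DMARC (aligned DKIM or aligned SPF), and which
    domain SPF actually authenticated, the clue for spotting a forgotten
    third-party service sending on your behalf."""
    root = ET.fromstring(xml_text)
    sources = []
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        spf_auth = record.find("auth_results/spf")
        dkim_pass = evaluated.findtext("dkim") == "pass"
        spf_pass = evaluated.findtext("spf") == "pass"
        sources.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dmarc_pass": dkim_pass or spf_pass,
            "spf_domain": spf_auth.findtext("domain") if spf_auth is not None else None,
        })
    total = sum(s["count"] for s in sources)
    passed = sum(s["count"] for s in sources if s["dmarc_pass"])
    return {
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "total": total,
        "pass_rate": passed / total if total else 0.0,
        "sources": sources,
    }


def failing_sources(summary: dict) -> list:
    """Sources to investigate before tightening the policy: each is either a
    legitimate service that still needs SPF/DKIM configured, or a host you
    never authorised. Highest volume first."""
    return sorted((s for s in summary["sources"] if not s["dmarc_pass"]),
                  key=lambda s: s["count"], reverse=True)


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(summary["domain"], "p=" + summary["published_policy"], f"pass rate {summary['pass_rate']:.0%}")
    for src in failing_sources(summary):
        print(src["source_ip"], src["count"], "SPF domain:", src["spf_domain"])
```

Reading the constructed report the way an IT manager would: 203.0.113.5 is the primary mail host and passes; 198.51.100.77 fails DMARC but SPF passed for payroll-saas.example, which is the signature of a legitimate service that needs its own DKIM signing or an include: in your SPF record; 192.0.2.200 fails everything and is the volume you want p=quarantine and then p=reject to stop. Moving to quarantine before the payroll source is fixed would send those payslips to junk, which is exactly why the article insists on the monitoring phase first.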
Key Takeaways
- SPF acts as an authorised guest list for your domain's IP addresses.
- DKIM provides a cryptographic seal to prove an email hasn't been altered.
- DMARC ties SPF and DKIM together, providing clear instructions to receiving servers on how to handle failed authentication attempts.
- Visibility is key: DMARC reporting allows you to see exactly who is sending mail on your behalf, exposing potential threats in real-time.
- Phased deployment is critical: Never jump straight to a "reject" policy without first monitoring your email traffic to avoid blocking legitimate business communications.
- Compliance: Implementing these protocols supports your obligations under UK GDPR and aligns your business with the UK government’s Cyber Essentials framework.
Securing your email is an ongoing process of monitoring and refinement. While the initial setup can seem daunting, the protection it offers against impersonation and phishing is one of the highest-return investments an SME can make in its digital infrastructure.