🛡️How to Stop Email Spoofing with Proper SPF, DKIM, and DMARC Configuration

Email spoofing is one of the most common and damaging forms of cyberattack — and it often happens because of simple misconfigurations in your domain’s DNS records. In this post, we’ll explain how to secure your domain against spoofing using SPF, DKIM, and DMARC, and how to avoid common mistakes that can leave your emails vulnerable — or even undeliverable.

🔍 What Is Email Spoofing?

Email spoofing is when someone sends an email that appears to come from your domain but was not sent by you. Attackers use this to:
• Send phishing emails that appear legitimate
• Damage your reputation and domain trust
• Trick customers, vendors, or internal staff

The scary part? Without proper DNS records in place, there’s nothing stopping them.

🔐 The Three Layers of Protection

To prevent spoofing, you need to set up all three of the following:

✅ SPF (Sender Policy Framework)
• Defines which servers are allowed to send email for your domain
• Example: v=spf1 include:mailgun.org include:_spf.google.com ~all

✅ DKIM (DomainKeys Identified Mail)
• Adds a cryptographic signature to outgoing emails so the receiver can verify they were signed by your domain and weren’t tampered with in transit
• Set up by publishing the public half of the signing key as a DNS TXT record

✅ DMARC (Domain-based Message Authentication, Reporting & Conformance)
• Tells receiving servers what to do when a message fails authentication, i.e. when neither SPF nor DKIM passes for a domain aligned with the From: address, and where to send reports
• Example: v=DMARC1; p=reject; rua=mailto:you@example.com

🚨 The Most Common Mistakes

1. DMARC Policy Set to p=none
This is the setting most setups start with, and it provides no protection — it only monitors.
Fix: Change to: v=DMARC1; p=reject; rua=mailto:you@example.com
Or use p=quarantine to send suspicious emails to spam.

2. Multiple SPF Records
SPF must be a single TXT record. Multiple v=spf1 entries will break validation.
Fix: Combine all entries into one: v=spf1 include:sendgrid.net include:_spf.google.com ~all

3. SPF Lookup Limit Exceeded
SPF allows a maximum of 10 DNS lookups. Exceeding this breaks SPF validation without any obvious error on your side.
Fix:
• Use fewer includes
• Flatten SPF using tools like:
  • dmarcian SPF Survey
  • Word to the Wise SPF Tool

4. DKIM Not Set or Not Aligned
Even with SPF and DMARC, mail may still fail if DKIM isn’t configured or its signing domain isn’t aligned with your From: domain.
Fix: Set up DKIM through your mail provider (e.g. Google Workspace, Mailgun, SendGrid) and publish the provided public key in your DNS.

✅ Quick Security Checklist
• SPF record exists, is valid, and stays under 10 lookups
• DKIM configured and passing
• DMARC policy set to p=quarantine or p=reject
• Only one SPF record exists per domain
• Tested using tools like mxtoolbox.com or dmarcian.com

🧪 Test Your Setup
• SPF: https://mxtoolbox.com/spf.aspx
• DKIM: https://dmarcian.com/dkim-inspector/
• DMARC: https://dmarcian.com/domain-checker/

💬 Final Thoughts
Email authentication is no longer optional — especially with the new sending requirements from Google and Yahoo. Whether you’re a startup, a solo founder, or managing multiple domains, securing your DNS records is one of the easiest and most effective ways to protect your domain from abuse. Don’t wait for a spoofing incident to learn the hard way.
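The first three mistakes above (a monitoring-only DMARC policy, duplicate SPF records, and the 10-lookup limit) can all be caught before mail breaks by linting the DNS records. The following script is an added example written for this post, not code from the post or from any of the tools it links to. It reads DNS answers from a constructed in-memory table (SAMPLE_TXT, with the fictional good.example and bad.example zones) instead of a live resolver, so it runs offline; the lookup counting follows RFC 7208 section 4.6.4 (include, a, mx, ptr, exists and redirect each cost one lookup, include chains are expanded).

```python
"""Offline lint for the SPF and DMARC mistakes listed above.

DNS answers come from the constructed SAMPLE_TXT table instead of live
lookups, so this runs anywhere; swap in a resolver to check a real zone.
"""

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4. The redirect=
# modifier costs one as well; ip4/ip6/all cost nothing.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10

# Constructed sample zone data (domain -> TXT records). good.example is
# configured correctly; bad.example shows mistakes 1 to 3 at once.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.good.example ~all"],
    "_spf.good.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "bad.example": [
        "v=spf1 include:mailer-one.example include:mailer-two.example ~all",
        "v=spf1 include:mailer-three.example ~all",   # second SPF record (mistake 2)
        "google-site-verification=not-an-spf-record",  # unrelated TXT, ignored
    ],
    "_dmarc.bad.example": ["v=DMARC1; p=none; rua=mailto:you@bad.example"],
    "mailer-one.example": ["v=spf1 a mx include:relay-a.example include:relay-b.example ~all"],
    "mailer-two.example": ["v=spf1 mx include:relay-c.example include:relay-d.example "
                           "include:relay-e.example include:relay-f.example ~all"],
}
for _relay in "abcdef":
    SAMPLE_TXT[f"relay-{_relay}.example"] = ["v=spf1 ip4:203.0.113.0/24 -all"]


def spf_records(domain, txt):
    """All TXT records at `domain` whose first token is the SPF version tag."""
    return [r for r in txt.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]


def count_spf_lookups(record, txt, seen=None):
    """Count DNS-querying terms in `record`, descending into include:/redirect=.

    `seen` stops include loops: a repeated include still costs a lookup where
    it appears, it just is not expanded a second time.
    """
    seen = set() if seen is None else seen
    total = 0
    for term in record.split()[1:]:          # skip the v=spf1 tag
        term = term.lstrip("+-~?")           # qualifiers do not change the count
        if "=" in term.split(":", 1)[0]:     # modifier form, e.g. redirect=domain
            name, _, arg = term.partition("=")
        else:                                # mechanism form, e.g. include:domain
            name, _, arg = term.partition(":")
        name = name.lower()
        if name not in SPF_LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            target = arg.lower()
            if target and target not in seen:
                seen.add(target)
                for sub in spf_records(target, txt)[:1]:
                    total += count_spf_lookups(sub, txt, seen)
    return total


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_domain(domain, txt):
    """Return record facts plus a list of finding codes for `domain`."""
    findings = []
    spf = spf_records(domain, txt)
    lookups = None
    if not spf:
        findings.append("NO_SPF")
    else:
        if len(spf) > 1:                     # mistake 2: receivers treat this as a permerror
            findings.append("MULTIPLE_SPF")
        lookups = max(count_spf_lookups(r, txt) for r in spf)
        if lookups > SPF_MAX_LOOKUPS:        # mistake 3
            findings.append("SPF_LOOKUP_LIMIT")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    policy = None
    if not dmarc:
        findings.append("NO_DMARC")
    else:
        policy = parse_dmarc(dmarc[0]).get("p", "").lower()
        if policy not in ("quarantine", "reject"):   # mistake 1: p=none only monitors
            findings.append("DMARC_P_NONE")
    return {"spf_records": len(spf), "spf_lookups": lookups,
            "dmarc_policy": policy, "findings": findings}


if __name__ == "__main__":
    for name in ("good.example", "bad.example"):
        print(name, lint_domain(name, SAMPLE_TXT))
```

Running it reports bad.example with two SPF records, 11 lookups after expanding the include chain, and a p=none policy, while good.example comes back clean with a single lookup. To point it at a real domain, replace the SAMPLE_TXT reads in spf_records and lint_domain with TXT queries from a DNS library; the counting and policy logic stays the same.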
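Mistake 4 is about alignment: a DKIM signature or SPF pass only counts for DMARC if the domain it authenticates matches the From: domain the recipient sees. The evaluator below is an added example written for this post, not code from the post or from any mail provider; it shows how a receiver turns SPF and DKIM results into a DMARC pass or fail and a disposition. It assumes the policy has already been parsed into a tag dict, treats the last two labels as the organizational domain (a stand-in for the Public Suffix List), and takes the SPF and DKIM results as inputs the way a receiver's authentication step would supply them. The scenarios are constructed.

```python
"""DMARC alignment and disposition, evaluated offline.

Assumptions: the policy is already a tag dict (e.g. {"p": "reject"}), the
organizational domain is the last two labels (a stand-in for the Public
Suffix List), and the SPF/DKIM results plus the domains they authenticated
are supplied as inputs.
"""


def org_domain(domain):
    """Organizational domain: stand-in for a Public Suffix List lookup."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from, auth_domain, mode):
    """Identifier alignment per RFC 7489: strict (s) needs an exact match,
    relaxed (r, the default) needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(header_from, policy_domain, policy,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide DMARC pass/fail and the disposition a receiver would apply.

    header_from:   domain of the RFC5322.From address (what the user sees)
    policy_domain: domain whose _dmarc record was found
    spf_domain:    MAIL FROM (envelope) domain that SPF was checked against
    dkim_domain:   d= tag of the verified DKIM signature
    """
    spf_aligned = spf_result == "pass" and is_aligned(header_from, spf_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(header_from, dkim_domain, policy.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned      # one aligned pass is enough

    # The subdomain policy (sp=) applies when the From domain sits below the policy domain.
    is_subdomain = header_from.lower() != policy_domain.lower()
    requested = policy.get("sp", policy.get("p", "none")) if is_subdomain else policy.get("p", "none")
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else requested.lower()}


# Constructed scenarios for a domain publishing p=reject.
POLICY = {"v": "DMARC1", "p": "reject", "rua": "mailto:dmarc@example.com"}

# Default case: a third-party provider signs with its own d= and bounces to its
# own domain, so both checks pass but neither identifier is aligned (mistake 4).
BASE = dict(header_from="example.com", policy_domain="example.com", policy=POLICY,
            spf_result="pass", spf_domain="bounce.mailer.example",
            dkim_result="pass", dkim_domain="mailer.example")


def scenario(**overrides):
    return {**BASE, **overrides}


SCENARIOS = {
    "dkim_not_aligned": scenario(),
    # Same provider, but DKIM now signs with d=example.com: DMARC passes even
    # though SPF still authenticates only the provider's bounce domain.
    "dkim_aligned": scenario(dkim_domain="example.com"),
    # Forwarded message: SPF breaks at the forwarder, the DKIM signature survives.
    "forwarded": scenario(spf_result="fail", spf_domain="example.com", dkim_domain="example.com"),
    # Spoofed mail from an unrelated server: nothing passes, p=reject applies.
    "spoofed": scenario(spf_result="fail", spf_domain="example.com", dkim_result="none", dkim_domain=""),
    # aspf=s: a bounce subdomain that would align in relaxed mode no longer does.
    "strict_spf": scenario(policy={**POLICY, "aspf": "s"}, spf_domain="bounce.example.com",
                           dkim_result="none", dkim_domain=""),
}


def run_scenarios():
    return {name: evaluate_dmarc(**args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

The "dkim_not_aligned" and "dkim_aligned" scenarios differ only in the d= domain of the signature, yet one is rejected and the other delivered; that is why the fix for mistake 4 is to have your provider sign with a key published under your own domain rather than theirs. The "forwarded" case shows why DKIM matters even when SPF is perfect: SPF cannot survive forwarding, an aligned DKIM signature can.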