FixVibe

// dns / spotlight

SPF / DKIM / DMARC

Without these three records, anyone can send email as you.

Overview

Email authentication is decades old, well-understood, and routinely missed. The attacker doesn't break SMTP — SMTP was never designed to authenticate senders. Spoofing email from `support@yourdomain.com` is a one-line `mail` command unless your DNS tells receivers what's legitimate. The good news: SPF, DKIM, and DMARC together solve the problem, are supported by every major email provider, and cost nothing beyond DNS records and provider configuration. The bad news: the records are unforgiving — wrong by one character and they don't apply, and the failure mode is silent (your legitimate mail still flows; the spoof protection just doesn't work). 'Working email' is not the same as 'authenticated email.'

How it works

SPF (Sender Policy Framework) is a TXT record on your apex domain listing the IP addresses and hostnames authorized to send mail as you. Receivers check the IP of the connecting server against the SPF record of the envelope sender (MAIL FROM) domain; a mismatch fails SPF. DKIM (DomainKeys Identified Mail) is a TXT record at `<selector>._domainkey.<domain>` holding a public key; your sending infrastructure holds the matching private key and signs each outgoing message, naming the selector in the DKIM-Signature header. Receivers fetch the public key and verify the signature; a mismatch fails DKIM. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties them together: a TXT record at `_dmarc.<domain>` tells receivers what to do when SPF or DKIM fails (none / quarantine / reject), what alignment to require between the From: header domain and the SPF/DKIM domains, and where to send failure reports.

Variants

No SPF

Anyone can send mail with your domain in the From line and SPF never fails (there is no record to check against). Receivers may or may not penalize the missing record; major providers usually do.

SPF with ~all (soft fail)

`~all` instead of `-all` — receivers see soft-fail and may still deliver. Looks present but provides no enforcement.

DKIM signing missing or partial

Some senders (especially marketing platforms or older internal systems) don't sign. Receivers can't verify and DMARC enforcement falls back on SPF alone.

DMARC at p=none

DMARC published but in monitoring mode. Reports the spoofs but doesn't block them. Often left at p=none indefinitely after the initial setup.

Impact

Phishing emails appearing to come from you, sent at scale. Brand damage when customers receive spoofed messages and lose trust in your real ones. Sender reputation degradation when receivers can't reliably distinguish legitimate from spoofed mail and start junking everything from your domain. Business Email Compromise (BEC) preconditions: attackers spoof executives to social-engineer wire transfers, fake employee credentials, redirect invoices. The financial impact of BEC is staggering — FBI's IC3 puts annual losses in the billions, and missing email auth is the typical enabler.

// what fixvibe checks

What FixVibe checks

FixVibe checks DNS and takeover risk with non-destructive ownership, resolution, and service-state signals. Reports show the risky host or record and the cleanup path. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Ironclad defense

Set SPF strict — `-all` (hard fail), not `~all` (soft fail). Include only the senders you actually use (your transactional provider, Google Workspace if you use it, marketing platforms). Audit and remove old `include:` directives when you change providers. Sign with DKIM at every sender — Postmark, SendGrid, Resend, Mailgun, Google Workspace, Mailchimp all support it. Use 2048-bit keys; rotate annually. Set DMARC progressively: start at `p=none` for monitoring, watch the reports for two weeks to identify any legitimate sender that's failing alignment, fix those, then advance to `p=quarantine` (sends spoofs to spam), and ultimately `p=reject` (sends spoofs to /dev/null). Configure DMARC reporting (`rua=mailto:dmarc-reports@yourdomain.com`) and actually read the reports — services like Postmark's DMARC monitor or DMARCian aggregate them into something readable. As a final layer, publish BIMI records to display your logo in compliant inboxes — gives users a positive trust signal alongside the negative spoof-protection.
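As an added example (not FixVibe's own checker or any code from this page), the following Python audit parses the three raw TXT values and flags exactly the weak variants described above: no SPF, `~all`, a missing DKIM selector record, DMARC at `p=none`, and no `rua=` address. The sample records, the `example.com` domain and the SPF lookup-limit check are assumptions beyond the text.

```python
import re
# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation)
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def parse_tags(record):
    """Parse a 'k=v; k2=v2' DKIM or DMARC record into a dict with lowercase keys."""
    return {k.strip().lower(): v.strip()
            for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}

def audit_email_auth(spf_txt, dmarc_txt, dkim_txt):
    """Flag the weak variants described above; args are raw TXT values or None if absent."""
    findings = []
    # SPF: must exist and end in -all; ~all/+all/?all give receivers no reason to reject
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record, so spoofed mail never fails SPF")
    else:
        terms = [t.lower() for t in spf_txt.split()[1:]]
        all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
        if all_term == "~all":
            findings.append("SPF: ~all is a soft fail, receivers may still deliver; use -all")
        elif all_term != "-all":
            findings.append("SPF: 'all' term missing or permissive; use -all")
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > 10:  # too many lookups -> permerror, which is no protection at all
            findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10")
    # DKIM: the selector record must publish a non-empty public key
    if not dkim_txt:
        findings.append("DKIM: selector record absent, receivers cannot verify signatures")
    elif not parse_tags(dkim_txt).get("p"):
        findings.append("DKIM: empty p= tag marks a revoked key, signatures will fail")
    # DMARC: must exist, enforce (quarantine/reject) and name a report address
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        findings.append("DMARC: no v=DMARC1 record at _dmarc, no alignment policy applied")
    else:
        tags = parse_tags(dmarc_txt)
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors, spoofs are reported not blocked")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised policy p={policy!r}")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports go nowhere")
    return findings

# Constructed sample records for a hypothetical example.com (not real DNS data).
WEAK = audit_email_auth("v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none", None)
HARDENED = audit_email_auth("v=spf1 include:_spf.google.com include:sendgrid.net -all",
                            "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
                            "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY")
```

To run it against a real zone, feed it the TXT values returned by `dig TXT <domain>`, `dig TXT _dmarc.<domain>` and `dig TXT <selector>._domainkey.<domain>`; `WEAK` yields four findings and `HARDENED` none.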

// run it on your own app

Ship with confidence; FixVibe keeps watching for risk.

FixVibe stress-tests your app's public surface the way an attacker would: no agent, no install, no credit card. We continuously research new vulnerability patterns and turn them into practical checks and fixes you can paste straight into Cursor, Claude, or Copilot.
