Email authentication: SPF, DKIM, DMARC, and BIMI in practice
Email spoofing is a 30-year-old problem with a working solution. Here is how to deploy SPF, DKIM, and DMARC correctly so attackers cannot send mail that claims to come from your exact domain.
Three DNS-based mechanisms together prevent email spoofing of your domain. SPF (Sender Policy Framework, RFC 7208) publishes, in a TXT record, the IP addresses authorized to send for your domain; receivers check the connecting IP against the record for the domain in the SMTP envelope sender (MAIL FROM / Return-Path), not the From: header a user sees. DKIM (DomainKeys Identified Mail, RFC 6376) has the sending server sign outbound messages with a private key; the public key is published in DNS under a selector (selector._domainkey.yourdomain), and receivers verify the signature. DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) ties both to the From: header domain. A message passes DMARC when SPF or DKIM passes and the authenticated domain aligns with the From: domain; only when neither passes with alignment does the receiver apply the published policy, none, quarantine, or reject. DMARC also asks receivers to send aggregate reports back so you can monitor who is sending as your domain.
A correctly deployed DMARC policy of p=reject stops exact-domain impersonation at every receiver that matters: Google, Microsoft, Yahoo, and Apple's iCloud Mail all evaluate DMARC and act on a reject policy. Since February 2024, Google and Yahoo's joint sender requirements have obliged bulk senders (more than 5,000 messages a day to their users) to publish a DMARC policy, authenticate with both SPF and DKIM, and align at least one of them with the From: domain, so the groundwork is no longer optional for anyone sending at volume. Without DMARC, attackers send mail "from" your domain to your customers, suppliers, and employees, a daily reality for many Azerbaijani brands whose domains lack proper records. Note the boundary: DMARC covers your exact domain and its subdomains only; lookalike domains (examp1e.az) and forged display names need separate controls.
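The pass/fail rule described above, as a receiver actually computes it. This is an added example written for this article, not code from the page or from any mail provider: the DNS table, the public-suffix table and the domain names (example.az, mcsv.net, mailchimpapp.net) are constructed for illustration, and a real receiver would use the full Public Suffix List and live DNS.

```python
"""DMARC alignment and disposition as a receiving MTA computes it (RFC 7489).

Added illustration; not the page's code. A message passes when SPF or DKIM
passes AND that authenticated domain aligns with the RFC5322.From domain.
The public-suffix table and DNS records below are constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "az", "com.az", "co.uk"}

# Constructed DNS. example.az publishes one record at its organizational
# domain; staged.example.az publishes its own record with a pct ramp.
DNS_TXT: Dict[str, str] = {
    "_dmarc.example.az": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                         "rua=mailto:dmarc@example.az",
    "_dmarc.staged.example.az": "v=DMARC1; p=reject; pct=50",
}


def organizational_domain(name: str) -> str:
    """Public suffix plus one label, e.g. news.example.az -> example.az."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return name.lower()


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class DmarcRecord:
    p: str
    sp: Optional[str] = None
    adkim: str = "r"
    aspf: str = "r"
    pct: int = 100


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the tag=value; list of a DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return DmarcRecord(p=tags["p"], sp=tags.get("sp"), adkim=tags.get("adkim", "r"),
                       aspf=tags.get("aspf", "r"), pct=int(tags.get("pct", "100")))


def lookup_policy(from_domain: str) -> Tuple[Optional[DmarcRecord], bool]:
    """Query _dmarc.<from>, then fall back to the organizational domain.
    Returns (record, found_at_parent); sp applies only in the parent case."""
    txt = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if txt is not None:
        return parse_dmarc(txt), False
    org = organizational_domain(from_domain)
    txt = DNS_TXT.get(f"_dmarc.{org}")
    return (parse_dmarc(txt), org != from_domain.lower()) if txt else (None, False)


def evaluate(from_domain: str, spf: Tuple[str, str], dkim: List[Tuple[str, str]],
             sample: Optional[int] = None) -> Tuple[str, str]:
    """spf = (result, MAIL FROM domain); dkim = [(result, d= domain), ...].
    Returns (dmarc_result, disposition)."""
    record, at_parent = lookup_policy(from_domain)
    if record is None:
        return "none", "none"          # no policy published: nothing to enforce
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, record.aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, record.adkim) for r, d in dkim)
    if spf_ok or dkim_ok:              # one aligned pass is enough
        return "pass", "none"
    policy = record.sp if (at_parent and record.sp) else record.p
    if policy != "none" and record.pct < 100:
        # pct samples the stricter action; unsampled messages get the next weaker one
        roll = sample if sample is not None else random.randint(1, 100)
        if roll > record.pct:
            policy = "quarantine" if policy == "reject" else "none"
    return "fail", policy


if __name__ == "__main__":
    print(evaluate("example.az", ("pass", "bounces.example.az"), []))            # aligned SPF
    print(evaluate("example.az", ("pass", "mail.mailchimpapp.net"), [("pass", "mcsv.net")]))
    print(evaluate("example.az", ("none", ""), [("pass", "mail.example.az")]))  # adkim=s bites
    print(evaluate("news.example.az", ("softfail", "news.example.az"), []))      # sp applies
```

The second and third cases are the ones that surprise people: a message can have valid SPF and a valid DKIM signature and still fail DMARC, because the authenticated domains belong to the provider (or, under strict alignment, to a subdomain) rather than to the From: domain.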
Deployment proceeds in phases because misconfiguration breaks legitimate mail. Phase 1: publish SPF and DKIM. The SPF record lists every service that sends as your domain: Microsoft 365 (include:spf.protection.outlook.com), Google Workspace (include:_spf.google.com), your marketing platform (Mailchimp, SendGrid, HubSpot), your CRM, and your transactional sender (Postmark, Amazon SES). Mind the limit of ten DNS-querying mechanisms per evaluation (RFC 7208 section 4.6.4): every include, a, mx, exists, and redirect counts, nested includes count too, and a record that exceeds ten returns permerror, which most receivers treat as no SPF at all. Start with a soft-fail qualifier (~all) and tighten to -all once the reports are clean. DKIM is signed per service: enable it on each provider and publish the selector records they give you, and where a provider offers a custom signing domain (usually a CNAME under your domain), use it, because a signature with d= set to the provider's domain does not align with your From: domain and earns no DMARC credit. Phase 2: publish DMARC at _dmarc.yourdomain with p=none and rua=mailto: pointing to a DMARC monitoring service (DMARCian, EasyDMARC, Valimail, Cloudflare DMARC Reporting); these services also publish the authorization record that receivers check before sending reports to a third-party domain. Phase 3: review the aggregate reports for two to four weeks, fix every legitimate sender failing alignment (a custom return-path domain for SPF alignment, a custom DKIM domain for DKIM alignment), then move to p=quarantine, then p=reject, ramping with pct= if you need to and setting sp= so subdomains are covered.
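Phase 3 lives or dies on reading the aggregate (rua) reports, so here is a summarizer that turns one into the list of senders that need fixing before you tighten the policy. This is an added example written for this article, not code from the page or from any monitoring vendor; the report is a constructed XML document in the RFC 7489 Appendix C format with invented IP addresses and counts (real reports arrive as gzip or zip attachments, and should be parsed with a hardened XML parser such as defusedxml because they come from third parties).

```python
"""Summarize a DMARC aggregate (rua) report for phase-3 review.

Added example, not the page's code. The report below is constructed:
the IPs, counts and provider domains are illustrative only.
"""
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree on real reports
from typing import Dict, List

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.az</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.az</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.az</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.az</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.az</header_from></identifiers>
    <auth_results>
      <dkim><domain>mcsv.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>mail12.mailchimpapp.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.az</header_from></identifiers>
    <auth_results>
      <spf><domain>example.az</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text: str) -> Dict[str, dict]:
    """Group rows by source IP and classify each by what the DMARC result means.

    policy_evaluated/dkim and /spf are the ALIGNED results the receiver used;
    auth_results holds the raw results and the domains that actually passed.
    """
    root = ET.fromstring(xml_text)
    out: Dict[str, dict] = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        raw_dkim = [(d.findtext("domain"), d.findtext("result")) for d in rec.findall("auth_results/dkim")]
        raw_spf = [(s.findtext("domain"), s.findtext("result")) for s in rec.findall("auth_results/spf")]
        if dkim_aligned or spf_aligned:
            verdict = "pass"
        elif any(r == "pass" for _, r in raw_dkim + raw_spf):
            verdict = "unaligned"        # authenticates, but under the provider's domain
        else:
            verdict = "unauthenticated"  # nothing passed: forwarding or spoofing
        entry = out.setdefault(ip, {"count": 0, "verdict": verdict,
                                    "dkim_domains": set(), "spf_domains": set()})
        entry["count"] += count
        entry["dkim_domains"].update(d for d, r in raw_dkim if r == "pass")
        entry["spf_domains"].update(d for d, r in raw_spf if r == "pass")
    return out


def action_items(summary: Dict[str, dict]) -> List[str]:
    """One line per source that would be quarantined or rejected at enforcement."""
    items = []
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        if e["verdict"] == "unaligned":
            items.append(f"{ip} ({e['count']} msgs): passes as {sorted(e['dkim_domains'] | e['spf_domains'])}; "
                         f"enable custom DKIM/return-path domain or drop the sender")
        elif e["verdict"] == "unauthenticated":
            items.append(f"{ip} ({e['count']} msgs): no authentication at all; "
                         f"identify the host or accept that enforcement will block it")
    return items


if __name__ == "__main__":
    for line in action_items(summarize(SAMPLE_REPORT)):
        print(line)
```

Sources that show up as "unaligned" are the ones the page's phase 3 is about: they are legitimate senders whose provider signs with its own domain, and the fix is on the provider's side (custom DKIM domain, custom bounce domain), not in your DMARC record. "Unauthenticated" sources with small counts from unfamiliar networks are usually the spoofing you want p=reject to stop.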
Do not skip DKIM key strength and rotation. Publish 2048-bit RSA keys at minimum (RFC 8301 requires signers to use at least 1024 bits and recommends 2048, and lets verifiers ignore anything shorter) and rotate at least annually with selector versioning (e.g., s2026.04._domainkey): publish the new key under the new selector, switch signing to it, and delete the old selector only after mail signed with it has stopped circulating, a few days later. Add MTA-STS and TLS-RPT to enforce TLS for inbound mail. MTA-STS needs two pieces: a TXT record at _mta-sts.yourdomain (v=STSv1; id=...) and a policy file served over HTTPS at https://mta-sts.yourdomain/.well-known/mta-sts.txt that lists your MX hosts; in enforce mode, supporting senders refuse to deliver to you over plaintext or to an MX not in the policy, so start in testing mode and keep the policy's mx patterns in step with your actual MX records. TLS-RPT (a TXT record at _smtp._tls.yourdomain) gets you reports when that enforcement fails. MTA-STS protects mail coming to you; DMARC is what protects mail sent as you. BIMI (Brand Indicators for Message Identification) lets receivers display your verified logo next to messages from your domain; it requires DMARC at enforcement (p=quarantine with pct=100, or p=reject, with any sp= tag also at quarantine or reject) and, for Gmail and Apple Mail to show the logo, a Verified Mark Certificate from Entrust or DigiCert covering an SVG Tiny PS logo file. The cost of getting email authentication right is low; the cost of leaving it open is impersonation incidents that erode trust for years.
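The MTA-STS failure mode worth checking before you switch to enforce mode is a policy whose mx patterns do not cover every host in your MX records. Below is an added example for this article (not the page's code or any vendor's) that validates the TXT record and the policy file and matches the policy against an MX list; the record, policy, and MX hosts are constructed, and in production you would fetch the policy from https://mta-sts.yourdomain/.well-known/mta-sts.txt and the MX list from DNS.

```python
"""Validate an MTA-STS policy (RFC 8461) against a domain's MX records.

Added example; not the page's code. All inputs below are constructed.
"""
from typing import Dict, List

MTA_STS_TXT = "v=STSv1; id=20260401T120000"   # _mta-sts.example.az TXT (constructed)
MX_HOSTS = [                                   # constructed MX list for example.az
    "example-az.mail.protection.outlook.com",
    "mx.backup-relay.example.net",
]
POLICY_FILE = """version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
"""
POLICY_FILE_FIXED = POLICY_FILE + "mx: mx.backup-relay.example.net\n"


def parse_policy(text: str) -> Dict[str, object]:
    """key: value lines; mx may repeat, everything else is single-valued."""
    policy: Dict[str, object] = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and "." not in host[: -len(suffix) - 1]
    return host == pattern


def check(txt: str, policy_text: str, mx_hosts: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the policy is deployable."""
    problems: List[str] = []
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        problems.append("TXT record must be v=STSv1 with a non-empty id")
    pol = parse_policy(policy_text)
    if pol.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if pol.get("mode") not in ("enforce", "testing", "none"):
        problems.append(f"unknown mode {pol.get('mode')!r}")
    try:
        max_age = int(str(pol.get("max_age", "")))
        if not 0 < max_age <= 31557600:   # RFC 8461: at most one year
            problems.append("max_age out of range")
    except ValueError:
        problems.append("max_age must be an integer")
    if not pol["mx"]:
        problems.append("policy lists no mx patterns")
    for host in mx_hosts:
        if not any(mx_matches(pat, host) for pat in pol["mx"]):
            problems.append(f"MX {host} is not covered by any mx: pattern; "
                            f"in enforce mode senders will refuse to use it")
    return problems


if __name__ == "__main__":
    print(check(MTA_STS_TXT, POLICY_FILE, MX_HOSTS))        # backup MX missing
    print(check(MTA_STS_TXT, POLICY_FILE_FIXED, MX_HOSTS))  # []
```

Remember that senders cache the policy for max_age seconds and only re-fetch when the id in the TXT record changes, so every edit to the policy file must come with a new id, and a secondary MX added without updating the policy will be unreachable for enforce-mode senders until the cache expires.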
Related reading
DNS security: DNSSEC, DoH, DoT, and protective DNS
DNS is the unglamorous foundation that attackers abuse for C2, exfiltration, and phishing. Hardening it is cheap and catches a category of attacks no firewall sees.
Web Application Firewall: deploying WAF without breaking the app
A WAF blocks SQL injection, command injection, and bots — but only when tuned. Untuned WAF either lets attacks through or blocks legitimate users.
Backup strategy 3-2-1: ransomware-resistant backups in practice
The 3-2-1 rule — three copies, two media types, one offsite — is necessary but not sufficient against modern ransomware. Add immutability and air gap.