Learning about DMARC, SPF and DKIM

Deciphering DMARC, DKIM and SPF

If you’re new to our blog, or haven’t encountered email protocols before here’s the top three you need to know:

  • SPF: Sender Policy Framework
  • DKIM: DomainKeys Identified Mail
  • DMARC: Domain-based Message Authentication, Reporting & Conformance

So, why do we care specifically about these acronyms when explaining email security? There’s no mention of spam or gateways, so are they really vital defenses? 

2018 saw a 250% year-on-year increase in DMARC policies published, so whatever it is, it’s seeing traction in the market. So let’s explain each acronym and see if we can’t make it simple.

The threat of email-based phishing attacks

Email is a widely used communication tool and therefore unsurprisingly vulnerable to cyber attacks. A common entry point into an organization’s network is via those lovable threat vectors, employees. 

How many times have you heard about that unwitting victim that paid an invoice because the CEO had emailed for urgent action to be taken to negate late payment fees? And how many times had that email come from a spoofed email account?

So DMARC is a protocol that ensures that emails are authenticated properly and ensures that recipients can rest assured that emails have been sent from legitimate sources, blocking malicious emails from inboxes, and increasing the overall deliverability of authorized emails.

The science bit (Sort of. Actually it’s very straightforward.)

The way that DMARC does this is by using SPF and DKIM, two foundational technologies that help secure different aspects of email and provide a more comprehensive validation. 

  • SPF verifies whether an email was sent from an authorized IP address. 
  • DKIM verifies if an email has been signed by the same domain it was sent from or from a domain that is authorized to send on behalf of that domain. 

They both produce what is known as authentication identifiers that DMARC uses to authenticate emails and set rules about how receiving servers should treat emails that fail authentication checks.

DMARC is a little bit like a club bouncer who vets visitors – they deny or allow people in based on what the owner has mandated is acceptable; for example dress code, age, and if they’re sober enough to still stand up.

The diagram below shows how SPF, DKIM and DMARC work with each other:

How SPF and DKIM produce authentication identifiers that DMARC uses to authenticate email.

1a & 1b :  An authorised and unauthorised message is sent to the receiver’s email server.

2 : The receiver’s server checks the sender’s DNS for DMARC, SPF, and DKIM records.

3 : The receiving server verifies the incoming message against SPF and DKIM and if either validation passes it sends the message onto the recipient.

4:  If validation fails, the message will be sent to a spam folder or completely rejected, depending on how DMARC is configured – end user will never see the failed message.

So that’s a basic walkthrough on some regularly used email security acronyms. If this has whet your appetite for learning more about security acronyms, have a read of this article by Peter Loshin at SearchSecurity.

If you’re unsure whether your organization is using these globally-accepted email protocols, you can use our free investigate tool to check your email setup today.

Check email DMARC setup


Clare Holmes

2 Oct. 2019



Recent Posts


Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more

Understanding the polyfill.io domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the polyfill.io domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to polyfill.io. Latest update: 27th June 2024 Sansec, a…

Read more