DKIM, SPF and DMARC – brief explanation on why implementing them provides the best email protection

Before addressing how DMARC is set up for a domain, it’s important to have a clear understanding why DMARC is vital for email security and how it’s connected to SPF and DKIM.

Most organizations have some sort of inbound security enabled for their company. These tools protect incoming emails and filter messages containing spam and/or viruses. However these tools only cover the inbound aspect.

As shown in the graph below, DMARC adds two interesting aspects to the security. The most important addition is the visibility into the outbound channel, so the emails which are sent on behalf of your organization. You can gain control over these emails and by using the DMARC policy instruct ISPs what to do with messages which fail DMARC.

If you also apply DMARC on the inbound messages, you can filter messages appearing from your domains and thus protect your employees against spear phishing attacks.

inbound and outbound security

Why is DMARC linked to SPF and DKIM?

SPF or DKIM on it’s own don’t protect an organization’s email channel. On itself, without the use of DMARC,, SPF and DKIM do not mitigate the deliverability of email. Only when DMARC is used to combine the two authentication techniques, the deliverability of emails can be controlled. When ISPs encounter a DMARC record they will check the setup of SPF and DKIM and based on this result deliver the email in the inbox of the receiver or not. Based on the setting of the DMARC record, invalidly configured emails may be quarantined or rejected.

SPF records are a long-standing form of email authentication. SPF is relatively easy to implement, however breaks easier because it doesn’t survive automatic forwarding. In essence, SPF dictates the method for receiving mail servers to verify whether incoming emails have originated from a host that has been authorized by the domain administrator.

DKIM is safer because it adds a digital signature to the headers of and email body. Only Implementing DKIM will not work on it’s own as you need to have a DMARC record in on your domain to protect against spoofing or attacks. Good to know is that DKIM does not work on it’s own! Without a DMARC record in place, your domains will still be open for spoofing and attacks.

How can DMARC Analyzer help monitoring outbound email flows?

With the help of DMARC Analyzer, organizations can gain full insight into their outbound email channel. Previously, organizations could only get insight into phishing attacks when an attack had already happened. Using DMARC it is possible to gain insight into attacks before they happen, as well as being informed in advance with any malicious activity.