Setting up Email Impersonation Protection

Set up SPF, DKIM, and DMARC so criminals can't spoof your domain in email.

Mike from Iceberg
Jun 16, 2026

How SPF, DKIM, and DMARC work

SPF, DKIM, and DMARC are three records in your domain's DNS that let receiving mail servers confirm a message really came from you. SPF (RFC 7208) lists which servers are allowed to send mail for your domain. DKIM (RFC 6376) adds a cryptographic signature so the message can't be altered in transit without detection. DMARC (RFC 7489) ties the two together: it tells receivers what to do when a message fails the checks, and sends you reports on who is sending mail as your domain.

What's at stake

Without these records, anyone can forge your "From" address and the recipient's mail server has no way to tell. This is the mechanism behind gift-card requests from "the owner" and fake invoices from "a vendor." CISA lists SPF, DKIM, and DMARC as baseline email security controls every organization should have in place.

How to fix it

  1. Publish an SPF record. List the services allowed to send email for your domain (your mail provider, marketing tools, and so on).
  2. Enable DKIM. Your email platform - Microsoft 365 or Google Workspace - generates the keys; you add the published value to DNS.
  3. Add a DMARC record. Start at p=none to monitor the reports without affecting delivery. Once your legitimate mail is passing cleanly, move the policy to quarantine, then to reject. dmarc.org documents each stage.

How to confirm it's fixed

Check the Your Results table in your Cyber Score - SPF, DKIM, and DMARC should each return a valid record. Your DMARC reports will also show whether any unauthorized sender is still using your domain. Open your Cyber Score, review the current SPF, DKIM, and DMARC values, then have your IT provider correct them in DNS.
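
To check steps 1 and 3 independently, here is an added example (not part of the original article or of the Cyber Score product): a Python audit of the SPF and DMARC TXT strings returned by a DNS lookup. It flags the common ways a record can be present yet leave the domain unprotected. The sample records, the example.com reporting address used in testing, and the function names `audit_spf` and `audit_dmarc` are constructed for illustration.

```python
import re

# Terms that cost a DNS lookup (RFC 7208 allows 10 per evaluation).
# Only this record is counted; nested includes add more at the receiver.
LOOKUP_TERM = re.compile(r"^(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))")

# Constructed sample records for a placeholder domain.
SAMPLE_TXT = ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com ?all",
              "google-site-verification=constructed-value"]
SAMPLE_DMARC = "v=DMARC1; p=none"

def audit_spf(txt_records):
    """Findings for the TXT records at the domain apex (step 1)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple v=spf1 records (permerror)"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lstrip("+-~?")))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms, limit is 10 (permerror)")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if not all_terms and not has_redirect:
        findings.append("no 'all' term: unlisted senders get neutral, not fail")
    elif all_terms and all_terms[0][0] in "+a":
        findings.append("'+all' authorizes every server on the internet")
    elif all_terms and all_terms[0][0] == "?":
        findings.append("'?all' is neutral: unlisted senders are not failed")
    return findings

def audit_dmarc(record):
    """Findings for the TXT record at _dmarc.<domain> (step 3)."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["record must begin with v=DMARC1"]
    tag = dict(tags)
    policy = tag.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"missing or invalid p= tag: {policy!r}"]
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tag:
        findings.append("no rua= address: no aggregate reports will arrive")
    return findings

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT), audit_dmarc(SAMPLE_DMARC))
```

An empty list from both functions means the record parses and enforces; DKIM is not covered here because its selector name depends on the mail platform.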
