
Email Spoofing 101 — Why Your SPF/DKIM/DMARC Config Matters

Email spoofing is one of the simplest yet most effective attack vectors. An attacker sends an email that appears to come from your domain — your customers, partners, and employees trust it because they trust you.

The Three Layers of Email Defense

SPF (Sender Policy Framework)

SPF publishes a list of IP addresses authorized to send email from your domain. It’s a TXT record in your DNS.

Vulnerability: SPF alone does not stop an attacker from spoofing the visible “From” header, because SPF only checks the envelope sender (Return-Path). Many servers also don’t enforce SPF strictly.

# Weak SPF — allows anyone to send
v=spf1 +all

# Better — specify authorized senders
v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all

# Best — hard fail with monitoring
v=spf1 include:_spf.google.com -all

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to outgoing emails. The receiving server checks the signature against a public key published in your DNS.

Vulnerability: If DKIM isn’t configured, or if the signature algorithm is weak (1024-bit RSA), attackers can forge emails without detection. Selective signing (only signing some emails) also creates gaps.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receiving servers what to do when SPF or DKIM fails. It also sends you reports about who’s sending email claiming to be from your domain.

Vulnerability: Most companies never get past monitoring mode (p=none). Without enforcement (p=quarantine or p=reject), DMARC does nothing to stop spoofing.

# Monitoring only — no protection
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

# Quarantine suspicious email
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

# Reject spoofed email entirely
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com

What BrandGuard Checks

Every scan runs three parallel checks:

  1. DNS record presence: Do SPF, DKIM, and DMARC records exist?
  2. Syntax validation: Are the records syntactically correct?
  3. Security scoring: Is there a -all (hard fail) for SPF? Is DMARC in enforcement mode? Are the DKIM keys strong enough?
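A sketch of the security-scoring step for SPF and DMARC, added here as an illustration and not BrandGuard's own code. The function names and the result labels ("open", "Protected" and so on) are assumptions; records are passed in as strings, so no DNS lookup is made, and DKIM key-strength checking is left out.

```python
import re

SPF_ALL = {"+": "open", "?": "neutral", "~": "soft fail", "-": "hard fail"}

def score_spf(record):
    """Classify an SPF TXT record by the qualifier on its 'all' mechanism."""
    terms = (record or "").lower().split()
    if not terms:
        return "missing"
    if terms[0] != "v=spf1":
        return "invalid"
    for term in terms[1:]:
        m = re.fullmatch(r"([+?~-]?)all", term)
        if m:
            # A bare 'all' defaults to the '+' qualifier (RFC 7208).
            return SPF_ALL[m.group(1) or "+"]
    return "no all"  # nothing tells receivers how to treat other senders

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, _, value in pairs}

def score_dmarc(record):
    """Classify a DMARC TXT record by its policy (p) and pct tags."""
    if not record or not record.strip():
        return "missing"
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"
    if policy == "none":
        return "monitoring only"
    # Enforcement applied to only part of the mail flow is reported separately.
    return policy if int(pct) == 100 else f"partial {policy} ({pct}%)"

def domain_status(spf, dmarc):
    """Combine both results; 'Protected' needs hard-fail SPF and enforced DMARC."""
    s, d = score_spf(spf), score_dmarc(dmarc)
    ok = s == "hard fail" and d in ("quarantine", "reject")
    return {"spf": s, "dmarc": d, "status": "Protected" if ok else "At Risk"}

if __name__ == "__main__":
    # Constructed input: record strings modelled on the examples in this article.
    print(domain_status("v=spf1 include:_spf.google.com -all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"))
```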

Example Report Output

Domain: stryxintel.com
─────────────────────────────────
SPF:    ✅ present (hard fail)
DKIM:   ✅ present (2048-bit RSA)
DMARC:  ⚠️  monitoring only (p=none)
Status: 🔶 At Risk — upgrade DMARC to p=quarantine

The SME Problem

Many SMEs set up email through Google Workspace or Microsoft 365 and assume security is handled. Default configurations often:

  • Leave SPF as ~all (soft fail) instead of -all (hard fail)
  • Never configure DKIM
  • Set DMARC to p=none and forget it

An attacker needs exactly one of these gaps to send a convincing phishing email from your domain.

Automated Remediation (Coming Soon)

With Stryx Remediate, you’ll be able to generate DNS config snippets for your provider (Cloudflare DNS, Namecheap, AWS Route53) and apply them with one click.

Until then, check your own domain at the BrandGuard scanner — it’s free, and it takes 10 seconds.