SPF authorizes sending servers, DKIM signs messages and DMARC sets the failure policy. Together, the three protect your domain from phishing and spoofing.
Email is the number one attack vector: 90% of cyberattacks begin with a malicious email. Phishing, spear-phishing, Business Email Compromise (BEC), attachments carrying malware and links to credential-harvesting sites are daily threats your team faces with every inbox it opens. The good news is that the combination of three email-authentication technologies (SPF, DKIM, DMARC) with organizational measures can drastically reduce the risk. This guide explains how to implement them step by step. If you are looking for the real-world case, jump to the DO Ribera del Duero winery case.
Why is email the preferred attack vector?
Email is perfect for cybercriminals for several reasons. It reaches the end user directly, bypassing perimeter controls. It allows identity impersonation (sending an email that appears to come from your bank, your boss or a supplier). It can include malicious attachments or links to fraudulent sites. And it exploits trust and urgency, the most effective psychological levers of social engineering.
The most frequent email attack types are mass phishing (sending generic messages to thousands of recipients, hoping a percentage fall for it), spear-phishing (personalized attacks aimed at specific people using researched information), Business Email Compromise or BEC (impersonating the CEO, the CFO or a supplier to request transfers), and attachment-borne malware (documents with malicious macros, PDFs with exploits, compressed files with executables).
SPF: verifying who can send from your domain
SPF (Sender Policy Framework, RFC 7208) is a DNS TXT record that indicates which mail servers are authorized to send emails on behalf of your domain. When a receiving server gets an email claiming to come from your domain, it queries the SPF record to verify whether the sending server is on the list of authorized servers. If it is not, the email is flagged as suspicious or rejected.
To configure SPF, identify all the servers and services that legitimately send email from your domain (your mail server, your email marketing provider, your CRM if it sends emails, your billing system). Create a TXT record in your domain's DNS that lists all these authorized servers. And verify that it works correctly with tools such as MXToolbox, dmarcian or Google's SPF Checker.
An example of SPF for a typical Spanish SME using Microsoft 365 + Mailchimp + Brevo:
```
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:spf.sendinblue.com -all
```
The most frequent mistake is forgetting some service that sends legitimate email, which causes your own emails to be rejected. Make an exhaustive inventory before publishing the record. Watch out, too, for the limit of 10 DNS lookups (if you exceed it, receivers return a PermError and SPF stops working).
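To make the qualifiers and the ten-lookup budget concrete, here is a simplified SPF evaluator, added as an example and not code from the article. It resolves names against a constructed in-memory table (the `.example` domains, addresses and records in `FAKE_DNS` are invented for the demonstration) instead of real DNS, supports the ip4, ip6, a, mx, include and all mechanisms, and raises a PermError once more than ten lookup-incurring mechanisms have been evaluated, which is what the self-referencing `loop.example` record triggers:

```python
"""Simplified SPF check_host (RFC 7208) over a constructed in-memory DNS table.

FAKE_DNS stands in for real DNS so the example runs offline; every domain, IP
and record in it is invented for this demonstration.
"""
import ipaddress

FAKE_DNS = {
    "yourdomain.example": {
        "TXT": ["v=spf1 include:spf.mailhost.example a mx ip4:203.0.113.10 -all"],
        "A": ["203.0.113.20"],
        "MX": ["mx1.yourdomain.example"],
    },
    "mx1.yourdomain.example": {"A": ["203.0.113.30"]},
    "spf.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

MAX_LOOKUPS = 10                                              # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # each costs one DNS query
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """The record cannot be evaluated (too many lookups, include of a domain without SPF, ...)."""


def lookup(domain, rtype):
    return FAKE_DNS.get(domain, {}).get(rtype, [])


def spf_record(domain):
    """The single v=spf1 TXT record of a domain, or None if it publishes none."""
    found = [r for r in lookup(domain, "TXT") if r.lower().split()[0] == "v=spf1"]
    if len(found) > 1:
        raise PermError(f"{domain}: more than one SPF record")
    return found[0] if found else None


def check_host(ip, domain, _state=None):
    """Evaluate ip sending as domain; return (result, dns_lookups_used).

    Supports ip4, ip6, a, mx, include and all. ptr and exists are counted against
    the lookup budget but never match; redirect=/exp= modifiers and CIDR suffixes
    on a/mx are ignored in this simplified evaluator.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = spf_record(domain)
    if record is None:
        return "none", state["lookups"]
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:                      # modifier (redirect=, exp=): not handled here
            continue

        if name in LOOKUP_MECHANISMS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise PermError(f"more than {MAX_LOOKUPS} DNS lookups while evaluating {domain}")

        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            sub, _ = check_host(ip, arg, state)
            if sub == "none":
                raise PermError(f"include:{arg} points at a domain without SPF")
            matched = sub == "pass"          # include matches only on a pass of the referenced record
        if matched:
            return QUALIFIERS[qual], state["lookups"]
    return "neutral", state["lookups"]       # nothing matched and no "all" term


if __name__ == "__main__":
    for sender in ("198.51.100.7", "203.0.113.20", "192.0.2.1"):
        print(sender, check_host(sender, "yourdomain.example"))
```

With a real resolver behind `lookup`, the same walk tells you how many of the ten lookups your record and its includes consume; an `include:` of a provider whose own record chains further includes is charged for each of them, which is how a record listing three or four services can exhaust the budget without any mistake on your side.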
DKIM: cryptographically signing your emails
DKIM (DomainKeys Identified Mail, RFC 6376) adds a cryptographic signature to every email you send. The receiving server verifies this signature against a public key published in your DNS. If the signature is valid, the receiver knows that the signed headers and the body were not modified in transit and that the message was signed with a key under your domain's control.
Configuring DKIM is more technical than SPF because it requires generating a cryptographic key pair, publishing the public key in DNS and configuring the mail server to sign outgoing messages with the private key. Most business email services (Microsoft 365, Google Workspace) simplify this process with setup wizards. In 2026 you should use 2048-bit keys (1024-bit keys are considered vulnerable and deprecated).
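As an added illustration of the integrity check (not code from the article or from any mail provider), the following Python computes the DKIM body hash (`bh=`) with the simple and relaxed canonicalizations of RFC 6376 and compares it with the value carried in a constructed `DKIM-Signature` header; the domain `yourdomain.example`, the selector `sel2026` and the sample body are invented. The `b=` signature over the headers, which needs an RSA library and the public key fetched from `selector._domainkey`, is deliberately left out.

```python
"""DKIM body-hash (bh=) verification with the simple and relaxed body
canonicalization of RFC 6376 section 3.4.

Only the integrity step over the body is shown: checking the b= signature over
the headers needs an RSA library and the public key published at
selector._domainkey, and is left out. The sample header and body are constructed.
"""
import base64
import hashlib
import re


def canonicalize_body(body, algo="relaxed"):
    """Canonical body as bytes with CRLF line endings.

    simple : strip trailing empty lines only (an empty body becomes a single CRLF)
    relaxed: also trim trailing whitespace per line and collapse whitespace runs
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if algo == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if algo == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, algo="relaxed", length=None):
    """Base64 SHA-256 over the canonical body, truncated to l= bytes if a length tag is set."""
    data = canonicalize_body(body, algo)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_tags(value):
    """Parse a tag=value list (DKIM-Signature header or a _domainkey TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folding whitespace carries no meaning
    return tags


def dkim_dns_name(selector, domain):
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def verify_body_hash(dkim_signature, body):
    """True when the bh= tag matches the body as received, i.e. the body was not altered."""
    tags = parse_tags(dkim_signature)
    # only v=1 with a SHA-256 algorithm (rsa-sha256, ed25519-sha256) is accepted; sha1 is obsolete
    if tags.get("v") != "1" or not tags.get("a", "").lower().endswith("-sha256"):
        return False
    canon = tags.get("c", "simple/simple")
    body_algo = canon.split("/")[1] if "/" in canon else "simple"
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_algo, length) == tags.get("bh")


# Constructed sample: domain, selector and body are invented; bh is computed here
# so the header is self-consistent, and b= is a placeholder for the RSA signature.
SAMPLE_BODY = "Please find the invoice attached.\r\n\r\nRegards,  \r\nAccounts\r\n\r\n"
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.example; s=sel2026;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=SIGNATURE_PLACEHOLDER"
)

if __name__ == "__main__":
    print("public key record:", dkim_dns_name("sel2026", "yourdomain.example"))
    print("original body verifies:", verify_body_hash(SAMPLE_SIG, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("invoice", "revised invoice")
    print("tampered body verifies:", verify_body_hash(SAMPLE_SIG, tampered))
```

Relaxed canonicalization is what lets a signature survive the whitespace changes some relays make, while any change to the words of the body still breaks the hash; a mailing list that appends a footer breaks it too, which is one reason DMARC treats DKIM and SPF as alternatives rather than requiring both.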
DMARC: the policy that ties it all together
DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is the piece that ties SPF and DKIM together and lets you define what to do with the emails that fail the checks. In addition, it provides daily XML reports that let you monitor who is sending emails using your domain.
DMARC implementation must be progressive. In the first phase, set the policy to p=none (monitoring only, no blocking). Review the reports for 2-4 weeks to identify legitimate emails that fail the checks and fix them. In the second phase, change the policy to p=quarantine (failing emails go to spam). Monitor for another 2-4 weeks to verify there are no false positives. And in the third phase, change the policy to p=reject (failing emails are rejected outright). This is the most secure policy and the one that should be your final goal.
An example of DMARC in the final reject phase:
```
v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; fo=1
```
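The following DMARC evaluator is added as an example and is not the article's code: it parses a `_dmarc` record, applies relaxed (`r`) or strict (`s`) alignment for SPF and DKIM, chooses between `p=` and `sp=` depending on whether the From domain is a subdomain, and honors `pct=` sampling. The organizational-domain lookup uses a tiny constructed suffix table instead of the full Public Suffix List, the record is assumed to be the organizational domain's record, and the domains are invented.

```python
"""DMARC (RFC 7489) evaluation: parse the _dmarc record, test SPF/DKIM identifier
alignment in relaxed or strict mode, and derive the disposition.

PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List, and
the record is assumed to belong to the organizational domain; domains are invented.
"""
import random

PUBLIC_SUFFIXES = {"com", "es", "example", "co.uk"}   # constructed for this example


def org_domain(domain):
    """Organizational domain = public suffix plus one label (mail.x.example -> x.example)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(record):
    """Tag list of a v=DMARC1 record with the RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")        # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])     # subdomains inherit p= unless sp= is set
    return tags


def aligned(auth_domain, from_domain, mode):
    """strict (s): exact match; relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result=None, spf_domain=None,
                      dkim_result=None, dkim_domain=None, rng=random.random):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the RFC5322.From domain, spf_domain the MAIL FROM domain that
    SPF evaluated, dkim_domain the d= of a signature that verified. Disposition
    is none, quarantine or reject.
    """
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, pol["adkim"])
    if spf_ok or dkim_ok:                # one aligned pass is enough
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = pol["sp"] if is_subdomain else pol["p"]
    pct = int(pol["pct"])
    if pct < 100 and rng() * 100 >= pct:
        # message not sampled: apply the next less severe action (RFC 7489 section 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    strict = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; fo=1"
    # SPF passed, but for a bounce subdomain: fine under aspf=r, a failure under aspf=s
    print(dmarc_disposition(strict, "yourdomain.example",
                            spf_result="pass", spf_domain="bounce.yourdomain.example"))
```

The strict example is worth keeping in mind when you copy a record like the one above: `aspf=s` turns every service that bounces from its own subdomain into a DMARC failure, which is exactly the kind of false positive the p=none monitoring phase exists to surface before you move to quarantine or reject.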
Technical table · SPF vs DKIM vs DMARC vs BIMI vs MTA-STS
| Protocol | What it does | Record type | Complexity | Mandatory in 2026 |
|---|---|---|---|---|
| SPF | Authorizes sending servers | DNS TXT | Low | Yes (Google/Yahoo >5k sends/day) |
| DKIM | Cryptographic message signature | DNS TXT (selector._domainkey) | Medium | Yes (Google/Yahoo >5k sends/day) |
| DMARC | Failure policy + reports | DNS TXT (_dmarc) | Medium-High | Yes (Google/Yahoo >5k sends/day, min. p=none) |
| BIMI | Verified logo in the inbox | DNS TXT + VMC | High | Recommended (brand trust) |
| MTA-STS | Mandatory TLS encryption between servers | DNS TXT + HTTPS policy | Medium | Recommended (confidentiality) |
| TLS-RPT | TLS failure reports | DNS TXT (_smtp._tls) | Low | Recommended (visibility) |
| DNSSEC | Cryptographic signing of DNS responses | DS / DNSKEY | Medium | Recommended (protect records) |
Beyond SPF/DKIM/DMARC: defense in depth
Email authentication is not enough on its own. It must be complemented with advanced anti-phishing filtering that analyzes the content of emails, the attachments and the links for indicators of attack. The most effective filters include a sandbox to analyze attachments in an isolated environment before delivering them, URL rewriting to verify links at the moment of the click (not just at delivery), impersonation analysis to detect sophisticated identity spoofing, and machine learning to identify phishing patterns that evade static rules.
Staff training is the essential complement to technology. Periodic phishing simulations (at least quarterly) with immediate training for those who fall for them are the most effective tool for reducing the click rate on real malicious emails.
Read my article on cybersecurity awareness to design an effective anti-phishing training program.
A 30-day implementation plan
In the first week, inventory all the services that send email from your domain and configure SPF. In the second week, configure DKIM on your main email service. In the third week, publish DMARC in p=none mode and start receiving reports (use a DMARC analyzer platform such as Postmark, Dmarcian, Valimail or EasyDMARC to process the XML). In the fourth week, analyze the reports, fix the false positives and plan the migration to p=quarantine. In the following months, progress from quarantine to reject as you gain confidence in the configuration.
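To show what an analyzer platform does with those XML attachments, here is an added example (not code from the article or from any of the platforms named) that parses a constructed DMARC aggregate report in the RFC 7489 schema, totals passes and failures, and lists the sources that failed both aligned checks; the reporter name, IP addresses, counts and domains are invented. The second record is built to look like a billing service that sends with its own MAIL FROM domain: SPF passes for that domain but is not aligned with the From domain, so DMARC fails, which is the signature of a legitimate sender missing from your configuration rather than of a spoofer.

```python
"""Summarize a DMARC aggregate (rua) report in the RFC 7489 XML schema.

SAMPLE_REPORT is a constructed report: reporter, IPs, counts and domains are invented.
"""
import gzip
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.example</domain><adkim>s</adkim><aspf>s</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.example</domain><selector>sel2026</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>14</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><spf><domain>billing-app.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>312</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def load_report(data):
    """Reports arrive as .xml.gz attachments (sometimes .zip); accept plain or gzip bytes."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def summarize(xml_text):
    """Totals plus one entry per source IP, with the receiver's verdicts."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "messages": 0, "passed": 0, "failed": 0, "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")   # aligned results
        passed = dkim == "pass" or spf == "pass"               # DMARC needs one aligned pass
        summary["messages"] += count
        summary["passed" if passed else "failed"] += count
        summary["sources"].append({
            "ip": row.findtext("source_ip"), "count": count,
            "disposition": ev.findtext("disposition"), "dkim": dkim, "spf": spf,
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_auth_domain": rec.findtext("auth_results/spf/domain"),
            "spf_auth_result": rec.findtext("auth_results/spf/result"),
        })
    return summary


def failing_sources(summary):
    """Sources whose mail failed both aligned checks, largest first.

    Each is either a legitimate service missing from SPF/DKIM (often visible as a raw
    SPF pass for an unaligned domain) or a third party spoofing the domain.
    """
    bad = [s for s in summary["sources"] if s["dkim"] != "pass" and s["spf"] != "pass"]
    return sorted(bad, key=lambda s: s["count"], reverse=True)


if __name__ == "__main__":
    report = summarize(load_report(SAMPLE_REPORT.encode("utf-8")))
    print(report["domain"], report["policy"], report["messages"], report["passed"], report["failed"])
    for src in failing_sources(report):
        print(src["ip"], src["count"], src["disposition"], src["spf_auth_domain"], src["spf_auth_result"])
```

During the p=none weeks, every IP that `failing_sources` returns gets checked against the sending inventory from week one: a known service means SPF or DKIM still needs fixing, an unknown one is a spoofing attempt that the move to quarantine and reject will start blocking.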
Real-world case: a DO Ribera del Duero winery · 28 employees · SPF/DKIM/DMARC in 3 months
A historic DO Ribera del Duero winery with 28 employees, based in the Aranda region (Burgos) and exporting to 12 countries, suffered two serious CEO fraud (BEC) attempts in 2024: an email apparently from the manager asking the administrative officer for an urgent transfer of 18,500 euros to a supposed Portuguese supplier. The second attempt, two months later, replicated the pattern with an amount of 27,000 euros. Both were stopped by the administrative officer's phone verification, but the incident forced the decision to professionalize email security.
Prior inventory: the domain was sending email from Microsoft 365 (corporate email), Mailjet (a monthly newsletter to 8,400 subscribers), Holded (billing) and a HubSpot marketing CRM. There was no SPF, no DKIM and no DMARC published. Any server in the world could send emails impersonating the domain.
The project ran over 3 months with a total cost of 4,500 € (initial audit 800 € + technical SPF/DKIM/DMARC implementation 1,700 € + an annual Dmarcian subscription for report analysis 480 € + anti-phishing training for 28 employees 600 € + 2 drills 400 € + BIMI with an annual VMC 520 €):
- Month 1: inventory + SPF in production with all services + DKIM on Microsoft 365 and Mailjet + DMARC p=none.
- Month 2: analysis of the Dmarcian reports: 312 spoofing attempts detected from 47 different IPs (mostly from Eastern Europe and Asia). 2 legitimate services not included in SPF were identified (and fixed). DMARC raised to p=quarantine.
- Month 3: DMARC raised to p=reject with pct=100. BIMI published with a verified logo and an Entrust VMC. MTA-STS deployed. Mandatory anti-phishing training for the 28 employees with a quarterly drill scheduled.
Results measured over 12 months after implementation: zero successful phishing through domain impersonation (attempts still arrive but are rejected at source by receivers), the quarterly drill click rate down from an initial 26% to 3% by the fourth quarter, the BIMI logo visible in Gmail and Apple Mail clients (an 11% increase in the B2B newsletter open rate according to Mailjet metrics), and the disappearance of BEC attempts as attackers lost the technical viability of impersonating the domain.
Mini glossary of email security
- SPF: Sender Policy Framework · authorizes sending servers (RFC 7208).
- DKIM: DomainKeys Identified Mail · cryptographic message signature (RFC 6376).
- DMARC: Domain-based Message Authentication, Reporting and Conformance · policy and reporting (RFC 7489).
- BIMI: Brand Indicators for Message Identification · a verified logo in the inbox.
- VMC: Verified Mark Certificate · a registered-trademark certificate for BIMI.
- MTA-STS: Mail Transfer Agent Strict Transport Security · mandatory TLS server to server.
- TLS-RPT: TLS Reporting · TLS failure reports for diagnostics.
- BEC: Business Email Compromise · targeted impersonation fraud (CEO fraud, vendor fraud).
- Spear-phishing: phishing targeted and personalized to specific people or roles.
- Credential harvesting: a fraudulent site designed to capture credentials.
- DMARC analyzer: a platform that processes daily XML reports to make them readable.
Do you need to secure your company's email? Let's talk about a professional SPF, DKIM and DMARC configuration, plus an assessment of your anti-phishing defenses.
Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalization for SMEs, based in Aranda de Duero (Burgos).