Nearly 60% of organizations we rate have misconfigured email authentication. Here's what each protocol does, how to check your current setup, and how to fix it without breaking your mail flow.
Email authentication protocols are the single highest-impact, lowest-effort way to improve your cybersecurity rating. Together, SPF, DKIM, and DMARC prevent your domain from being spoofed in phishing attacks — and their absence is a major red flag for security rating platforms, compliance auditors, and cyber insurers.
SPF publishes, as a DNS TXT record on your domain, the list of IP addresses authorized to send email for that domain. When a receiving mail server checks SPF, it verifies that the connecting IP is on your approved list.
⚠️ Use "-all" (hard fail) instead of "~all" (soft fail) for maximum protection and scoring benefit.
DKIM adds a cryptographic signature to every outgoing email, allowing receiving servers to verify the message wasn't tampered with in transit. Your mail server signs with a private key; the public key is published in DNS. Use 2048-bit RSA keys minimum — 1024-bit keys are now considered weak and penalized.
DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails those checks: nothing (p=none), send to spam (p=quarantine), or reject outright (p=reject). Only p=reject provides full protection and maximum scoring credit.
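To turn the three rules above (SPF ending in -all, DKIM keys of at least 2048 bits, DMARC at p=reject) into a repeatable check, here is an added example, not code from the original post: it grades SPF, DKIM and DMARC TXT records that you pass in as a dictionary keyed by DNS name, and reads the real modulus size out of the DKIM p= key rather than guessing from its length. The records, the domain example.test, the selector sel1 and the DKIM key are all constructed fixtures; the key is a synthetic modulus of the right bit length, not a real key pair.

```python
import base64

def _der(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed DKIM fixture below."""
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _der_read(buf, pos=0):
    """Minimal DER TLV reader: returns (value, position after the element)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + length], pos + length

def fake_dkim_p(bits):
    """Constructed SubjectPublicKeyInfo carrying a synthetic RSA modulus of `bits` bits (fixture only)."""
    n = (1 << (bits - 1)) | 1  # not a real key, just the right bit length
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))).decode()

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus inside a DKIM p= value (rsaEncryption SubjectPublicKeyInfo)."""
    body, _ = _der_read(base64.b64decode(p_b64))  # outer SEQUENCE
    _, after_alg = _der_read(body)                  # skip AlgorithmIdentifier
    bitstr, _ = _der_read(body, after_alg)          # BIT STRING; first byte = unused-bit count
    rsa_pub, _ = _der_read(bitstr[1:])              # RSAPublicKey SEQUENCE
    modulus, _ = _der_read(rsa_pub)                 # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def _tags(record):
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)  # 'k=v; k=v' tag list

def assess(domain, selector, txt):
    """Grade SPF, DKIM and DMARC TXT records (dict: DNS name -> list of strings) by the rules above."""
    spf = next((r for r in txt.get(domain, []) if r.startswith("v=spf1")), "")
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")), "")
    dkim = next((r for r in txt.get(f"{selector}._domainkey.{domain}", []) if "p=" in r), "")
    out = {"spf": ("missing" if not spf else "hard fail (-all)" if spf.split()[-1] == "-all"
                   else f"ends with {spf.split()[-1]!r}: change to -all")}
    policy = _tags(dmarc).get("p")
    out["dmarc"] = ("missing" if not dmarc else "p=reject" if policy == "reject"
                    else f"p={policy}: only p=reject fully protects")
    bits = rsa_modulus_bits(_tags(dkim)["p"]) if dkim else 0
    out["dkim"] = ("missing" if not dkim else f"{bits}-bit RSA"
                   + ("" if bits >= 2048 else ": weak, rotate to a 2048-bit key"))
    return out

# Constructed sample records for a made-up domain (not a real zone): the common "almost there" setup.
SAMPLE_TXT = {
    "example.test": ["v=spf1 ip4:192.0.2.10 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=" + fake_dkim_p(1024)],
}
```

Calling `assess("example.test", "sel1", SAMPLE_TXT)` flags all three records (soft-fail SPF, p=none, 1024-bit key); to grade your own domain, replace `SAMPLE_TXT` with the TXT records you fetch with `dig` or a DNS library.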
Get a free report showing your DMARC, DKIM, and SPF status — plus everything else affecting your security grade.