Email Security

SPF and DMARC Explained: Why Your Email Domain is Vulnerable

May 2026 · 7 min read · masoSec

Right now, without any special tools, an attacker can send an email that appears to come from your domain — your company address, your bank, your supplier. Most recipients will not be able to tell the difference. This is email spoofing, and it's trivially easy when SPF and DMARC aren't configured correctly.

This guide explains exactly how spoofing works, what SPF, DKIM, and DMARC do to prevent it, and how to check and fix your own DNS records.

How email spoofing works

Email was designed in the 1970s with no sender authentication, and SMTP still lets any server claim any sender address. When your mail client shows "From: ceo@yourcompany.nl", that string was typed by whoever sent the message; nothing in the protocol itself verifies it.

Attacker's server → Gmail/Outlook → Your inbox

From: ceo@yourcompany.nl        ← completely fake, nothing verifies this
To: accountant@yourcompany.nl
Subject: Urgent wire transfer needed

Spoofing like this is the entry point for Business Email Compromise (BEC) fraud, which costs businesses billions per year. The Dutch police (Politie) regularly publishes warnings about Dutch companies being defrauded this way. Without SPF and DMARC, receiving servers have no basis for rejecting such mail, so your domain is trivially spoofable by anyone.

SPF: Sender Policy Framework

SPF is a DNS TXT record on your domain that tells receiving mail servers which IP addresses (listed directly, or pulled in from your providers via include:) are authorised to send email with your domain as the envelope sender. Note that SPF is checked against the envelope domain (the SMTP MAIL FROM, visible as Return-Path in headers), not against the From header a user sees; DMARC's alignment rule, covered below, is what connects the two.

How it works

  1. The attacker's server connects to a receiving mail server and sends a message with an envelope sender at yourcompany.nl.
  2. The receiving server looks up yourcompany.nl's SPF record in DNS.
  3. The record says: "only these IP addresses (and these providers' address ranges) may send our mail".
  4. The attacker's connecting IP is not in that list.
  5. The receiving server records the result as SPF FAIL (or SOFTFAIL, depending on the record's qualifier) and feeds it into its spam and DMARC decisions.

What an SPF record looks like

# Minimal SPF — only Google Workspace sends our mail
yourcompany.nl. TXT "v=spf1 include:_spf.google.com ~all"

# Multiple providers (Google + Sendgrid + your own server)
yourcompany.nl. TXT "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 ~all"

The ~all at the end is a softfail: mail from unlisted sources gets the result "softfail", which receivers typically accept but treat as suspicious. -all is a hardfail: unlisted sources get the result "fail", which receivers may reject outright. Either way the SPF result is advisory on its own; once you publish DMARC, it is the DMARC policy that decides what happens to mail that fails. Start with ~all and move to -all once you're confident your record is complete.

Common SPF mistakes: having multiple SPF records for the same domain. You can only have one; if there are two, the check returns "permerror", which receivers treat as if you had no usable record at all, so merge them into a single record. The other frequent one is exceeding the lookup limit: RFC 7208 allows at most 10 DNS-querying terms (include:, a, mx, ptr, exists, plus any includes nested inside your providers' records) per evaluation, and going over is again a permerror. Every include: you add to accommodate a SaaS tool eats into that budget.
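To make the evaluation steps, the ~all/-all qualifiers and the two mistakes above concrete, here is a miniature SPF evaluator. It is an added example, not masoSec's scanner and not a complete RFC 7208 implementation: it handles only the ip4, ip6, include and all mechanisms, and it reads records from a constructed in-memory table (FAKE_DNS, with made-up address ranges and the hypothetical names broken.example and hopN.example) instead of querying DNS, so it runs offline.

```python
# Added example (not masoSec's scanner code): a miniature SPF evaluator covering the
# ip4/ip6/include/all mechanisms of RFC 7208, run against a constructed DNS table so it
# works offline. a/mx/ptr/exists and macros are deliberately left out.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror

# Constructed stand-in for DNS: name -> list of TXT records (assumption: real code queries DNS).
FAKE_DNS = {
    "yourcompany.nl": ["v=spf1 include:_spf.google.com ip4:203.0.113.5 ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:35.190.247.0/24 ip6:2001:db8:1::/48 ~all"],
    # The "two SPF records" mistake: this is a permerror, not two chances to pass.
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
}
# A chain of 12 nested includes, to show the 10-lookup limit tripping.
for i in range(12):
    FAKE_DNS["hop%d.example" % i] = ["v=spf1 include:hop%d.example -all" % (i + 1)]


def spf_record(domain, dns):
    """The domain's single SPF record, or None; two or more records is a permerror."""
    records = [r for r in dns.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise ValueError("permerror: %d SPF records on %s" % (len(records), domain))
    return records[0] if records else None


def check_host(ip, domain, dns=FAKE_DNS, _lookups=None):
    """Evaluate the connecting IP against the domain's SPF record (RFC 7208 check_host)."""
    lookups = _lookups if _lookups is not None else [0]  # shared across recursive includes
    try:
        record = spf_record(domain, dns)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 term and vice versa.
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_host(ip, argument, dns, lookups)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"  # only a pass inside the include counts as a match
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "yourcompany.nl"), ("35.190.247.9", "yourcompany.nl"),
                       ("198.51.100.7", "yourcompany.nl"), ("192.0.2.1", "broken.example"),
                       ("192.0.2.1", "hop0.example")]:
        print(ip, domain, check_host(ip, domain))
```

The lookup counter is shared down the recursion on purpose: the limit applies to the whole evaluation, so a provider whose include: fans out into several more includes can push a record over 10 without anything in your own record changing.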

Check your SPF record

# Using dig (Linux/Mac); +short prints only the record text
dig +short TXT yourcompany.nl | grep -i spf1

# Using nslookup (Windows)
nslookup -type=TXT yourcompany.nl

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outbound email. The private key is held by your mail server; the public key is published in DNS under a selector name. Receiving servers verify the signature against that public key. If it verifies, the signed headers and the body are exactly what the holder of the private key signed, so the message was genuinely sent by your server and wasn't tampered with in transit.

# DKIM public key in DNS (Google Workspace example). "google" is the selector,
# which the signing server names in the s= tag of its DKIM-Signature header.
google._domainkey.yourcompany.nl. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

DKIM alone doesn't prevent spoofing of the visible "From" address: an attacker can sign a forged message perfectly well with a key for their own domain. DMARC needs at least one of SPF or DKIM to pass for your domain, and DKIM is the one that survives forwarding and mailing lists (which break SPF, because the forwarder's IP is not in your record), so treat it as required in practice.
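The tamper-detection half of DKIM can be shown with the standard library alone. The added example below (not code from the page or from any mail software) computes the bh= body hash from RFC 6376 section 3.4 exactly as a verifier would, with both body canonicalizations. The RSA signature over the headers (b=) needs the key pair and a crypto library and is left out, so the constructed DKIM-Signature header carries an empty b=; the message body, the "forwarder" whitespace change and the "attacker" account change are all constructed for the example.

```python
# Added example (stdlib only, not the page's own code): the DKIM body-hash (bh=) check
# from RFC 6376 section 3.4. The RSA signature over the headers (b=) needs the key pair
# and a crypto library and is not computed here; b= is left empty in the constructed header.
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """DKIM body canonicalization; returns bytes with CRLF line endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs to one space and drop trailing whitespace per line.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == "":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""  # simple: an empty body is a lone CRLF
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="relaxed"):
    """Base64 of SHA-256 over the canonicalized body: the value of the bh= tag."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode("ascii")


def parse_dkim_signature(header_value):
    """Tag=value pairs of a DKIM-Signature header, folding whitespace removed."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_verifies(header_value, body):
    """True if the received body still hashes to the signer's bh= under the signer's c= body mode."""
    tags = parse_dkim_signature(header_value)
    c = tags.get("c", "simple/simple")
    body_mode = c.split("/", 1)[1] if "/" in c else "simple"  # c=header/body; body defaults to simple
    return body_hash(body, body_mode) == tags["bh"]


# Constructed message, as the signing server saw it.
ORIGINAL_BODY = "Hi,\n\nPlease pay invoice 4711: 1000 EUR to account 1234-5678.\n\nThanks\n"
# Constructed header: everything a signer would put in except the b= signature.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.nl; s=google; "
             "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=")
# What a forwarder might do (whitespace only) versus what an attacker would do (change the account).
FORWARDED_BODY = ORIGINAL_BODY.replace("invoice 4711:", "invoice  4711:") + "\n\n"
TAMPERED_BODY = ORIGINAL_BODY.replace("1234-5678", "9999-0000")

if __name__ == "__main__":
    print("original :", body_hash_verifies(SIGNATURE, ORIGINAL_BODY))
    print("forwarded:", body_hash_verifies(SIGNATURE, FORWARDED_BODY))
    print("tampered :", body_hash_verifies(SIGNATURE, TAMPERED_BODY))
```

Relaxed canonicalization is what lets a signature survive the whitespace reshuffling that forwarders and some mailing lists do; under c=relaxed/simple the same whitespace change would already break the body hash, which is one reason providers default to relaxed/relaxed.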

DMARC: Domain-based Message Authentication

DMARC is the policy layer that ties SPF and DKIM to the visible From domain. It tells receiving mail servers what to do when an email fails authentication, and it asks them to send you reports: aggregate reports (rua=) summarising which sources sent mail as your domain and how they authenticated, and optionally per-message failure reports (ruf=), which only a few providers still send.

DMARC policies

# Monitor only — receivers deliver as usual but send you aggregate reports (start here)
_dmarc.yourcompany.nl. TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.nl"

# Quarantine — failed emails go to spam
_dmarc.yourcompany.nl. TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourcompany.nl"

# Reject — failed emails are blocked outright (maximum protection)
_dmarc.yourcompany.nl. TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourcompany.nl"

How to roll out DMARC safely

  1. Start with p=none: monitor only. You'll receive aggregate reports (typically one per day per receiving provider) showing every source that sent mail as your domain and whether it passed.
  2. Review the reports for 2–4 weeks. Look for legitimate sending sources (CRM tools, marketing platforms, transactional email services) that fail: add them to your SPF record and, wherever the provider supports it, set up DKIM signing for your domain with them. Mail that only passes SPF will fail again as soon as someone forwards it.
  3. Move to p=quarantine: unauthenticated mail goes to spam. If you want to ease in, add pct=10 or pct=50 first; failing mail not selected by the percentage gets the next weaker action instead. Watch for a week.
  4. Move to p=reject: unauthenticated mail is refused at the SMTP stage (the sender gets a bounce, not silent loss). This is full protection. Remember that the policy also covers subdomains unless you publish an sp= tag, so check that subdomains you send from are authenticated too.

The DMARC rua address (rua=mailto:...) receives the aggregate reports as compressed XML attachments, one per receiving provider per day. You can use a free service like dmarcian.com or Postmark's DMARC digests to parse them into readable summaries.
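If you would rather read the reports yourself, the added example below (not masoSec's or any vendor's parser) walks one aggregate report in the XML layout from RFC 7489 Appendix C and pulls out what step 2 of the rollout needs: which sources fail DMARC, how much mail they account for, and which domain they did manage to authenticate as. The report itself is constructed for the example, with made-up IP addresses and counts, a Google Workspace row, a hypothetical unconfigured CRM vendor (bounce.crm-vendor.example) and a plain spoofing attempt.

```python
# Added example (not masoSec's parser): read one DMARC aggregate (rua) report and list the
# sources that would be affected by moving past p=none. The XML is constructed in the
# RFC 7489 Appendix C layout, with made-up IPs, counts and an assumed CRM vendor domain.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.nl</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- Google Workspace: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>35.190.247.9</source_ip><count>812</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.nl</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.nl</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.nl</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- A CRM tool nobody set up: SPF passes for the vendor's bounce domain, so it is not aligned -->
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.nl</header_from></identifiers>
    <auth_results><spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- Unknown host: plain spoofing -->
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.nl</header_from></identifiers>
    <auth_results><spf><domain>yourcompany.nl</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """One dict per <record>: source IP, count, and whether DMARC passed (aligned SPF or DKIM)."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    rows = []
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either one does.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dmarc_pass": dmarc_pass,
            "disposition": evaluated.findtext("disposition"),
            # Raw (unaligned) results show what the source *did* authenticate as.
            "spf_domains": [e.findtext("domain") for e in record.findall("auth_results/spf")],
            "dkim_domains": [e.findtext("domain") for e in record.findall("auth_results/dkim")],
        })
    return {"domain": published.findtext("domain"), "policy": published.findtext("p"), "rows": rows}


def unaligned_senders(summary):
    """(source_ip, count, domains it authenticated as) for every DMARC-failing source."""
    return [(r["source_ip"], r["count"], r["spf_domains"] + r["dkim_domains"])
            for r in summary["rows"] if not r["dmarc_pass"]]


def failing_share(summary):
    """Fraction of reported mail that p=quarantine or p=reject would act on."""
    total = sum(r["count"] for r in summary["rows"])
    failing = sum(r["count"] for r in summary["rows"] if not r["dmarc_pass"])
    return failing / total if total else 0.0


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print("policy:", summary["policy"], "failing share: %.1f%%" % (100 * failing_share(summary)))
    for ip, count, domains in unaligned_senders(summary):
        print(ip, count, "authenticated as:", domains or "nothing")
```

The third column is the useful one during rollout: a failing source that authenticated as some vendor's bounce domain is a tool of yours that needs SPF and DKIM set up for your domain, while a source that authenticated as nothing, or failed SPF for your own domain, is the traffic p=reject exists for.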

Alignment: how DMARC ties SPF and DKIM to the From header

DMARC requires "alignment": the domain that SPF authenticated (the envelope MAIL FROM) or the d= domain of a passing DKIM signature must match the domain in the visible "From" header. In the default relaxed mode (aspf=r, adkim=r) it is enough that both share the same organisational domain, so bounce.yourcompany.nl aligns with yourcompany.nl; in strict mode (aspf=s, adkim=s) they must be identical. This is what closes the hole where a spammer passes SPF by using their own domain in the envelope while forging your domain in the visible From. It also means a DKIM signature from your CRM vendor's own domain does nothing for you: the signature has to be made with a key published under your domain.
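The decision a receiver makes from these pieces, for the rollout steps above and the alignment rule just described, is small enough to write out. The following is an added example, not code from the page or from any mail server; it takes the raw SPF and DKIM results and the identifiers they authenticated, applies alignment and the published policy, and honours pct=. Its one simplification is labelled in the code: the organisational domain is taken as the last two labels, where a real implementation consults the Public Suffix List. All domains other than yourcompany.nl (attacker.example, forwarder.example, crm-vendor.example) are hypothetical.

```python
# Added example (not the page's or any library's code): the DMARC decision a receiver makes for
# one message, after RFC 7489 sections 3.1 (alignment) and 6.6 (policy, pct). Assumption: the
# organizational domain is taken as the last two labels; real receivers use the Public Suffix List.
import random


def organizational_domain(domain):
    """Assumption for this example only: last two labels (wrong for e.g. co.uk; use the PSL in real code)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain, header_from_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): identical domain."""
    if not identifier_domain:
        return False
    ident = identifier_domain.lower().rstrip(".")
    hfrom = header_from_domain.lower().rstrip(".")
    if mode == "s":
        return ident == hfrom
    return organizational_domain(ident) == organizational_domain(hfrom)


def parse_dmarc(record):
    """Tag=value pairs of a DMARC TXT record with the RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: " + record)
    for key, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(key, default)
    return tags


def evaluate(record, header_from, spf_result, mail_from_domain, dkim_result, dkim_d, rng=random):
    """(dmarc_pass, disposition) for one message.

    spf_result/dkim_result are the raw authentication outcomes; mail_from_domain is the
    envelope (MAIL FROM / Return-Path) domain SPF checked; dkim_d is the d= of a verified signature.
    """
    policy = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, header_from, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_d, header_from, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    action = policy["p"]
    # pct= samples only that share of failing mail; the rest gets the next weaker action
    # (reject -> quarantine, quarantine -> none), which is what makes a gradual rollout possible.
    if action in ("quarantine", "reject") and rng.randint(1, 100) > int(policy["pct"]):
        action = "quarantine" if action == "reject" else "none"
    return False, action


if __name__ == "__main__":
    reject = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.nl"
    # Attacker passes SPF on their own envelope domain but forges the From: no alignment, rejected.
    print(evaluate(reject, "yourcompany.nl", "pass", "attacker.example", "none", ""))
    # Forwarded mail: SPF breaks, but the DKIM signature over yourcompany.nl survives.
    print(evaluate(reject, "yourcompany.nl", "fail", "forwarder.example", "pass", "yourcompany.nl"))
```

Two of the cases in the block are the ones that matter most in practice: the attacker who passes SPF for attacker.example gets rejected because nothing aligns with yourcompany.nl, and the forwarded message whose SPF now fails still passes because its DKIM d= aligns, which is why step 2 of the rollout insists on DKIM and not SPF alone.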

What happens without these records

If your domain has no SPF, no DKIM, and no DMARC:

Quick check: how exposed is your domain?

# Check SPF (+short prints only the record text)
dig +short TXT yourdomain.nl | grep -i spf1

# Check DMARC
dig +short TXT _dmarc.yourdomain.nl

# Check DKIM: the selector is the s= tag in the DKIM-Signature header of a
# message your domain actually sent (replace 'google' with yours)
dig +short TXT google._domainkey.yourdomain.nl

If the SPF or DMARC query returns nothing, or your DMARC policy is p=none, anyone can send as your domain and receivers will deliver it. An empty DKIM answer only proves that particular selector isn't published; check the s= tag of a message your domain actually sent before concluding DKIM is missing.

masoSec checks all of this automatically

masoSec's email security scanner checks SPF, DKIM, DMARC, and MX configuration for your domain and scores the results. Add your domain and you'll get an alert whenever your configuration changes — including if someone accidentally deletes your DMARC record.

Check your domain's email security now

Free DMARC and SPF check — no account needed. Results in under 10 seconds.

Run a free email check →