Email authentication is one of the few controls that can be enforced at the ecosystem level: when configured correctly, it allows receiving mail servers to reject messages that pretend to be from your domain. The issue is that brand impersonation is broader than domain spoofing. A complete program includes both email controls and external monitoring.
What spoofing is (in email terms)
When people say "someone spoofed our domain", they usually mean: a message had a visible From: address like billing@yourbrand.com but it was sent from infrastructure you do not control.
Authentication checks (SPF/DKIM/DMARC) let mailbox providers decide whether the sending server is authorized to send for a domain (SPF), whether the message was modified in transit and which domain vouched for it (DKIM), and what to do when neither check ties back to the domain in the visible From: header (DMARC).
SPF: sender IP authorization
SPF is a DNS TXT record (v=spf1 ...) that lists which servers are allowed to send mail for a domain. Receivers check whether the connecting IP is authorized for the domain in the SMTP envelope sender (MAIL FROM).
- What it is good at: blocking simple spoofing from random infrastructure.
- Where it breaks: forwarding changes the connecting IP, so forwarded mail fails. Also, SPF evaluates the envelope sender (Return-Path), never the visible From: header, so an attacker can use their own domain in the Return-Path, pass SPF, and still show billing@yourbrand.com in From:. Tying the two together is DMARC's job.
DKIM: message integrity
DKIM adds a cryptographic signature (the DKIM-Signature header) covering selected headers and a hash of the body. Receivers fetch the public key from DNS at <selector>._domainkey.<signing domain> and validate the signature.
- What it is good at: proving that the signing domain (the d= tag) vouched for the message and that the signed headers and body were not modified.
- Where it breaks: mailing lists and some gateways rewrite messages, invalidating the signature unless configured to preserve DKIM.
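The failure mode above is concrete in the body hash. Added example, not code from the page: it implements the RFC 6376 body canonicalization and the bh= check a receiver runs before it even fetches the public key, over a constructed message. The domain yourbrand.com comes from the page; the selector, body text and list footer are assumptions, and the b= tag (the RSA signature over the headers) is omitted because it needs the private key and is not what this check is about.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Canonicalize a message body per RFC 6376 sections 3.4.3 and 3.4.4.

    'simple' only drops empty lines at the end of the body. 'relaxed' also
    strips trailing whitespace from each line and collapses runs of
    whitespace to one space, so cosmetic rewrites by a gateway do not
    change the hash.
    """
    if mode not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: %r" % mode)
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # empty body: a lone CRLF under simple, nothing at all under relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """The bh= tag value: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tags; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value: str, body: bytes) -> bool:
    """Receiver's first check: recompute bh= over the body as received.

    A mismatch means the body was altered after signing; the signature is
    rejected without fetching the public key or checking b=.
    """
    tags = parse_dkim_tags(header_value)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    return body_hash(body, body_mode) == tags.get("bh")


# Constructed body and DKIM-Signature header (selector and text are assumptions).
ORIGINAL_BODY = b"Your invoice is attached.\r\n\r\nThanks,\r\nBilling\r\n"
DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourbrand.com; s=sel1;"
               " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";")

# A mailing list appending its footer changes the canonicalized body ...
LIST_BODY = ORIGINAL_BODY + b"--\r\nYou are subscribed to list@example.org\r\n"
# ... whereas a gateway that only adds trailing spaces does not, under relaxed.
PADDED_BODY = b"Your invoice is attached.   \r\n\r\nThanks,  \r\nBilling\r\n"

if __name__ == "__main__":
    print("original body:  ", body_hash_matches(DKIM_HEADER, ORIGINAL_BODY))
    print("list footer:    ", body_hash_matches(DKIM_HEADER, LIST_BODY))
    print("trailing spaces:", body_hash_matches(DKIM_HEADER, PADDED_BODY))
```

Running it prints True, False, True: the footer breaks the hash, the whitespace-only rewrite survives because relaxed canonicalization absorbs it. Switch c= to relaxed/simple and the padded body fails too, which is why simple body canonicalization is rarely worth its stricter integrity guarantee.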
DMARC: policy and alignment
DMARC ties SPF and DKIM to the visible From domain via alignment rules, then publishes a policy for receivers: none, quarantine, or reject. It also enables reporting (aggregate reports via rua=, per-message failure reports via ruf=), which is how you discover which senders are not yet aligned before enforcing.
- Alignment matters: it is possible for SPF to pass while still failing DMARC if the SPF domain does not align with the visible From domain.
- Policy matters: DMARC at p=none is monitoring-only. It does not instruct receivers to block anything.
For brand protection, aim for DMARC p=reject on your primary sending domains, with proper SPF/DKIM alignment across your email providers.
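Added example, not code from the page: a receiver-side DMARC evaluation that performs the record lookup, alignment test and policy selection described above, including the sp= case for subdomains. It assumes the SPF and DKIM results have already been computed (they are passed in), uses a tiny stand-in for the Public Suffix List, and uses constructed DMARC records; yourbrand.com is from the page, payments.net and example.org are assumed.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List. Real code must load the full
# list; with this subset, organizational-domain detection is wrong for most TLDs.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed DNS snapshot: the TXT records a receiver would fetch.
DNS = {
    "_dmarc.yourbrand.com": "v=DMARC1; p=reject; sp=none; adkim=r; aspf=r; "
                            "rua=mailto:dmarc@yourbrand.com",
    "_dmarc.payments.net": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "_dmarc.example.org": "v=DMARC1; p=none",
}


def organizational_domain(domain):
    """Public suffix plus one label: mail.yourbrand.com -> yourbrand.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("sp", tags["p"])    # subdomains inherit p= unless sp= is set
    tags.setdefault("adkim", "r")       # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def find_dmarc_record(dns, from_domain):
    """Look up _dmarc.<From domain>, then fall back to _dmarc.<org domain>.

    Returns (tags, from_org_level); the flag tells the caller whether sp=
    rather than p= governs this message.
    """
    txt = dns.get("_dmarc." + from_domain.lower())
    tags = parse_dmarc(txt) if txt else None
    if tags:
        return tags, False
    org = organizational_domain(from_domain)
    if org != from_domain.lower():
        txt = dns.get("_dmarc." + org)
        tags = parse_dmarc(txt) if txt else None
        if tags:
            return tags, True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class Verdict:
    dmarc_pass: bool
    disposition: str    # what the policy asks the receiver to do: none/quarantine/reject
    reason: str


def evaluate_dmarc(dns, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """from_domain: RFC5322.From domain. spf_domain: MAIL FROM (Return-Path)
    domain SPF was checked against. dkim_domain: d= of a signature that verified."""
    record, subdomain_rule = find_dmarc_record(dns, from_domain)
    if record is None:
        return Verdict(False, "none", "no DMARC record; DMARC not applied")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return Verdict(True, "none", "aligned %s pass" % ("SPF" if spf_ok else "DKIM"))
    tag = "sp" if subdomain_rule else "p"
    return Verdict(False, record[tag], "no aligned pass; applying %s=%s" % (tag, record[tag]))


if __name__ == "__main__":
    # SPF and DKIM both pass for the ESP's domain, but nothing aligns with From:
    print(evaluate_dmarc(DNS, "yourbrand.com", "pass", "bounce.esp.example", "pass", "esp.example"))
    # Same message, but the ESP signs with a yourbrand.com subdomain key: relaxed alignment passes
    print(evaluate_dmarc(DNS, "yourbrand.com", "pass", "bounce.esp.example", "pass", "mail.yourbrand.com"))
    # Spoofed subdomain: sp=none means the receiver is told to do nothing
    print(evaluate_dmarc(DNS, "alerts.yourbrand.com", "fail", "attacker.example", "none", None))
```

The second case is the one to watch: with adkim=r, a signature from any subdomain of yourbrand.com satisfies alignment, so every provider that can sign as any subdomain effectively speaks for the brand. The third case is the sp= gap from the failure-modes section: the organizational policy is p=reject, but a spoofed alerts.yourbrand.com gets disposition none.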
Common failure modes
- Multiple senders without SPF ownership: marketing tools, CRMs, support platforms, and transactional providers each need correct SPF/DKIM.
- Too many SPF DNS lookups: RFC 7208 caps an SPF evaluation at 10 terms that trigger DNS queries (include:, a, mx, ptr, exists, redirect=). Long include: chains from vendors exceed it, the record evaluates to permerror, and receivers treat that as a failed or absent SPF check, so your own mail can fail DMARC.
- Missing DKIM rotation: a long-lived key is a long-lived credential. A stolen private key lets an attacker sign spoofed mail that passes DKIM and DMARC for as long as the selector stays published in DNS.
- Subdomain gaps: subdomains inherit the organizational domain's p= policy unless sp= says otherwise, so a weaker sp= (or a separate DMARC record on a subdomain at p=none) leaves that subdomain spoofable even with p=reject at the root. Check sp= and every per-subdomain _dmarc record.
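Added example, not code from the page, covering both the SPF section above and the lookup-limit failure mode: a simplified RFC 7208 evaluator that resolves include: chains against a constructed DNS snapshot, counts DNS-querying terms across the whole evaluation, and returns permerror past the limit, plus the static lookup count an SPF linter would report. The yourbrand.com record, the vendor domains under .example and the IP ranges are all assumptions (documentation-reserved names and addresses). ptr, exists, macros and CIDR suffixes on a/mx are deliberately not modelled.

```python
import ipaddress

# RFC 7208 section 4.6.4: at most 10 terms that need DNS lookups per check.
MAX_DNS_LOOKUPS = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS snapshot standing in for live lookups.
DNS = {
    "yourbrand.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 include:_spf.crm.example "
                "include:spf.esp.example mx -all"],
        "MX": ["mx1.yourbrand.com"]},
    "mx1.yourbrand.com": {"A": ["203.0.113.25"]},
    "_spf.crm.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "spf.esp.example": {"TXT": ["v=spf1 include:a.esp.example include:b.esp.example ~all"]},
    "a.esp.example": {"TXT": ["v=spf1 ip4:192.0.2.0/25 -all"]},
    "b.esp.example": {"TXT": ["v=spf1 ip4:192.0.2.128/25 -all"]},
    # Eleven vendor includes: one over the limit.
    "bloated.example": {"TXT": ["v=spf1 " + " ".join(
        "include:v%d.vendor.example" % i for i in range(11)) + " -all"]},
}
for _i in range(11):
    DNS["v%d.vendor.example" % _i] = {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]}


class SpfPermError(Exception):
    pass


def get_spf_record(dns, domain):
    """Return the single v=spf1 TXT record for domain, or None if it has none."""
    txts = dns.get(domain.lower(), {}).get("TXT", [])
    records = [t for t in txts if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise SpfPermError("more than one SPF record for %s" % domain)
    return records[0] if records else None


def check_spf(dns, client_ip, domain, _counter=None):
    """Evaluate SPF for the connecting IP against the MAIL FROM domain.

    Returns pass / fail / softfail / neutral / none / permerror. The counter
    is shared across include: and redirect= recursion so the limit applies
    to the whole evaluation, as RFC 7208 requires.
    """
    counter = _counter if _counter is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    try:
        record = get_spf_record(dns, domain)
    except SpfPermError:
        return "permerror"
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:                        # modifier such as redirect= or exp=
            mod, _, value = term.partition("=")
            if mod.lower() == "redirect":
                redirect = value
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            counter[0] += 1
            if counter[0] > MAX_DNS_LOOKUPS:
                return "permerror"
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = str(ip) in dns.get(arg or domain, {}).get("A", [])
            elif name == "mx":
                # the address lookups per MX host have their own limit of 10 (not modelled)
                hosts = dns.get(arg or domain, {}).get("MX", [])
                matched = any(str(ip) in dns.get(h, {}).get("A", []) for h in hosts)
            elif name == "include":
                inner = check_spf(dns, client_ip, arg, counter)
                if inner in ("none", "permerror"):
                    return "permerror"         # include: of a missing or broken record
                matched = inner == "pass"
            else:
                return "permerror"             # unknown or unsupported mechanism
        except ValueError:                     # malformed ip4:/ip6: argument
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if redirect is not None:
        counter[0] += 1
        if counter[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_spf(dns, client_ip, redirect, counter)
        return "permerror" if result == "none" else result
    return "neutral"


def count_dns_lookups(dns, domain, _seen=None):
    """Static count of DNS-querying terms across include:/redirect= chains:
    the number an SPF linter reports against the limit, independent of which
    mechanism happens to match at runtime."""
    seen = _seen if _seen is not None else set()
    if domain in seen:
        return 0
    seen.add(domain)
    record = get_spf_record(dns, domain)
    if record is None:
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        name, _, arg = term.partition(":")
        mod, _, value = term.partition("=")
        if mod.lower() == "redirect":
            total += 1 + count_dns_lookups(dns, value, seen)
        elif name.lower() == "include":
            total += 1 + count_dns_lookups(dns, arg, seen)
        elif name.lower() in LOOKUP_MECHANISMS:
            total += 1
    return total


if __name__ == "__main__":
    # The domain argument is the Return-Path (MAIL FROM) domain, not the From: header.
    print(check_spf(DNS, "203.0.113.10", "yourbrand.com"))     # pass
    print(check_spf(DNS, "203.0.114.5", "yourbrand.com"))      # fail: e.g. a forwarder's IP
    print(check_spf(DNS, "203.0.113.10", "bloated.example"))   # permerror
    print(count_dns_lookups(DNS, "yourbrand.com"), count_dns_lookups(DNS, "bloated.example"))
```

Two things the output shows that the record alone does not: the nested include: under spf.esp.example costs three lookups, not one, so vendor records silently consume your budget; and a forwarder (203.0.114.5) gets a hard fail from -all, which is why forwarded mail needs an aligned DKIM signature to survive DMARC.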
What they do not stop
Even with strict DMARC, you still need external monitoring because attackers can avoid spoofing entirely:
- Lookalike domains: register a visually similar domain and set up SPF/DKIM for it legitimately.
- Display-name impersonation: "Finance Team" as the display name with a different domain.
- Compromised accounts: phishing from real mailboxes will pass authentication.
- Web-based phishing: users are lured to fake login pages; email authentication does not apply.
Key takeaways
- SPF and DKIM are mechanisms; DMARC is policy and enforcement.
- DMARC p=none does not stop impersonation — it only measures it.
- Alignment and subdomain policy are frequent weak points.
- Lookalike domains and compromised accounts remain major gaps, even with strict DMARC.