Severity: Medium · OWASP: A05:2021 · CWE-183 · Category: Configuration

Email Security (SPF / DMARC / DKIM)

Missing or misconfigured SPF, DMARC, and DKIM records allow anyone on the internet to send emails that appear to come from your domain — enabling phishing attacks on your users and damaging your brand reputation with zero technical access to your systems.

What Is Email Security Misconfiguration?

Email authentication records — SPF, DKIM, and DMARC — are DNS records that prove outgoing email actually comes from your domain. Without them, anyone can send an email to your users that appears to be from noreply@yourapp.com. No server access required — just knowing your domain name.

This is pure DNS configuration, but its absence has real security impact: phishing emails targeting your users look completely legitimate.

The Three Records Explained

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists which servers are allowed to send email from your domain.

# Good SPF record
yourdomain.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
 
# Dangerous — allows ANY server to send email as you
yourdomain.com TXT "v=spf1 +all"
 
# Missing SPF — no restriction at all
# (no TXT record for SPF)

With no SPF or +all, an attacker sends:

From: security@yourapp.com
Subject: Your account has been compromised — reset your password now

This email passes basic checks and reaches your users' inboxes.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails, verified against a public key in DNS. Even if an attacker spoofs your From address, they can't forge the DKIM signature without your private key.

# DKIM public key in DNS
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

Without DKIM, there's no cryptographic proof the email wasn't tampered with or forged.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together and tells receiving mail servers what to do when an email fails these checks.

# Good DMARC — reject failing emails
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
 
# Weak — monitoring only, no enforcement
_dmarc.yourdomain.com TXT "v=DMARC1; p=none"
 
# Missing DMARC — DMARC policies don't apply
# (no TXT record at _dmarc.yourdomain.com)

p=none means "send me reports but don't block anything" — attackers can still spoof freely.

Real-World Impact

  • Phishing at scale — send convincing "password reset" or "payment required" emails to all your users
  • Brand damage — your domain is associated with spam and phishing
  • Account takeover — users who click spoofed reset links give attackers their passwords
  • Business email compromise — fake invoices or wire transfer requests from your finance team's address

How to Fix

Set up SPF — add a TXT record:

yourdomain.com TXT "v=spf1 include:_spf.google.com ~all"

Replace _spf.google.com with your email provider's SPF include. Use ~all (softfail) while testing and -all (hardfail) in production.

Enable DKIM in your email provider:

Most providers (SendGrid, Mailgun, Postmark, Google Workspace) have a one-click DKIM setup that adds the required DNS record. Follow your provider's documentation.

Set an enforcing DMARC policy:

_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com"

Start with p=none to receive reports, then move to p=quarantine, then p=reject once you've confirmed all legitimate email is authenticated.

Verify your configuration:

Use MXToolbox or dig to check your records:

dig TXT yourdomain.com          # SPF
dig TXT _dmarc.yourdomain.com   # DMARC
dig TXT selector._domainkey.yourdomain.com  # DKIM (replace "selector" with the selector your provider uses)

What VibeWShield Detects

VibeWShield's Email Security scanner performs passive DNS-only checks — no HTTP requests to your server. It detects:

  • Missing SPF — no TXT record with v=spf1
  • Permissive SPF: +all or ?all mechanisms
  • Missing DMARC — no _dmarc.<domain> TXT record
  • Weak DMARC: p=none policy (monitoring only, no enforcement)
  • Missing rua — no aggregate report destination
  • Missing DKIM — probes 10 common selectors, none found

Findings are flagged as Medium (individual missing records) to High (no SPF + no DMARC — fully open to spoofing).
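The verification steps above and the detection list can be run as one passive, DNS-only review. The following is an added example, not VibeWShield's scanner or any provider's code: it assumes an in-memory TXT lookup built from constructed records (so it runs offline), a hypothetical list of common DKIM selectors, and the Medium/High severity rule stated above.

```python
# Constructed in-memory zone (not real DNS data) so the check runs offline; swap
# memory_lookup for a real TXT resolver (e.g. dnspython) to review a live domain.
SAMPLE_ZONE = {
    "good.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def memory_lookup(name):
    return SAMPLE_ZONE.get(name, [])  # TXT strings published at `name`, [] when absent

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain, lookup=memory_lookup, selectors=("default", "google", "s1", "k1")):
    """Passive DNS-only review of SPF, DMARC and DKIM. Returns (severity, findings):
    missing or weak records are Medium, no SPF + no DMARC is High, clean is (None, [])."""
    findings = []
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("Missing SPF")
    else:
        # A bare "all" carries the implicit "+" qualifier, so it is as open as "+all".
        mechanisms = [m.lower() for m in spf[0].split()[1:]]
        if any(m in ("+all", "?all", "all") for m in mechanisms):
            findings.append("Permissive SPF (+all/?all)")
    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("Missing DMARC")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() in ("", "none"):
            findings.append("Weak DMARC (p=none)")
        if not tags.get("rua"):
            findings.append("Missing rua")
    # DKIM keys cannot be enumerated from DNS, so probe a list of common selectors.
    dkim_keys = [parse_tags(r).get("p") for s in selectors
                 for r in lookup(f"{s}._domainkey.{domain}")]
    if not any(dkim_keys):
        findings.append("Missing DKIM (no common selector found)")
    severity = "High" if {"Missing SPF", "Missing DMARC"} <= set(findings) else ("Medium" if findings else None)
    return severity, findings
```

Calling assess_email_auth("weak.example") returns Medium with the permissive-SPF, p=none, missing-rua and missing-DKIM findings, while a domain with no records at all returns High.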
