Email security rests on three complementary authentication protocols that together prevent spoofing, phishing, and unauthorized mail relay. Sender Policy Framework (SPF, RFC 7208) allows domain owners to publish which IP addresses are authorized to send email on their behalf via DNS TXT records. DomainKeys Identified Mail (DKIM, RFC 6376) adds a cryptographic signature to each email using RSA or Ed25519 key pairs, where the private key signs the message and the public key is published in DNS. Domain-based Message Authentication, Reporting and Conformance (DMARC, RFC 7489) ties SPF and DKIM together by specifying what to do when authentication fails (none/quarantine/reject) and provides aggregate and forensic reporting back to domain owners.

Email authentication failures are among the top causes of phishing success. According to the Anti-Phishing Working Group (APWG), over 300,000 unique phishing attacks occur monthly. A strict DMARC policy (p=reject) with full SPF and DKIM alignment prevents virtually all domain spoofing attacks. Additional protections include BIMI (Brand Indicators for Message Identification) for logo display in supporting clients, MTA-STS (RFC 8461) for enforcing TLS on mail transport, and TLS-RPT (RFC 8460) for TLS failure reporting. Together these standards form a comprehensive email security framework that security engineers must configure correctly to protect organizational domains from impersonation.

Command-Line Usage

Verify email authentication records from your terminal:


macOS / Linux: dig TXT _dmarc.example.com — check DMARC policy
macOS / Linux: dig TXT example.com | grep spf — check SPF record
macOS / Linux: dig TXT selector1._domainkey.example.com — verify DKIM key
Windows PowerShell: Resolve-DnsName -Name _dmarc.example.com -Type TXT
Windows CMD: nslookup -type=TXT _dmarc.example.com — DMARC lookup
Linux: host -t TXT example.com | grep v=spf1 — find SPF record

← Browse All Tool Categories