What are SPF, DKIM and DMARC? Email security standards simply put

3 min
June 13, 2024

Why is it important to secure your e-mails?

In France, phishing remains the main online threat to such an extent that in 2023, the government platform Cybermalveillance was consulted more than 1.5 million times.

The majority of these phishing attempts are carried out via email. You may be wondering: Why?

Well, emails can easily be sent en masse, which represents a golden opportunity for hackers. What's more, emails are usually read!

Imagine a fisherman casting out a multitude of fishing lines simultaneously: his chances of catching a fish are multiplied tenfold, and the same applies to e-mails.

Phishing is on the rise, thanks to the development of artificial intelligence (AI). With the help of AI, hackers can exploit data leaks even more quickly and easily. Whether it's to craft more credible or more personalized emails for their targets, they use AI to analyze compromised data and increase their chances of success.

To guard against such attacks, it is therefore essential to secure your e-mails correctly and permanently.

To date, there are three complementary protocols that together ensure the security of your e-mails:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting & Conformance)

Together, these protocols limit spam and phishing attempts.

In this article, you'll find out what the SPF, DKIM and DMARC protocols are, how they work and how to configure them correctly to increase your company's email security.

SPF (Sender Policy Framework)

This authentication protocol, which became a standard in 2014, aims to reduce spam from unauthenticated senders.

In concrete terms, anyone in possession of a domain name (such as your company's) can create a public list of verified senders sworn in to send emails using your domain name.

Domain (simplified version): A domain is an identifier that uniquely registers a resource on the Internet. Simply put, it's the registration of a specific resource on the Internet. For example, the domain is the domain of the Paris City Hall.

Find out more: here

Receiving servers can consult this list to authenticate or not an e-mail from your domain name.

This authentication protocol also limits identity theft by verifying that the e-mail comes from an authorized source.

DKIM (DomainKeys Identified Mail)

Standardized in 2007, the DKIM protocol relies on a cryptographic signature to guarantee the authenticity of the sender of an e-mail and the integrity of the message sent.

Like a seal on a letter, this protocol enables the recipient of an e-mail to check that it has not been altered in transit, and confirms the identity of the sending domain. In short, it's a digital security seal.

Note, however, that this protocol does not authenticate the sender, but only the identity of the sending domain. So, if someone receives an e-mail from, the signature ensures that the e-mail originates from the domain, but not necessarily from xyz.

In more technical jargon, this authentication process uses a cryptographic signature on your e-mails, which acts thanks to security keys: a private key and a public key. The public key is published in your domain name, and the e-mail recipient uses it to check that it matches your private key.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

The DMARC protocol complements the other two. Having become a standard since 2015, this protocol aims to reduce spam and phishing attempts by performing various actions based on the results of the SPF and DKIM protocols.

It acts as a control system and ensures the deliverability of emails sent from your domain name. From the records containing the SPF and DKIM results of your sent emails, DMARC implements several policies

For example, an e-mail that doesn't validate the SPF and DKIM prerequisites is declared as non-compliant and is then placed in spam or deleted from inboxes.

Correctly configuring DMARC on your domain means protecting it and ensuring that the emails you send will actually be received by your recipients.

DMARC also ensures that e-mails sent from your domain name are authentic, and prevents potentially dangerous or fraudulent e-mails from being sent in your name.

How do I configure SPF, DKIM and DMARC?

To configure these three protocols, you'll need to visit the website of your web host. Here, you'll be guided through the successive setup and configuration of these three protocols. Be careful, however, to configure SPF and DKIM before setting up DMARC, as the latter relies on the results of the former two!

What to do if you receive a suspicious e-mail?

As you will have gathered, securing your e-mails is a simple and pragmatic solution to protect yourself against phishing and spam attempts.

Correctly setting up your emails also means fighting against identity theft and ensuring their deliverability to your recipients.

From securing your emails to educating your staff about phishing, Bastion offers effective, comprehensive protection for your emails against modern attacks. For more information, click here.

Finally, here are some tips on what to do if you receive a suspicious e-mail:

  • If you can, inform the person in charge of your company's IT security.
  • Be careful: don't click on links, and never enter your passwords unless you're sure you're on a secure page.
  • Don't hesitate to double-check with the person concerned if the e-mail asks you to carry out an urgent action (e.g. information, bank transfer, etc.).

Finally, we can only recommend that you report fraudulent e-mails on dedicated platforms.

Whether it's Signal Spam, Phishing-Initiative or the official portal for reporting illegal Internet content: PHAROS, these sites record, share and block suspicious e-mails.

And if you can, don't hesitate to contact the entity whose identity has been stolen, so that they can take further steps to protect themselves.

Discover our latest articles

Start with a

free cyber audit

Evaluate your cyber posture with a cyber assessment received within 24 hours.

Get a Free Audit

Security Score

Your risk level is critical


Phishing risk

Security of your email accounts


Data leaks

Compromised data on the internet


Web vulnerabilities

Risks associated with websites and web applications


By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.