Are SPF, DKIM, and DMARC fully deployed at p=reject across all sending domains?
Demonstrate that SPF, DKIM, and DMARC are properly configured with enforcement policy set to reject on all organizational email sending domains, preventing email spoofing and unauthorized use of company domains.
Description
What this control does
This control ensures Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) records are correctly configured and enforced across all organizational email sending domains. SPF authorizes sending mail servers by IP address, DKIM cryptographically signs outbound messages, and DMARC instructs receiving servers to reject unauthenticated emails (p=reject policy) while providing feedback reports. Full deployment with reject enforcement prevents domain spoofing, reduces phishing exposure for customers and partners, and protects brand reputation by ensuring unauthorized actors cannot successfully send email appearing to originate from organizational domains.
Control objective
What auditing this proves
Demonstrate that SPF, DKIM, and DMARC are properly configured with enforcement policy set to reject on all organizational email sending domains, preventing email spoofing and unauthorized use of company domains.
Associated risks
Risks this control addresses
- Attackers spoof organizational domains in phishing campaigns targeting customers, partners, or employees, leading to credential theft or malware installation
- Business Email Compromise (BEC) attacks impersonate executives or vendors using unprotected domains, resulting in fraudulent wire transfers or data disclosure
- Lack of DMARC enforcement (p=none or p=quarantine) allows spoofed emails to reach recipients' inboxes even when authentication fails
- Missing or incomplete SPF records permit unauthorized mail servers to send messages claiming to originate from organizational domains
- Absent DKIM signatures prevent cryptographic verification of message integrity and origin, enabling message tampering in transit
- Subdomains or legacy sending domains omitted from email authentication configuration create exploitable gaps for targeted attacks
- Absence of DMARC aggregate and forensic reporting prevents visibility into authentication failures and ongoing spoofing attempts
Testing procedure
How an auditor verifies this control
- Obtain a comprehensive inventory of all organizational domains and subdomains used for sending email, including marketing, transactional, corporate, and subsidiary domains
- Query DNS records for each identified domain using dig, nslookup, or a DNS lookup tool to retrieve SPF (TXT record starting with v=spf1), DKIM (TXT record at selector._domainkey subdomain), and DMARC (TXT record at _dmarc subdomain) configurations
- Verify SPF records include all authorized sending sources (IP addresses, includes, or mx mechanisms) and terminate with '-all' or '~all' directives, checking that no more than 10 DNS lookups are required to avoid SPF validation failures
- Confirm DKIM public keys are published in DNS and correspond to active private keys used by sending mail servers, testing with sample authenticated emails where DKIM-Signature headers reference the published selectors
- Review DMARC policy records to confirm 'p=reject' is set for organizational policy enforcement, 'sp=' subdomain policy is also reject or inherits parent policy, 'pct=100' for full enforcement, and 'rua=' and 'ruf=' tags specify aggregate and forensic report recipients
- Send test emails from each domain through authorized channels and through unauthorized sources, then examine message headers and delivery outcomes to confirm SPF pass, DKIM pass, and DMARC pass for legitimate mail and DMARC failure with rejection for spoofed attempts
- Review DMARC aggregate reports (RUA) from the past 30-90 days to identify any legitimate sending sources failing authentication, and verify that every failing source is either unauthorized or has been remediated
- Cross-reference the domain inventory against DNS findings to identify any domains lacking complete email authentication implementation or using permissive DMARC policies (p=none or p=quarantine)
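The DMARC and SPF checks from the procedure above, as an added example that is not part of the original control text: the functions take the raw TXT record strings an auditor would get back from dig or nslookup (the records below are constructed samples, and the SPF lookup count only covers the top-level record, not the includes it references) and return the findings a reviewer would record.

```python
# Added example: offline checks for the DMARC and SPF findings in the testing
# procedure. Inputs are constructed TXT record strings, standing in for what
# `dig TXT _dmarc.example.com` and `dig TXT example.com` would return.
import re

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style TXT record (DMARC) into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the record meets the control."""
    t = parse_tags(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if t.get("p", "").lower() != "reject":
        findings.append(f"policy is p={t.get('p', 'missing')} (expected reject)")
    sp = t.get("sp", "").lower()
    if sp and sp != "reject":  # an absent sp= inherits p=, which is acceptable
        findings.append(f"subdomain policy sp={sp} weaker than reject")
    if int(t.get("pct", "100")) != 100:
        findings.append(f"pct={t['pct']} leaves part of traffic unenforced")
    if "rua" not in t:
        findings.append("no rua= aggregate report address")
    if "ruf" not in t:
        findings.append("no ruf= forensic report address")
    return findings

# SPF terms that each cost one DNS lookup toward the 10-lookup limit
_LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)

def check_spf(record: str) -> list:
    """Findings for an SPF record: version tag, terminal qualifier, lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append(f"terminates with {terms[-1]!r}, expected -all or ~all")
    # Counts only this record's own terms; a full audit must resolve includes recursively.
    lookups = sum(1 for term in terms[1:] if _LOOKUP.match(term))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings
```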