CIS-9.5 / SC-7 / A.13.2.1 CIS Controls v8

Has someone configured SPF / DKIM / DMARC for your email domain (anti-spoofing)?

Demonstrate that the organization has properly configured SPF, DKIM, and DMARC records for all email-sending domains to prevent domain spoofing and unauthorized email transmission.

Description

What this control does

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are DNS-based email authentication protocols that prevent unauthorized parties from sending emails that appear to originate from your domain. SPF specifies which mail servers are authorized to send email for your domain, DKIM adds cryptographic signatures to verify message integrity and sender identity, and DMARC defines how receiving servers should handle authentication failures while providing reporting mechanisms. Together, these controls protect against email spoofing, phishing attacks using your brand, and Business Email Compromise (BEC) attempts targeting customers and partners.

Control objective

What auditing this proves

Demonstrate that the organization has properly configured SPF, DKIM, and DMARC records for all email-sending domains to prevent domain spoofing and unauthorized email transmission.

Associated risks

Risks this control addresses

  • Attackers impersonate the organization's domain to conduct phishing campaigns against customers, partners, or employees, damaging reputation and enabling credential theft
  • Business Email Compromise (BEC) actors spoof executive email addresses to authorize fraudulent wire transfers or sensitive data disclosure
  • Malicious actors leverage the organization's domain in spam campaigns, resulting in domain blacklisting and legitimate email delivery failures
  • Lack of DMARC reporting prevents visibility into unauthorized use of the organization's domain across the internet
  • Absence of DKIM signatures allows email content tampering in transit without detection
  • Weak SPF policies (e.g., '+all' or '?all') provide no protection against unauthorized mail servers sending as the domain
  • Missing authentication on subdomains enables attackers to exploit forgotten or unmonitored subdomain records for spoofing attacks

Testing procedure

How an auditor verifies this control

  1. Obtain a comprehensive inventory of all organizational domains and subdomains used for email communication, including primary domains, marketing domains, and third-party sending services.
  2. Query DNS records for each domain's SPF record by performing 'nslookup -type=txt <domain>' or using DNS lookup tools to retrieve TXT records starting with 'v=spf1'.
  3. Verify SPF record syntax for proper formatting, absence of lookup-limit violations (maximum 10 DNS lookups), and that the record terminates with a restrictive qualifier ('-all' or '~all' rather than '+all').
  4. Query DNS records for DKIM selectors by examining outbound email headers or checking with email service providers to identify active selector names, then verify presence of corresponding DKIM public key records.
  5. Query the DMARC record by performing 'nslookup -type=txt _dmarc.<domain>' and verify the policy exists with appropriate tags including p= (policy), rua= (aggregate reports), and ruf= (forensic reports).
  6. Evaluate DMARC policy enforcement level by confirming the 'p=' tag is set to 'quarantine' or 'reject' rather than 'none', and verify subdomain policy using 'sp=' tag if present.
  7. Send test emails through authorized channels and unauthorized sources to validate that SPF/DKIM authentication passes for legitimate mail and that DMARC alignment requirements are met (either SPF or DKIM must align with the From: domain).
  8. Review DMARC aggregate reports (if monitoring has been active) to identify unauthorized sending sources, authentication failure rates, and validate that legitimate email flows authenticate properly.
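As an added example (not part of this control page or any vendor's tooling), the following Python evaluates SPF and DMARC TXT records, as already retrieved with the nslookup queries in steps 2 and 5, against the pass criteria in steps 3, 5 and 6: the 10-lookup limit, the terminating qualifier, an enforcing p= (and sp= where present), and mailto: addresses in rua= and ruf=. The sample records and example.net domains are constructed placeholders.

```python
# Added example: evaluates SPF and DMARC TXT records offline against the pass criteria.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _mechanism(term):
    """Strip qualifier and argument: '~include:x' -> 'include', 'a/24' -> 'a'."""
    t = term.lstrip("+-~?").lower()
    return t.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]

def evaluate_spf(record):
    """Findings for a v=spf1 record: more than 10 lookup-causing terms
    (RFC 7208 limit) or an 'all' qualifier other than '-' or '~'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if all_terms:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # default is '+'
        if q not in "-~":
            findings.append(f"terminates with '{q}all' instead of '-all' or '~all'")
    elif not any(_mechanism(t) == "redirect" for t in terms[1:]):
        findings.append("no 'all' mechanism: unmatched senders evaluate as neutral")
    return findings

def evaluate_dmarc(record):
    """Findings for a _dmarc TXT record: p= (and sp= if present) must be
    quarantine/reject; rua= and ruf= must carry a mailto: reporting address."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p', '(missing)')} is not an enforcing policy")
    if "sp" in tags and tags["sp"].lower() not in ("quarantine", "reject"):
        findings.append(f"sp={tags['sp']} leaves subdomains unprotected")
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if not tags.get(tag, "").lower().startswith("mailto:"):
            findings.append(f"no {kind} reporting address in {tag}=")
    return findings

if __name__ == "__main__":  # constructed sample records, not real domains
    print(evaluate_spf("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"))
    print(evaluate_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.net"))
```

An empty findings list means the record meets the pass criteria; each string is one auditor finding to record as evidence.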

Evidence required

DNS query results showing SPF, DKIM, and DMARC TXT records for all organizational domains, including screenshots or exported DNS zone files with timestamps. DMARC aggregate reports (XML or parsed format) demonstrating monitoring capability and authentication success rates. Email header samples from production systems showing SPF pass, DKIM pass, and DMARC alignment results, along with test results from unauthorized sending attempts if validation testing was performed.

Pass criteria

All organizational email-sending domains have valid SPF records terminating with '-all' or '~all', active DKIM signatures properly configured, and DMARC records with policy set to 'quarantine' or 'reject' with functional reporting addresses configured.