How do domain owners protect their reputation from spoofing?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine someone sending thousands of phishing emails that look like they came from your domain. Your logo, your name, your address. You never sent a single one. This is domain spoofing, and it happens to businesses of every size.
The good news is that three protocols work together to close that door: SPF, DKIM, and DMARC. Each one does a different job, and you need all three working together before you get real protection.
Step 1: Set up SPF. SPF (Sender Policy Framework) is a DNS record that lists every server allowed to send email on behalf of your domain. When a receiving server gets a message claiming to be from captain@deepcurrent.io, it checks the SPF record for deepcurrent.io to see if that sending server is on the approved list. If it isn't, that's a red flag. Publishing an SPF record is usually as simple as adding one TXT record to your DNS.
Step 2: Set up DKIM. DKIM (DomainKeys Identified Mail) goes a step further. It uses a cryptographic signature to prove that the message content wasn't tampered with in transit and that it genuinely came from your infrastructure. Your ESP adds this signature automatically once you add the DKIM keys they provide to your DNS. No keys, no signature. No signature, no proof.
Step 3: Publish a DMARC record. DMARC is the policy layer that sits on top of SPF and DKIM. It tells receiving servers what to do with messages that fail authentication. The three options are monitor (p=none), quarantine (p=quarantine), and reject (p=reject).
Start at monitor. Seriously. Publishing p=reject on day one before you've checked your sending sources is a great way to accidentally block your own legitimate email. Monitor mode lets you collect DMARC reports without touching delivery. Those reports will show you every source sending email on behalf of your domain, including your ESP, your CRM, your helpdesk tool, and the occasional attacker.
Once you're confident all your legitimate senders pass SPF or DKIM alignment (meaning the domain in the signature matches your From domain), you can move to quarantine, then eventually to reject. That's when spoofed messages get blocked outright rather than delivered.
One concept worth understanding: alignment. DMARC doesn't just check that SPF or DKIM passed. It checks that they passed for your domain specifically. An attacker could send from a server with valid SPF for their own domain. DMARC alignment catches that. The authenticated domain has to match the domain your subscribers see in the From address.
There's also BIMI (Brand Indicators for Message Identification), which lets you display your verified logo next to emails in supported inboxes like Gmail and Yahoo Mail. It requires a valid DMARC policy at enforcement level and a verified mark certificate. Attackers can't replicate that logo. (It's a nice trust signal, but it's the final step, not the first one.)
Now the short version: SPF says who's allowed to send. DKIM proves the message is real. DMARC tells the world what to do when something doesn't line up. All three together is what actually protects your domain reputation from impersonation.
If you want to check whether your domain is already publishing a DMARC record, you can use our free DMARC Generator to build one from scratch, or the DMARC Parser to read any reports you're already getting. Not sure where to start? Drop us a message and we'll take a look at your setup.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.