DMARC, SPF & DKIM: The Email Security Audit Every Domain Needs
A complete email security audit guide to DMARC, SPF and DKIM — what each record does, how to check yours, and how to reach an enforcing policy that stops domain spoofing and phishing.
The most overlooked audit in security
Owners obsess over their website and forget their email — yet a domain without proper authentication can be spoofed by anyone, and email impersonation drives the majority of business fraud losses. The good news: this is one of the cheapest, highest-impact fixes you can make. This guide audits the three records that protect your domain: SPF, DKIM, and DMARC.
SPF: who is allowed to send
Sender Policy Framework is a DNS record listing the servers permitted to send mail for your domain. When a receiver gets a message claiming to be from you, it checks whether the sending server is on your SPF list.
Audit your SPF for:
- A single SPF record (multiple records break it)
- All legitimate senders included — your mail provider, marketing tools, helpdesk, invoicing
- Fewer than the 10 DNS-lookup limit
- A "-all" (hard fail) or at minimum "~all" (soft fail) ending
DKIM: proof the mail is genuine
DomainKeys Identified Mail adds a cryptographic signature to outbound email. The receiver verifies it against a public key in your DNS, proving the message really came from your domain and was not altered in transit.
Audit DKIM for:
- A valid DKIM selector and public key published in DNS
- Signing enabled on every legitimate sending source
- A key length of at least 2048 bits
DMARC: the policy that ties it together
DMARC tells receivers what to do when a message fails SPF and DKIM alignment — and sends you reports on who is using your domain. This is the record that actually stops spoofing.
The critical audit point is your policy:
- p=none — monitoring only. Spoofers are not blocked. Most domains are stuck here and wrongly believe they are protected.
- p=quarantine — failing mail goes to spam.
- p=reject — failing mail is rejected outright. This is the goal.
If your DMARC is missing or set to p=none, attackers can still send convincing email as your domain.
How to run the audit
- Look up your SPF, DKIM, and DMARC TXT records using any public DNS or DMARC checker.
- Confirm all three exist and are syntactically valid.
- Check that your DMARC policy is quarantine or reject — not none.
- Enable DMARC aggregate reports and review who is sending as you.
- Move toward p=reject gradually: start at none to gather reports, fix any legitimate senders that fail, then ratchet to quarantine, then reject.
Why this belongs in every security audit
Email authentication gaps do not show up if you only test your website, which is why so many "secure" sites remain trivially spoofable. It is a core part of our full website security audit checklist, and it directly limits the phishing that leads to MFA bypass and account takeover.
Audit your domain automatically
Checking three records by hand is doable, but interpreting SPF lookup limits, DKIM alignment, and DMARC reports is where people get stuck. Exarlo's $149 audit inspects your email authentication alongside 60+ other public-surface checks and tells you in plain English exactly what to change to reach an enforcing policy — part of understanding your complete external attack surface.
Find your vulnerabilities before attackers do.
Our automated $149 security audit maps your public attack surface and checks for misconfigurations, outdated components, and missing security headers.
Get Your Security Audit