Email Authentication Protocol
🏢 A product by Lumiversesolutions Pvt. Ltd.

Your Email. Fully Protected.

SPF, DKIM & DMARC explained — with the exploits, the alignment rules, and the policies that block phishing before it reaches your inbox.


What happens when you send an email

Every email travels through a gauntlet of checks. Here's exactly where each protocol kicks in — and where attackers try to slip through.

Sender (your@domain.com)
  → SMTP server: sends from an SPF-authorised IP and DKIM-signs the message
  → Internet: in transit
  → Receiving MTA: checks SPF and DKIM
  → DMARC policy: none / quarantine / reject
  → Final verdict: inbox, spam, or reject

SPF checks the Return-Path, not the visible From:

SPF authenticates the envelope sender (RFC5321.MailFrom, exposed to the recipient only as the Return-Path header), not the From: header the user reads. On its own, SPF says nothing about the visible sender, which is why spoofed mail can carry an SPF pass and still land in the inbox.

What users see: From: header

Your inbox shows noreply@paypal.com — looks completely legitimate. Users trust this.

🔍

What SPF actually checks: Return-Path

SPF validates the domain of the envelope sender (RFC5321.MailFrom, shown after delivery as the Return-Path header). The recipient never sees it, and the attacker sets it freely, so they simply pick a domain whose SPF record authorises their own sending server.

⚠️

The exploit: SPF passes, phishing lands

The attacker connects from a server listed in evil.com's SPF record and sends with envelope sender bounce@evil.com, so SPF passes for evil.com, while the From: header reads ceo@yourcompany.com. SPF ✅. Phishing delivered, unless the receiver also evaluates DMARC.

🛡️

The fix: DMARC alignment

DMARC requires that the domain SPF authenticated (the Return-Path domain) or the d= domain of a valid DKIM signature aligns with the visible From: domain. A message with neither fails DMARC and the domain owner's published policy is applied.

✓ With p=reject, a receiver that honours DMARC refuses this message at SMTP time, so it never reaches the recipient's inbox.

The Three Pillars

SPF, DKIM, and DMARC work together as a layered defence. DMARC needs at least one of SPF or DKIM to pass with an aligned domain; deploying both matters because each fails in different situations (SPF on forwarding, DKIM on content rewriting), and DMARC is what ties either result to the visible From:.

Layer 1
SPF
Sender Policy Framework — authorises which servers can send on your domain's behalf.
  • Published as a TXT record in DNS
  • Lists authorised sending IP ranges
  • Checks Return-Path domain, not From:
  • Breaks when email is forwarded (the forwarder's IP is not in your record)
  • Must align with From: for a DMARC pass
Layer 2
DKIM
DomainKeys Identified Mail — cryptographically signs emails to prove they haven't been tampered with.
  • Public key published in DNS as TXT record
  • Private key signs selected headers plus a hash of the body
  • Survives forwarding (unlike SPF), as long as the forwarder leaves the signed content intact
  • Detects tampering with the signed headers or body in transit
  • d= tag must align with From: domain
Layer 3
DMARC
Domain-based Message Auth — ties SPF & DKIM together and tells receivers what to do on failure.
  • Requires SPF or DKIM to align with From:
  • Sets policy: none, quarantine, reject
  • Sends aggregate reports (rua) to you
  • Can request failure reports (ruf); few large receivers send them
  • Closes the visible From: spoofing gap

Domain alignment: pass vs fail

DMARC requires that the domain in SPF's Return-Path OR DKIM's d= tag matches the visible From: domain.

Legitimate Email ✓ DMARC PASS

From: header (visible)
noreply@paypal.com
Return-Path (SPF domain)
bounce@paypal.com
DKIM d= tag
d=paypal.com
SPF alignment
✓ paypal.com = paypal.com
DKIM alignment
✓ paypal.com = paypal.com
✓ Both aligned — DMARC passes, email delivered

Spoofed Phishing Email ✗ DMARC FAIL

From: header (visible)
noreply@paypal.com
Return-Path (SPF domain)
bounce@evil-spammer.com
DKIM d= tag
d=evil-spammer.com (or missing)
SPF alignment
✗ evil-spammer.com ≠ paypal.com
DKIM alignment
✗ evil-spammer.com ≠ paypal.com
✗ No alignment — DMARC fails, policy applied
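As an added example (not code from this page or its product), here is how a receiving MTA combines the SPF and DKIM results it already has into a DMARC verdict using identifier alignment. The scenarios are constructed to mirror the comparison above, plus two cases the table does not show: a forwarded message (SPF fails, DKIM still aligns) and a subdomain Return-Path under relaxed versus strict alignment. The organisational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Added example, not the page's code: DMARC identifier alignment as a
receiver evaluates it.  Inputs are the SPF and DKIM results an MTA has
after authentication; messages below are constructed for illustration."""


def org_domain(domain: str) -> str:
    """Approximate the organisational domain as the last two labels.
    Simplification: real evaluators consult the Public Suffix List so that
    mail.example.co.uk maps to example.co.uk rather than co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' (strict): exact match. mode 'r' (relaxed): same organisational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def header_domain(address: str) -> str:
    """Domain part of an address such as 'Name <user@example.com>'."""
    return address.rsplit("@", 1)[1].strip("> ").lower()


def dmarc_evaluate(from_header, spf_domain, spf_result, dkim_results, aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    from_header : the visible RFC5322.From address
    spf_domain  : the domain SPF actually checked (RFC5321.MailFrom, i.e. the
                  Return-Path; the HELO name when MailFrom is the null sender <>)
    spf_result  : 'pass' or any other SPF result
    dkim_results: list of (d= domain, result) for every signature on the message
    aspf/adkim  : 'r' relaxed (the default) or 's' strict, from the DMARC record
    """
    fd = header_domain(from_header)
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, fd, aspf)
    dkim_aligned = any(r == "pass" and is_aligned(d, fd, adkim) for d, r in dkim_results)
    return {
        "from_domain": fd,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed scenarios mirroring the page's comparison.
LEGIT = dict(from_header="noreply@paypal.com", spf_domain="paypal.com",
             spf_result="pass", dkim_results=[("paypal.com", "pass")])
# The exploit: SPF passes for the attacker's own domain, DKIM is the attacker's
# own signature, but neither identifier aligns with the visible From:.
SPOOF = dict(from_header="noreply@paypal.com", spf_domain="evil-spammer.com",
             spf_result="pass", dkim_results=[("evil-spammer.com", "pass")])
# Forwarded through a mailing list: SPF fails (forwarder's IP) but the original
# DKIM signature survives, so DMARC still passes.
FORWARDED = dict(from_header="noreply@paypal.com", spf_domain="paypal.com",
                 spf_result="fail", dkim_results=[("paypal.com", "pass")])
# Bounce address on a subdomain: aligned under relaxed mode, not under strict.
SUBDOMAIN = dict(from_header="alerts@paypal.com", spf_domain="bounce.paypal.com",
                 spf_result="pass", dkim_results=[])

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoof", SPOOF), ("forwarded", FORWARDED)]:
        print(name, dmarc_evaluate(**msg))
    print("subdomain, aspf=r:", dmarc_evaluate(**SUBDOMAIN)["dmarc"])
    print("subdomain, aspf=s:", dmarc_evaluate(**SUBDOMAIN, aspf="s")["dmarc"])
```

The spoof case is the whole point of the section: SPF and DKIM both report "pass", yet DMARC fails because the domains they authenticated are not the domain the user sees. The forwarded case shows why DKIM is worth deploying even when SPF is already in place.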

The three DMARC policies

DMARC lets you start in monitoring mode and ramp up to full enforcement, a low-risk path to blocking exact-domain spoofing once all of your legitimate senders are authenticated.

👁️
p=none

Monitor mode. DMARC itself takes no action on failing messages (the receiver's ordinary spam filtering still applies). Aggregate reports go to your rua address so you can map your legitimate sending sources before enforcing.

Protection Level: Low
📦
p=quarantine

Receivers treat failing messages as suspicious, typically filing them in the spam/junk folder. A good intermediate step while you confirm that every legitimate sender is configured correctly.

Protection Level: Medium
🛡️
p=reject

Full enforcement. Receivers that honour DMARC refuse failing messages at SMTP time, so they never reach the inbox. This is the target state: it stops exact-domain spoofing of your domain at those receivers. It does not cover lookalike domains or display-name tricks, which DMARC cannot see.

Protection Level: Maximum ✓

Your journey to full enforcement

Don't go straight to p=reject. Follow this proven ramp-up path to avoid blocking legitimate email.

1

Set p=none + rua reports

Start monitoring. Collect aggregate reports for 2–4 weeks to map all your sending sources (ESP, CRM, ticketing, etc.)

2

Configure SPF for all senders

Add every authorised sending IP range (ip4:/ip6:) and every third-party include:. Count the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect): more than 10 gives a permerror, which DMARC treats as an SPF non-pass.

3

Add DKIM to all senders

Configure DKIM signing for each mail platform. The d= tag must be your From: domain (or, under the default relaxed alignment, another subdomain of the same organisational domain).

4

Ramp to p=quarantine (pct=10)

Apply policy to 10% of failing messages first. Monitor reports. Increase pct incrementally over 2–4 weeks.

5

Move to p=reject

Once reports show only legitimate senders passing, enforce p=reject. Your domain is now fully protected.

SPF Record Example
Host: yourdomain.com (the apex, the same name used in Return-Path)
Type: TXT
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all

DKIM Record Example
Host: selector1._domainkey.yourdomain.com
Type: TXT
v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (your public key, truncated)
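Added example, not the page's code: a static lint of the SPF record above. It counts the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect) against the limit of 10 from step 2, and tests a connecting IP against the literal ip4/ip6 terms. It performs no DNS, so include: targets are reported as unresolved rather than expanded; a full evaluator recurses into them, and their own lookups count towards the same limit. The test addresses are taken from the documentation range the record uses.

```python
"""Added example, not the page's code: offline SPF record lint and IP check."""
import ipaddress

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                        # default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:                        # modifier, e.g. redirect=, exp=
            name, value = term.split("=", 1)
        elif ":" in term:                      # mechanism with an argument
            name, value = term.split(":", 1)
        else:                                  # bare mechanism: a, mx, all
            name, value = term, None
        parsed.append((qualifier, name.lower(), value))
    return parsed


def lookup_count(parsed):
    """Top-level DNS-lookup terms only; a real evaluator also counts every lookup
    inside each include: and redirect= target against the same limit of 10."""
    return sum(1 for _, name, _ in parsed if name in LOOKUP_TERMS)


def check_ip(parsed, ip):
    """Evaluate ip4/ip6/all terms left to right without DNS.
    Returns (result, matching_term, unresolved).  'unresolved' lists terms that
    were skipped because they need DNS; when it is non-empty the verdict is only
    certain if the match came before all of them."""
    addr = ipaddress.ip_address(ip)
    unresolved = []
    for q, name, value in parsed:
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == addr.version and addr in net:
                return QUALIFIER_RESULT[q], f"{q}{name}:{value}", unresolved
        elif name == "all":
            return QUALIFIER_RESULT[q], f"{q}all", unresolved
        elif name in LOOKUP_TERMS:
            unresolved.append(name if value is None else f"{name}:{value}")
    return "neutral", None, unresolved         # nothing matched and no all term


def lint_spf(record):
    """Summary a practitioner wants before publishing: lookup budget and the all qualifier."""
    parsed = parse_spf(record)
    last = parsed[-1] if parsed else None
    return {
        "lookups": lookup_count(parsed),
        "over_limit": lookup_count(parsed) > 10,   # evaluators return permerror
        "all_qualifier": last[0] if last and last[1] == "all" else None,
    }


# The page's example record; 203.0.113.0/24 is a documentation range.
EXAMPLE_RECORD = "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all"

if __name__ == "__main__":
    terms = parse_spf(EXAMPLE_RECORD)
    print(lint_spf(EXAMPLE_RECORD))
    print(check_ip(terms, "203.0.113.77"))   # in the ip4 range: pass
    print(check_ip(terms, "198.51.100.9"))   # falls through to ~all: softfail
```

Note on ~all versus -all: under DMARC the distinction does not change the verdict, because only an SPF "pass" counts as an aligned pass; softfail and fail both leave the message relying on DKIM. The qualifier matters mainly at receivers that apply SPF on its own.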

Build Your DMARC Record

Configure your options and get a production-ready DMARC TXT record to publish in your DNS.

DNS TXT Record — _dmarc.yourdomain.com
v=DMARC1; p=reject; rua=mailto:support@getmydmarc.com; aspf=r; adkim=r; pct=100
Publish Here
Host: _dmarc
Type: TXT
TTL: 3600
Verify With
dig TXT _dmarc.yourdomain.com
When rua points at a mailbox on another domain, as above, that domain must also publish an authorisation record, otherwise receivers will not send reports there:
dig TXT yourdomain.com._report._dmarc.getmydmarc.com
Propagation
Typically 15 min – 48 hours depending on DNS TTL
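Added example serving both the ramp-up steps and the record builder above (it is not the builder's own code): a parser for the DMARC TXT record and the disposition logic a receiver applies to a message that has failed DMARC, including the pct= sampling used during ramp-up and the sp= subdomain policy. It also lists the authorisation record a third-party report mailbox needs (RFC 7489 section 7.1), which applies to the builder's default rua address. The records are the three ramp-up stages from the page; dmarc@yourdomain.com is a placeholder.

```python
"""Added example, not the page's or the builder's code: DMARC record parsing
and receiver-side disposition, including pct sampling and subdomain policy."""
import random

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags with defaults filled in.
    Raises ValueError on records a receiver would ignore (v=DMARC1 not first, no p=)."""
    tags = {}
    for raw in record.split(";"):
        part = raw.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be 0..100")
    return {"aspf": "r", "adkim": "r", **tags, "pct": pct}


def disposition(policy, from_domain, policy_domain, dmarc_result, roll=None):
    """Action a receiver applies to one message: 'none', 'quarantine' or 'reject'.

    policy_domain : the domain whose _dmarc record was found (the From: domain,
                    or its organisational domain when the subdomain publishes none)
    roll          : 1..100; fixed here for deterministic tests, random in a real MTA
    """
    if dmarc_result == "pass":
        return "none"
    subdomain = from_domain.lower() != policy_domain.lower()
    requested = policy["sp"] if (subdomain and "sp" in policy) else policy["p"]
    if roll is None:
        roll = random.randint(1, 100)
    if roll <= policy["pct"]:
        return requested
    # RFC 7489 section 6.6.4: messages outside the pct sample get the next less
    # severe action, which is what makes pct=10 a gradual ramp rather than a switch.
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[requested]


def external_report_authorizations(policy, policy_domain):
    """DNS names that must exist (as TXT 'v=DMARC1') before receivers send reports
    to a mailbox on a domain other than policy_domain (RFC 7489 section 7.1)."""
    names = []
    for tag in ("rua", "ruf"):
        for uri in policy.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.startswith("mailto:"):
                continue
            # strip an optional !size suffix, e.g. mailto:a@b.example!10m
            report_domain = uri[len("mailto:"):].rsplit("@", 1)[-1].split("!")[0].lower()
            if report_domain != policy_domain.lower():
                names.append(f"{policy_domain}._report._dmarc.{report_domain}")
    return names


# The three ramp-up stages from the page; dmarc@yourdomain.com is a placeholder.
STAGE_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
STAGE_QUARANTINE_10 = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com"
STAGE_REJECT = "v=DMARC1; p=reject; rua=mailto:support@getmydmarc.com; aspf=r; adkim=r; pct=100"

if __name__ == "__main__":
    for rec in (STAGE_MONITOR, STAGE_QUARANTINE_10, STAGE_REJECT):
        pol = parse_dmarc(rec)
        sample = [disposition(pol, "yourdomain.com", "yourdomain.com", "fail", roll=r)
                  for r in range(1, 101)]
        print(pol["p"], pol["pct"], {d: sample.count(d) for d in POLICIES})
        print("  external report authorisations needed:",
              external_report_authorizations(pol, "yourdomain.com"))
```

Two details the ramp-up text glosses over are visible here: with p=quarantine and pct=10, the 90% of failing mail outside the sample is delivered as if the policy were none, and a subdomain with no record of its own inherits p= unless sp= says otherwise, so a forgotten subdomain is covered by the organisational policy.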

The scale of the problem

Email spoofing isn't a niche threat. It's the primary vector for phishing, BEC fraud, and ransomware delivery globally.

3.4B
Spoofed emails sent daily
Every day, attackers send over 3.4 billion emails impersonating legitimate organisations — many passing basic SPF checks due to the Return-Path loophole.
📧
$26B
BEC losses since 2016
Business Email Compromise has cost organisations over $26 billion globally, with spoofed executive emails as the most common attack vector.
💸
91%
Attacks start with email
91% of all cyberattacks begin with a phishing email. DMARC at p=reject removes exact-domain spoofing of your domain as an entry point at every receiver that enforces it; lookalike domains and compromised accounts still need other controls.
🎯
~40%
Domains have no DMARC
Despite being a well-understood standard, nearly 40% of domains have no DMARC record, leaving them open to exact-domain impersonation by anyone on the internet.
🔓

Secure your domain. Today.

Publishing the records takes minutes; the monitoring ramp above is what makes enforcement safe. Don't leave the door open.

_dmarc.yourdomain.com
TXT "v=DMARC1; p=reject;
rua=mailto:support@..."