Implementing DMARC, DKIM, and SPF Email Security
Overview
SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate message integrity, and define policies for handling unauthenticated mail. Proper implementation drastically reduces phishing attacks that impersonate your organization's domain.
Prerequisites
- DNS management access for your domain
- Access to email server/MTA configuration (Postfix, Exchange, Google Workspace, Microsoft 365)
- Basic understanding of DNS TXT records
- Python 3.8+ for validation scripts
Key Concepts
SPF (Sender Policy Framework)
Publishes a DNS TXT record listing authorized IP addresses and mail servers that can send email on behalf of your domain. Receiving servers check the envelope sender's IP against this list.
DKIM (DomainKeys Identified Mail)
Adds a cryptographic signature to outgoing emails using a private key. The corresponding public key is published in DNS. Receivers verify the signature to ensure the message was not altered in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Builds on SPF and DKIM by specifying a policy (none/quarantine/reject) for messages that fail authentication, and provides a reporting mechanism to monitor spoofing attempts.
Implementation Steps
Step 1: Audit Current State
# Check existing SPF record
dig TXT example.com | grep spf
# Check existing DKIM selector
dig TXT selector1._domainkey.example.com
# Check existing DMARC record
dig TXT _dmarc.example.comStep 2: Implement SPF
# DNS TXT record for example.com
v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:spf.protection.outlook.com -allKey SPF mechanisms:
ip4:/ip6:- Authorize specific IP rangesinclude:- Include another domain's SPF recorda- Authorize domain's A record IPsmx- Authorize domain's MX record IPs-all- Hard fail all others (recommended)~all- Soft fail (monitoring phase)
Step 3: Implement DKIM
# Generate DKIM key pair (2048-bit RSA)
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
# Format public key for DNS (remove headers, join lines)
grep -v "PUBLIC KEY" dkim_public.pem | tr -d '\n'DNS TXT record at selector1._domainkey.example.com:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...Step 4: Implement DMARC
# DNS TXT record at _dmarc.example.com
# Phase 1 (Monitor):
v=DMARC1; p=none; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100
# Phase 2 (Quarantine):
v=DMARC1; p=quarantine; rua=mailto:dmarc-aggregate@example.com; pct=25
# Phase 3 (Reject):
v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@example.com; pct=100Step 5: Monitor and Analyze DMARC Reports
Use the scripts/process.py to parse DMARC aggregate XML reports and identify authentication failures, unauthorized senders, and spoofing attempts.
Tools & Resources
- MXToolbox: https://mxtoolbox.com/SuperTool.aspx
- DMARC Analyzer (dmarcian): https://dmarcian.com/
- Google Postmaster Tools: https://postmaster.google.com/
- Valimail DMARC Monitor: https://www.valimail.com/
- DMARC Report Analyzer: https://dmarc.postmarkapp.com/
Validation
- SPF record passes validation at mxtoolbox.com
- DKIM signature verified on test emails
- DMARC record properly formatted and reporting enabled
- Test emails pass all three checks in recipient's Authentication-Results header
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
- ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
- NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
- NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add implementing-dmarc-dkim-spf-email-security
# Or load dynamically via MCP
grc.load_skill("implementing-dmarc-dkim-spf-email-security")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.