Protection against email phishing (DMARC, DKIM and SPF)

How many spam emails do you receive on a weekly basis? And at first sight, how many seem to come from someone you know?

Email is an unsafe method of communication, and cybercriminals have worked out ways to cause havoc to businesses by exploiting weaknesses in the original email protocols.

Phishing is one the most popular methods for criminals to gain access to a computer system or to trick someone into action by sending a fraudulent email message. These emails can look extremely convincing, and often try to replicate legitimate emails from reputable businesses.

In those emails, the recipient is often asked to click a link, download a file or take a live action.


When using the combination of Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in the Domain Name System and using DMARC with DomainKeys Identified Mail (DKIM) to sign emails, you can protect your email domain and account from being misused by criminals.

These email security standards help protect your company, your reputation and your customers.

What is DMARC?

DMARC is an email authentication protocol which protects an email domain from unauthorised use, and gives email domain owners the ability to protect their domain from spoofing. Spoofing is a situation where a criminal pretends to send emails from your domain.

What is DKIM?

DKIM uses public key cryptography and the domain name system to digitally sign and validate emails. Thereby the authenticity of the communication is verified. If the signature is invalid and the email can’t be verified, the email will be rejected or flagged as spam by your email account.

What is SPF?

SPF is a verification system designed for emails to detect fake communications. A domain owner publishes its SPF record wherein it indicated which mail servers are allowed to send emails on behalf of their domain. When SPF is enabled and the email can’t be verified, the message will be rejected or flagged as spam by your email account.

Technical specifications

Guidance from the Australian government on How to combat fake emails can be found here