Category: Digital Infrastructure
Reading time: Approximately 7 minutes
Author: Kaiah Digital
Published: 2026

Business Email Compromise (BEC) generated losses exceeding $2.9 billion in reported complaints to the FBI in 2023 alone — making it the costliest cybercrime category for the fifth consecutive year.

If you run a professional firm — whether in law, accounting, finance, or any client-facing service industry — your email infrastructure is likely the most vulnerable point in your entire digital operation. Not your website. Not your file storage. Your email.

This is not speculation. It is one of the most consistently documented findings across global cybersecurity reporting. And the businesses most at risk are not large corporations with complex IT systems. They are small and medium-sized professional firms where nobody has ever formally configured how email works behind the scenes.

This article explains what SPF, DKIM, and DMARC are, why they matter, what happens when they are not configured, and what you can do about it.

What Is Business Email Compromise?

Business Email Compromise, commonly abbreviated as BEC, refers to a category of attacks in which criminals exploit weaknesses in email systems to impersonate a business or its personnel. The objective is almost always financial — redirecting payments, extracting sensitive client data, or gaining unauthorised access to accounts.

According to the FBI’s 2023 Internet Crime Report, BEC accounted for $2.9 billion in adjusted losses from 21,489 reported complaints in the United States alone [1]. These figures represent only incidents that were formally reported — the actual scale is widely considered to be significantly higher.

Unlike many cyberattacks that require sophisticated hacking, BEC attacks often succeed because of a simple technical gap: the target’s email domain has no authentication records configured. This means anyone can send an email that appears to come from your business address, and many email clients will display it as legitimate.

“The most damaging attacks are not the most sophisticated ones. They are the ones that exploit configurations nobody ever set up correctly.”

The Three Protocols That Protect Your Email Domain

There are three industry-standard authentication protocols that, when correctly configured, dramatically reduce the risk of your email domain being spoofed. They are SPF, DKIM, and DMARC.

SPF — Sender Policy Framework

SPF is a DNS record that tells the world which mail servers are authorised to send email on behalf of your domain. When a recipient’s email server receives a message claiming to be from your domain, it checks the SPF record. If the sending server is not on the approved list, the message may be flagged or rejected.

Without an SPF record, any server on the internet can send email that appears to come from your domain. This has been a documented best practice since RFC 7208 was published by the Internet Engineering Task Force in 2014 [2].

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email from your domain. The recipient’s server verifies this signature against a public key stored in your DNS records. If the signature does not match — because the message was tampered with in transit, or was not sent from an authorised source — it fails authentication.

DKIM has been an internet standard since 2011, defined in RFC 6376 [3]. It is now required by Google and Microsoft for bulk email senders.

DMARC — Domain-based Message Authentication, Reporting and Conformance

DMARC is the policy layer that sits on top of SPF and DKIM. It tells receiving servers what to do when a message fails authentication — quarantine it, reject it, or allow it — and sends reports back to the domain owner so you can see who is attempting to send mail on your behalf.

Without DMARC, having SPF and DKIM still leaves your domain open to certain spoofing attacks, because neither protocol on its own checks the address a recipient actually sees in the From: header. DMARC is what binds them into an enforceable policy tied to that visible address, formalised in RFC 7489 in 2015 [4].
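To make the alignment point concrete, here is an added example (not code from the article) that derives the DMARC verdict from the SPF and DKIM results; the domains firm.example, attacker.example, mailer.example and bounce.firm.example are constructed, and org_domain is a simplified stand-in for a Public Suffix List lookup.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1): a message passes DMARC only when an
authenticated identifier (SPF's MAIL FROM domain or DKIM's d= domain) aligns with the visible
From: header domain. Added example, not taken from the article; the domains are constructed."""

def org_domain(domain: str) -> str:
    """Simplified organisational domain: keep the last two labels. Real evaluators consult the
    Public Suffix List so that e.g. 'firm.co.uk' keeps three labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment accepts the same organisational domain; strict ('s') needs an exact match."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_result(from_domain: str, spf_result: str, mailfrom_domain: str,
                 dkim_result: str, dkim_domain: str, aspf: str = "r", adkim: str = "r") -> str:
    """SPF or DKIM may pass on its own identifier; DMARC passes only if one of them also aligns."""
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

if __name__ == "__main__":
    # Spoofed message: the visible From: is firm.example, but SPF passed for the sender's own domain.
    print(dmarc_result("firm.example", "pass", "attacker.example", "none", ""))              # fail
    # Legitimate mail via a provider that signs with the firm's own DKIM key.
    print(dmarc_result("firm.example", "pass", "mailer.example", "pass", "firm.example"))    # pass
    # A bounce subdomain aligns under relaxed mode but not under strict mode (aspf=s).
    print(dmarc_result("firm.example", "pass", "bounce.firm.example", "none", ""))           # pass
    print(dmarc_result("firm.example", "pass", "bounce.firm.example", "none", "", aspf="s"))  # fail
```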

In early 2024, both Google and Yahoo announced mandatory DMARC requirements for senders delivering more than 5,000 messages per day [5]. Organisations that do not comply will see their email deliverability degrade.

What Happens Without These Records

The consequences of not having SPF, DKIM, and DMARC configured fall into two categories: your domain being abused by others, and your legitimate emails failing to reach recipients.

  • Your domain can be used to send phishing emails to your own clients, appearing to come from your address — without your knowledge.
  • Invoices or payment instructions can be replicated by attackers using your domain identity.
  • Your legitimate emails may be routed to spam because receiving servers cannot verify their authenticity.
  • You have no visibility into who is attempting to send email on your behalf.
  • If a client loses money because of a spoofed email from your domain, your firm may face reputational and legal consequences.

A 2022 study by Proofpoint found that 75% of organisations experienced at least one successful phishing attack in the prior year, and email-based impersonation was the primary delivery mechanism [6].

How Widespread Is This Problem?

The adoption of proper email authentication records remains surprisingly low, particularly among small and medium-sized professional practices.

A 2023 analysis by the Global Cyber Alliance found that less than 25% of domains had a DMARC policy set to enforcement [7]. The majority either had no DMARC record at all, or had it set to monitoring-only mode — which provides reporting but no protection.

Among law firms specifically, a 2022 survey by the American Bar Association found that only 17% reported having security policies that included email authentication measures [8]. This is a profession that routinely handles confidential communications, financial instructions, and sensitive personal data.

If your firm manages client funds, handles legally privileged communications, or processes payment instructions via email, operating without email authentication is an operational and reputational risk you cannot afford to ignore.

What a Properly Configured Email Environment Looks Like

  • An SPF record listing all authorised sending sources, including your mail provider and third-party services.
  • A DKIM record with a current signing key, rotated periodically.
  • A DMARC policy set to at minimum p=quarantine, with a reporting address for regular visibility.
  • MFA (multi-factor authentication) enforced across all email accounts.
  • Regular review of DMARC reports to identify unauthorised sending sources or authentication failures.
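As an added example covering the three record descriptions above and this checklist (not Kaiah Digital's own tooling), the following Python script audits SPF, DKIM and DMARC TXT records offline for the weak settings discussed, such as p=none or a missing rua= address; the sample records and firm.example are constructed.

```python
"""Offline audit of SPF, DKIM and DMARC TXT records. Added example, not Kaiah Digital's tooling;
fetch the TXT records for <domain>, <selector>._domainkey.<domain> and _dmarc.<domain> first."""

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' tag list (the DKIM and DMARC record syntax) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_term_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()

def audit_spf(record: str) -> list[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    names = [spf_term_name(t) for t in terms[1:]]
    findings = []
    lookups = sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names)
    if lookups > 10:  # RFC 7208 s.4.6.4: receivers return permerror beyond 10 lookups
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10")
    if "all" not in names and "redirect" not in names:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif "all" in names and terms[1 + names.index("all")][0] not in "-~":
        findings.append("SPF: 'all' qualifier is not - or ~, so unlisted senders are not failed")
    return findings

def audit_dkim(record: str) -> list[str]:
    tags = parse_tags(record)
    findings = []
    if not tags.get("p"):  # RFC 6376: an empty p= tag means the key has been revoked
        findings.append("DKIM: empty or missing p= tag, no public key to verify against")
    if "y" in tags.get("t", ""):
        findings.append("DKIM: t=y testing flag set, receivers treat failures like unsigned mail")
    return findings

def audit_dmarc(record: str) -> list[str]:
    if not record.lower().startswith("v=dmarc1"):
        return ["DMARC: record must begin with v=DMARC1"]
    tags, findings = parse_tags(record), []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={tags.get('p', 'missing')} is monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

if __name__ == "__main__":  # constructed records for a fictional firm.example
    for finding in audit_spf("v=spf1 include:_spf.example.net +all") + audit_dmarc("v=DMARC1; p=none"):
        print(finding)
```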

This is not a one-time setup. It is an ongoing administrative function — precisely the type of structured oversight that most small firms lack the internal capacity to maintain consistently.

How Kaiah Digital Addresses This

At Kaiah Digital, email authentication configuration is a foundational component of every Digital Infrastructure engagement. As part of onboarding we conduct a full DNS and email authentication audit, identify gaps, and implement a properly structured configuration aligned with current industry standards.

Ongoing oversight includes monitoring DMARC reporting outputs and reviewing authentication configurations as part of regular monthly system reviews — included as standard across all Digital Infrastructure service plans.

References

[1] Federal Bureau of Investigation (2024). Internet Crime Report 2023. FBI Internet Crime Complaint Center (IC3). https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

[2] Kitterman, S. (2014). Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. Internet Engineering Task Force, RFC 7208. https://datatracker.ietf.org/doc/html/rfc7208

[3] Crocker, D., Hansen, T., & Kucherawy, M. (2011). DomainKeys Identified Mail (DKIM) Signatures. Internet Engineering Task Force, RFC 6376. https://datatracker.ietf.org/doc/html/rfc6376

[4] Kucherawy, M., & Zwicky, E. (2015). Domain-based Message Authentication, Reporting, and Conformance (DMARC). Internet Engineering Task Force, RFC 7489. https://datatracker.ietf.org/doc/html/rfc7489

[5] Google (2024). Email sender guidelines: New requirements for sending to Gmail. Google Workspace Admin Help. https://support.google.com/mail/answer/81126

[6] Proofpoint (2022). State of the Phish 2022. Proofpoint Annual Report. https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

[7] Global Cyber Alliance (2023). DMARC Policy Adoption Study. Global Cyber Alliance Research. https://www.globalcyberalliance.org

[8] American Bar Association (2022). ABA Legal Technology Survey Report. American Bar Association. https://www.americanbar.org/groups/law_practice/publications/techreport/

This article was prepared by Kaiah Digital. Visit kaiahdigital.net. For educational purposes only. Does not constitute legal or cybersecurity advice.