SPF, DKIM and DMARC: What They Reveal and What They Don't

Email authentication records are not silver bullets. Here is how to interpret them responsibly.

Published Apr 20, 2026

SPF, DKIM and DMARC are three mechanisms, each anchored in a DNS record, that together answer a simple question: should a receiving mail server trust that a message claiming to come from this domain really did?

SPF

A TXT record on the domain listing the IP addresses and hosts allowed to send mail as that domain. Receivers evaluate it against the envelope sender (the SMTP MAIL FROM, or the HELO identity when MAIL FROM is empty), not the From: header users see. A message can therefore pass SPF for one domain while displaying a completely different domain in From:.
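As an added example (not code from this page), here is the check a receiver performs: evaluating the MAIL FROM domain's SPF record against the connecting IP. The DNS zone is a constructed in-memory table standing in for real lookups, and only the ip4, ip6, include and all mechanisms are modelled; a, mx, exists, ptr and redirect are treated as errors here. Note what the function takes as input: the envelope domain and the client IP, never the From: header.

```python
"""Evaluate an SPF record against the connecting IP (added example).

Only ip4, ip6, include and all are modelled; a, mx, exists, ptr and
redirect return permerror here.  DNS is a constructed in-memory table.
"""
import ipaddress

# Constructed TXT records standing in for DNS (assumption, not real zones).
SPF_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # self-referencing record
}

MAX_LOOKUPS = 10          # DNS-lookup limit from RFC 7208, section 4.6.4
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mailfrom_domain: str, client_ip: str, _lookups=None) -> str:
    """Return the SPF result for a connection from client_ip whose SMTP
    MAIL FROM uses mailfrom_domain.  The From: header plays no part."""
    lookups = [0] if _lookups is None else _lookups   # shared across includes
    record = SPF_TXT.get(mailfrom_domain.lower().rstrip("."))
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                                   # no usable record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                                  # default qualifier
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                      # malformed network
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"                      # too many lookups or a loop
            inner = check_spf(arg, client_ip, lookups)
            if inner in ("none", "permerror"):
                return "permerror"                      # RFC 7208 section 5.2
            matched = inner == "pass"
        else:
            return "permerror"          # mechanism not modelled in this example
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.7"), ("example.com", "198.51.100.10"),
                    ("example.com", "203.0.113.5"), ("loop.example", "192.0.2.1")]:
        print(dom, ip, check_spf(dom, ip))
```

The loop.example record shows why the lookup counter is shared across includes rather than reset per record: without the limit, a self-referencing include recurses forever, and real resolvers treat exceeding ten lookups as a permanent error rather than a pass.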

DKIM

A cryptographic signature added by the sending infrastructure, with the public key published in DNS under a selector. A valid signature proves that the signed headers and body were not modified after signing and that the signer held the private key for the domain named in the signature's d= tag. That domain is whatever the signer chose; on its own, DKIM does not tie it to the From: header.

DMARC

A policy built on SPF and DKIM, published at _dmarc.<domain>. DMARC passes when at least one of SPF or DKIM passes and the domain it authenticated aligns with the From: header domain (an exact match in strict mode, the same organizational domain in relaxed mode, which is the default). Only when neither check produces an aligned pass does the policy answer: "what should receivers do?" Options are p=none, p=quarantine, or p=reject. The record also names an address (rua=) for aggregate reports, so the domain owner can see who is sending as them and whether it aligns.

Three common patterns

  1. p=none for months without changes. The domain is monitoring, not enforcing: receivers apply no disposition on failure, and the only effect is the reports. This is fine as a migration posture, weak as a permanent one.
  2. SPF present but DMARC missing. SPF only authenticates the envelope sender, so a message can pass SPF for the attacker's bounce domain while the From: header shows the victim's domain to the user, with nothing tying the two together. Only DMARC alignment protects the header domain, so always pair SPF (and DKIM) with DMARC. Note that none of the three prevents display-name spoofing, where the From: address is an unrelated domain and only the friendly name imitates the victim.
  3. Strict p=reject without having fixed all senders first. The most painful failure mode: legitimate mail from forgotten senders (ticketing systems, marketing platforms, on-premises devices) fails alignment and is refused outright by enforcing receivers. With p=quarantine it lands in Junk instead; with p=reject it bounces.
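As an added example (not the page's code) of how the DMARC definition above and patterns 1 to 3 play out at a receiver: the function below takes the SPF and DKIM results a receiver has already computed, looks up the policy in a constructed in-memory DNS table (an assumption standing in for real lookups) and decides the disposition. The organizational-domain function is simplified to the last two labels; real implementations use the Public Suffix List, and pct= sampling is not modelled.

```python
"""DMARC evaluation: combine SPF/DKIM results with identifier alignment
and the published policy (added example, not the page's code)."""

# Constructed _dmarc TXT records standing in for DNS (assumption).
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                          "rua=mailto:dmarc@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
}


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax DMARC (and DKIM) records use."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for this
    example; real receivers consult the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def lookup_policy(from_domain: str):
    """Find the DMARC record for the From: domain, falling back to the
    organizational domain's record for subdomains (RFC 7489 section 6.6.3).
    Returns (tags, used_fallback) or (None, False)."""
    for name, fallback in ((from_domain, False), (org_domain(from_domain), True)):
        rec = DMARC_TXT.get(f"_dmarc.{name}")
        if rec and parse_tags(rec).get("v") == "DMARC1":
            return parse_tags(rec), fallback
    return None, False


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain) -> dict:
    """spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the
    d= tag of a verified signature.  DMARC passes if EITHER check passed
    AND its domain aligns with the From: header domain."""
    policy, fallback = lookup_policy(from_domain)
    if policy is None:
        return {"result": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "reason": "aligned pass"}
    # Failure: sp= applies only when we fell back to the organizational
    # domain's record for a subdomain; pct= sampling is ignored here.
    p = policy.get("p", "none")
    disposition = policy.get("sp", p) if fallback else p
    return {"result": "fail", "disposition": disposition,
            "reason": "no aligned SPF or DKIM pass"}


if __name__ == "__main__":
    # A bulk-mail provider passes SPF for its own bounce domain and signs with
    # its own d=, but the From: header says example.com: nothing aligns.
    print(dmarc_evaluate("example.com", "pass", "bounce.esp.example", "pass", "esp.example"))
    # Same sender, but the envelope domain is a subdomain of example.com:
    # relaxed SPF alignment passes and DMARC passes.
    print(dmarc_evaluate("example.com", "pass", "mail.example.com", "fail", "esp.example"))
```

The first scenario in main is pattern 3 exactly: both SPF and DKIM pass, yet DMARC fails because neither authenticated domain aligns with the From: header, and p=reject refuses that legitimate mail. Change p=reject to p=none in the table and the same failure yields disposition none, which is pattern 1; delete the record and the result is none, which is pattern 2.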

What these records do not tell you

  • Whether the DMARC aggregate reports are actually being read.
  • Whether the underlying mail infrastructure is well-operated.
  • Whether the domain is targeted by lookalike-domain phishing.
tags: Intermediate, Guide