How SPF, DKIM, and DMARC Work Together — And Why MSPs Can’t Ignore Them

January 14, 2026 by
support@aits.ca

As MSPs, we spend a lot of time talking about MFA, EDR, and backups.

But one of the most common causes of real-world incidents we see still starts with email impersonation, not malware, ransomware, or zero-days (2023 Phishing Threats Report, n.d.).

Just someone sending an email from the client’s domain.

And almost every time we investigate, the root cause is the same:

SPF, DKIM, and DMARC are not working together, or DMARC is missing entirely (Common Misconfigurations in Email Authentication and How to Fix Them, 2024).

The Problem Clients Don’t See

From a client’s perspective:

  • Email works
  • Messages are going out
  • Nothing looks broken

From an attacker’s perspective:

  • The domain can be spoofed
  • Customers trust the sender
  • Invoices, wire requests, and phishing emails get delivered (How to Stop Email Spoofing Attacks and Phishing Attacks with DMARC, 2023) 

This is why email-based fraud keeps winning. It takes advantage of trust, not technology.

SPF: The First Gate (But Not a Lock)

SPF answers one question:

Is this mail server allowed to send email for this domain?

It’s necessary, and we enable it for every client (Applied Security Visualization, 2024). But SPF alone:

  • Breaks with forwarding
  • Doesn’t protect the visible “From” address
  • Doesn’t stop spoofing by itself

SPF is a signal (Nightingale, n.d.), not a form of enforcement.

DKIM: Proving the Message Wasn’t Altered

DKIM signs outgoing email so receiving systems can verify:

  • The message wasn’t modified
  • It was signed by the sending domain

This is especially important in Microsoft 365 environments.

But DKIM alone:

  • Doesn’t stop someone from spoofing your brand (Microsoft Enforces SPF, DKIM, DMARC for High-Volume Senders, 2025)
  • Doesn’t tell receivers what to do when something looks wrong

Again, it is a strong signal but a weak control without policy.

DMARC: Where MSPs Actually Reduce Risk

DMARC is the control that turns SPF and DKIM into real protection (Nightingale, 2017; SMB1001 & DMARC: What SMBs Must Know, 2026). It does three critical things:

  1. Requires SPF or DKIM to align with the visible “From” domain
  2. Tells receiving mail servers what to do when authentication fails
  3. Provides reporting so we can see abuse and misconfigurations

Without DMARC:

  • Spoofed emails still land in inboxes
  • Customers get phished as your client
  • The MSP ends up explaining an avoidable incident
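
The alignment check and policy decision described above, as an added example that is not code from the original post. It assumes relaxed alignment and approximates the organizational domain as the last two labels; the domains and authentication results are constructed.

```python
# Added example: simplified DMARC evaluation. All domains and results are constructed.

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (needed for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment (the DMARC default): same organizational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, policy):
    """Return (dmarc_result, action); policy is the From domain's p= value or None."""
    if policy is None:                        # no DMARC record: nothing to evaluate
        return ("none", "deliver")
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], msg["header_from"])
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["dkim_d"], msg["header_from"])
    if spf_ok or dkim_ok:                     # one aligned pass is enough
        return ("pass", "deliver")
    if policy in ("quarantine", "reject"):    # the published policy decides
        return ("fail", policy)
    return ("fail", "deliver")                # p=none: reported, not blocked

# SPF passes for the envelope domain, but that is not the visible From domain.
SPOOFED = {"header_from": "client.example", "mail_from": "bulk.unrelated.example",
           "spf": "pass", "dkim": "none", "dkim_d": ""}
# Forwarding changes the connecting IP, so SPF fails; the DKIM signature survives.
FORWARDED = {"header_from": "client.example", "mail_from": "client.example",
             "spf": "fail", "dkim": "pass", "dkim_d": "mail.client.example"}

def demo():
    """Disposition of both sample messages under each policy state."""
    return {(name, p): dmarc_disposition(m, p)
            for name, m in (("spoofed", SPOOFED), ("forwarded", FORWARDED))
            for p in (None, "none", "quarantine", "reject")}

if __name__ == "__main__":
    for key, result in demo().items():
        print(key, "->", result)
```
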

Why “DMARC = none” Is Not Enough

We still see many tenants with:

p=none

That means:

  • No blocking
  • No quarantining
  • No protection

p=none is for monitoring, not for security (DMARC Warning about not being protected against phishing and spoofing threats, 2025). It’s fine as a short transition phase, but not as a final state.

The Baseline We Aim for as an MSP

For every managed client, the goal should be:

  • ✅ SPF scoped only to required senders
  • ✅ DKIM enabled for all mail sources
  • ✅ DMARC set to quarantine or ideally reject

This setup:

  • Stops domain spoofing
  • Protects customers and vendors
  • Reduces phishing success rates
  • Lowers incident response noise

Most importantly, it prevents the MSP from being reactive.
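
One way to check a client domain against this baseline during onboarding or an audit, as an added example that is not part of the original post. The function names are hypothetical and the records are constructed; the script takes TXT record strings as input and does no DNS lookups itself.

```python
# Added example: audit TXT record strings against the baseline above. Records are constructed.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # each costs a DNS lookup

def parse_tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM records."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record"]
    terms = record.lower().split()[1:]
    redirect = any(t.startswith("redirect=") for t in terms)
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("SPF: +all authorizes every server")
    elif not redirect and "-all" not in terms and "~all" not in terms:
        findings.append("SPF: record does not end in -all or ~all")
    lookups = redirect + sum(
        t.lstrip("+-~?").split(":")[0].split("/")[0] in LOOKUP_TERMS for t in terms)
    if lookups > 10:  # RFC 7208 limit; exceeding it is a permerror
        findings.append(f"SPF: {lookups} DNS lookups, limit is 10")
    return findings

def audit_dkim(selectors):
    if not selectors:
        return ["DKIM: no selector records published"]
    # An empty p= tag means the key was revoked (RFC 6376).
    return [f"DKIM: selector {name} has no public key"
            for name, rec in selectors.items() if not parse_tags(rec).get("p")]

def audit_dmarc(record):
    if not record or not record.startswith("v=DMARC1"):
        return ["DMARC: no v=DMARC1 record"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '(absent)'} does not block or quarantine")
    if "rua" not in tags:
        findings.append("DMARC: no rua, aggregate reports are not collected")
    return findings

def audit_domain(spf, dmarc, dkim_selectors):
    return audit_spf(spf) + audit_dkim(dkim_selectors) + audit_dmarc(dmarc)

WEAK = ("v=spf1 include:spf.protection.outlook.com ?all", "v=DMARC1; p=none", {})
BASELINE = ("v=spf1 include:spf.protection.outlook.com -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@client.example",
            {"selector1": "v=DKIM1; k=rsa; p=CONSTRUCTED_KEY"})
```

Calling `audit_domain(*WEAK)` returns one finding per gap, and `audit_domain(*BASELINE)` returns an empty list.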

Why This Is an MSP Responsibility Now

Clients don’t manage DNS policies.

They don’t understand email authentication.

They only notice when money is gone or trust is damaged.

If SPF, DKIM, and DMARC aren’t part of your standard onboarding and audits, attackers will find that gap before you do.

Final Thought

SPF, DKIM, and DMARC are not “email extras.”

They’re foundational controls, and when they work together, they shut down one of the most abused attack paths we see in SMB environments. If you manage email for clients and DMARC isn’t enforced yet, that’s the next win waiting to happen.


Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.


References

(n.d.). 2023 Phishing Threats Report. https://regmedia.co.uk/2023/08/25/phishingthreatsreport.pdf

(2024). Common Misconfigurations in Email Authentication and How to Fix Them. YOUR DMARC. https://support.yourdmarc.com/en/articles/10357965-common-misconfigurations-in-email-authentication-and-how-to-fix-them

(2023). How to Stop Email Spoofing Attacks and Phishing Attacks with DMARC. DMARC Eye. https://dmarceye.com/insights/how-to-stop-email-spoofing-attacks-and-phishing-attacks-with-dmarc

(2024). Applied Security Visualization. Publisher Name. https://vdoc.pub/documents/applied-security-visualization-50hurpdud5e0

Nightingale, S. (n.d.). NIST Technical Note 1945. https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.1945.pdf

(April 3, 2025). Microsoft Enforces SPF, DKIM, DMARC for High-Volume Senders. dmarcian.com. https://dmarcian.com/microsoft-enforces-spf-dkim-dmarc/

(2026). SMB1001 & DMARC: What SMBs Must Know. PowerDMARC. https://powerdmarc.com/smb1001-dmarc-guide/

Nightingale, J. S. (2017). Email Authentication Mechanisms: DMARC, SPF and DKIM. Technical Note (NIST TN) - 1945. https://doi.org/10.6028/NIST.TN.1945

(2025). DMARC Warning about not being protected against phishing and spoofing threats. DMARC Report. https://support.dmarcreport.com/support/solutions/articles/5000896904-dmarc-warning-about-not-being-protected-against-phishing-and-spoofing-threats
