Skip to main content
Lake CumberlandComputers
All articles

Can Your Business Email Be Spoofed? SPF, DKIM, and DMARC in Plain English

Three DNS records decide whether criminals can send email that looks exactly like it came from your business. Here's what they do — explained with envelopes, signatures, and instructions, not jargon.

Somewhere right now, someone is sending an email that appears to come from a business they've never touched. Not a hacked account — just a forged "From" line, the email equivalent of writing someone else's return address on an envelope. It's how fake invoices reach bookkeepers, and how "the boss" asks payroll to change a direct deposit.

Whether that forged email gets delivered — or lands in junk, or bounces — depends on three public records attached to the business's domain name: SPF, DKIM, and DMARC. Every mail system on earth checks them. Here's what each one does, minus the jargon.

SPF: the list of approved senders

SPF (Sender Policy Framework) is a public list that says: "Mail from our domain legitimately comes from these servers." If your email runs on Microsoft 365, your SPF record says so.

When a receiving mail system gets a message claiming to be from your domain, it checks the actual sending server against the list. On it? Point in favor. Not on it? A strike against.

Where it falls short alone: SPF only checks the envelope, not the "From" line a human reads — and forwarding can break it. Necessary, not sufficient.

DKIM: the tamper-proof signature

DKIM (DomainKeys Identified Mail) has your mail server put an invisible cryptographic signature on every outgoing message. Receiving systems check the signature against a public key in your DNS. A valid signature proves two things: the mail genuinely came through your systems, and nobody altered it on the way.

A forger can't produce that signature — the key never leaves your provider. For Microsoft 365, DKIM shows up as two small DNS entries (selector1 and selector2). Many offices are one wizard step away from having it and never clicked the button.

DMARC: the instructions and the alarm

Here's what most people miss: SPF and DKIM alone are just evidence. DMARC is the record that tells receiving systems what to do when the evidence says a message is a fake — deliver it anyway, quarantine it to junk, or reject it cold.

No DMARC record means no instructions, and most mail systems shrug and deliver the fake. That's why an office can "have SPF and DKIM" and still be spoofable in practice.

DMARC also has a reporting feature: mail systems around the world will tell you when they see forged mail claiming to be you — an alarm bell most businesses never wire up.

DMARC policies come in three strengths: none (just watch and report), quarantine (junk the fakes), and reject (refuse them outright). New setups start at none to make sure real mail passes, then tighten. Parked at none forever, though, the alarm rings and nobody's listening.

The part nobody tells small businesses

These records aren't a premium feature. They're free, they're public, and they protect you specifically — your name, your invoices, your relationships. A missing DMARC record doesn't hurt Microsoft; it hurts the plumbing company whose customers get fake invoices with someone else's bank details on them.

And because the records are public, checking them requires no access to your systems, no software, and no risk. Any mail administrator on the planet can look at your domain and know in seconds whether you're protected. So can criminals — that's rather the point.

Check yours in fifteen seconds

Our free M365 Security Health Check reads your domain's MX, SPF, DKIM, and DMARC records, grades each one, and emails you a plain-English report — what's right, what's missing, and what it means for an office like yours. Passive public lookups only; we never touch your systems.

If the grades come back rough, fixing these records is a small, well-defined job — the kind we handle constantly as part of Microsoft 365 work for offices from Russell Springs to Somerset. Get in touch and we'll get your name back to being yours alone.

Got a question this didn't answer?

Call the shop, use the chat, or book time with a technician — plain answers are the whole business model.

Can Your Business Email Be Spoofed? SPF, DKIM, and DMARC in Plain English | Lake Cumberland Computers