Set up SPF, DKIM and DMARC to stop email spoofing
Without SPF, DKIM and an enforcing DMARC policy, anyone can send email that appears to come from your domain.
Why it matters
Email authentication is one of the most abused gaps for phishing and business-email compromise. A domain with no DMARC record, or one still at p=none, lets attackers impersonate your brand to your own customers and staff, and it also hurts deliverability of your legitimate mail because receivers cannot distinguish it from forgeries.
How to fix it
Publish an SPF TXT record listing every service that sends mail for the domain, enable DKIM signing at your mail provider or server (its public key is published as a TXT record under a selector the provider gives you), then add a DMARC record. Start at p=none (monitor only), move to p=quarantine, and finally p=reject once the aggregate reports (rua) show all your legitimate senders passing.
; SPF
@ TXT "v=spf1 include:_spf.google.com -all"
; DMARC (publish with p=none first to monitor, then p=quarantine, then p=reject as shown)
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
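As an added example, not part of this guide or of any scanner, here is a small Python checker that grades SPF and DMARC TXT records against the steps above. The sample records are constructed inline rather than fetched from DNS, and the function names are my own.

```python
"""Grade SPF and DMARC TXT records the way a domain scan would (added example)."""
import re

# Constructed sample records for three hypothetical domains (not live DNS data).
RECORDS = {
    "good.example": {"spf": "v=spf1 include:_spf.google.com -all",
                     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"},
    "monitor.example": {"spf": "v=spf1 include:_spf.google.com ~all",
                        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"},
    "none.example": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def parse_tags(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def grade_spf(txt):
    """Return (grade, reason). 'strong' needs a trailing -all and <= 10 lookups."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing", "no SPF record; forged senders cannot fail SPF"
    terms = txt.split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_MECH.match(t))
    if lookups > 10:
        return "broken", f"{lookups} lookup terms; receivers return permerror above 10"
    last = terms[-1].lower() if terms else ""
    if last == "-all":
        return "strong", "hard fail for unlisted senders"
    if last == "~all":
        return "weak", "softfail only; SPF alone rejects nothing"
    return "weak", "missing or permissive 'all' term; unlisted senders pass"

def grade_dmarc(txt):
    """Return (grade, reason) for the policy tag p= and the pct= sampling rate."""
    if not txt or not txt.upper().startswith("V=DMARC1"):
        return "missing", "no DMARC policy; spoofed mail is not rejected"
    tags = parse_tags(txt)
    p = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if p == "none":
        return "monitor", "p=none only reports; nothing is quarantined or rejected"
    if pct < 100:
        return "partial", f"p={p} applies to only {pct}% of failing mail"
    if p == "quarantine":
        return "enforcing", "failing mail goes to spam; move to p=reject when reports are clean"
    return "strong", "p=reject: receivers discard mail that fails DMARC"
```

Run `grade_spf(RECORDS[d]["spf"])` and `grade_dmarc(RECORDS[d]["dmarc"])` for each sample domain to see the three outcomes the guide describes: fully enforcing, monitor-only, and unprotected.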