While compliance frameworks such as CMMC, NIST 800-171, and DFARS 7012 lay the groundwork for baseline cybersecurity posture, they do not explicitly mandate controls around email authentication protocols like DMARC, DKIM, and SPF. However, these controls are vital for brand protection, domain ownership, and customer trust—extending well beyond the boundaries of formal compliance.
Implementing DMARC, DKIM, and SPF is not just a technical necessity—it is a strategic investment in preserving digital reputation and securing communications in an era of increasingly sophisticated phishing and impersonation attacks.
Why DMARC, DKIM, and SPF Matter Beyond Compliance
1. Protecting Brand Reputation from Spoofing Attacks
Email spoofing can severely damage a company’s credibility. Threat actors can impersonate your domain to distribute malware or conduct fraud. Without proper authentication, recipients cannot differentiate between a legitimate message and a forged one.
2. Demonstrating Domain Control and Security Maturity
Publishing properly configured DMARC, DKIM, and SPF records signals to customers and partners that your organization proactively manages its domain infrastructure—showing security maturity and signaling trustworthiness.
3. Improving Deliverability and Reliability
Major email providers prioritize emails that are authenticated. Without these protocols, your business risks being flagged as spam or blocked outright, even when sending legitimate communications.
4. Going Beyond Compliance to Brand Trust
DMARC and its supporting technologies offer protection not only from technical threats but also reputational damage. By adopting these standards, your organization demonstrates its dedication to responsible stewardship—an essential signal to customers and regulators alike.
The SPF Challenge: Managing Authorized Senders Intelligently
SPF (Sender Policy Framework) is often underestimated in complexity. While the premise is simple—specifying which IP addresses or hostnames can send emails on your domain’s behalf—the operational reality can be nuanced and error-prone:
- SPF Record Size Limitations: SPF evaluation is limited to 10 DNS lookups. Third-party services (e.g., CRMs, marketing platforms, helpdesk tools) often consume multiple lookups each, exhausting this limit quickly.
- IP Management Overhead: As vendors change infrastructure or add new IPs, your SPF record must be updated manually. Failure to keep it current causes legitimate mail to fail SPF and, in turn, DMARC evaluation.
- Flattening Complexity: Tools like SPF flatteners or include optimizers can help reduce lookup depth but must be monitored regularly to avoid stale entries or outdated IPs.
- Best Practice: Maintain a documented inventory of all authorized senders and implement routine SPF validation tools (such as MXToolbox or DMARCian) to test the accuracy of your record.
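The lookup limit is easier to respect when you can see where the budget goes. The following is an added example (not code from the article or from any tool it names) that walks an SPF record through its include and redirect chains and tallies every term that costs a DNS query. The zone data is constructed and embedded so the example runs offline; the domain names, the "overlimit.example" record, and the use of a dictionary in place of live DNS resolution are all assumptions made for the illustration.

```python
"""Count the DNS lookups an SPF record tree incurs (RFC 7208 caps it at 10)."""
import re

# Constructed offline "zone": stands in for live DNS TXT answers so the example
# runs without network access. A real audit would resolve these names with a
# DNS library (assumption: dnspython or similar), one TXT query per name.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.crm.example include:spf.mailer.example ip4:203.0.113.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example ~all",
    "_spf1.crm.example": "v=spf1 ip4:198.51.100.0/25 a -all",
    "_spf2.crm.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "spf.mailer.example": "v=spf1 redirect=_spf.mailer.example",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 exists:%{i}._spf.mailer.example -all",
    # A constructed domain that stacks includes until it blows through the limit.
    "overlimit.example": "v=spf1 include:example.com include:_spf.crm.example mx -all",
}

# Terms that cost a DNS query each time they are evaluated; ip4/ip6/all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](\S*))?", re.I)


def fetch_spf(name, zone):
    """Return the SPF TXT record for name, or None when there is none (a 'void lookup')."""
    record = zone.get(name.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def audit_spf(domain, zone=ZONE, _path=()):
    """Walk include/redirect chains and tally every term that costs a DNS query."""
    result = {"lookups": 0, "terms": [], "problems": []}
    if domain.lower() in _path:
        result["problems"].append(f"{domain}: include/redirect loop")
        return result
    record = fetch_spf(domain, zone)
    if record is None:
        result["problems"].append(f"{domain}: no SPF record (void lookup)")
        return result
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        match = TERM_RE.match(term)
        if not match:
            result["problems"].append(f"{domain}: unparseable term {term!r}")
            continue
        name, arg = match.group(1).lower(), match.group(2) or ""
        if name not in LOOKUP_TERMS:
            continue
        result["lookups"] += 1
        result["terms"].append(f"{domain}: {term}")
        if name == "ptr":
            result["problems"].append(f"{domain}: ptr is deprecated and slow; replace with ip4/ip6")
        if name in ("include", "redirect"):
            sub = audit_spf(arg, zone, _path + (domain.lower(),))
            result["lookups"] += sub["lookups"]
            result["terms"] += sub["terms"]
            result["problems"] += sub["problems"]
    return result


def check_limit(domain, zone=ZONE):
    """One-line verdict: within budget, or permerror (receivers treat the record as broken)."""
    audit = audit_spf(domain, zone)
    if audit["lookups"] > MAX_LOOKUPS:
        return f"permerror: {audit['lookups']} DNS lookups exceed the limit of {MAX_LOOKUPS}"
    return f"ok: {audit['lookups']}/{MAX_LOOKUPS} DNS lookups"


if __name__ == "__main__":
    for d in ("example.com", "overlimit.example", "missing.example"):
        audit = audit_spf(d)
        print(check_limit(d))
        for t in audit["terms"]:
            print("   ", t)
        for p in audit["problems"]:
            print("  !", p)
```

Running it shows example.com spending 8 of its 10 lookups across two vendors, while overlimit.example reaches 14 and would be rejected as a permerror by receivers. The per-term listing is what you want in the sender inventory the article recommends: each line names the vendor include that consumed a lookup, so a flattener or a removed vendor can be checked against it.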
DKIM in Microsoft 365: How to Enable It Effectively
Microsoft 365 (Outlook) offers native support for DKIM (DomainKeys Identified Mail), but it is not enabled by default for custom domains. Enabling DKIM ensures your emails are cryptographically signed to verify their authenticity.
Steps to Enable DKIM on Microsoft 365:
- Access Admin Center
Go to the Microsoft 365 Defender Portal at https://security.microsoft.com
- Navigate to DKIM Settings
Under Email & Collaboration → Policies & Rules → Threat Policies, select DKIM.
- Publish DNS Records
Microsoft requires two CNAME records to be added to your DNS.
Example:
selector1._domainkey.yourdomain.com → selector1-yourdomain-com._domainkey.<initial>.onmicrosoft.com
selector2._domainkey.yourdomain.com → selector2-yourdomain-com._domainkey.<initial>.onmicrosoft.com
- Enable Signing
Once DNS propagates, return to the DKIM settings panel and enable DKIM signing for each custom domain.
Note: For multi-tenant or hybrid deployments, additional configuration may be required to align DKIM selectors and record propagation across services.
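Before flipping the signing switch, it is worth confirming that both selectors resolve all the way to a live key. The following is an added example, not Microsoft's code or the article's, that builds the CNAME names Microsoft expects for a domain, follows each CNAME chain, and parses the DKIM TXT record at the end. DNS answers are constructed and embedded so the check runs offline; the tenant name "contoso" stands in for the <initial> value, the key body is a placeholder rather than a real RSA key, and the revoked selector2 is deliberately constructed to show the failure mode.

```python
"""Verify that both Microsoft 365 DKIM selectors for a domain resolve to a usable key."""

# Constructed DNS answers standing in for live CNAME/TXT lookups (assumption: a real
# check would resolve these with a DNS library such as dnspython). "contoso" is a
# made-up stand-in for the <initial>.onmicrosoft.com tenant name.
CNAMES = {
    "selector1._domainkey.yourdomain.com": "selector1-yourdomain-com._domainkey.contoso.onmicrosoft.com",
    "selector2._domainkey.yourdomain.com": "selector2-yourdomain-com._domainkey.contoso.onmicrosoft.com",
}
TXT = {
    # selector1 is published; the key body is a placeholder, not a real RSA public key.
    "selector1-yourdomain-com._domainkey.contoso.onmicrosoft.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...PLACEHOLDER",
    # selector2 has an empty p= (a revoked key), so signing would break when Exchange
    # Online rotates onto it. Constructed to show the failure mode.
    "selector2-yourdomain-com._domainkey.contoso.onmicrosoft.com": "v=DKIM1; k=rsa; p=",
}


def expected_m365_cnames(domain, tenant):
    """CNAME pairs Microsoft asks you to publish: dots in the domain become dashes."""
    dashed = domain.replace(".", "-")
    return {
        f"selector{n}._domainkey.{domain}": f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com"
        for n in (1, 2)
    }


def parse_dkim_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict; parts without '=' are skipped."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def verify_selector(name, expected_target, cnames, txt, max_hops=5):
    """Follow the CNAME chain from name, then check the TXT record holds a live key."""
    target, hops = name, 0
    while target in cnames and hops < max_hops:
        target, hops = cnames[target], hops + 1
    if hops == 0:
        return {"status": "error", "reason": "CNAME not published"}
    if target != expected_target:
        return {"status": "error", "reason": f"CNAME points at {target}, expected {expected_target}"}
    record = txt.get(target)
    if record is None:
        return {"status": "error", "reason": "CNAME target has no TXT record yet"}
    tags = parse_dkim_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in key records; default is DKIM1
        return {"status": "error", "reason": f"unexpected version tag {tags.get('v')!r}"}
    if not tags.get("p"):
        return {"status": "error", "reason": "empty p= tag: key is revoked"}
    return {"status": "ok", "reason": f"key published via {target}", "key_type": tags.get("k", "rsa")}


def check_m365_dkim(domain, tenant, cnames=CNAMES, txt=TXT):
    """Check both selectors; Exchange Online rotates between them, so both must be healthy."""
    return {
        name: verify_selector(name, target, cnames, txt)
        for name, target in expected_m365_cnames(domain, tenant).items()
    }


def dkim_ready(domain, tenant, cnames=CNAMES, txt=TXT):
    """True only when every selector resolves to a live key and signing can be enabled."""
    return all(r["status"] == "ok" for r in check_m365_dkim(domain, tenant, cnames, txt).values())


if __name__ == "__main__":
    for name, res in check_m365_dkim("yourdomain.com", "contoso").items():
        print(f"{name}: {res['status']} ({res['reason']})")
    print("ready to enable signing:", dkim_ready("yourdomain.com", "contoso"))
```

With the constructed data, selector1 passes and selector2 is reported as revoked, so the domain is not ready. In practice the same three checks (CNAME present, CNAME pointing at your own tenant, non-empty p=) catch the common causes of a "DKIM enabled but mail unsigned" ticket after a domain is added or a tenant is renamed.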
DMARC: A Gradual Enforcement Strategy for Impactful Protection
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to enforce policy and provide visibility into domain usage. However, strict enforcement (such as p=reject) should not be immediate.
Step-by-Step Journey Toward Full Enforcement:
- Start with p=none (Monitoring Mode)
Allows visibility without blocking any mail.
Set up a rua (aggregate) and optionally ruf (forensic) report destination.
Example:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1;
- Analyze Reports
Use tools like dmarcian, Valimail, or Postmark to interpret DMARC XML reports.
Identify unauthorized or misconfigured sources.
- Transition to p=quarantine
Email failing authentication will be routed to spam folders.
Monitor for unintended consequences or legitimate services failing authentication.
- Finalize with p=reject
Only after verifying that all legitimate senders pass SPF and/or DKIM.
Provides maximum protection against spoofing.
Recommendation: Maintain an internal policy to review DMARC reports weekly and audit any newly introduced email services to ensure compliance before reaching the reject phase.
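The weekly review the article recommends comes down to reading aggregate (rua) reports and deciding whether the policy can advance. The following is an added example, not the article's code or any vendor's, that parses one aggregate report in the RFC 7489 XML layout, groups mail by sending IP, separates fully aligned mail from mail that authenticated under another domain (the usual signature of a vendor that still needs alignment) and mail with no authentication at all, and reports what share of traffic a move to quarantine or reject would affect. The report, its IPs and counts are constructed for the illustration; the 99% readiness threshold is an assumption, not a standard.

```python
"""Summarise a DMARC aggregate (rua) report and flag sources a stricter policy would hit."""
import xml.etree.ElementTree as ET  # reports arrive from third parties; prefer defusedxml in production

# Constructed aggregate report in the RFC 7489 Appendix C layout. IPs, counts and
# the reporter name are illustrative only.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.55</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

READINESS_THRESHOLD = 99.0  # assumption: percent of aligned mail required before tightening policy


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarize_report(xml_text):
    """Group the report's rows by source IP and classify each source."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "total": 0, "failing": 0, "sources": {},
    }
    for rec in root.findall("record"):
        ip = _text(rec, "row/source_ip")
        count = int(_text(rec, "row/count", "0"))
        # policy_evaluated holds the aligned results; either passing means DMARC passes.
        aligned = "pass" in (_text(rec, "row/policy_evaluated/dkim"), _text(rec, "row/policy_evaluated/spf"))
        # auth_results holds raw results, possibly for a domain other than the From domain.
        raw_pass = any(_text(r, "result") == "pass"
                       for r in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf"))
        if aligned:
            verdict = "pass"
        elif raw_pass:
            verdict = "unaligned"  # authenticated under another domain: a vendor needing alignment
        else:
            verdict = "fail"       # no authentication at all: unknown sender or spoofing
        src = summary["sources"].setdefault(ip, {"count": 0, "verdict": verdict,
                                                 "header_from": _text(rec, "identifiers/header_from")})
        src["count"] += count  # the sample has one row per IP; verdict is kept from the first row
        summary["total"] += count
        if verdict != "pass":
            summary["failing"] += count
    return summary


def enforcement_readiness(summary):
    """Percent of reported mail that passes DMARC, i.e. mail a stricter policy would leave alone."""
    if summary["total"] == 0:
        return 0.0
    return 100.0 * (summary["total"] - summary["failing"]) / summary["total"]


def recommend_next_policy(summary):
    """Advance one step only when nearly everything aligns; otherwise stay and investigate."""
    readiness = enforcement_readiness(summary)
    if readiness < READINESS_THRESHOLD:
        return f"stay at p={summary['policy']}: only {readiness:.1f}% of mail aligned"
    return {"none": "move to p=quarantine", "quarantine": "move to p=reject"}.get(
        summary["policy"], "already at p=reject")


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['reporter']} reported {s['total']} messages for {s['domain']} (p={s['policy']})")
    for ip, src in s["sources"].items():
        print(f"  {ip:<15} {src['count']:>5}  {src['verdict']}")
    print(recommend_next_policy(s))
```

On the constructed report, 203.0.113.10 is fully aligned, 198.51.100.7 passed SPF only for bounce.vendor.example (a legitimate vendor that has not been aligned, the case the article warns about before quarantine), and 192.0.2.55 has no authentication at all. Only about 18% of mail aligns, so the recommendation is to stay at p=none and fix the vendor first.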
Conclusion: Build Customer Trust with Email Authentication
Though not explicitly required under current versions of CMMC, NIST 800-171, or DFARS 7012, implementing SPF, DKIM, and DMARC is a best-in-class practice for cybersecurity, domain integrity, and communication assurance.
Key Takeaways
- SPF requires active IP inventory management and optimization to avoid DNS lookup limits.
- DKIM enhances message integrity and can be activated within Microsoft 365 with minimal effort.
- DMARC offers valuable reporting and protection—but it must be implemented gradually and monitored continuously.
By adopting these protocols, organizations not only enhance their technical posture but also elevate their brand as trustworthy, secure, and forward-thinking—a message every customer wants to hear.
Kaushal Saraf is currently the Lead Engineer at Atomus – a cybersecurity compliance platform for small businesses in the Aerospace and Defense sector who want to sell their products and services to the DoD. Before Atomus, Kaushal worked at Goldman Sachs and WeWork and won DoD contracts for cybersecurity products.
At Atomus, we help our customers build and demonstrate trust not only through regulatory compliance frameworks like CMMC, NIST 800-171, and DFARS 7012, but also by addressing broader cybersecurity risks that impact brand reputation and customer confidence.
One such risk—email spoofing—often falls outside the immediate scope of compliance checklists but poses significant operational and reputational threats. By guiding organizations through the correct implementation of SPF, DKIM, and DMARC, we ensure they go beyond mere compliance and embrace a security posture that reflects true digital responsibility and ownership of their communication channels.