Setting up DMARC, DKIM, and SPF is the single most effective step Indian businesses can take to stop email spoofing and Business Email Compromise fraud. All three are DNS-based email authentication protocols: SPF specifies which mail servers are authorised to send on your behalf; DKIM attaches a cryptographic signature to every outgoing message so recipients can verify it arrived unaltered; DMARC enforces a policy — monitor, quarantine, or reject — whenever either check fails, and delivers aggregate reports so you can see who is impersonating your domain. For Indian organisations, CERT-In classifies phishing as the highest-volume reported incident category each year — and without all three protocols correctly configured, anyone with a cheap VPS can send email that appears to originate from your domain, enabling large-scale phishing campaigns and targeted Business Email Compromise fraud.
Why Email Spoofing Is a Critical Threat for Indian Businesses
Email remains the most exploited attack vector across corporate cybersecurity incidents worldwide, and Indian organisations face acute exposure. The Reserve Bank of India has issued repeated advisories warning regulated entities about phishing and Business Email Compromise schemes where attackers impersonate CFOs, vendors, and partner banks to divert payments. CERT-In categorises phishing among the highest-volume incident types reported each year.
The underlying vulnerability is structural. The Simple Mail Transfer Protocol that moves email between servers has no built-in sender verification mechanism. An attacker can set the From address to accounts@yourcompany.in using a standard email client and a cheap VPS. Without SPF, DKIM, and DMARC in place, that email passes through most mail servers and lands in your vendor's or client's inbox looking completely legitimate — no malware required, no technical exploit, just a convincing sender address.
NIST Special Publication 800-177r1 — Trustworthy Email — defines the technical requirements for SPF, DKIM, and DMARC deployment and serves as the authoritative reference for enterprise email authentication globally.
DMARC, DKIM and SPF Protocols Explained for Indian Businesses
SPF: Sender Policy Framework
SPF operates at the envelope level. When your mail server sends an email, the receiving server queries your domain's DNS for an SPF TXT record listing every IP address and sending service authorised to send on your behalf. If the connecting server's IP is absent from that list, the SPF check fails.
A minimal SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all

The -all mechanism at the end is critical. It instructs receiving servers to hard-fail — reject or flag — any email not from an authorised source. The common alternatives ~all (soft fail) and ?all (neutral) pass the email onward regardless of the check result, removing almost all of SPF's protective value. Many Indian SMBs are left with ~all because hosting providers set it as a default they never revisit.
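To make the difference between -all and ~all concrete, here is an added example (written for this guide, not code from Bachao.AI or from any SPF library) that evaluates a connecting IP against an SPF record the way a receiving server does. DNS is replaced by a constructed in-memory table (FAKE_DNS); the domain names in it and the RFC 5737 documentation addresses are assumptions. Only the ip4, ip6, include and all mechanisms are implemented, which is enough to show that the same unauthorised sender gets "fail" under -all but only "softfail" under ~all.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> list of TXT records. A real check
# would query DNS; this table lets the example run offline. All names and
# addresses below are assumptions (documentation ranges from RFC 5737).
FAKE_DNS = {
    "yourcompany.in": [
        "v=spf1 include:_spf.mailprovider.example include:bulk.example ip4:203.0.113.10 -all"
    ],
    "soft.example.in": [
        "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 ~all"
    ],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "bulk.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

# SPF qualifiers map to the result returned when a mechanism matches.
QUALIFIER_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns):
    """Return the domain's single v=spf1 record, or None if missing or duplicated."""
    records = [r for r in dns.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    return records[0] if len(records) == 1 else None


def spf_check(domain, client_ip, dns, depth=0):
    """Evaluate client_ip against the SPF record of domain.

    Supports ip4, ip6, include and all; other mechanisms are ignored here.
    Returns pass / fail / softfail / neutral / permerror.
    """
    if depth > 10:  # include loops or excessive nesting are a permanent error
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # 'in' returns False when address and network are different IP versions
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            sub = spf_check(value, client_ip, dns, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULTS[qualifier]
    return "neutral"  # no term matched and no all mechanism was present


if __name__ == "__main__":
    for domain in ("yourcompany.in", "soft.example.in"):
        for ip in ("203.0.113.10", "198.51.100.7", "203.0.113.99"):
            print(domain, ip, spf_check(domain, ip, FAKE_DNS))
```

Run it and the last address, which appears in no record, is the one to watch: "fail" for yourcompany.in, "softfail" for soft.example.in. Most receivers deliver a softfail unless DMARC tells them otherwise, which is why the page calls ~all a default to revisit.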
DKIM: DomainKeys Identified Mail
DKIM operates at the message level. Your mail server signs each outgoing email with a private cryptographic key. The corresponding public key is published as a TXT record in your DNS. When a receiving server processes your email, it retrieves the public key, verifies the signature, and confirms neither the header nor the body was modified in transit.
DKIM addresses a category of attack that SPF cannot stop: an attacker who routes email through one of your authorised sending platforms — by compromising a shared marketing tool account, for example — passes SPF but will fail DKIM if the private signing key is not also compromised. The two protocols are complementary, not redundant.
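The integrity guarantee described above rests on the bh= (body hash) tag of the DKIM-Signature header: the signer hashes a canonicalised copy of the body, and the receiver recomputes that hash from the body it received. The added example below (written for this guide, not code from Bachao.AI or any DKIM library) implements RFC 6376 "relaxed" body canonicalisation and the bh= computation with the standard library only; the sample body, selector and header are constructed, and the b= tag (the RSA signature over the headers) is left empty because producing it needs a private key.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    Runs of spaces/tabs within a line collapse to one space, trailing
    whitespace is dropped, trailing empty lines are removed, and every
    remaining line ends in CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Value of the bh= tag for a=rsa-sha256: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (the DNS record and the header share this syntax)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags


def body_unmodified(signature_header: str, received_body: str) -> bool:
    """Compare the bh= the signer recorded with a hash of the body as received."""
    return parse_tag_list(signature_header).get("bh") == body_hash(received_body)


# Constructed message body and the DKIM-Signature tags a signer would emit for it.
ORIGINAL_BODY = "Please pay INR 4,50,000 to account 1234.\r\n\r\n"
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.in; s=mail2024; "
    "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b="
)

if __name__ == "__main__":
    print("as sent          :", body_unmodified(SIGNATURE_HEADER, ORIGINAL_BODY))
    print("whitespace change:", body_unmodified(SIGNATURE_HEADER, "Please  pay INR 4,50,000 to account 1234.\n"))
    print("account changed  :", body_unmodified(SIGNATURE_HEADER, "Please pay INR 4,50,000 to account 9999.\r\n"))
```

The second check passes on purpose: relaxed canonicalisation tolerates the whitespace and line-ending changes that intermediate mail servers introduce, which is why it is the usual choice. Any change to the content itself, such as the account number in the third check, produces a different hash and the signature fails.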
DMARC: Domain-based Message Authentication, Reporting and Conformance
DMARC is the policy layer that converts SPF and DKIM results into enforceable action. A DMARC record published in DNS tells receiving servers what to do when an email fails alignment checks, and where to deliver aggregate XML reports. The three policy values are:
- p=none — Take no action on failures; collect reports only. This is monitoring mode and is the correct starting point.
- p=quarantine — Route failing emails to the recipient's spam or junk folder.
- p=reject — Block failing emails at the gateway. They never reach the inbox.
How Email Authentication Works End-to-End
The diagram makes clear why all three protocols are necessary. SPF and DKIM catch different failure modes. DMARC applies the action and aggregates the reporting. An email that fails either SPF or DKIM alignment check still reaches the DMARC policy decision node — the outcome depends entirely on which policy level you have published.
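The policy decision node in that flow is small enough to write down. The added example below (written for this guide, not code from Bachao.AI or any DMARC library) takes a published DMARC record, the From-header domain, and the raw SPF and DKIM results with the domains they were obtained for, applies identifier alignment (aspf/adkim, relaxed by default), and returns either "pass" or the disposition the policy requires. It also implements the pct= sampling used later in this guide for the staged move to quarantine. The organisational-domain check is a deliberate simplification (last two labels, labelled as an assumption in the code); real receivers use the Public Suffix List.

```python
def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.

    ASSUMPTION: real DMARC derives this from the Public Suffix List, so that
    'shop.example.co.in' maps to 'example.co.in'; this shortcut only handles
    plain two-label registrations such as yourcompany.in.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' an organisational match."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(record, header_from, spf_result, spf_domain,
                      dkim_result, dkim_domain, roll=0):
    """Return 'pass' when an aligned check succeeded, otherwise the action the
    published policy requires: 'none', 'quarantine' or 'reject'.

    roll stands in for the receiver's random 0-99 draw used to apply pct=;
    messages with roll >= pct get the next-weaker action (RFC 7489 6.6.4).
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"  # unusable record: receivers behave as if none were published
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"].lower()
    if roll >= int(tags.get("pct", "100")):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.in"
    # SPF passed for the bounce subdomain, DKIM absent: relaxed alignment still passes
    print(dmarc_disposition(record, "yourcompany.in", "pass", "bounce.yourcompany.in", "fail", ""))
    # SPF passed only for the bulk provider's own domain, no DKIM: rejected
    print(dmarc_disposition(record, "yourcompany.in", "pass", "bulk.example", "fail", ""))
```

The second call is the case the page warns about: a SaaS sender whose envelope domain is its own passes SPF, yet the message is rejected because neither identifier aligns with the From domain. Enabling DKIM with d=yourcompany.in on that platform is what turns it into a pass.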
The Email Attack Landscape
Understanding which threats your authentication stack actually neutralises helps prioritise configuration effort. Business Email Compromise is the highest-value attack category for adversaries: while phishing emails are sent in bulk to thousands of recipients, a targeted BEC email impersonating a director or CFO requires no malware and no technical exploit — just a convincing sender address and a plausible payment instruction. SPF, DKIM, and DMARC at p=reject directly block both at-scale phishing and BEC emails that impersonate your exact domain.
Source: Approximate distribution by incident volume — FBI IC3 Annual Report 2023 / Verizon DBIR 2024
Want to know whether your domain's SPF, DKIM, and DMARC records are correctly configured right now? Get your free security scan on Bachao.AI — the automated DNS assessment flags misconfigurations and missing records in under a minute.
One gap to note: SPF, DKIM, and DMARC protect your domain. They do not defend against lookalike domain attacks, where an attacker registers yourcompany-in.com or yourcompany.co and sends from there. Those threats require a separate layer of domain monitoring and brand protection.
How to Set Up DMARC, DKIM and SPF in India: Step-by-Step Configuration
All three records are TXT entries added to your domain's DNS zone. The table below shows what each requires, with the recommended configuration and the risk profile of common misconfigurations.
| Protocol | DNS Entry Name | Example Record Value | Key Setting | Risk If Misconfigured |
|---|---|---|---|---|
| SPF | @ root domain | v=spf1 include:_spf.google.com -all | Use -all not ~all | Soft fail lets spoofed emails pass |
| DKIM | selector._domainkey | v=DKIM1; k=rsa; p=<public-key> | 2048-bit minimum key length | Weak keys are vulnerable; DKIM failure = no integrity guarantee |
| DMARC | _dmarc | v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.in | Progress from p=none to p=reject | Jumping to reject without testing breaks legitimate mail flows |
p=reject without first running p=none for at least two to four weeks. In that period, aggregate reports reveal every legitimate sending source — marketing platforms, CRMs, ERP invoicing modules, support ticket systems — that you must authorise in SPF and sign with DKIM before tightening enforcement. Skipping this step causes legitimate transactional and operational emails to be blocked by recipient mail servers, with no bounce notification back to your team.

The recommended rollout sequence:
- Audit every service that sends email using your domain
- Publish SPF with all authorised sender IPs and includes, ending in -all
- Enable DKIM signing in each sending platform; publish public keys to DNS
- Publish DMARC at p=none with a rua (aggregate report) address you monitor
- Analyse reports for two to four weeks using any DMARC report parser
- Fix gaps — add missing senders to SPF, enable DKIM on all platforms
- Advance to p=quarantine and monitor for two more weeks
- Advance to p=reject — full enforcement achieved
Common DMARC, DKIM and SPF Mistakes Indian SMBs Make
Multiple SPF records on one domain. DNS allows only one SPF TXT record per domain name. If your hosting provider created one and you added another, behaviour is undefined — most resolvers evaluate only one, often the wrong one. Merge all include: directives into a single record.
Exceeding the SPF lookup limit. The SPF specification caps DNS lookups at ten per evaluation. Organisations using multiple SaaS email services frequently breach this limit, causing SPF to return a permerror — which DMARC treats as a failure equivalent to a hard fail. SPF flattening tools resolve this by collapsing nested lookups into direct IP ranges.
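Both of these mistakes can be caught before publishing. The added example below (written for this guide, not code from Bachao.AI or any SPF tool) lints a domain's SPF setup against a constructed zone table: it reports duplicate records, a weak or missing terminating all mechanism, and the number of lookup-causing terms, following include: and redirect= recursively so that nested SaaS records are counted the way a receiver would count them. Every domain name and address in FAKE_DNS is an assumption built for the demo.

```python
# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4 (ip4, ip6 and all do not).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone data for the demo; every name here is an assumption.
FAKE_DNS = {
    "clean.example.in": ["v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 -all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # hosting-panel default plus a second record added by hand
    "duplicate.example.in": ["v=spf1 a mx ~all", "v=spf1 include:_spf.mailprovider.example -all"],
    "soft.example.in": ["v=spf1 ip4:203.0.113.10 ~all"],
    # many SaaS senders: 6 lookups at the top level plus nested includes
    "saas-heavy.example.in": [
        "v=spf1 include:crm.example include:helpdesk.example include:marketing.example "
        "include:erp.example mx a -all"
    ],
    "crm.example": ["v=spf1 include:crm-a.example include:crm-b.example -all"],
    "crm-a.example": ["v=spf1 ip4:192.0.2.0/26 -all"],
    "crm-b.example": ["v=spf1 ip4:192.0.2.64/26 -all"],
    "helpdesk.example": ["v=spf1 a mx ip4:192.0.2.128/26 -all"],
    "marketing.example": ["v=spf1 include:m1.example include:m2.example -all"],
    "m1.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "m2.example": ["v=spf1 ip4:198.51.100.128/25 -all"],
    "erp.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}


def spf_records(domain, dns):
    """All v=spf1 TXT records published at domain (there should be exactly one)."""
    return [r for r in dns.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, dns, seen=None):
    """Count lookup-causing terms, following include: and redirect= recursively.

    seen guards against include loops; a real evaluator would return permerror.
    """
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    records = spf_records(domain, dns)
    if len(records) != 1:
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")
        if "=" in term.split(":")[0]:        # modifier such as redirect= or exp=
            modifier, _, target = term.partition("=")
            if modifier.lower() == "redirect":
                total += 1 + count_lookups(target, dns, seen)
            continue
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()    # strip a CIDR suffix such as a/24
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(value, dns, seen)
    return total


def lint_spf(domain, dns):
    """Return a list of human-readable problems with the domain's SPF setup."""
    issues = []
    records = spf_records(domain, dns)
    if not records:
        issues.append("no SPF record published")
    elif len(records) > 1:
        issues.append(f"{len(records)} SPF records published; exactly one is allowed")
    else:
        last = records[0].split()[-1].lower()
        if last in ("~all", "?all"):
            issues.append(f"record ends in {last}: unauthorised senders are not rejected")
        elif last in ("+all", "all"):
            issues.append("record ends in +all: every host on the internet is authorised")
        elif last != "-all" and not last.startswith("redirect="):
            issues.append("record has no terminating all mechanism")
    lookups = count_lookups(domain, dns)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups; the limit is 10 (evaluation returns permerror)")
    return issues


if __name__ == "__main__":
    for domain in ("clean.example.in", "duplicate.example.in", "soft.example.in", "saas-heavy.example.in"):
        print(domain, lint_spf(domain, dns=FAKE_DNS) or ["ok"])
```

The saas-heavy domain shows how the limit is breached without anyone noticing: only six terms are visible in the record you published, but the providers' own nested includes bring the total to twelve. If you flatten such a record into ip4 ranges, re-run the check on a schedule, because a flattened copy goes stale the moment a provider changes its ranges.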
Neglecting DKIM key rotation. Once published, DKIM signing keys are frequently left unchanged indefinitely. Long-lived private keys accumulate exposure risk. Rotate DKIM keys at least annually, and immediately if a sending platform account is compromised.
Ignoring DMARC aggregate reports. Many teams set the rua tag, receive the XML reports, and never parse them. Unmonitored DMARC reports mean misconfigurations and active spoofing attempts go undetected for months. Treat DMARC reports as a continuous feed — even a weekly review reveals trends that require action.
p=none to p=quarantine, add pct=10 to your DMARC record initially. This applies quarantine to only 10% of failing emails, giving you a controlled rollout that limits the impact of any residual misconfiguration. Monitor reports for a week, increase pct incrementally, and remove it entirely once aggregate reports confirm clean alignment across all sending sources.

Closing the Gaps DMARC Reports Surface
DMARC reports frequently reveal that a third-party SaaS tool — an invoice platform, a support helpdesk, an HR onboarding system — is sending email from your domain without DKIM signatures or from an IP not in your SPF record. The resolution is usually a single vendor-side configuration toggle plus one DNS entry. Add their DKIM public key and their sending IP ranges, and the alignment failure disappears from your next report cycle.
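The report review described in the previous two sections does not need a commercial parser to get started. The added example below (written for this guide, not code from Bachao.AI or any DMARC reporting product) parses an aggregate report in the RFC 7489 XML layout with the standard library, classifies each source as aligned, authenticated-but-unaligned (the third-party SaaS case above), or unauthenticated, and totals message volume per class. The report itself, including the reporting organisation, source IPs and counts, is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report in the RFC 7489 Appendix C layout. The
# reporting organisation, IPs and counts are made up for this example.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailprovider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.in</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.in</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.in</domain><result>pass</result></dkim>
      <spf><domain>yourcompany.in</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.45</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.in</header_from></identifiers>
    <auth_results>
      <spf><domain>invoices.saas.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.200</source_ip><count>1500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.in</header_from></identifiers>
    <auth_results>
      <spf><domain>yourcompany.in</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(element, path, default=""):
    node = element.find(path)
    return node.text.strip() if node is not None and node.text else default


def summarise(xml_text):
    """One dict per <record>, classified by what the receiver saw."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        # policy_evaluated holds the aligned results that DMARC acted on
        aligned = {_text(rec, "row/policy_evaluated/dkim"), _text(rec, "row/policy_evaluated/spf")}
        # auth_results holds the raw results, including passes for other domains
        raw_pass = [_text(a, "domain")
                    for a in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
                    if _text(a, "result") == "pass"]
        if "pass" in aligned:
            category = "aligned"
        elif raw_pass:
            category = "unaligned-third-party"  # authenticated, but for a domain that is not yours
        else:
            category = "unauthenticated"        # nothing passed: misconfiguration or spoofing
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "category": category,
            "passing_domains": raw_pass,
        })
    return rows


def volume_by_category(rows):
    """Total message count per category, the number to watch week over week."""
    totals = {}
    for row in rows:
        totals[row["category"]] = totals.get(row["category"], 0) + row["count"]
    return totals


if __name__ == "__main__":
    rows = summarise(SAMPLE_REPORT)
    for row in rows:
        print(row["source_ip"], row["count"], row["category"], row["passing_domains"])
    print(volume_by_category(rows))
```

The second record is the pattern to act on: the invoicing platform passes SPF for its own domain, so it is a legitimate sender that simply needs DKIM enabled with your domain (and its ranges added to your SPF). The third record passes nothing and, at 1,500 messages, is the kind of volume that should prompt a look at who is using your domain. Real reports arrive at the rua mailbox as gzip or zip attachments, so unpack them (Python's gzip or zipfile modules suffice) before passing the XML text to summarise().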
For Indian businesses that process payments or hold customer data, email authentication also intersects directly with compliance obligations. Phishing campaigns that impersonate your brand and harvest customer credentials can trigger data-breach notification requirements under the DPDP Act. A fully enforced DMARC policy materially reduces the likelihood of your domain being weaponised in such campaigns.
Running a free VAPT scan through Bachao.AI — built by Dhisattva AI Pvt Ltd, a DPIIT Recognised Startup — includes automated DNS security checks: SPF, DKIM, and DMARC configuration are evaluated as part of the assessment alongside TLS settings, exposed services, and known vulnerability findings. Browse the Bachao.AI blog for additional guides on securing your infrastructure.
p=reject, your domain is an open template for impersonation — anyone can send email that appears to come from you. Start at p=none to collect reporting visibility, fix every misaligned sending source that surfaces in those reports, then advance through p=quarantine to p=reject. This systematic sequence eliminates the largest class of email-based fraud targeting your brand, your vendors, and your customers.

Frequently Asked Questions
What is the difference between SPF, DKIM, and DMARC?
Can Indian companies configure SPF and DKIM without setting up DMARC?
Does DMARC at p=reject stop all phishing attacks targeting Indian businesses?
p=reject blocks phishing and BEC emails that use your exact domain in the From address — the most direct form of impersonation, and the attack type most commonly reported to CERT-In. It does not stop lookalike domain attacks where an attacker registers a visually similar domain and sends from there. Those require domain monitoring services and user awareness training. DMARC is a necessary foundation, not a complete phishing defence on its own.

How long does it take to implement DMARC, DKIM and SPF in India?
p=reject enforcement in three to six weeks. The timeline is driven by the reporting cycle: DMARC aggregate reports arrive daily, and you need at least two weeks of clean data at each policy level before advancing. Organisations with many third-party SaaS email senders — common in Indian mid-market companies using a mix of GSuite, Zoho, and local ERPs — should allow eight to twelve weeks to identify and authorise every legitimate sending source.

Are DKIM and SPF automatically set up when using Google Workspace for Indian domains?
Is DMARC required for DPDP Act compliance in India?
p=reject is a recognised preventive control that reduces this risk and demonstrates due diligence if a breach investigation occurs.