How SPF and DMARC can help against Spam and Phishing attacks

Mathijs Baas
  • about 2 years ago

Phishing attacks and email spam are among the most common methods cyber criminals use to get inside a network. If a single employee clicks on a malicious email attachment, ransomware and viruses can get installed and harvest your sensitive information.

Phishing and spam are so common that most people have been affected. Many people do manual checks to verify the trustworthiness of these messages: they try to identify the sender and check whether the message was sent from a domain they would expect it to come from. For example, if you receive a message about upgrading your Excel software, you would expect it to come from a domain that ends with Unfortunately, if the owner of the domain doesn't take the right precautions, messages from that domain can be sent by spammers and hackers. Such spam is much harder to identify as fraudulent. This is the exact problem we look into in this post.

SPF and DMARC protect a domain

There are two protocols a domain owner can use to prevent this from happening: SPF and DMARC.

  • SPF stands for Sender Policy Framework. It is in essence an email authentication protocol in which a domain owner specifies which servers are used to send out email for the domain. The receiving mail server checks this and, if the sending server doesn't match, it won't deliver the email or will deliver it with a warning message.
  • DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It works on top of SPF, and you can use it to instruct receiving mail systems what to do with messages that fail SPF checks. In a nutshell: SPF works without DMARC (although with limitations), but DMARC doesn't work on its own; it needs SPF.
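As an added illustration (not code from the original post), the following Python snippet models the receiver side of both protocols: it evaluates a domain's SPF record against the connecting IP address, then reads the domain's DMARC policy to decide what to do with an SPF failure. The DNS records are constructed in-memory sample data, the hostnames are placeholders, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed DNS TXT data for a hypothetical domain (assumed values, not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookups=0):
    """Simplified SPF check: supports the ip4, ip6, include and all mechanisms."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the domain publishes no SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include":
            if lookups >= 10:
                return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
            if check_spf(value, sender_ip, lookups + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record ends without an "all" term


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if it has none."""
    record = DNS_TXT.get("_dmarc." + domain)
    if record is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p") if tags.get("v") == "DMARC1" else None


def disposition(domain, sender_ip):
    """What a receiver does with mail claiming to be from domain, sent by sender_ip."""
    spf = check_spf(domain, sender_ip)
    if spf == "pass":
        return "deliver"
    policy = dmarc_policy(domain)
    if policy in ("reject", "quarantine"):
        return policy  # DMARC tells the receiver what to do with the SPF failure
    return "deliver (no enforcing DMARC policy; receiver decides)"
```

A real receiver also evaluates DKIM and the DMARC alignment rules, which this model leaves out.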

In our data, we can see that these protocols are popular. Of the approximately 276 million websites surveyed for this research, 69% have implemented SPF. However, we also identify around 85 million domains that don't leverage this basic protection, leaving ample room for improving security.

Pie chart: number of unique domains that are and are not using SPF or DMARC. 69% of the domains use SPF or DMARC, 31% do not.
31% of unique domains are not protected against phishing and email spam by an SPF or DMARC record.

What can be done to close this security gap?

Registrars could automatically check whether all domains in their portfolio have an SPF record and notify the owners of those that don't, so that they implement one. Furthermore, we believe governments should play an important role by making the use of SPF mandatory.
