Email remains the most common initial access vector, and yet email authentication is still deployed half-heartedly at many organisations. Having implemented SPF, DKIM and DMARC alongside Cisco ESA in enterprise environments, here's the approach that works.
The three mechanisms, briefly
| Mechanism | What it proves | Where it lives |
|---|---|---|
| SPF | This IP may send for the domain | DNS TXT record |
| DKIM | This message body wasn't altered | Cryptographic signature + DNS |
| DMARC | What to do when SPF/DKIM fail alignment | DNS policy record |
SPF and DKIM on their own are almost useless against spoofing — a forged
From: header passes both if the attacker controls their own domain. DMARC
is what ties authentication to the visible sender domain. That alignment
check is the whole point.
Roll out in monitor mode first
Never start at p=reject. Start here:
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
Then spend weeks — sometimes months — reading the aggregate reports. Every organisation discovers legitimate mail flows nobody remembered:
- The marketing platform sending as your domain
- A line-of-business app relaying through a third party
- That one printer that emails scans directly to the internet
Each one needs SPF includes or DKIM signing arranged before you enforce.
Then ratchet up
Move p=none → p=quarantine (optionally with pct=25 to stage it) →
p=reject. At each step, watch the reports for a full business cycle —
month-end and quarter-end jobs love to send email from surprising places.
Operational notes
- Key rotation: rotate DKIM keys on a schedule; use 2048-bit keys.
- Subdomains:
sp=controls subdomain policy — don't leave it open. - Inbound: enforcing DMARC on inbound mail (on your ESA or gateway) protects your users from spoofed third parties, not just your brand.
- Reporting: aggregate (
rua) reports are enough; forensic (ruf) reports raise privacy questions and most receivers don't send them anyway.
Done properly, this is one of the highest-leverage, lowest-cost controls in the entire email security stack.