Email remains the most common initial access vector, and yet email authentication is still deployed half-heartedly at many organisations. Having implemented SPF, DKIM and DMARC alongside Cisco ESA in enterprise environments, here's the approach that works.

The three mechanisms, briefly

Mechanism What it proves Where it lives
SPF This IP may send for the domain DNS TXT record
DKIM This message body wasn't altered Cryptographic signature + DNS
DMARC What to do when SPF/DKIM fail alignment DNS policy record

SPF and DKIM on their own are almost useless against spoofing — a forged From: header passes both if the attacker controls their own domain. DMARC is what ties authentication to the visible sender domain. That alignment check is the whole point.

Roll out in monitor mode first

Never start at p=reject. Start here:

_dmarc.example.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

Then spend weeks — sometimes months — reading the aggregate reports. Every organisation discovers legitimate mail flows nobody remembered:

  • The marketing platform sending as your domain
  • A line-of-business app relaying through a third party
  • That one printer that emails scans directly to the internet

Each one needs SPF includes or DKIM signing arranged before you enforce.

Then ratchet up

Move p=nonep=quarantine (optionally with pct=25 to stage it) → p=reject. At each step, watch the reports for a full business cycle — month-end and quarter-end jobs love to send email from surprising places.

Operational notes

  • Key rotation: rotate DKIM keys on a schedule; use 2048-bit keys.
  • Subdomains: sp= controls subdomain policy — don't leave it open.
  • Inbound: enforcing DMARC on inbound mail (on your ESA or gateway) protects your users from spoofed third parties, not just your brand.
  • Reporting: aggregate (rua) reports are enough; forensic (ruf) reports raise privacy questions and most receivers don't send them anyway.

Done properly, this is one of the highest-leverage, lowest-cost controls in the entire email security stack.