Email Security Beyond Spam Filters: DMARC, DKIM, SPF, and Phishing Prevention
Why Spam Filters Are Not Enough for Los Angeles Businesses
Spam filtering is still useful, but it only catches part of the threat landscape. Modern phishing attacks often pass basic content checks by impersonating trusted vendors, clients, and executives. In Los Angeles, fast-moving teams in real estate, logistics, legal, healthcare, and media are frequent targets. Attackers exploit urgent payment requests, wire changes, payroll updates, and “sent from iPhone” style social engineering. The control gap is simple: spam filters analyze messages, while domain authentication verifies sender legitimacy. SPF, DKIM, and DMARC close that gap and reduce business email compromise risk. They also improve deliverability for legitimate mail, including invoices, proposals, and appointment reminders.
SPF: Define Who Can Send Mail for Your Domain
SPF (Sender Policy Framework) publishes which servers are allowed to send mail for your domain. Receivers compare the sending server IP to your SPF DNS record. If a service is missing from SPF, legitimate mail can be marked suspicious or rejected. If SPF is too permissive, attackers can spoof your domain more easily. Best practices for SPF:
- Include only approved platforms such as Microsoft 365, Google Workspace, CRM, ticketing, and marketing tools.
- Keep one SPF record per domain and use include: mechanisms carefully.
- End with -all once you are confident every sender is accounted for.
- Revisit SPF whenever a new SaaS tool sends mail on your behalf.
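The checks above (one record, a terminal -all, a manageable number of lookups) can be turned into an offline lint. This is an added example, not the article's own tooling; it inspects the published record text only and does not resolve include: targets, so the lookup count it reports covers top-level terms (receivers recurse, so the real count is at least this high).

```python
"""Offline lint for a domain's SPF TXT records (added example)."""
import re

MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms per evaluation
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def mechanism_name(term):
    """Strip the qualifier and argument: '~include:x.com' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def lint_spf(txt_records):
    """Return findings (an empty list means clean) for a domain's TXT records."""
    findings = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Two v=spf1 records make receivers return permerror, which fails DMARC.
        findings.append(f"error: expected exactly one v=spf1 record, found {len(spf)}")
        if not spf:
            return findings
    terms = spf[0].split()[1:]
    names = [mechanism_name(t) for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_MECHS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"error: {lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS}")
    if "ptr" in names:
        findings.append("warning: ptr mechanism is deprecated and expensive for receivers")
    if "all" in names and names.index("all") != len(names) - 1:
        findings.append("warning: terms after 'all' are never evaluated")
    if "all" not in names:
        if "redirect" not in names:
            findings.append("error: no terminal 'all'; unknown senders get a neutral result")
        return findings
    all_term = terms[names.index("all")]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "~":
        findings.append("warning: '~all' (softfail); move to '-all' once every sender is listed")
    elif qualifier != "-":
        findings.append(f"error: '{qualifier}all' lets any server send as this domain")
    return findings


if __name__ == "__main__":
    # Constructed record set for a domain using Microsoft 365 plus Google Workspace.
    sample = ["v=spf1 include:spf.protection.outlook.com include:_spf.google.com "
              "ip4:203.0.113.10 -all", "site-verification=abc123"]
    print(lint_spf(sample) or "clean")
```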
DKIM: Prove Messages Were Not Altered
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound messages. The private key signs the email; the public key in DNS lets recipients validate it. A valid DKIM signature confirms the message content was not modified in transit. It also ties the message to an authenticated sending domain. Best practices for DKIM:
- Enable DKIM on every platform that sends as your domain, not just your primary mailbox provider.
- Use 2048-bit keys where supported.
- Rotate keys on a defined cadence and after major vendor changes.
- Remove unused selectors to reduce confusion and risk.
DMARC: Enforce Policy and Gain Visibility
DMARC tells receiving servers how to handle SPF/DKIM failures and where to send reports. Without DMARC, spoofed messages can still reach inboxes even if SPF or DKIM fails. DMARC policies progress from monitoring to enforcement:
- p=none for report-only visibility.
- p=quarantine to route suspicious mail to spam.
- p=reject to block unauthenticated spoofed mail.
Start with none, fix legitimate failures, then move to quarantine and reject in phases. Include both aggregate (rua) and forensic (ruf, if supported) reporting mailboxes.
Alignment: The Technical Detail Most Teams Miss
DMARC passes only when SPF or DKIM aligns with the visible From domain.
Example: mail sent from [email protected] should authenticate as yourcompany.com.
If a third-party system signs with its own domain, DMARC can fail even when mail is legitimate.
Alignment is why “we enabled SPF and DKIM” is not the same as “we are protected.”
During onboarding, require vendors to document exactly how their sender domain aligns.
Test with real workflows: invoices, HR notices, calendar invites, forms, and marketing blasts.
Fixing alignment early prevents outages when you tighten DMARC policy.
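The policy tags from the DMARC section and the alignment rule from this section come together in the receiver's decision for one message. The following is an added example, not code from the article: it parses a DMARC record, checks whether the SPF (MAIL FROM) domain or a verified DKIM d= domain aligns with the visible From domain under the record's aspf/adkim modes, and returns the disposition that would apply. It assumes the record belongs to the organizational domain and approximates that domain as the last two labels (a real receiver uses the Public Suffix List).

```python
"""DMARC record parsing and identifier-alignment evaluation (added example)."""


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags


def org_domain(domain):
    """Approximation of the organizational domain (assumes two-label suffix)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the MAIL FROM (Return-Path) domain; dkim_domain is the d=
    value of a signature that verified. DMARC passes when either authenticated
    identifier both passed and aligns with the visible From domain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    # A From: subdomain falls under sp= when present, otherwise p=.
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return False, policy


if __name__ == "__main__":
    # Constructed record and a vendor that signs with its own domain.
    rec = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourcompany.com"
    print(evaluate(rec, "yourcompany.com", "bounce.vendor.example", True,
                   "vendor.example", True))  # legitimate mail, but not aligned
```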
Phishing Prevention Beyond DNS Records
SPF, DKIM, and DMARC reduce spoofing, but attackers also compromise real accounts. Effective phishing prevention layers people, process, and technical controls:
- Enforce MFA everywhere, especially email admin roles and finance approvers.
- Block impossible travel sign-ins and legacy authentication protocols.
- Require out-of-band verification for payment changes and sensitive data requests.
- Add banner warnings for external senders and lookalike domains.
- Run short, recurring phishing simulations with targeted coaching for repeat failures.
- Deploy mailbox threat detection for QR phishing, thread hijacking, and credential theft links.
A Practical 90-Day Rollout for LA SMBs
Week 1-2: inventory all services that send email as your domain.
Week 3-4: correct SPF and enable DKIM on each sender platform.
Week 5-6: publish DMARC at p=none and start collecting reports.
Week 7-8: remediate alignment failures and remove unauthorized senders.
Week 9-10: move to p=quarantine for lower-risk subdomains first.
Week 11-12: enforce p=reject on primary domains once false positives are resolved.
For multi-location teams across Los Angeles and Orange County, assign one owner for DNS and one for incident response.
Document emergency rollback steps before each policy change.
What to Monitor Monthly to Keep Protection Strong
Track DMARC pass rates by source and investigate any sudden drop. Review newly added SaaS tools before marketing or operations teams start sending mail. Audit inactive mailboxes, forwarding rules, and shared inbox permissions. Validate executive and finance impersonation attempts in your secure email gateway logs. Re-run phishing exercises after major staffing changes or seasonal hiring spikes. Treat email security as an operating discipline, not a one-time setup. Strong authentication plus user-aware controls lowers both fraud risk and operational disruption. Need help hardening your domain and reducing phishing exposure? We Solve Problems can design, implement, and manage an email security program built for Los Angeles businesses.