Email Security Control Best Practices: What Is DMARC, SPF, and DKIM Do—and Where They Fall Short

Why Email Remains the #1 Attack Vector

Email continues to be the most effective and widely used entry point for cyberattacks. Industry data consistently shows that the vast majority of successful breaches begin with an email, whether it's a phishing message, a business email compromise (BEC) attempt or a malware-laden attachment. According to recent FBI reporting, BEC attacks alone account for billions of dollars in annual losses, underscoring just how costly email-based threats can be.

The reason email remains so effective isn't a lack of security controls. It's the opposite. Organizations have invested heavily in filtering, authentication and detection technologies, but attackers have shifted their approach to target the one layer that's hardest to secure: people.

The human factor is now the primary vulnerability. Employees operate in fast-paced environments, processing hundreds of emails a day. That creates the perfect conditions for attackers to exploit trust, urgency and routine workflows.

Compounding the problem is the increasing sophistication of attacks. Generative AI has made it easier to produce convincing phishing emails at scale, eliminating the grammatical errors and awkward phrasing that once served as red flags. At the same time, attackers continue to use domain spoofing, lookalike domains and advanced social engineering techniques to make malicious emails indistinguishable from legitimate ones.

This is the environment in which email security controls like DMARC, SPF, and DKIM operate. They are essential, but they are not enough on their own.

Understanding Core Email Security Controls and Authentication Protocols

Before diving into their limitations, it's important to understand what DMARC, SPF and DKIM are designed to do. These protocols form the foundation of modern email authentication. They help verify that emails are associated with legitimate domains and reduce the risk of direct domain spoofing.

However, they are only foundational controls and not comprehensive security solutions, never intended to stop all forms of phishing or social engineering.

What Is SPF (Sender Policy Framework)?

SPF is an email authentication method that verifies whether a sending mail server is authorized to send emails on behalf of a specific domain. It works by checking the sender's IP address against a list of approved IP addresses published in the domain's DNS records.

When an email is received, the receiving server looks up the SPF record for the domain and determines whether the sending server is allowed. If it is, the message passes SPF. If not, it fails.

The strength of SPF lies in its ability to prevent unauthorized systems from sending emails that appear to come directly from your domain. This makes it an effective control against basic spoofing attempts.

However, SPF has limitations. It can break in legitimate scenarios such as email forwarding, where the forwarding server is not included in the original domain's SPF record. It also does not validate the integrity or content of a message, meaning it cannot determine whether the email itself is malicious. Additionally, SPF is easily bypassed by attackers who use lookalike domains that they control and configure properly.

What Is DKIM (DomainKeys Identified Mail)?

DKIM takes a different approach by using cryptographic signatures to verify email authenticity. When an email is sent, the sending server attaches a digital signature using a private key. The receiving server then uses the corresponding public key—published in the domain's DNS records—to verify that the message has not been altered and is associated with the sending domain. This ensures message integrity. If any part of the email is modified in transit, the signature will fail validation.

DKIM's strength is its ability to confirm that the message has not been tampered with. However, it does not confirm whether the sender is trustworthy or whether the message is safe. A phishing email can be properly signed and still pass DKIM validation without issue.

What Is DMARC (Domain-based Message Authentication, Reporting & Conformance)?

DMARC builds on SPF and DKIM by adding policy enforcement and reporting capabilities. It allows domain owners to specify how receiving systems should handle emails that fail authentication checks, whether to do nothing (none), send them to spam (quarantine) or reject them outright.

In addition to enforcement, DMARC provides visibility through reporting. Organizations receive feedback on how their domains are being used, including information about authentication failures and potential abuse.

When properly implemented, DMARC is highly effective at preventing direct domain spoofing and improving visibility into email activity. It also strengthens trust in outbound email communications.

However, DMARC has important limitations. It does not protect against lookalike or typosquatted domains. It cannot stop attacks originating from compromised accounts. And it does nothing to prevent social engineering tactics that rely on deception rather than spoofing. It also requires careful configuration and ongoing management. Misconfigurations are common and can weaken its effectiveness.

The Gaps: What DMARC, SPF and DKIM Don't Protect Against

While these authentication protocols are valuable, they leave significant gaps that attackers actively exploit.

One major gap is display name spoofing. Email authentication does not validate the "Friendly From" field (the display name users see in their inbox). Attackers can impersonate executives or colleagues using trusted names while sending from unrelated domains that still pass authentication.

Lookalike or cousin domains are another common tactic. Attackers register domains that closely resemble legitimate ones and configure authentication correctly. These emails pass SPF, DKIM and DMARC checks, even though the domain itself is fraudulent.

Business Email Compromise attacks often bypass authentication entirely. Instead of spoofing a domain, attackers rely on social engineering by using context, timing and persuasion to trick recipients into taking action.

Account takeover attacks present another challenge. When a legitimate account is compromised, any email sent from that account will pass authentication checks by default.

Malicious links and attachments also fall outside the scope of authentication. DMARC does not analyze URLs or files, meaning it cannot detect payload-based threats.

Finally, AI-generated phishing emails have raised the bar for realism. These messages are often well-written, contextually relevant and highly convincing, thereby making them difficult for both users and traditional controls to detect.

Ultimately, authentication does not equal intent verification. Just because an email passes authentication does not mean it is safe.

Why Attackers Still Win: The Human Layer

At the end of the day, email attacks succeed or fail based on human decisions. The user is the final control point.

Attackers understand this and design their campaigns accordingly. They exploit cognitive overload, knowing that employees are processing large volumes of information under time pressure. They leverage trust by impersonating familiar names and brands and create urgency to push users into acting quickly without verifying.

Real-world phishing emails often pass all technical checks and still succeed because they look legitimate and align with expected workflows. An invoice request from a "vendor," a password reset notification, or a message from "IT support" can all appear routine.

This is where human risk management (HRM) becomes critical. Instead of treating users as a weak link, organizations must actively measure and improve user behavior. Understanding how employees interact with threats, and where risky behaviors occur, allows organizations to reduce the likelihood of successful attacks.

Moving Beyond Authentication: A Layered Email Security Strategy

To effectively reduce email risk, organizations need to move beyond a single-control mindset and adopt a layered strategy that combines technical defenses with human-focused risk reduction. Authentication protocols like DMARC, SPF and DKIM establish a necessary foundation, but they don't evaluate intent, context or user behavior. That's where additional layers come into play.

A mature email security program doesn't rely on any one control to "solve" phishing. Instead, it integrates prevention, detection, response and behavioral reinforcement into a continuous cycle. The goal is not just to stop more threats at the gateway, but to reduce the likelihood that any threat results in a costly mistake.

At the center of this strategy is a shift in thinking: from blocking emails to managing risk across both technology and people.

Security Awareness Training

Modern security awareness training (SAT) has evolved significantly from the compliance-driven programs of the past. Annual training modules and checkbox exercises are no longer sufficient in a threat landscape where attacks are dynamic, personalized, and often indistinguishable from legitimate business communication.

Today's effective SAT programs are designed around behavior change, not just knowledge transfer.

Rather than simply telling users what phishing looks like, modern training immerses them in realistic scenarios that mirror the types of attacks they are most likely to encounter. Phishing simulations play a central role here, exposing users to lookalike domains, impersonation attempts, credential harvesting pages and urgent business requests in a controlled environment.

This experiential approach matters. People don't build strong security instincts by reading policies, they build them through repetition, feedback and real-world context. When users interact with simulated threats and receive immediate guidance, they begin to recognize patterns, question suspicious requests and slow down decision-making at critical moments.

Over time, this leads to measurable improvements in behavior. Organizations can track key indicators such as:

• Reduced click rates on phishing simulations
• Increased reporting of suspicious emails
• Faster response times when threats are identified

These metrics provide more than just visibility—they create accountability and allow organizations to identify where risk is concentrated.

Equally important is personalization. Not all users carry the same level of risk, and not all roles face the same types of threats. Finance teams may be targeted with invoice fraud, executives with impersonation attacks and IT staff with credential harvesting campaigns. Effective SAT programs tailor training based on role, behavior and risk level, ensuring that reinforcement is relevant and impactful.

Another critical component is continuous education. Threats evolve quickly, and attackers constantly refine their tactics. A one-time training session, or even an annual requirement, cannot keep pace. Instead, training must be ongoing, adaptive and integrated into the employee experience. Short, frequent touchpoints combined with real-time coaching when risky behavior is detected, reinforces good habits without overwhelming users.

Ultimately, the goal of SAT is not just to reduce clicks. It's to build a workforce that can act as an active detection and response layer—that recognizes suspicious activity, reports it quickly and helps stop attacks before they spread. This is essential in a landscape where many phishing emails pass technical controls.

Cloud Email Security Platforms

Cloud email security platforms play a critical role in closing the gaps left by authentication protocols. While DMARC, SPF and DKIM validate domain ownership, they do not analyze the content, context or behavior of an email. Cloud email security solutions are designed to address this problem by identifying malicious intent even when an email appears technically legitimate.

Unlike traditional secure email gateways, which primarily inspect messages before delivery, modern cloud email security platforms often use API-based integrations with platforms like Microsoft 365. This approach provides deeper visibility into the email environment, allowing security teams to analyze messages before, during and after delivery. It also enables continuous monitoring, rather than a single inspection point at the gateway.

This distinction matters. Many modern attacks are designed to evade perimeter defenses or weaponize content after delivery. API-based solutions are better positioned to catch these threats because they operate inside the environment where users interact with email.

At a functional level, these platforms bring several advanced detection and response capabilities:

• Content and payload analysis is a core component. Cloud email security platforms inspect email bodies, headers, links and attachments to identify indicators of compromise. This includes detecting phishing language patterns, suspicious formatting and mismatches between displayed and actual URLs.
• URL rewriting and click-time protection add another critical layer. Instead of simply scanning links at the time of delivery, these systems rewrite URLs and analyze them when a user clicks. This is important because attackers often use delayed weaponization, where a benign link becomes malicious hours or days after the email is delivered. Click-time analysis ensures that threats can still be blocked even after they initially bypass detection.
• Attachment sandboxing provides protection against file-based threats. Suspicious attachments are detonated in a secure, isolated environment where their behavior can be analyzed. If the file attempts to execute malicious actions, such as installing malware or reaching out to command-and-control servers, it can be blocked before causing harm.
• AI-driven anomaly detection enhances the ability to identify sophisticated attacks. By analyzing patterns in communication, such as who typically emails whom, how often and in what tone, these systems can flag unusual activity. For example, an email requesting a wire transfer from an executive account at an unusual time or with atypical language can trigger an alert, even if it passes authentication checks.
• Internal threat detection is another key advantage. Traditional defenses often focus on inbound email, but many attacks originate from within the environment after an account has been compromised. API-based platforms can identify suspicious lateral movement, such as phishing emails sent from one internal user to others, helping contain threats before they spread.

These platforms also enable post-delivery remediation, which is essential in today's threat landscape. If a malicious email is discovered after it reaches inboxes, security teams can automatically remove it across all affected users. This significantly reduces dwell time and limits the impact of successful phishing attempts.

In addition to detection and response, cloud email security solutions provide valuable visibility and intelligence. Security teams gain insights into attack patterns, user behavior and emerging threats targeting their organization. This data can be fed back into training programs and policy decisions, creating a continuous improvement loop.

Ultimately, cloud email security platforms extend protection beyond what authentication can offer. They focus not just on where an email comes from, but on what it does, how it behaves, and whether it poses a risk to the organization. In an environment where many malicious emails pass DMARC checks, this level of analysis is essential for identifying and stopping modern threats.

The HRM Approach

At its core, HRM treats human risk the same way organizations treat technical risk. It is identified, measured, prioritized and actively managed. Instead of viewing users as a generalized "weak link," HRM recognizes that risk varies across individuals, roles and behaviors—and that it can be improved with the right data and interventions.

The first step in an HRM approach is visibility. Organizations need to understand how employees are interacting with email threats in real-world conditions. This goes beyond simple phishing simulation results. It includes analyzing patterns such as who is clicking on links, who is entering credentials, who is reporting suspicious emails, and how quickly those reports are submitted.

These behavioral signals provide a much clearer picture of where risk actually exists. For example, two users may both complete the same training, but one consistently clicks on phishing simulations while the other reliably reports them. From a compliance standpoint, they look identical. From a risk standpoint, they are not.

Once this data is available, organizations can move to risk segmentation. Users can be grouped based on their behaviors, roles and exposure levels. High-risk users can be prioritized because they are both more targeted and more impactful if compromised. Similarly, users who demonstrate risky behaviors can be identified for additional support. This leads to one of the most important elements of HRM: personalization.

Rather than delivering the same training to everyone, HRM enables targeted interventions based on actual behavior. A user who struggles with identifying phishing links might receive focused training on URL analysis. Someone who fails simulations involving impersonation attacks might receive additional coaching on verifying sender identity and handling urgent requests.

This approach is not about punishing users but rather meeting them where they are and helping them improve in the areas that matter most.

Another critical component is continuous monitoring and reinforcement. Human behavior is not static. It changes over time based on experience, workload and evolving threats. HRM programs continuously track key metrics such as click rates, reporting rates, time-to-report and repeat susceptibility.

These metrics create a closed feedback loop. Training influences behavior, behavior generates data and that data informs the next round of training and controls. Over time, this loop drives measurable improvement, reducing both the likelihood and impact of successful attacks.

Importantly, HRM also integrates with broader security operations. For example, users who consistently report suspicious emails can become an early warning system for emerging threats. High-risk users can be prioritized for additional protections, such as stricter access controls or enhanced monitoring. Behavioral data can also inform policy decisions, helping organizations align security controls with real-world risk.

HRM also helps organizations move from reactive to proactive security. Instead of waiting for an incident to occur, teams can identify risky patterns early and intervene before those behaviors lead to compromise. This shift is critical in a landscape where attackers are constantly adapting and exploiting human decision-making.

Ultimately, HRM bridges the gap between technical controls and human behavior. It acknowledges that even the best technology cannot stop every threat, and that people will always play a role in security outcomes. By making human risk measurable and manageable, organizations can transform users from a potential vulnerability into a resilient, adaptive layer of defense.

How These Layers Work Together

Effective email security isn't built on a single control but rather on how multiple controls work together. A true defense-in-depth model integrates authentication, detection, response and human behavior into a continuous, reinforcing system. Each layer addresses a different failure point, and more importantly, each layer assumes that another layer will eventually miss something. That assumption is critical because in modern environments, something always gets through.

At the foundation are authentication protocols like SPF, DKIM and DMARC. These establish trust at the domain level by verifying that an email is associated with the domain it claims to be from. They reduce direct domain spoofing, protect brand integrity and provide visibility into how domains are being used or abused. However, they do not assess whether a message is malicious. They answer "Is this from this domain?"—not "Should this be trusted?"

That's where the next layer comes in.

Cloud email security platforms build on that foundation by analyzing the content, context and behavior of emails. They inspect links, attachments, headers and communication patterns to identify threats that pass authentication. This includes phishing emails sent from lookalike domains, compromised accounts or trusted third-party services. These platforms also operate continuously—before delivery, at the time of user interaction, and after delivery—to ensure that threats can be detected even if they evolve over time.

But detection alone isn't enough. Speed matters.

That's why response mechanisms are a critical layer in the model. When a threat is identified, whether by automated systems or reported by a user, organizations need the ability to act quickly and at scale. This includes capabilities like automated email removal from inboxes, alert prioritization and incident triage. User-reported emails feed directly into this process, turning individual observations into organization-wide protection. A single reported phishing email can trigger analysis and remediation across thousands of inboxes within minutes.

This is where the human layer becomes a force multiplier.

Security awareness training and HRM transform users from passive recipients into active participants in security. Trained users are more likely to recognize suspicious emails, avoid risky actions and report threats quickly. HRM takes this further by measuring user behavior and using that data to continuously improve outcomes.

The interaction between these layers is what creates real resilience. For example, an attacker may send a phishing email from a properly authenticated domain. Authentication allows it through. A cloud email security platform may flag it as suspicious but not definitively malicious, allowing it to reach the inbox with a warning. A trained user notices something unusual and reports it. That report triggers automated analysis, confirms the threat and initiates remediation—removing the email from other inboxes and updating detection models to prevent similar attacks.

In this scenario, no single layer "stopped" the attack. But together, they prevented it from becoming a breach.

This layered approach also creates a feedback loop. Data from detection systems informs training, user behavior informs risk scoring and policy adjustments, and incident response outcomes improve future detection. Over time, the system becomes more adaptive, more responsive, and more effective.

Email Security Control Best Practices for Organizations

Organizations that successfully reduce email risk don't rely on a single control or periodic initiative. They take a holistic, programmatic approach that aligns technology, processes and human behavior. The goal isn't just to deploy tools—it's to create a system that continuously reduces the likelihood and impact of email-based threats.

A strong starting point is fully implementing and enforcing DMARC. Many organizations stop at monitoring (p=none), which provides visibility but no protection. Moving to quarantine and ultimately reject policies (once SPF and DKIM are properly aligned) prevents attackers from directly spoofing your domain. This process should be deliberate and phased, with careful validation of legitimate senders to avoid disrupting business operations. DMARC reporting should be actively reviewed, not ignored, as it provides critical insight into unauthorized use of your domains and potential attack patterns.

Alongside DMARC, organizations need to regularly audit SPF and DKIM configurations. These controls are only as effective as their implementation. Over time, environments change as new vendors are added, services are deprecated and IP ranges shift. Without regular audits, SPF records can become overly permissive or outdated, and DKIM keys can expire or be misaligned. Routine reviews help ensure that only authorized senders are included, cryptographic keys are valid and alignment requirements are consistently met.

However, authentication alone is not enough. Organizations should deploy cloud-native email security platforms to add advanced detection and response capabilities. These solutions provide visibility into message content, user behavior and post-delivery threats that authentication cannot address. They also enable faster remediation, allowing security teams to remove malicious emails from inboxes after they've been delivered—which is an essential capability in today's threat landscape.

Equally important is investing in continuous security awareness training. Employees are a primary target for attackers, which makes them a critical line of defense. Training should be ongoing, relevant, and behavior-focused, using real-world simulations to reinforce safe decision-making. Programs should go beyond generic content and adapt to the specific risks users face based on their roles and behaviors.

To make training truly effective, organizations need to measure and manage human risk. This means tracking how users interact with email threats—whether they click, ignore or report suspicious messages—and using that data to guide improvements. High-risk users can receive targeted training, while strong performers can reinforce positive behaviors. Over time, this creates a feedback loop that continuously strengthens the organization's human layer.

Another key best practice is to make reporting suspicious emails simple and accessible. The faster users can report potential threats, the faster security teams can investigate and respond. One-click reporting mechanisms integrated directly into the email client reduce friction and increase participation. When reporting is easy, it becomes part of the workflow rather than an afterthought.

Organizations should also integrate detection and response processes to reduce dwell time. Automated workflows that analyze reported emails, prioritize threats and initiate remediation help contain attacks before they spread. This includes removing malicious messages from all affected inboxes, blocking related indicators, and feeding intelligence back into detection systems.

Access control is another important consideration. Applying the principle of least privilege limits the potential impact of a compromised account. Combined with strong authentication measures like multi-factor authentication (MFA), this reduces the likelihood that stolen credentials can be used to escalate attacks.

Finally, organizations should treat email security as a continuous improvement process, not a one-time deployment. Threats evolve, user behavior changes, and business environments shift. Regular assessments, testing, and adjustments are necessary to maintain effectiveness. This includes reviewing metrics, updating policies, and refining both technical and human-focused controls.

Individually, each of these practices adds value. But their real strength comes from how they work together. When implemented as part of an integrated strategy, they create a layered defense that is far more resilient than any single control on its own.

Conclusion: From Technical Controls to True Risk Reduction

DMARC, SPF, and DKIM are essential components of modern email security. They play a critical role in preventing domain spoofing and improving trust in email communications.

But they are not a complete solution.

Attackers have adapted by using authenticated domains, compromising legitimate accounts, and relying on social engineering to bypass technical controls. As a result, organizations must move beyond authentication and adopt a broader approach.

The future of email security lies in combining technical defenses with human risk management. It requires not only securing systems, but also empowering people to make better decisions.

Because in today's threat landscape, real security isn't just about stopping bad emails. It's about reducing the risk that any email—no matter how convincing—can succeed.