The CW Corner – SPF, DKIM, DMARC Explained in Under 3 Minutes (Why Your Business Email Needs All Three)


Think your business emails are secure? Think again. Every day, cybercriminals send millions of fake emails pretending to be from legitimate businesses. Without proper email authentication, your company name could be next.

Here's the scary truth: anyone can send an email that appears to come from your domain. Your customers won't know the difference until it's too late. That's where SPF, DKIM, and DMARC come in.

These three protocols work like a security team for your email. Each one handles a different job, and you need all three to properly protect your business reputation.

What Is SPF (Sender Policy Framework)?

SPF acts like a bouncer at an exclusive club. It tells the world exactly which mail servers are allowed to send emails on behalf of your domain.

When you set up SPF, you're essentially creating a list that says "These servers, and only these servers, can send emails from mydomain.com." Any email claiming to be from your domain but sent from an unauthorized server gets flagged as suspicious.

Here's how it works in practice. Let's say someone tries to send a fake email from your domain using their personal Gmail account. The receiving email server checks your SPF record and sees that Gmail isn't on your approved list. Red flag raised.


But SPF has one major weakness: email forwarding breaks it completely. When someone forwards your legitimate email to another address, the forwarding server becomes the new sender. Since that server isn't on your SPF list, the email fails authentication even though it's genuine.

That's why SPF alone isn't enough. You need backup.

Understanding DKIM (DomainKeys Identified Mail)

DKIM works like a tamper-proof seal on a package. Every email gets a unique digital signature that proves two things: the message came from an authorized server, and nobody changed the content during delivery.

Think of DKIM as invisible ink that only special equipment can read. Your mail server adds this signature using a private key that only you control. The receiving server uses a public key (stored in your DNS records) to verify the signature.

If someone intercepts your email and changes even one character, the signature breaks. The receiving server immediately knows something fishy happened.

Unlike SPF, DKIM survives email forwarding because the signature travels with the message. But DKIM has its own blind spot: it doesn't check if the "From" address matches the domain that signed the email.

A scammer could send an email that appears to come from your domain in the "From" field while actually signing it with their own domain's DKIM key. The signature would be valid, but the email would still be fake.

DMARC: The Missing Link

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the quarterback that makes SPF and DKIM actually work together effectively.

DMARC connects the dots by checking something called "alignment." It verifies that the domain in the "From" address matches the domain that passed SPF or DKIM authentication.

But DMARC's real power lies in policy enforcement. You tell DMARC exactly what to do when an email fails authentication:

  • None: Just monitor and report (perfect for testing)
  • Quarantine: Send suspicious emails to spam folders
  • Reject: Block fake emails completely

DMARC also sends you detailed reports about who's sending emails using your domain. These reports help you catch both legitimate configuration issues and malicious activity.


How the Three Work as a Team

Think of email authentication like airport security. You need multiple checkpoints to catch different types of threats.

When an email arrives, the receiving server performs this security screening:

  1. SPF Check: Is this email coming from an authorized server?
  2. DKIM Check: Is the digital signature valid and unaltered?
  3. DMARC Check: Do the domains align properly, and what should I do if they don't?

DMARC requires that at least one of the other protocols (SPF or DKIM) passes AND shows proper alignment. If both fail, DMARC policies kick in to protect the recipient.

This layered approach covers all the bases. Even if SPF breaks due to forwarding, DKIM can still authenticate the email. If DKIM fails for some reason, SPF might still pass.
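The screening steps above, worked through in code. This is an added example, not code from the original article: the SPF and DKIM results are taken as inputs (they come from the receiving server's own checks), and only the DMARC record parsing, alignment and policy decision are implemented. The "organizational domain" for relaxed alignment is approximated as the last two DNS labels, a simplification of what real receivers do with the Public Suffix List; domain names in the scenarios are constructed.

```python
"""Simulate the receiver-side DMARC decision: does an aligned SPF or DKIM
pass exist, and if not, which policy action (p=) applies?"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=r' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags["p"] = tags.get("p", "none").lower()  # default policy is monitor-only
    tags.setdefault("adkim", "r")               # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")                # relaxed SPF alignment unless stated
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): the last two labels stand in for the
    # organizational domain; real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header the user sees
    spf_pass: bool     # did the sending server's IP pass SPF?
    spf_domain: str    # domain SPF was evaluated against (envelope MAIL FROM)
    dkim_pass: bool    # did a DKIM signature verify?
    dkim_domain: str   # the d= domain of the verified signature


def dmarc_disposition(results: AuthResults, record_txt: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject')."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = results.spf_pass and aligned(results.from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_pass and aligned(results.from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:      # one aligned pass is enough
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # Constructed scenario 1: a forwarded message. SPF fails (forwarder's
    # server), but the DKIM signature still verifies and aligns -> pass.
    forwarded = AuthResults("mydomain.com", False, "forwarder.example", True, "mydomain.com")
    print("forwarded:", dmarc_disposition(forwarded, "v=DMARC1; p=reject"))
    # Constructed scenario 2: From: says mydomain.com, but SPF and DKIM both
    # authenticate the sender's own domain -> neither aligns -> policy applies.
    spoofed = AuthResults("mydomain.com", True, "attacker.example", True, "attacker.example")
    print("spoofed:", dmarc_disposition(spoofed, "v=DMARC1; p=reject"))
```

The second scenario is the DKIM "blind spot" from the article: the signature is valid, but without alignment DMARC still applies your policy.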

Why All Three Are Non-Negotiable

You might think "Can't I just use one or two?" Unfortunately, no. Each protocol plugs holes that the others can't handle.

Here's what happens with incomplete protection:

SPF only: Scammers can still forge your domain in the "From" address while sending from their own authenticated servers. Customers see your name and trust the email.

DKIM only: Criminals can use your domain name in emails while signing with their own valid DKIM signature. The technical authentication passes, but the email is still fraudulent.

SPF + DKIM without DMARC: You have no enforcement mechanism. Email providers might ignore your SPF and DKIM records because there's no policy telling them what to do with failures.

The harsh reality? Without all three protocols properly configured, up to 76% of your legitimate business emails could end up in spam folders or get rejected outright.

The Business Impact Is Real

Major email providers aren't playing games anymore. Starting in February 2024, Google and Yahoo made SPF, DKIM, and DMARC mandatory for anyone sending over 5,000 emails per day.

But compliance isn't the only concern. Business Email Compromise (BEC) scams cost U.S. victims $2.9 billion in 2024 alone. When criminals can easily impersonate your business, your customers become targets.


Consider what's at stake when someone spoofs your domain:

  • Customer trust: People stop opening emails from your business
  • Brand reputation: Your company name gets associated with scams
  • Financial liability: Customers might hold you responsible for losses
  • Email deliverability: Legitimate emails get blocked or filtered

One major breach can take years to recover from. Prevention costs far less than damage control.

Getting Started: Your Next Steps

Don't let the technical details intimidate you. Most hosting providers and email services can help you implement these protocols correctly.

Start by checking your current status. Tools like MXToolbox or DMARC Analyzer can show you what records already exist for your domain.

If you're sending business emails without proper authentication, you're essentially driving without insurance. The question isn't whether something will go wrong; it's when.

For comprehensive email security guidance tailored to your business needs, our email security services can help you implement all three protocols correctly.

The investment in proper email authentication pays dividends in protected reputation, improved deliverability, and peace of mind. Your customers, and your bottom line, will thank you for taking email security seriously.

Don't wait for a crisis to take action. Email authentication isn't just about preventing attacks; it's about ensuring your legitimate business communications actually reach their intended recipients.


The CW Corner – Best practices for mitigating website hacks

We at CharlesWorks are often asked by our web clients if their site is protected from malware and getting hacked. They also want to know, if their site IS hacked, whether there will be a charge to fix it.

The totally hack-proof website

The totally hack-proof website has no access to it. So it’s not connected to the Internet. No one can view it. Such a website doesn’t sound like it's of much use if no one can see it.

So, let’s agree that it is unrealistic to believe that a publicly accessible website can be totally hack-proof. Any website that is accessible via the public Internet is consistently subjected to attempts to break into it. Believe it or not, that’s the norm as opposed to the anomaly.

That being said, however, there ARE things you can do to mitigate website hacks. I have to stress the word mitigate here. Mitigation is defined as the action of reducing the severity, seriousness, or painfulness of something.

Site hacks are based on odds

My goal here is to simply remind you of what you most likely already know: that we can reduce the probability – the odds – of your site being hacked. We at CharlesWorks want that probability to be so low that it hopefully never happens to you.

The major hacking causes

I have been operating CharlesWorks since 1998. In my experience, there appear to be two major reasons why sites get hacked:

    • The access credentials/passwords have been compromised.
    • The software that operates them wasn’t kept up to date.

Let's take a look at each of these below.

Compromised Access Credentials

Compromised passwords and bad actors gaining access to website login credentials is the major reason we see sites hacked. Think about this in terms of your car. You could have alarms on it. But if you make a copy of your car key and give it to someone, they can do whatever they like with the car. Whether it's a drive along the beach or to rob a bank, your car is theirs to use with the key you gave them. Credentials – logins and passwords – work pretty much the same way.

CharlesWorks has many clients who want to be able to do things themselves. We are strong proponents of doing it yourself when it’s feasible and convenient. This is especially true for adding posts or page materials. It also makes sense when making other changes or modifications to your site. It is, after all, YOUR website.

However, many people fall prey to phishing schemes. Directly or indirectly, they usually end up tricked into giving out their website access credentials (as well as credentials to everything else they own). This is especially true if your email account is hacked and the hackers are able to access emails containing your website’s (and other) login credentials.

This problem is exacerbated if you have shared your website’s administrative or other access with others. Think of your emails containing various authorizations or login information as a potential weak link in a chain. If you have shared that information with others you have now created more weak links. This increases the odds of a potential compromise.

One of the best ways to mitigate these situations is to change your site’s access passwords so they are different from those possibly stored in your emails. And to hope that anyone you may have shared your website access with has done the same.

Obviously, should site access be gained in such a manner, it would be your burden to have the site restored. I’ll expound upon this a little more at the end of this article.

Out of Date Security/Software Updates

Malware and virus protection on home computers operates a little differently than the same types of protection on servers. Website servers operate in the publicly accessible Internet. This results in many more entry points for potential issues. There are a number of very standard server protections available (which we utilize here at CharlesWorks).

After bad actors getting (or guessing) your passwords, the next major reason sites get hacked is unapplied security updates and other software update issues. At CharlesWorks we mitigate such issues by running anti-malware software on our servers. Also, WordPress sites hosted on our servers are kept up to date automatically via automatic updating of the WordPress core as well as automatic updating of the website’s plugins and themes.

There are literally thousands of individual pieces of software that must work in unison to operate most websites. These are developed by many more thousands of developers around the world. Unfortunately, no company can guarantee that a website will never get hacked. They can only mitigate security compromises and hope against the worst.

Restoring your Website

Regardless of which of the two situations above may have led to your website’s issues, your website will most likely need to be restored. That’s because after a hack, back doors into the site will most likely have been installed so the bad actors can gain access again.

Many Internet companies claim to have automatic backups. In most of those, those backups are accessible to the user in their account. If the account is hacked, how safe do you suppose that is?

Some Internet companies delete an account upon a website being hacked. In those cases I have seen many left with no website or backup as a result.

What I believe is most important regarding this topic is the manner in which our WordPress sites are backed up every day for 30 days. Our backups are made to separate servers – external to those the site operates on. For security reasons, the site administrators do not have access to these backups. So even with a site administrator’s compromised passwords there is no access to the backups. With these backups we can usually restore an average site in about 10-30 minutes if it needs restoring. And we can go back as far as 30 days. We would only bill our web client for the 10-30 minutes (again – for an average website), which results in only a minor charge to restore it. (Note that some websites are extremely large and require much more time to restore, but these are very rare.)

In my experience running CharlesWorks since 1998, we’ve built and handled more than 5,000 websites. At this point in time, I do not recall the last time a website we built and totally maintained was hacked (unfortunately I recall several instances of sites maintained by others that failed to ensure the site was updated and/or had their passwords compromised).

Sites getting hacked due to out-of-date software happens far less frequently (if at all) when security updates are kept up to date and bad actors are kept out.

I hope this helps you understand a little more about this topic.


The CW Corner – PPP Pandemic Scams

The pandemic we are dealing with doesn’t always bring out the best in human nature. Such times are when scammers are more apt to take advantage of people. Many people are feeling anxious and helpless. Add economic issues and it’s clearly a recipe for depression and uncertainty.

Most small business owners have heard of PPP (Payroll Protection Program) loans. These are to help businesses stay alive and keep people employed during this pandemic. There are incredible numbers of scams involving PPP loans.

Most scams come through email. They also happen over the phone. Unbelievably, calls and email are great mediums for scammers. Emails trick people into loading viruses onto their computers. Both manipulate people into volunteering personal information! The result is identity fraud and/or account thefts.

Internet and telephone scams have one important factor in common: instill a sense of urgency in the mark. If the scammer can make you think you need to act on this right away, you probably will.

I suggest you:

1) Deal with bankers/lenders at respected institutions you actually know. Use the drive-through window if you must to set up an appointment.

2) Call your banker/lender if you get an email or phone call offering their help with the PPP loan – even if the email or phone call appears to be from a legitimate source.

3) Understand that emails and phone numbers can be spoofed – made to look like they’re from a legitimate source.

Be cautious and you won’t have to regret the unimaginable headaches that those who have suffered identity theft and other losses have experienced.


The CW Corner – Persistent Scammers

I’ve written several articles about specific scams that are occurring on a regular basis on the Internet. They seem to subside for a short time – a very short time – and then a wave of them happens again.

One of the worst – as far as I am concerned – are the ones where the email recipient is being told they must verify their email. These have some common traits with most Internet scams:

1) A sense of urgency – they want you to take care of this immediately

2) A time limit – they give you within 24 hours to act

3) A threat – they tell you your email will be locked.

The first thing you have to understand is that nearly everyone gets these on occasion. I have received them myself in which they are made to look like they are from CharlesWorks. So when our clients get these they tend to become very worried very quickly.

I can’t stress enough that most legitimate companies will not send out messages like these. To fall prey to these can be a real nightmare. With access to one’s email these days the bad guys can wreak havoc in one’s life. The worst cases are called identity theft!

Don’t be the unfortunate one who falls prey to these scammers. If you have been “notified” of something serious – call your provider up and speak with a representative. Just like at my company – it’s a lot easier for us to allay your fears than to have to try to clean up the mess that can happen with compromised accounts.


The CW Corner – Halloween Spoofs

It’s Halloween time again so I thought I’d mention Halloween Spoofs! Well, actually email spoofing happens year round.

An example of spoofing is when emails are sent that are addressed from you (and maybe to you) but you didn’t send them. In that case your address has been “spoofed”.

Spammers and scammers alike do this. There are a couple reasons it’s done.

Sometimes it is malicious. Let’s say someone goes onto numerous websites to sign up for information as XYZ Company. So a ton of spam is sent to XYZ. XYZ finds itself barraged with email and phone spam – wasting lots of their time.

More often XYZ is spoofed to appear to be the sender of spam. Folks local to XYZ are more likely to open the spoofed emails. The spam really isn’t from XYZ – just made to look like it is. So recipients think XYZ is spamming them. They’re annoyed with XYZ and report them as spammers and complain and so on.

Fortunately, spoofing doesn’t account for most Internet issues. It just makes life miserable for XYZ – the target – for a while.

The good news is that spoofing usually only lasts a few days. The actual sending server is identified and blocked or shut down.

Always report these issues to your email administrator. Early intervention saves lots of headaches in the long term.


The CW Corner – An Email Contact is Essential

This week is a closely related follow-up to last week’s article. As I mentioned then regarding the lack of a phone number, it seems like it would go without saying that a website trying to sell something should have an email contact someplace on it.

Last week I was referring to a web developer’s website with no telephone number or email address on it. Some developers put forms on their sites to try to get out of displaying an email address. The main issue with forms – besides the fact that form output is more often than not considered spam by many mail servers – is that people generally don’t want to fill them out. It’s much easier these days to click on an email link and send off an email saying exactly what you want to say. Of course you can speak it even more clearly but email may be the next best thing.

If you can’t find an email address to contact someone, my advice is to just move along to the next prospective web developer on your list. You want to deal with a web development company that makes it easy to be reached.
