Explain how SPF, DKIM, and DMARC work together to prevent email spoofing.
Short answer
SPF publishes which IPs may send mail for a domain. DKIM adds a cryptographic signature so the receiver can verify the message was not altered and came from the domain. DMARC ties SPF/DKIM results to the visible From: header via 'alignment', tells receivers what to do on failure (none/quarantine/reject), and sends reports. SPF and DKIM alone do not protect the From a user sees — DMARC is what enforces that.
Email was built with no sender authentication, so anyone can forge the From: address. SPF, DKIM, and DMARC are three DNS-published layers that, together, let a receiving server decide whether mail claiming to be from your domain is legitimate. Interviewers want to know you understand they are complementary, not interchangeable.
SPF — who is allowed to send
Sender Policy Framework is a DNS TXT record listing the IP addresses and hosts authorized to send mail for a domain. The receiver checks the connecting server's IP against the record. SPF validates the envelope (return-path) domain, not the header the user sees, and it breaks on forwarding because the relaying IP changes.
DKIM — was the message tampered with
DomainKeys Identified Mail signs selected headers and the body with a private key; the public key lives in DNS. The receiver verifies the signature, proving the message is unaltered and genuinely associated with the signing domain. Because the signature travels with the message, DKIM usually survives forwarding.
DMARC — tie it to the visible From
DMARC is the glue. It requires that a passing SPF or DKIM result aligns with the domain in the visible From: header — closing the gap where SPF/DKIM pass for an attacker-controlled domain while the user sees yours. It also publishes a policy (p=none, quarantine, or reject) telling receivers what to do on failure, and produces aggregate reports so you can see who sends as you.
Why this matters
A clean answer: SPF = authorized IPs, DKIM = integrity signature, DMARC = alignment + enforcement + visibility. Mention that p=none blocks nothing but gives you the reporting needed to safely ramp to reject. That progression is exactly what blue teams roll out in practice.
Likely follow-ups
- What does DMARC 'alignment' mean and why can SPF/DKIM pass while DMARC fails?
- Why is a DMARC policy of p=none useless for blocking but still valuable?
- How does DKIM survive a forwarded email when SPF often breaks?