How to Set Up Email Spoofing Protection with SPF, DKIM, and DMARC for SMB Clients

Email spoofing, where attackers forge sender addresses to launch phishing and impersonation scams, is a top threat that targets small and mid-sized businesses (SMBs). These attacks often succeed simply because essential email authentication records are missing or misconfigured.

In this guide, we will help you implement vital email spoofing protection, which includes SPF, DKIM, and DMARC, to secure both your outbound and inbound mail for your Windows-based SMB clients.

Methods to protect businesses from email spoofing

SPF, DKIM, and DMARC are the essential trio that authenticate senders and stop domain spoofing. Configuring them correctly prevents attackers from impersonating your business or partners.

📌Use case: Implement these protection tools for your business email to prevent email spoofing, stop phishing, protect your brand, and ensure only legitimate emails reach your inbox.

📌Prerequisites: Before starting, make sure you have:

• Administrative access to your domain’s DNS
• An email service supporting DKIM
• Ability to add/update DNS TXT records
• Basic understanding of DNS records
• And, tools like PowerShell, mail testing tools (e.g., MXToolbox), and Command Prompt

We recommend checking ⚠️ Things to look out for before proceeding.

📌 Recommended deployment strategies:

How to configure the SPF record in DNS

Sender Policy Framework (SPF) configuration is your first critical step in declaring legitimate email sources and preventing domain spoofing. It publishes a DNS “allowed sender list” for your domain. Receiving servers verify that incoming mail truly originates from your approved servers.

📌 Use case: Set up SPF now if your domain sends any email (via Microsoft 365, an on-prem server, a website, or marketing tools). Every domain needs SPF to establish basic sender legitimacy and improve deliverability.

Step-by-step procedure:

1. List your authorized senders:
   • Identify every service that sends emails as @yourdomain.com, such as:
     • Your email provider (e.g., Microsoft 365, Google Workspace)
     • Your website/server (if it sends notifications)
     • Marketing tools (e.g., Mailchimp, Constant Contact)
     • CRMs (e.g., Salesforce, Hubspot)
     • On-prem mail servers

💡 Tip: Check your vendor documents for their required SPF include: value. For instance, Microsoft 365 uses spf.protection.outlook.com.

2. Build your SPF record:
   • Create a TXT record using this syntax:

• •  Examples:
    • Microsoft 365 only: v=spf1 include:spf.protection.outlook.com -all
    • Microsoft 365 + website server (IP 192.0.2.10): v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com -all
    • Microsoft 365 + Salesforce: v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all

spf.protection.outlook.com is a Microsoft-managed DNS domain that publishes the official SPF record for Microsoft 365’s outbound email infrastructure. It contains the authoritative list of mail servers and IP ranges that Microsoft 365 is allowed to use when sending email on behalf of customer domains

⚠️ Warning: Always end the syntax with -all for hard fail enforcement. This actively blocks unauthorized senders.

3. Publish the DNS record:
   • Log in to your DNS server (e.g., GoDaddy, Cloudflare, etc.).
   • Create a new TXT record.
   • Set the Host field to @ (or your root domain name).
   • Paste your SPF record (from the previous step) into the Value/Content field.
   • Save changes.
4. Verify:
   • Open Command Prompt or Windows Terminal (Win + X).
   • Then run this command:

• • Check the output for your SPF record.
  • Confirm with MX Toolbox SPF Checker.

Within 24-48 hours, legitimate mail from your services will pass the SPF checks, and spoofed emails should fail the SPF authentication process. You will see SPF results, showing pass/fail in the email headers.

How to enable DKIM signing

DKIM (DomainKeys Identified Mail) adds a unique digital signature to your outgoing emails. This signature is generated by the sending mail server using a private cryptographic key.

The corresponding public key is published in DNS as a DKIM record. When a receiving server gets the email, it retrieves the public key from DNS and uses it to validate the signature.

📌 Use case: Enable DKIM immediately if you send business email, whether transactional, marketing, or internal. It’s required for DMARC enforcement and prevents attackers from manipulating your messages.

Step-by-step procedure:

1. Generate your DKIM keys:
   • Your email service creates cryptographic keys automatically:
     • For cloud services: No action is needed since the keys are generated automatically when you enable DKIM.
       1. Microsoft 365: Find the key in Security & Compliance Center > Threat Management > Policy > DKIM.
       2. Google Workspace: Find the key in Admin Console > Apps > Gmail > Authenticate Email.
     • For self-hosted servers: Use tools like OpenSSL or your mail server’s DKIM wizard.
2. Publish DNS records:
   • Get DKIM Record from your email provider:
     • Microsoft 365: CNAME records (see below)
     • Google Workspace: TXT record
     • Others: TXT or CNAME
   • Log in to DNS provider (Cloudflare, GoDaddy, etc.)
   • Add Records:

⚠️ Important: Replace [domain] with your domain and [tenant] with your Microsoft 365 tenant name.

Note: Microsoft 365 uses two DKIM records so that DKIM keys can be rotated transparently, maintaining uninterrupted email authentication and strengthening overall security

3. Verify setup:
   • Open Command Prompt or PowerShell in Windows Terminal (Win + X).
   • For Command Prompt, run:

• • For PowerShell, script:

• • • Look for Enabled: True and Status: CNAMEValid.

• • Email Test: Send an email to [email protected] and inspect reply headers.

After configuration, all outgoing emails should include a DKIM-Signature header within 24 hours. Receivers can validate messages using your DNS public key, and forged or modified emails will fail DKIM checks. DMARC reports should also show dkim=pass for legitimate email.

How to publish DMARC policy

DMARC acts as your domain’s policy enforcer, telling email providers how to handle unverified messages and delivering vital spoofing reports. It’s the final armor in email spoofing protection.

📌 Use case: Deploy DMARC after SPF and DKIM are active. Essential for all domains to block phishing, gain visibility into email traffic, and enforce sender spoof protection.

Step-by-step procedure:

1. Verify SPF and DKIM readiness:
   • Confirm SPF and DKIM (see Methods 1 & 2) are active and passing for all email sources.
     • This is an essential prerequisite for DMARC.
2. Build your DMARC record:
   • Create a TXT record in your domain’s DNS with this syntax:

• • Setting explanation:
    • p= (Policy): Tells receiving servers what to do with unauthenticated mail. Choose one:
      • p=none: Monitor only (start here).
      • p=quarantine: Send failures to spam.
      • p=reject: Block failures outright.
    • rua= (Reporting): Sends you daily aggregate reports, which are essential for spotting spoofing and fixing legitimate mail flow.
  • Optional, useful tags for fine-tuning:
    • pct=5: Apply your policy to only 5% of failing mail (eases enforcement).
    • sp=quarantine: Set a different policy for your subdomains.
    • adkim=r; aspf=r: Use “relaxed” alignment (common for most setups).

3. Publish the DNS record:
   • Log in to DNS provider (Cloudflare, GoDaddy, etc.)
   • Create TXT record:
     • Host: _dmarc
     • Value: Your DMARC policy string
     • TTL: 3600 (1 hour)
4. Verify:
   • Open Command Prompt or Windows Terminal (Win + X).

• • Online check: Use MXToolbox DMARC Lookup

5. Monitor and tighten policy:
   • Analyze reports, which are sent to rua inbox for 2 to 4 weeks.
   • Consistently update SPF and DKIM for legitimate senders.
   • Escalate policy: none > quarantine > reject.

Within 72 hours after configuration, your Daily XML reports should display legitimate and fraudulent senders, SPF and DKIM pass rates, geographic threat hotspots, and which emails were sent to quarantine or rejected.

Use PowerShell for Microsoft 365 DKIM and DMARC management

PowerShell streamlines Microsoft 365 email security management with command-line efficiency. Use it to enforce email spoofing protection faster than GUI tools.

📌 Use case: Ideal for IT admins managing multiple domains, automating deployments, or troubleshooting SPF/DKIM/DMARC logs. Essential for enforcing policies at scale.

Step-by-step procedure:

1. Connect to Exchange Online:
   • Open PowerShell (Admin), then run this script:

2. Enable DKIM signing:
   • Run this script:

• • Verify with this script:

💡 Note: Look for Enabled: True and Status: CNAMEValid

3. Retrieve SPF/DKIM/DMARC logs:
   • Run this script:

• • Output should show authentication results for each sent email.

4. View Detailed Traces (Microsoft Defender):
   • Run this script:

After execution, DKIM signing activates immediately for outbound mail. Logs should reveal SPF and DKIM pass/fail rates, DMARC alignment status, and suspicious senders.

How to do GPO and Registry-based email hardening (Windows clients only)

While SPF/DKIM/DMARC protect servers, hardening Windows email clients adds critical user-layer defenses against spoofing.

📌 Use case: Deploy when employees use Outlook on domain-joined Windows 11 PCs. Essential for finance/HR teams handling sensitive data.

Step-by-step procedure:

Method A: Registry edit (SinglePC)

1. Press Win + R, then type regedit to open Registry Editor.
   • Ensure you have administrative privileges.
2. Go to or paste this in the address bar: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security 
3. Create a new DWORD (32-bit) Value:
   • Name it as ShowSenderAsFrom
   • Set Value data to 1.
     • This forces Outlook to display the mailbox address in the “From” field when emails are sent using Send As or shared mailbox permissions, instead of showing “on behalf of.”

Method B: Group Policy (Domain-wide)

1. Open Group Policy Management Editor.
2. Go to User Configuration > Administrative Templates > Microsoft Outlook 2016 > Security 
3. Enable two policies:
   • Warn about ambigous sender addresses
   • Always show From address in email headers
4. Enforce by running gpupdate /force on client PCs.

After implementation, Microsoft Outlook starts displaying warnings for suspicious sender-reply-to mismatches, full headers are visible without plugins, IT gains visibility on potential spoofing attempts via Event Viewer logs, and successful phishing is reduced by 68%.

⚠️ Things to look out for

This section highlights potential challenges to keep in mind while following this guide.

Tips when setting up email spoofing protection

Follow these practical tips to avoid common pitfalls when deploying email spoofing protection. Optimize your setup for security and deliverability.

SPF’s 10-lookup limit

SPF fails if DNS lookups exceed 10, causing legitimate emails to bounce. Avoid this by Flattening includes: Replace nested include: statements with direct ip4:/ip6: lists.

You can also use SPF macros by consolidating the providers (for example, include:%{i}._spf.example.com). You should ensure to test rigorously with this script:

DMARC: Start Soft, Then Tighten

Never begin with p=reject. It risks blocking valid emails silently. Instead, deploy p=none for 2-4 weeks to gather reports. Then, fix SPF/DKIM gaps for legitimate senders.

You should also escalate to p=quarantine (spam) > p=reject (block). Why? Because, gradual enforcement prevents business disruption while maximizing sender spoof protection.

DKIM: Document Selectors & Rotate Keys

Undocumented key changes break email flow. For bulletproof management, record selectors (e.g., selector1, google) in a password vault, rotate keys every 6 months via your email admin console, and audit quarterly via:

Use hosted tools for SMB efficiency

If manual DNS/PS management overwhelms, adopt MSP-friendly platforms, like PowerDMARC, Proofpoint, or Valimail. It can help auto-configure SPF/DKIM/DMARC, parse reports into plain English, and alert on spoofing attacks in real-time. This is ideal for teams that lack dedicated mail admins or 24/7 monitoring.

Email spoofing protection: Stop phishing before it starts

Configuring SPF, DKIM, and DMARC isn’t optional; it’s your frontline defense against phishing, invoice fraud, and brand impersonation targeting SMBs. By implementing these protocols, you enforce domain trust, block spoofed emails at the server level, and gain critical visibility into attack patterns.

Start with SPF’s -all, layer DKIM’s cryptographic signing, then let DMARC reports guide policy tightening, because one missed spoofed “CEO request” can bankrupt a client.

Related topics

• Understanding and Preventing Email Spoofing Attacks
• What Is Spoofing?
• Phishing Email Examples: How to Identify a Phishing Email
• What is Business Email Compromise (BEC)?
• 10 Email Server Security Best Practices You Need to Know