DNS Misconfiguration
detect, understand, remediate
DNS misconfigurations (missing or incorrect SPF, DKIM, and DMARC records) allow attackers to spoof your domain in phishing emails, damaging reputation and enabling social engineering.
No credit card required. Free plan available forever.
What is DNS misconfiguration (SPF/DKIM/DMARC)?
DNS misconfiguration in the context of email authentication refers to missing or improperly configured SPF, DKIM, and DMARC records. These DNS-based protocols work together to verify that emails are legitimately sent from authorised servers and have not been tampered with in transit. Without them, attackers can spoof your domain to send phishing emails that appear to come from your organisation.
SPF (Sender Policy Framework) is a TXT record at the domain that lists which mail servers are authorised to send email for it. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages; receivers fetch the matching public key from a TXT record published under a selector name and verify that the signed headers and body were not altered. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together: it requires at least one of them to pass for a domain aligned with the visible From: address, and publishes a policy that tells receiving servers how to handle messages that fail, plus an address for reports.
When these records are missing, misconfigured, or set to permissive policies, your domain becomes a tool for attackers. Business email compromise (BEC) attacks that spoof trusted domains cost organisations billions annually, and proper email authentication is the primary defence.
How it works
Missing or weak records
The target domain has no SPF record, an overly permissive SPF (ending in +all or ?all), no DKIM signing, or no DMARC record or one with its policy set to p=none.
Attacker spoofs the domain
The attacker sends emails with a forged "From" address matching the target domain using any mail server they control.
Email passes checks
Without SPF/DKIM/DMARC enforcement, the receiving server has no published policy telling it to reject or quarantine the message, so it is delivered. An SPF check on the attacker's own envelope (MAIL FROM) domain can even pass; it is DMARC's alignment requirement that ties the result to the visible From: domain.
Phishing succeeds
Recipients trust the familiar domain and fall victim to phishing, credential harvesting, wire fraud, or malware delivery.
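The four steps above, as a receiver would evaluate them. This is an added Python example, not SecPortal's code: it takes the From: domain, the domain's DMARC record, and the SPF and DKIM results the receiver has already computed, applies RFC 7489 alignment, and returns the disposition. The records, domains and scenarios are constructed, and the organisational-domain rule is simplified to "last two labels" (a real receiver uses the Public Suffix List).

```python
"""DMARC evaluation of one received message, following the steps above.

Inputs: the RFC5322.From domain, the domain's DMARC record (None if absent), and
the SPF and DKIM results the receiver already computed, with the domains those
results apply to. Output: 'pass', or the policy the record asks the receiver to
apply. Alignment follows RFC 7489: relaxed (default) compares organisational
domains, strict requires an exact match.
"""
from typing import Optional

# Constructed sample records for example.com (not real DNS data).
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_REJECT_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
DMARC_REJECT_RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Approximate organisational domain: the last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Is the SPF- or DKIM-authenticated domain aligned with the From: domain?"""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain: str, dmarc_record: Optional[str],
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str]) -> str:
    """Return 'pass', the failure policy ('none', 'quarantine', 'reject'), or
    'no-policy' when the domain publishes no DMARC record at all."""
    if dmarc_record is None:
        return "no-policy"   # nothing to enforce; handled as ordinary unauthenticated mail
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:    # one aligned pass is enough
        return "pass"
    return tags.get("p", "none")


def scenarios() -> dict:
    """Constructed messages, all carrying From: someone@example.com."""
    return {
        # Attacker's own server. SPF is evaluated against the attacker's MAIL FROM
        # domain and passes there, but that domain is not aligned with example.com.
        "spoof, no DMARC": dmarc_disposition("example.com", None, "pass", "attacker.invalid", "none", None),
        "spoof, p=none": dmarc_disposition("example.com", DMARC_NONE, "pass", "attacker.invalid", "none", None),
        "spoof, p=reject": dmarc_disposition("example.com", DMARC_REJECT_STRICT, "pass", "attacker.invalid", "none", None),
        # Attacker uses MAIL FROM @example.com and example.com's SPF ends in +all:
        # SPF passes and aligns, so even p=reject cannot help.
        "spoof via +all": dmarc_disposition("example.com", DMARC_REJECT_STRICT, "pass", "example.com", "none", None),
        # Legitimate mail from the company's own server, DKIM signed with d=example.com.
        "legit": dmarc_disposition("example.com", DMARC_REJECT_STRICT, "pass", "example.com", "pass", "example.com"),
        # Third-party mailer: SPF and DKIM both pass, but only for the vendor's domains.
        "vendor, unaligned": dmarc_disposition("example.com", DMARC_REJECT_STRICT, "pass", "bounce.mailer.example", "pass", "mailer.example"),
        # Same vendor after it was given a DKIM key under mail.example.com:
        # passes with relaxed alignment, still fails under strict.
        "vendor, relaxed": dmarc_disposition("example.com", DMARC_REJECT_RELAXED, "pass", "bounce.mailer.example", "pass", "mail.example.com"),
        "vendor, strict": dmarc_disposition("example.com", DMARC_REJECT_STRICT, "pass", "bounce.mailer.example", "pass", "mail.example.com"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:20} -> {outcome}")
```

The "spoof via +all" and "vendor, unaligned" cases are the ones worth remembering: a permissive SPF record lets a forged message pass DMARC even under p=reject, and a vendor that authenticates under its own domain fails DMARC even though both SPF and DKIM report pass.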
Common causes
No SPF record configured
The domain has no SPF TXT record at all, meaning any server can send email claiming to be from the domain without restriction.
SPF too permissive (+all)
An SPF record ending in +all explicitly authorises every server on the internet to send email for the domain, which makes the record worse than useless: a forged message with an envelope sender at your domain passes SPF and therefore DMARC. A ?all (neutral) ending is nearly as weak.
No DKIM signing
Outgoing emails are not signed with DKIM, so recipients cannot verify that messages were sent by an authorised server and were not altered.
DMARC set to p=none
A DMARC policy of p=none asks receivers to report failures but take no action. Spoofed emails that fail authentication are still delivered to recipients' inboxes. A domain with no DMARC record at all is in the same position, minus the reports.
How to detect it
Automated detection
- SecPortal's DNS scanner automatically queries SPF, DKIM, and DMARC records and flags missing or misconfigured entries
- SPF record analysis detects overly permissive mechanisms (+all), excessive DNS lookups, and syntax errors
- DMARC policy evaluation flags domains with p=none or missing rua/ruf reporting addresses
Manual testing
- Query the DNS TXT records where each record actually lives: SPF at the domain itself (dig TXT example.com), DKIM at <selector>._domainkey.<domain> (the selector is the s= tag of a signed message's DKIM-Signature header), and DMARC at _dmarc.<domain>
- Send test emails from a server not listed in SPF and without a DKIM signature to a mailbox you control, and check whether they are delivered, quarantined, or rejected and what the Authentication-Results header records
- Review DMARC aggregate reports to identify unauthorised senders and authentication failures
How to fix it
Configure strict SPF with -all
Publish an SPF record that lists only your authorised mail servers (including any third-party services that send as your domain) and ends with -all (hard fail). Keep the record within the limit of 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect), counting the lookups inside each included record; exceeding it yields a permerror, and a -all record that omits a legitimate sender will make that sender's mail fail.
Enable DKIM signing for all outbound email
Configure DKIM on your mail servers and on every third-party service that sends as your domain so that all outgoing messages are signed, and publish each public key at <selector>._domainkey.<domain>. Use 2048-bit RSA keys, rotate them periodically, and sign with d= set to your domain (or a subdomain of it) so the signature aligns for DMARC.
Deploy DMARC with p=reject
Start with p=none and a rua reporting address for monitoring, then progress to p=quarantine and finally p=reject once the aggregate reports confirm that all legitimate mail, including third-party senders, passes authentication with alignment. The pct tag can phase a stricter policy in gradually, and sp= should be set so that subdomains are not left at a weaker policy than the parent domain.
Monitor DMARC reports regularly
Configure a rua (aggregate) reporting address in your DMARC record and review the aggregate reports regularly to identify unauthorised senders and legitimate sources that fail alignment. A ruf (forensic) address can be added as well, but most large receivers do not send forensic reports, so do not rely on them.
Implement DNSSEC
Enable DNSSEC so that validating resolvers can detect tampered answers, protecting the SPF, DKIM public-key, and DMARC records from being replaced by spoofed DNS responses. DNSSEC only helps receivers whose resolvers validate, and it does not strengthen the records themselves, so it complements the fixes above rather than replacing them.
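The record checks from the detection section and the corrected records from the fix section, combined into one added Python example (not SecPortal's scanner code). It lints an SPF and a DMARC record for the weaknesses listed on this page and shows the exact DNS names at which each record is published. The domains, the IP range, and both the weak and the corrected records are constructed for example.com; the 10-lookup limit and the tag names come from RFC 7208 and RFC 7489.

```python
"""Lint SPF and DMARC records for the misconfigurations described above, and
show where each record lives in DNS. All records below are constructed examples."""

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per evaluation).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed weak and corrected records for example.com (not real DNS data).
WEAK = {"spf": "v=spf1 include:_spf.mailer.example +all",
        "dmarc": "v=DMARC1; p=none"}
FIXED = {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
         "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"}


def record_names(domain: str, dkim_selector: str) -> dict:
    """Where each record is published. SPF is a TXT at the domain itself, not under _spf."""
    return {
        "spf": domain,                                   # dig TXT example.com
        "dkim": f"{dkim_selector}._domainkey.{domain}",  # dig TXT s1._domainkey.example.com
        "dmarc": f"_dmarc.{domain}",                     # dig TXT _dmarc.example.com
    }


def check_spf(record):
    """Return a list of findings; an empty list means no issue found.
    Only top-level terms are counted here; a full evaluator also counts the
    lookups inside every include'd record."""
    if record is None:
        return ["no SPF record: any server can send as the domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        lower = term.lower()
        if lower.startswith("redirect="):
            lookups += 1             # a modifier, but it still costs a lookup
            continue
        qualifier = "+"              # default qualifier when none is written
        if lower[0] in "+-~?":
            qualifier, lower = lower[0], lower[1:]
        name = lower.split(":", 1)[0].split("/", 1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
            break                    # terms after 'all' are never evaluated
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result, not a fail")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any server send as the domain")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: unlisted senders are not rejected by SPF alone")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; evaluation returns permerror")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means no issue found."""
    if record is None:
        return ["no DMARC record: receivers have no policy to enforce"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will be received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none: subdomains remain spoofable despite the parent policy")
    return findings


def lint(records: dict) -> dict:
    """records: {'spf': str|None, 'dmarc': str|None} -> findings per record type."""
    return {"spf": check_spf(records.get("spf")), "dmarc": check_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    print(record_names("example.com", "s1"))
    for label, recs in (("weak", WEAK), ("fixed", FIXED)):
        print(label, lint(recs))
```

Run against the constructed records, the weak pair yields the +all and p=none findings plus the missing rua address, and the corrected pair yields none. Point the same functions at the output of the dig commands in the comments to lint a live domain.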
Check your DNS security
SecPortal analyses SPF, DKIM, DMARC, and DNSSEC records in every external scan. Try our free DNS Analyzer or start scanning.