Email Security Audit Checklist: SPF, DKIM, DMARC, and Beyond
A systematic audit of SPF, DKIM, DMARC, and emerging standards like BIMI can catch misconfigurations before they become costly breaches. Here's the complete checklist security engineers rely on.
Email security breaches cost organizations an average of $4.88 million per incident, yet many companies still operate with incomplete or misconfigured email authentication protocols. Whether you're conducting quarterly security reviews or investigating suspicious email activity, a systematic approach to email security auditing can mean the difference between catching threats early and dealing with costly breaches.
This comprehensive checklist walks you through auditing the core pillars of email security: SPF, DKIM, DMARC, and emerging standards like BIMI. You'll learn not just what to check, but how to interpret the results and prioritize fixes that actually reduce your attack surface.
Pre-Audit Preparation
Before diving into DNS records and authentication protocols, gather the essential information that will guide your audit:
Domain Inventory
- Primary sending domains
- Subdomain configurations
- Third-party services authorized to send email
- Legacy domains that might still be active
Current Email Infrastructure
- Email service providers (Office 365, Google Workspace, etc.)
- Marketing automation platforms
- Transactional email services
- Any custom SMTP configurations
Previous Audit Results
- Historical SPF/DKIM/DMARC configurations
- Known issues from previous reviews
- Changes made since the last audit
This preparation prevents surprises mid-audit and ensures you're checking all domains that could impact your organization's email security posture.
SPF Record Validation
Sender Policy Framework (SPF) acts as your first line of defense against email spoofing. A properly configured SPF record tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain.
SPF Record Structure Check
Start by retrieving the SPF record for each domain:
dig TXT example.com | grep "v=spf1"
Essential SPF Components to Verify:
- Version declaration: Must start with v=spf1
- Mechanism order: More specific mechanisms should appear before general ones
- All mechanism: Should end with -all (hard fail) or ~all (soft fail)
- Include statements: Verify each included domain has valid SPF records
Common SPF Misconfigurations
DNS Lookup Limit Violations
SPF records are limited to 10 DNS lookups. Count each include:, a:, mx:, exists:, and redirect: mechanism, including those inside the records you include. Exceeding this limit causes SPF evaluation to return a permanent error (permerror), so even legitimate mail no longer passes.
Overly Permissive Records
Records ending with +all or containing broad IP ranges like ip4:0.0.0.0/0 essentially disable SPF protection.
Outdated Include Statements
Third-party services change their sending infrastructure. Verify that each include: statement still points to active, legitimate services.
SPF Validation Testing
Test SPF validation from multiple angles:
- Authorized sender test: Send from a legitimate IP and verify SPF passes
- Unauthorized sender test: Attempt to send from an unlisted IP and confirm SPF fails
- Subdomain inheritance: Check if subdomains without explicit SPF records properly inherit parent domain policies
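The record-structure and lookup-limit checks above, as an added example that is not part of the original article: it parses an SPF record, flags a missing v=spf1, a +all terminator and an ip4:0.0.0.0/0 range, and counts DNS lookups recursively through include: chains. The FAKE_DNS table is a constructed stand-in for live TXT lookups (swap in a resolver such as dig or dnspython for real audits).

```python
import re
# Constructed TXT records standing in for live DNS lookups; none are real domains' records.
FAKE_DNS = {
    "example.com": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example "
                    "include:_spf.crm.example include:_spf.helpdesk.example ~all"),
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example -all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.mailer.example": "v=spf1 a mx exists:%{i}.spf.b.mailer.example -all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 ptr -all",
    "_spf.helpdesk.example": "v=spf1 a mx -all",
    "open.example": "v=spf1 ip4:0.0.0.0/0 +all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
def _term_name(term):  # 'include:x' -> 'include', '~ip4:1.2.3.0/24' -> 'ip4', 'redirect=x' -> 'redirect'
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def count_lookups(domain, dns=FAKE_DNS, seen=frozenset()):
    """Total DNS lookups an evaluation costs, recursing into include:/redirect= like a receiver does."""
    record = dns.get(domain)
    if record is None or domain in seen:  # `seen` only guards against include loops
        return 0
    total = 0
    for term in record.split()[1:]:
        name = _term_name(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(re.split(r"[:=]", term, maxsplit=1)[1], dns, seen | {domain})
    return total

def audit_spf(domain, dns=FAKE_DNS):
    """Findings for one domain's SPF record; an empty list means the checks passed."""
    record = dns.get(domain)
    if record is None:
        return ["no SPF record published"]
    terms, findings = record.split(), []
    if terms[0].lower() != "v=spf1":
        findings.append("record does not start with v=spf1")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: every sender passes SPF")
    elif last not in ("-all", "~all"):
        findings.append("record does not end with -all or ~all")
    if any(_term_name(t) == "ip4" and t.endswith("0.0.0.0/0") for t in terms):
        findings.append("ip4:0.0.0.0/0 authorizes every IPv4 address")
    lookups = count_lookups(domain, dns)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    return findings
```

In the constructed table example.com looks harmless at the top level (three includes) but costs 11 lookups once the vendor chains are followed, which is exactly the kind of drift a quarterly audit should catch.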
DKIM Key Inspection
DomainKeys Identified Mail (DKIM) provides cryptographic proof that emails haven't been tampered with in transit. Unlike SPF, DKIM travels with the email itself through digital signatures.
DKIM Signature Analysis
Examine email headers for DKIM signatures:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
Critical DKIM Elements:
- Algorithm (a=): rsa-sha256 is the current standard; rsa-sha1 is deprecated (RFC 8301)
- Domain (d=): Should match or be a parent of the From domain
- Selector (s=): Points to the public key DNS record
- Body hash (bh=): Cryptographic hash of email body
- Header list (h=): Specifies which headers are signed
DKIM Public Key Verification
Retrieve and analyze DKIM public keys:
dig TXT selector1._domainkey.example.com
Key Security Checks:
- Key length: 1024-bit minimum, 2048-bit recommended
- Key rotation: Keys should be rotated annually
- Selector management: Inactive selectors should be removed from DNS
- Multiple selectors: Verify all active selectors have valid keys
DKIM Implementation Gaps
Missing Critical Headers
DKIM should sign essential headers like From, To, Subject, and Date. Headers not included in the signature can be modified without breaking DKIM validation.
Weak Canonicalization
The canonicalization algorithm determines how whitespace and line endings are handled. "Relaxed" canonicalization is more forgiving but potentially less secure than "simple."
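The signature and public-key checks from this section in one audit routine, added here and not part of the original article: it parses the DKIM-Signature tag list, flags rsa-sha1, reports any of From/To/Subject/Date missing from h=, checks that d= is the From domain or a parent of it, and measures the RSA modulus in the selector record's p= value with a minimal DER walk. Since no real key is on the page, the block builds a syntactically valid SubjectPublicKeyInfo around an obviously fake modulus (fake_rsa_spki_b64, a constructed helper) purely to exercise the parser.

```python
import base64, re
REQUIRED_SIGNED = {"from", "to", "subject", "date"}
def parse_tags(value):  # DKIM tag=value list (signature header or key record) -> dict, folding whitespace removed
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): re.sub(r"\s+", "", v) for k, v in pairs}
def _tlv(buf, pos=0):  # read one DER element -> (tag, body, next_pos); definite lengths only
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def rsa_key_bits(p_tag):
    """Modulus size of the base64 SubjectPublicKeyInfo carried in a DKIM p= tag."""
    _, spki, _ = _tlv(base64.b64decode(p_tag))
    _, _, end_of_alg = _tlv(spki)           # AlgorithmIdentifier (rsaEncryption, NULL)
    _, bitstr, _ = _tlv(spki, end_of_alg)   # BIT STRING wrapping RSAPublicKey
    _, rsapub, _ = _tlv(bitstr[1:])         # skip the unused-bits octet
    _, modulus, _ = _tlv(rsapub)            # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim(sig_header, key_record, from_domain):
    """Findings for one DKIM-Signature header plus the selector record it points to."""
    sig, key, findings = parse_tags(sig_header), parse_tags(key_record), []
    if sig.get("a", "").lower().endswith("sha1"):
        findings.append("a=rsa-sha1 is deprecated; sign with rsa-sha256")
    missing = REQUIRED_SIGNED - set(sig.get("h", "").lower().split(":"))
    if missing:
        findings.append("unsigned headers: " + ", ".join(sorted(missing)))
    d = sig.get("d", "").lower()
    if not (d == from_domain.lower() or from_domain.lower().endswith("." + d)):
        findings.append(f"d={d} is neither the From domain nor a parent of it")
    bits = rsa_key_bits(key["p"]) if key.get("p") else 0  # empty p= means the key was revoked
    if bits < 1024:
        findings.append(f"{bits}-bit key is below the 1024-bit minimum")
    elif bits < 2048:
        findings.append(f"{bits}-bit key: 2048-bit recommended")
    return findings

# Constructed test data: a syntactically valid SPKI around an obviously fake modulus, for the parser only.
def _der(tag, body):
    hdr = bytes([tag, len(body)]) if len(body) < 0x80 else bytes([tag, 0x82]) + len(body).to_bytes(2, "big")
    return hdr + body
def fake_rsa_spki_b64(bits):
    integer = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsapub = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsapub))).decode()
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
       "h=From:To:Subject:Date; bh=CONSTRUCTED; b=CONSTRUCTED")
KEY = "v=DKIM1; k=rsa; p=" + fake_rsa_spki_b64(2048)
```

For a live audit, feed rsa_key_bits the p= value returned by the dig query above; the DER layout it walks is the same for every RSA DKIM key.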
DMARC Policy Analysis
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM to provide policy enforcement and reporting capabilities.
DMARC Record Structure
v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Core DMARC Policy Elements:
- Policy (p=): none, quarantine, or reject
- Subdomain policy (sp=): Separate policy for subdomains
- Alignment (adkim/aspf): strict or relaxed alignment requirements
- Reporting addresses (rua/ruf): Aggregate and forensic report destinations
- Failure options (fo=): When to generate forensic reports
DMARC Alignment Verification
DMARC requires either SPF or DKIM to pass AND align with the From domain:
SPF Alignment
- Relaxed: Return-Path domain must share the organizational domain of the From domain
- Strict: Return-Path domain must exactly match the From domain
DKIM Alignment
- Relaxed: DKIM signing domain must share the organizational domain of the From domain
- Strict: DKIM signing domain must exactly match the From domain
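The alignment rules above carried through to a verdict, as an added example that is not from the original article: given a DMARC record, the From domain, and the SPF and DKIM results with their domains, it applies aspf/adkim, falls back to sp= for subdomains, and returns the disposition. The organizational-domain helper is deliberately simplified to the last two labels; a real evaluator must use the Public Suffix List, and pct= sampling is ignored.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real evaluator
    must consult the Public Suffix List so that shop.example.co.uk maps to example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' (the default) the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(record):
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def evaluate_dmarc(record, policy_domain, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (dmarc_pass, disposition) for one message. policy_domain is where the record
    was found; a From subdomain falls under sp= when present. pct= sampling is ignored."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        return False, tags["sp"]
    return False, tags.get("p", "none")

# Constructed policy for example.com; the rua address is a placeholder, not a real mailbox.
RECORD = "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

def demo():
    """Three messages: an aligned bounce subdomain, a third-party mailer, and an unauthenticated subdomain."""
    return [
        # Return-Path bounce.example.com shares the org domain, so relaxed SPF alignment passes.
        evaluate_dmarc(RECORD, "example.com", "example.com", "bounce.example.com", True, "example.com", True),
        # SPF passes only for the vendor's own domain (unaligned) and DKIM d=mail.example.com fails strict alignment.
        evaluate_dmarc(RECORD, "example.com", "example.com", "mailer.example", True, "mail.example.com", True),
        # Nothing passes for a From subdomain, so the sp= policy applies.
        evaluate_dmarc(RECORD, "example.com", "news.example.com", "unrelated.example", False, None, False),
    ]
```

The second case is the classic audit finding: both protocols pass, yet the message is quarantined because neither identifier aligns, which is fixed by signing with d=example.com or by relaxing adkim, not by touching SPF.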
DMARC Reporting Analysis
Regular analysis of DMARC reports reveals authentication failures and potential threats:
Aggregate Reports (RUA)
- Identify legitimate senders failing authentication
- Spot spoofing attempts and their sources
- Monitor authentication success rates over time
Forensic Reports (RUF)
- Detailed analysis of individual authentication failures
- Sample headers and content from failed messages
- Privacy considerations for sensitive email content
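A triage pass over an aggregate (RUA) report, added here as an example and not part of the original article: it reads the XML a receiver sends, and sorts each source IP into the three buckets the bullets above describe, authenticated, raw-pass-but-unaligned (typically a legitimate third-party sender to fix), and fully unauthenticated (possible spoofing). The RUA_XML document is constructed and trimmed to the elements used; real reports arrive gzipped or zipped and carry more fields.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, cut down to the elements this triage reads.
RUA_XML = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>15</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>mailer.example</domain><result>pass</result></dkim>
   <spf><domain>mailer.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>40</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def classify(record):
    """Sort one <record> into the bucket that decides the auditor's next action."""
    evaluated = record.find("row/policy_evaluated")
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "authenticated"        # an aligned SPF or DKIM result passed
    raw = [r.findtext("result") for r in record.findall("auth_results/*")]
    if "pass" in raw:
        return "unaligned_sender"     # raw auth passed under another domain: likely a legitimate third party to fix
    return "unauthenticated"          # nothing passed at all: investigate as possible spoofing

def summarize(xml_text):
    """Map bucket -> {source_ip: message count} for one aggregate report."""
    summary = defaultdict(dict)
    for rec in ET.fromstring(xml_text).findall("record"):
        bucket, ip, n = classify(rec), rec.findtext("row/source_ip"), int(rec.findtext("row/count"))
        summary[bucket][ip] = summary[bucket].get(ip, 0) + n
    return dict(summary)
```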
Advanced Email Security Configurations
BIMI Implementation
Brand Indicators for Message Identification (BIMI) displays your brand logo in email clients when DMARC is properly configured.
BIMI Prerequisites:
- DMARC policy must be set to quarantine or reject
- Domain must have consistent DMARC enforcement
- Logo must meet specific format requirements (SVG Tiny P/S)
BIMI Record Format:
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/certificate.pem
MTA-STS Configuration
Mail Transfer Agent Strict Transport Security (MTA-STS) prevents man-in-the-middle (STARTTLS downgrade) attacks on inbound mail delivery by requiring sending servers to use TLS with a valid certificate when connecting to your published MX hosts.
MTA-STS Policy Requirements:
- Policy hosted at https://mta-sts.example.com/.well-known/mta-sts.txt
- DNS TXT record at _mta-sts.example.com
- Valid TLS certificate for mail servers
- Policy specifies authorized MX hosts
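The policy-requirement checks above in code, added as an example and not part of the original article: it parses an mta-sts.txt file, validates the version, mode and max_age fields and the _mta-sts TXT record, and confirms every MX host in the domain's MX set is covered by an mx: entry (RFC 8461 wildcard rules: "*." matches exactly one leading label). POLICY_TXT, STS_DNS_TXT and MX_HOSTS are constructed inputs; certificate validity cannot be checked offline and is left to the live audit.

```python
# Constructed policy file, DNS record and MX set for an example.com audit (not real data).
POLICY_TXT = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.mail.example.com\nmax_age: 604800\n"
STS_DNS_TXT = "v=STSv1; id=20240101T000000Z"     # what the _mta-sts.example.com TXT lookup would return
MX_HOSTS = ["mx1.example.com", "mx2.mail.example.com", "backup.example.net"]

def parse_policy(text):
    """mta-sts.txt -> dict; the mx key collects every listed host pattern."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_allowed(host, patterns):
    """RFC 8461 matching: exact name, or a '*.' pattern covering exactly one leading label."""
    host = host.lower()
    for pat in patterns:
        if pat.startswith("*."):
            if host.endswith(pat[1:]) and "." not in host[: -len(pat[1:])]:
                return True
        elif host == pat:
            return True
    return False

def audit_mta_sts(policy_text, dns_txt, mx_hosts):
    """Findings for one domain's MTA-STS deployment; empty list means the offline checks passed."""
    policy, findings = parse_policy(policy_text), []
    if policy.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        findings.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        findings.append("max_age must be a number of seconds")
    if not (dns_txt.startswith("v=STSv1") and "id=" in dns_txt):
        findings.append("_mta-sts TXT record needs v=STSv1 and an id=")
    for host in mx_hosts:  # an MX the policy omits makes senders in enforce mode refuse that host
        if not mx_allowed(host, policy["mx"]):
            findings.append(f"MX {host} is not covered by the policy's mx entries")
    return findings
```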
TLS-RPT Implementation
TLS Reporting (TLS-RPT) provides visibility into TLS connection failures and security issues.
TLS-RPT Configuration:
v=TLSRPTv1; rua=mailto:[email protected]
Reports reveal:
- Failed TLS connections
- Certificate validation issues
- Policy violations
- Connection security statistics
Email Security Grading and Risk Assessment
Raw authentication data tells only part of the story. Effective email security auditing requires interpreting results within broader risk contexts.
Risk Scoring Framework
High Risk Indicators:
- SPF records ending with +all
- Missing DMARC policies on primary domains
- DKIM keys shorter than 1024 bits
- No monitoring of authentication failures
Medium Risk Indicators:
- DMARC policy set to p=none for extended periods
- SPF records approaching DNS lookup limits
- Inconsistent subdomain policies
- Delayed response to authentication failures
Low Risk Indicators:
- Properly configured authentication protocols
- Regular monitoring and policy updates
- Coordinated incident response procedures
- Proactive threat intelligence integration
Automated Security Assessment
Manual auditing becomes impractical as domain portfolios grow. Modern email security tools provide interpreted results rather than raw DNS data, enabling faster risk assessment and prioritized remediation.
The CyrusX Email Header Analyzer transforms complex email authentication data into actionable security grades, helping security professionals quickly identify high-risk configurations across multiple domains. Instead of manually parsing SPF records and calculating DNS lookup limits, you get immediate risk scores and specific remediation guidance.
Remediation Priority Matrix
Not all email security issues require immediate attention. Use this matrix to prioritize fixes based on risk level and implementation complexity:
Immediate Action Required
- Domains with no SPF records
- DMARC policies that enforce nothing (p=none), leaving the domain fully spoofable
- Expired or compromised DKIM keys
- Critical third-party services failing authentication
Short-term Improvements (1-4 weeks)
- DMARC policy progression from none to quarantine
- SPF record optimization to reduce DNS lookups
- Implementation of missing authentication protocols
- Enhanced monitoring and alerting
Long-term Strategic Initiatives (1-6 months)
- BIMI implementation for brand protection
- MTA-STS deployment for transport security
- Comprehensive subdomain policy management
- Integration with threat intelligence platforms
Ongoing Monitoring and Maintenance
Email security auditing isn't a one-time activity. Establish regular review cycles and automated monitoring to maintain strong security postures.
Monthly Review Tasks
- DMARC report analysis
- Authentication failure trend analysis
- Third-party service configuration changes
- New domain and subdomain inventory
Quarterly Deep Audits
- Complete SPF/DKIM/DMARC validation
- Risk assessment updates
- Policy effectiveness evaluation
- Incident response procedure testing
Annual Strategic Reviews
- Authentication protocol updates
- Emerging threat landscape assessment
- Technology stack evaluation
- Compliance requirement changes
Conclusion
Email security auditing requires systematic attention to technical details and strategic risk assessment. This checklist provides the framework for comprehensive email authentication reviews, but the real value comes from consistent application and continuous improvement.
Strong email security isn't just about implementing SPF, DKIM, and DMARC—it's about understanding how these protocols work together to protect your organization and monitoring their effectiveness over time. Regular auditing catches configuration drift before it becomes a security incident.
Ready to streamline your email security auditing process? Use the CyrusX Email Header Analyzer to audit SPF, DKIM, and DMARC records for any domain and get instant security grades with specific remediation guidance.