The exam asks you to match these three technologies to scenarios or descriptions. They are often confused because all three are DNS TXT records related to email authentication. The differentiation is clean once you internalize one sentence per technology:
- SPF = authorized servers list. “Is this IP allowed to send mail for this domain?” The answer is in the SPF record. It validates the sending server identity. It says nothing about the message content.
- DKIM = digital signature on the message. “Did this domain sign this message, and was it modified in transit?” The answer is in the DKIM signature in the message headers, validated against the public key in DNS. It proves message integrity and server authorization. It says nothing about what to do if validation fails.
- DMARC = policy + reporting. “What should the receiving server do when SPF or DKIM fails, and please tell me about it.” DMARC is not a validation mechanism itself — it uses SPF and DKIM results and adds two things they lack: disposal policy and aggregate reports.
Exam trigger phrases and answers:
- “Authorized sending servers for a domain” → SPF
- “Digital signature on outgoing email; public key in DNS” → DKIM
- “Policy for failing messages; compliance reports” → DMARC
- “Extension of SPF and DKIM” → DMARC
- “None/quarantine/reject options” → DMARC
The exam occasionally tests whether candidates understand the dependency chain. DMARC is described as “an extension of SPF and DKIM” — this means it consumes their results. It does not perform authentication itself.
- If SPF is not configured: DMARC has no SPF result to work with. The SPF alignment check fails by default.
- If DKIM is not configured: DMARC has no DKIM result to work with. The DKIM alignment check fails by default.
- If neither is configured: DMARC is essentially useless as an enforcement mechanism, even if the DMARC record exists. All messages will fail DMARC alignment and be subject to the policy — but you also have no way to identify which failures are legitimate.
The dependency direction:
- DMARC requires SPF and DKIM to be deployed first
- SPF works independently of DKIM and DMARC
- DKIM works independently of SPF and DMARC
Common wrong answer to reject: “Deploy DMARC with p=reject to stop phishing immediately without needing SPF or DKIM first.” This is wrong: p=reject without SPF/DKIM in place will indiscriminately block or discard all email from the domain since nothing will ever pass alignment checks.
The exam presents scenarios where a security professional wants to immediately deploy the strongest email protection. The tempting answer is “deploy DMARC with p=reject immediately.” This is almost always wrong in a real-world scenario and the exam expects you to know why.
The problem with p=reject on day one: Most organizations have multiple systems that send email using their domain — CRM platforms, marketing tools, HR notifications, ticketing systems, cloud services. These may not all be in the SPF record or configured with DKIM keys. If DMARC p=reject is enforced before they are identified, legitimate business email from these services is discarded by receiving servers worldwide.
p=none first, always:
- p=none causes no enforcement action — all email is delivered regardless of SPF/DKIM results
- But receiving servers still send DMARC aggregate reports
- The administrator reviews these reports to find every IP sending email claiming to be from the domain
- Known legitimate services that fail authentication are added to SPF and configured with DKIM
- Only after the pass rate in reports is high is it safe to escalate to p=quarantine and then p=reject
The exam tests whether candidates know what DMARC reports actually contain and what they reveal. DMARC aggregate reports are one of the most operationally valuable tools a domain owner has — they provide a global view of who is sending email using the domain name.
What the reports show: Each report includes the sending IP, the SPF result, the DKIM result, the DMARC policy that was applied, and the message count. Reports come from every mail server that received messages claiming to be from the domain.
What authentication failure patterns mean:
- Many failures from known legitimate IPs: those IPs are not in SPF or not configured with DKIM — fix the configuration
- Many failures from unknown IPs worldwide: those are attackers spoofing the domain in phishing campaigns — evidence of active domain abuse
The exam scenario: “A domain owner reviews DMARC reports and sees thousands of failed messages from IPs they do not own.” The answer involves two things: this is evidence of domain spoofing, and escalating DMARC policy to p=reject instructs all receiving servers to discard these messages before they reach victims.