Email security essentials


Tim Taylor says why SPF, DKIM and DMARC matter now more than ever.

Tim Taylor

Email remains the cornerstone of business communication – but it is also one of the most commonly exploited channels for cybercrime.

Increasingly sophisticated phishing attempts, domain spoofing, and business email compromise (BEC) attacks are targeting New Zealand businesses of all sizes, causing financial loss, reputational damage, and compliance headaches.

Cybercriminals no longer need to break into your systems. They simply impersonate your domain, trick your clients or staff into trusting a fraudulent message, and wait for the fallout. Without the right protections in place, even a reputable company can be misused as a weapon in someone else’s scam.

This is where three critical email authentication protocols come into play: SPF, DKIM and DMARC. Together, they act as a digital security checkpoint, protecting your business from being misrepresented – and ensuring legitimate messages reach inboxes as intended.

SPF – Controlling who can send on your behalf

SPF, or Sender Policy Framework, lets you define which mail servers are allowed to send emails using your domain name.

When someone receives an email that claims to be from your business, their email provider checks your SPF record to validate the source.

This helps reduce domain spoofing, but it does not protect against forged sender names that may still look convincing to recipients.

DKIM – Verifying that messages are untampered

DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to your outgoing emails. This proves that the content has not been altered in transit and confirms that the message genuinely came from your domain.

Correct setup is essential, as it involves managing cryptographic keys and updating DNS records.

DMARC – Setting the rules and gaining visibility

DMARC, or Domain-based Message Authentication, Reporting and Conformance, builds on SPF and DKIM by defining how recipient servers should handle messages that fail authentication. It also enables reporting so you can monitor who is sending emails on your behalf.

This level of visibility is crucial for spotting abuse and improving email security across your organisation.

Why it matters for every business

Implementing these protocols is not simply a technical upgrade – it is a business risk mitigation strategy. They help prevent impersonation, protect customer trust, support regulatory compliance, and improve the deliverability of your genuine business communications.

At Aviation IT, we work with organisations across aviation, retail and professional services to strengthen their cyber resilience. If you are unsure whether your domain is protected, now is the time to check. Because in today’s digital environment, assuming your emails are safe is no longer enough.


About Author

Tim Taylor is the Managing Director at Aviation IT, based in the Bay of Plenty.