Email Security Explained Simply: Lessons from Securing Sneos.com
While implementing email security for Sneos.com, I realized how confusing these acronyms (SPF, DKIM, DMARC) can be. Here’s what I learned, explained in a way that actually makes sense.
Think of Email Like Physical Mail
Imagine sending a letter through the postal service. Email security works remarkably similar, just with digital equivalents of real-world security measures.
SPF (Sender Policy Framework): “Who’s Allowed to Send Mail from Your Address?”
SPF is like telling the post office: “Only the Google post office can send letters with my sneos.com return address.”
When you set up SPF, you’re creating a list of authorized mail servers. If someone tries to send fake emails pretending to be from your domain using a different server, recipients will know it’s fake.
Real-world equivalent: It’s like having an official stamp that only certain post offices can use for your company’s mail.
1
v=spf1 include:_spf.google.com ~all
This simple line tells the world: “Only Google’s servers can send email for sneos.com.”
DKIM (DomainKeys Identified Mail): “Your Personal Wax Seal”
Remember how kings used to seal letters with wax and their signet ring? DKIM is exactly that for email.
Every email gets a special invisible signature - a cryptographic hash that proves:
- The email really came from you
- Nobody tampered with it during delivery
When someone receives your email, their server checks this signature against your public key (published in your DNS). If it matches, they know the email is authentic and unchanged.
Real-world equivalent: A wax seal that breaks if anyone opens the letter before it reaches its destination.
DMARC (Domain-based Message Authentication): “What to Do with Fake Letters”
DMARC is your instruction manual for other email servers: “If you get a suspicious letter claiming to be from me, here’s what to do.”
You can set three policies:
- p=none: “Just tell me about suspicious emails” (monitoring mode)
- p=quarantine: “Put suspicious emails in spam”
- p=reject: “Delete suspicious emails completely”
For sneos.com, I started with p=none to monitor what’s happening:
1
v=DMARC1; p=none; rua=mailto:hello@sneos.com
This means I’ll get reports about any suspicious activity without blocking legitimate emails while I fine-tune the settings.
How They Work Together
These three technologies form a security team:
- SPF checks if the sender is authorized to send from your domain
- DKIM verifies the email wasn’t tampered with during transit
- DMARC decides what happens to emails that fail these checks and sends you reports
Together, they create a powerful defense against:
- Email spoofing (someone pretending to be you)
- Phishing attacks using your domain
- Business email compromise
- Brand reputation damage
The Implementation Journey
Setting this up for sneos.com taught me that email security isn’t just about preventing bad actors - it’s about building trust. When users see emails from sneos.com, they can be confident they’re genuine.
The reports I receive at hello@sneos.com show attempted spoofing attempts (thankfully rare), misconfigurations I need to fix, and give me peace of mind that our email infrastructure is secure.
Key Takeaways
- Start with monitoring (p=none in DMARC) before enforcing strict policies
- SPF is easiest - just list your authorized email servers
- DKIM requires setup on your email provider’s side (usually automatic with services like Google Workspace)
- DMARC ties it together and gives you visibility into what’s happening
Email security might seem complex, but it’s really just digital versions of security measures we’ve used for centuries. Once you understand the concepts, implementation becomes straightforward.
Your users deserve to know that emails from your domain are genuine. These three protocols make that guarantee possible. 🔒