Inbound SPF, DKIM and DMARC: How to Stop Spoofed Emails Reaching Your Inbox
Most businesses think of SPF, DKIM and DMARC as outbound controls — records you publish to stop others spoofing your domain. But these same standards are just as powerful when applied to incoming mail. If your mail server isn't actively enforcing them on the way in, spoofed messages impersonating your bank, IRD, suppliers or even your own CEO can slip straight through to your team.
This guide explains how inbound SPF, DKIM and DMARC checks work, and how to configure your mail platform to reject spoofed domains before they cause damage.
Why Inbound Authentication Matters
Phishing and business email compromise (BEC) remain the top cyber threats facing New Zealand businesses, according to CERT NZ. A common tactic is domain spoofing — where an attacker sends email pretending to be from ird.govt.nz, @yourbank.co.nz, or a trusted supplier.
If the sending domain has published SPF, DKIM and DMARC records (as most reputable NZ organisations now do), your mail server can:
- Verify the message genuinely came from an authorised server
- Detect tampering in transit
- Reject or quarantine messages that fail authentication
Without inbound enforcement, you're relying purely on spam filters and user vigilance — neither of which is enough.
How the Three Standards Work on Inbound Mail
SPF (Sender Policy Framework)
SPF lets a domain owner list which IP addresses are allowed to send mail on their behalf. On inbound, your mail server looks up the SPF record for the sender's MAIL FROM (envelope sender) domain and checks whether the connecting IP is listed. If it isn't, SPF returns fail or softfail. Note that SPF says nothing about the visible From: header, which is what your staff actually see.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each outgoing message, with the signing domain named in the signature's d= tag. Your inbound server fetches that domain's public key from DNS and verifies the signature over the signed headers and body. A failed DKIM check means the message was either forged or modified in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together with an alignment check, making sure the domain that SPF or DKIM authenticated matches the visible From: address (exactly under strict alignment, or the same organisational domain under relaxed alignment). It also tells receivers what to do when no aligned check passes: none, quarantine, or reject.
DMARC is the piece that actually stops spoofing, because SPF and DKIM alone don't validate the visible sender.
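The alignment and disposition logic described above, as an added example that is not code from the original article or from any of the mail platforms it names. It takes the SPF and DKIM results an inbound MTA has already computed and does only the DMARC step. The PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List; pct= and DMARC records published at subdomain level are not modelled, and all domains, IPs and records in the demo are made up.

```python
"""DMARC alignment and disposition on inbound mail.

Added illustration (not code from the original article). Takes the SPF and
DKIM results an inbound MTA has already computed and does only the DMARC
step: parse the sender's published record, test identifier alignment against
the visible From: domain, and decide the disposition. Organisational-domain
lookup uses a constructed stand-in for the Public Suffix List, and pct= and
subdomain-level records are not modelled.
"""
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (a real receiver loads the full list).
PUBLIC_SUFFIXES = {"co.nz", "govt.nz", "net.nz", "com", "net", "org"}


def organisational_domain(domain: str) -> str:
    """Registrable domain: mail.ird.govt.nz -> ird.govt.nz, a.b.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into tag -> value, filling in DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")     # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organisational_domain(a) == organisational_domain(f)


@dataclass
class AuthResults:
    """What SPF and DKIM already established for one inbound message."""
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # MAIL FROM (envelope sender) domain that SPF evaluated
    dkim_result: str   # "pass" or anything else
    dkim_domain: str   # d= of the DKIM-Signature that verified ("" if none)


def evaluate_dmarc(record: str, from_domain: str, auth: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM passed *and* its domain aligns with From:."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # p= applies to the organisational domain itself, sp= to its subdomains.
    is_org = organisational_domain(from_domain) == from_domain.lower().rstrip(".")
    policy = tags["p"] if is_org else tags["sp"]
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy}


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s"
    # Spoof: attacker's server, SPF fails, no DKIM -> reject.
    print(evaluate_dmarc(rec, "ird.govt.nz",
                         AuthResults("fail", "ird.govt.nz", "none", "")))
    # Marketing platform sending as your domain without aligned DKIM -> reject.
    print(evaluate_dmarc(rec, "yourbusiness.co.nz",
                         AuthResults("pass", "bounce.mailplatform.example", "pass", "mailplatform.example")))
```

The second demo case is the situation step 4 below warns about: SPF and DKIM both pass for the platform's own domain, yet DMARC still fails because neither aligns with the From: domain. Switching the platform to sign with d=yourbusiness.co.nz makes the DKIM identifier align and the message passes.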
Step-by-Step: Enabling Inbound Enforcement
1. Check Your Mail Platform
Most modern platforms perform SPF, DKIM and DMARC checks by default — but often in monitor-only mode. You need to verify enforcement is actually switched on.
- Microsoft 365 / Exchange Online: Anti-spam and anti-phishing policies in Defender
- Google Workspace: Gmail advanced settings → Safety → Spoofing and authentication
- Self-hosted (Postfix, Exim, etc.): Use opendmarc, opendkim and an SPF policy daemon such as postfix-policyd-spf-python, which Postfix calls through check_policy_service
2. Enforce DMARC Policy on Inbound Mail
In Microsoft 365, navigate to the Microsoft Defender portal and set anti-phishing policy to honour the sender's DMARC policy:
- If DMARC p=quarantine → move to Junk or Quarantine
- If DMARC p=reject → reject the message outright
In Google Workspace, enable:
- Protect against domain spoofing based on similar domain names
- Protect against spoofing of employee names
- Protect against inbound emails spoofing your domain
- Apply the action: Move to spam / Quarantine
3. Postfix Example (Self-Hosted)
If you run your own mail server, here's a minimal inbound SPF + DMARC configuration using postfix-policyd-spf-python and opendmarc. Continuation lines in main.cf must be indented, otherwise Postfix reads each one as a new parameter:
# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    reject_rbl_client zen.spamhaus.org
# policyd-spf must also be defined as a service in master.cf
policyd-spf_time_limit = 3600

# Milters for DKIM + DMARC (8891 = opendkim, 8893 = opendmarc defaults)
smtpd_milters = inet:localhost:8891, inet:localhost:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
And in /etc/opendmarc.conf:
RejectFailures true
SPFSelfValidate true
RequiredHeaders true
AuthservID HOSTNAME
RejectFailures true is the critical line — it tells OpenDMARC to honour p=reject policies from sending domains. Without it (the default is false), OpenDMARC only records its verdict in an Authentication-Results header and lets the message through. Two related caveats: milter_default_action = accept means mail is accepted unchecked whenever a milter is down, so monitor that opendkim and opendmarc are running; and AuthservID must match the name your other milters write into Authentication-Results, otherwise OpenDMARC ignores their results (SPFSelfValidate true avoids this for SPF by having OpenDMARC run its own check).
4. Handle Your Own Domain Carefully
A common mistake: forgetting to authorise legitimate inbound sources of your own domain. For example, if staff send email from a marketing platform to internal distribution lists, those messages may fail DMARC alignment.
Fix this by:
- Adding the sending platform to your own SPF record
- Enabling DKIM signing on that platform
- Or routing internal-to-internal traffic through your primary mail host
5. Monitor with DMARC Reports
Even if your main concern is inbound, reviewing DMARC aggregate reports (sent to you by other receivers about mail that claims to be from your domain) shows who is sending as your domain, including spoofing attempts against it. A typical DMARC record to publish for your own domain:
_dmarc.yourbusiness.co.nz. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourbusiness.co.nz; adkim=s; aspf=s"
Strict alignment (adkim=s; aspf=s) gives the tightest protection: only a DKIM d= or SPF domain that exactly matches the From: domain counts as aligned, so a message authenticated for some other subdomain of yourbusiness.co.nz won't pass as yourbusiness.co.nz.
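Reviewing the reports that the rua= address above receives, as an added example that is not code from the original article or from any reporting tool. The XML is a constructed sample in the RFC 7489 aggregate-report layout, with documentation-range IPs and a made-up report_id; real reports arrive as zip or gzip attachments and need unpacking with zipfile or gzip before parsing.

```python
"""Triage of a DMARC aggregate (rua) report.

Added example, not code from the original article. The XML is a constructed
sample in the RFC 7489 aggregate-report layout, with placeholder IPs and a
made-up report_id; real reports arrive as zip/gzip attachments and are
unpacked with zipfile or gzip before parsing.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourbusiness.co.nz</domain><adkim>s</adkim><aspf>s</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
    <auth_results><dkim><domain>yourbusiness.co.nz</domain><result>pass</result></dkim>
      <spf><domain>yourbusiness.co.nz</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>7</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
    <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
    <auth_results><spf><domain>yourbusiness.co.nz</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> list:
    """Flatten each <record> into a dict with the fields worth reviewing."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated dkim/spf are the *aligned* results
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # raw (unaligned) results and the domains they were checked for
            "dkim_raw": rec.findtext("auth_results/dkim/result"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_raw": rec.findtext("auth_results/spf/result"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows


def classify(row: dict) -> str:
    """Aligned pass = legitimate; raw pass but no alignment = a third party sending
    as you (often a platform that still needs aligned DKIM); nothing passing = spoofing."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "legitimate"
    if row["dkim_raw"] == "pass" or row["spf_raw"] == "pass":
        return "unaligned third party"
    return "unauthenticated"


def triage(xml_text: str) -> dict:
    """Summarise a report: message counts per class and the IPs that failed."""
    summary = {"legitimate": 0, "unaligned third party": 0, "unauthenticated": 0,
               "failing_sources": {}}
    for row in parse_aggregate_report(xml_text):
        label = classify(row)
        summary[label] += row["count"]
        if label != "legitimate":
            summary["failing_sources"][row["source_ip"]] = label
    return summary


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_REPORT)["failing_sources"].items():
        print(f"{ip:16} {label}")
```

The split between "unaligned third party" and "unauthenticated" is the useful one in weekly review: the first usually points at a legitimate platform that still needs to be added to SPF or given aligned DKIM signing (step 4 above), while the second is traffic nobody you know sent, which is what p=reject is there to stop.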
Common Pitfalls to Avoid
- Leaving DMARC at p=none: This is monitor-only. Attackers can still spoof your domain to your own staff.
- Whitelisting by sender address: Allow-listing @ird.govt.nz in your spam filter effectively disables DMARC enforcement for that domain — exactly what attackers want.
- Ignoring subdomains: Add sp=reject to cover subdomains your business doesn't use for email.
- Forwarding breaks SPF: If staff auto-forward mail, use ARC-aware platforms (M365 and Google Workspace support this natively).
Quick Checklist
- ✅ Inbound SPF checks enabled, softfail/fail rejected or quarantined
- ✅ DKIM signature verification enabled
- ✅ DMARC policy honoured (quarantine/reject actions applied)
- ✅ Your own domain's DMARC set to p=reject
- ✅ Internal spoofing protection enabled (display-name and lookalike domains)
- ✅ DMARC aggregate reports monitored weekly
Test Your Configuration with xteam MailCheck
Not sure whether your inbound mail flow is actually rejecting spoofed messages? Our free xteam MailCheck tool analyses your domain's SPF, DKIM and DMARC records, highlights misconfigurations, and shows you exactly how a spoofed message would be handled.
Built specifically for New Zealand businesses, MailCheck gives you a clear, jargon-free report in seconds — so you can close the gaps before attackers find them.
👉 Run a free MailCheck scan now and see how well your domain is protected against spoofing.