How can companies effectively protect their email communications from manipulation and misuse?
Most email systems were developed at a time when security was not yet a central concern. They are based on an open protocol that neither clearly verifies the sender address nor protects the content. Attackers deliberately exploit these vulnerabilities by, for example, using fake sender addresses (spoofing) or placing fraudulent content to manipulate recipients. It is therefore essential for companies and organizations to rely on modern protection mechanisms to ensure the authenticity and integrity of email communication. Four key technologies offer protection here: SPF, DKIM, DMARC, and S/MIME. These pursue different approaches – and can be optimally combined.

1. SPF (Sender Policy Framework)
SPF is one of the first lines of protection against email spoofing. Companies or organizations specify in their DNS records which mail servers are authorized to send emails on behalf of their domain. The receiving mail server checks incoming messages to see if the sender’s IP matches an authorized source. If it does not, the email is rejected or flagged. SPF thus prevents unauthorized servers from appearing on behalf of your domain. However, the check is limited to the envelope sender’s domain—the content of the message is not verified.
2. DKIM (DomainKeys Identified Mail)
DKIM complements SPF with a type of digital signature. When the email is sent, the sending server adds a cryptographic signature that covers selected header fields and the body of the message. The public key for verifying this signature is published in the domain’s DNS. The recipient can thus determine whether the message has been altered during transport. DKIM does not directly confirm the sender, but it ensures the integrity of the email content. A major advantage: tampering can be detected afterwards.
3. DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM and acts as a checkpoint. Companies use it to define a policy for how receiving servers should handle emails that fail SPF or DKIM checks. At the same time, DMARC requires that the domain in the visible sender address must match the domain used in SPF/DKIM (so-called alignment). Companies can also request reports to gain an overview of misuse of their domains. DMARC is therefore not only a protection mechanism but also a valuable analytical tool.
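How the three DNS records are consulted, as an added example that is not part of the original article: a minimal SPF evaluator, a DMARC record parser and the alignment test, run against constructed records for the hypothetical domain example.com. All names and values are assumptions; include:/a/mx mechanisms and live DNS lookups are left out.

```python
import ipaddress
import re

# Constructed DNS TXT records for the hypothetical domain example.com (not
# real records). A receiver would fetch these via DNS; they are embedded
# here so the example runs offline.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, sending_ip: str) -> str:
    """Evaluate the ip4/ip6 mechanisms and the final 'all' of an SPF record.
    Returns pass, fail, softfail, neutral, or none (no record published)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qual = "+"                      # mechanisms default to '+' (pass)
        if term[0] in SPF_QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return SPF_QUALIFIERS[qual]
        m = re.fullmatch(r"ip([46]):(.+)", term)
        if m and ip in ipaddress.ip_network(m.group(2), strict=False):
            return SPF_QUALIFIERS[qual]
    return "neutral"                    # record ended without an 'all' term

def parse_dmarc(domain: str) -> dict:
    """Parse the _dmarc TXT record into its tags: p is the policy for failing
    mail (none/quarantine/reject), adkim/aspf the alignment modes (r/s)."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    tags.setdefault("adkim", "r")       # RFC 7489 defaults to relaxed
    tags.setdefault("aspf", "r")
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment of the visible From domain with the domain that passed
    SPF or DKIM: strict needs an exact match, relaxed the same organizational
    domain (approximated by the last two labels; receivers use the PSL)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(from_domain) == org(auth_domain)
```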
4. S/MIME (Secure/Multipurpose Internet Mail Extensions)
While SPF, DKIM, and DMARC operate at the domain level, S/MIME works directly at the user level. Each person receives a unique digital certificate with which they can sign and encrypt emails. This allows the recipient to clearly identify whether the message originates from the actual sender and whether the content has been altered since it was sent. Additionally, S/MIME uses encryption to protect emails from unauthorized interception. This end-to-end encryption makes S/MIME particularly attractive for industries with high data protection requirements, such as healthcare, the financial sector, or public administration.

Why S/MIME is an essential component of modern email security
Unlike SPF, DKIM, and DMARC, which only confirm the authenticity of the sender and the integrity of the message, S/MIME offers a holistic solution: It encrypts the entire email content and ensures that only authorized recipients have access. This protection is particularly essential in professional contexts or in the healthcare sector, where confidential information is exchanged daily. zertmail. supports companies and organizations with the simple and fully automated integration of S/MIME certificates. Your employees receive maximum security without any additional technical effort – including automatic certificate renewal and centralized administration.

How can I verify the authentication of an email?
Many common email clients allow you to view the full message headers by clicking “Show original” or “Show details.” There, in the Authentication-Results header, you can see whether a message has passed SPF, DKIM, and DMARC—typically with entries like “spf=pass,” “dkim=pass,” or “dmarc=pass.” This information indicates whether the message originates from an authorized server and has not been tampered with. This requires domain owners to configure their DNS records correctly—otherwise, even legitimate emails can be blocked or marked as spam.
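Reading that header programmatically, as an added example that is not from the original article: the Authentication-Results header of a constructed message is parsed into per-method results and turned into a verdict. The receiving server name mx.example.net, the addresses and the header values are assumptions.

```python
import email
import re

# Constructed raw message (not a real capture) carrying the header a
# receiving MTA writes after running SPF, DKIM and DMARC; "Show original"
# in a mail client exposes exactly this block.
RAW_MESSAGE = b"""\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=example.com;
 dkim=pass header.d=example.com header.s=sel1;
 dmarc=pass (p=REJECT) header.from=example.com
From: Alice <alice@example.com>
To: bob@example.net
Subject: Quarterly report

Hello Bob,
"""

METHODS = ("spf", "dkim", "dmarc")

def parse_auth_results(raw: bytes, authserv_id: str) -> dict:
    """Return {method: (result, properties)} from the Authentication-Results
    header written by the trusted receiving MTA `authserv_id`. Headers with
    another authserv-id are ignored, since a sender can add its own copy."""
    msg = email.message_from_bytes(raw)
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # Unfold continuation lines, then split authserv-id from the resinfo parts
        flat = " ".join(str(hdr).split())
        head, *parts = [p.strip() for p in flat.split(";")]
        if head.split()[0] != authserv_id:
            continue
        for part in parts:
            m = re.match(r"(\w+)=(\w+)", part)
            if not m or m.group(1) not in METHODS:
                continue
            props = dict(re.findall(r"(\S+\.\S+)=(\S+)", part))
            results[m.group(1)] = (m.group(2), props)
    return results

def verdict(results: dict) -> str:
    """'authenticated' only if all three methods report pass; a missing
    method counts as a failure rather than being silently ignored."""
    for method in METHODS:
        result, _ = results.get(method, ("missing", {}))
        if result != "pass":
            return f"not authenticated ({method}={result})"
    return "authenticated"
```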
The signature technologies DKIM vs. S/MIME in comparison
| | DKIM | S/MIME |
|---|---|---|
| Certificate issuer | self-signed | CA |
| Signer | any | Sender |
| Scope | only domain | Domain / Email address |
| Signing email content | optional | always |
| Guard | via DNSSEC, DMARC | integral |
Important differences at a glance:
- SPF: Protects against spoofed sender IP addresses – but doesn’t help with manipulated content
- DKIM: Provides a verifiable signature for content, preventing undetected changes
- DMARC: Leverages SPF & DKIM, providing policies and comprehensive control
- S/MIME: Encrypts and signs emails directly at the sender – ideal for data protection and compliance
Conclusion: What makes sense for your company?
Strong email protection relies on a combination of measures rather than individual ones. SPF, DKIM, and DMARC are essential to protect your domain from misuse and ensure the deliverability of your messages. For particularly sensitive content, we recommend using S/MIME as an additional protection.
With zertmail., using S/MIME is particularly easy: Certificates are automatically created, renewed, and managed and can be used on any device – for legally compliant email delivery without IT effort.