SMTP — the protocol that carries email — was designed in 1982 with no mechanism for verifying that a sender is who they claim to be. Anyone with a mail server can send an email claiming to be from president@whitehouse.gov, ceo@yourbank.com, or any address on any domain. SPF, DKIM, and DMARC are the retrofit that closes most of that gap. Here's how they actually work.

Email spoofing — sending a message that falsely claims a sender address — has existed for as long as email itself. It's the enabling mechanism for a significant fraction of phishing, business email compromise, and brand impersonation. The three email authentication standards built to address it each solve a different piece of the problem, and they layer together in a specific way.

SPF: Authorizing Sending Servers

Sender Policy Framework (SPF) is the simplest of the three standards. A domain owner publishes a DNS TXT record listing which IP addresses and mail servers are authorized to send email on behalf of that domain.…
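
How a receiving server evaluates such a record against the connecting IP address, shown as an added example that is not part of the original article. It assumes only the `ip4`, `ip6`, `include` and `all` mechanisms; the domain names and records in `SAMPLE_DNS` are constructed and stand in for DNS TXT lookups.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (placeholder domains).
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, dns=SAMPLE_DNS, depth=0):
    """Return the SPF result for client_ip sending mail as domain."""
    record = dns.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # domain publishes no SPF policy
    if depth > 10:  # simplified guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    # Mechanisms are evaluated left to right; the first match decides.
    for term in record.split()[1:]:
        result = "pass"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif name == "include":
            # include matches only when the referenced policy yields "pass"
            inner = check_spf(client_ip, value, dns, depth + 1)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism outside this example's scope
    return "neutral"  # no mechanism matched and no "all" term present
```
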