Back to blog
guidetechnicalHR Tech

SPF, DKIM, DMARC: protecting your payroll emails from spoofing

Published on 2026-06-127 min readCleanIssue

Why your domain is a target

Your HR SaaS sends emails that employees open without thinking: "your payslip is available", "approve this leave request", "complete your onboarding file". That's exactly what an attacker dreams of. If they can send an email that appears to come from notifications.your-saas.com, they get click rates no ordinary phishing campaign can match.

And if your domain isn't properly protected, they don't even need to compromise anything: they simply spoof the sender address.

The three mechanisms, in plain terms

SPF: who is allowed to send

A DNS record listing the servers authorized to send email for your domain. If you use a sending service (Brevo, SendGrid, Postmark, Resend), its servers must be listed — and nothing else.

Classic mistake: a +all or ?all at the end of the record, which in practice authorizes anyone. End with ~all (softfail) or -all (strict reject).

DKIM: the message wasn't tampered with

A cryptographic signature added to every outgoing email. The recipient verifies it against a public key published in your DNS. Without DKIM, even a correct SPF doesn't protect the message content.

Classic mistake: 1024-bit keys generated in 2019 and never rotated. Move to 2048 bits and plan a yearly rotation.

DMARC: what to do on failure

DMARC tells receiving servers what to do when SPF or DKIM fail: nothing (p=none), quarantine (p=quarantine) or reject (p=reject).

Classic mistake — by far the most frequent one we see in audits: a DMARC record stuck at p=none for years. p=none protects nothing. It's an observation mode, not a policy.

The realistic migration path

  • Publish DMARC at p=none with a rua address to receive aggregate reports
  • Analyze 2–4 weeks of reports: identify every legitimate sender (marketing, transactional, CRM, invoicing tool…)
  • Align SPF and DKIM for each of them
  • Move to p=quarantine with pct=25, then ramp up gradually
  • End goal: p=reject
  • Expect 4 to 8 weeks for a SaaS vendor with several sending flows. It's slow, but every step is reversible.

    Quick checklist

  • [ ] SPF present, ends with ~all or -all, fewer than 10 DNS lookups
  • [ ] 2048-bit DKIM on all sending flows (transactional AND marketing)
  • [ ] DMARC at p=quarantine minimum, with rua reports actually reviewed
  • [ ] Separate sending subdomains (e.g. mail.your-saas.com for transactional)
  • [ ] BIMI considered once DMARC reaches p=reject (verified logo in inboxes)
  • A CleanIssue First Review includes a check of your email posture: DNS configuration, flow alignment, and real exposure to spoofing. Verdict in 48h.

    Go further

    Related articles

    Three adjacent analyses to keep exploring the same attack surface.

    Sources

    Written by CleanIssue
    Reviewed on 2026-06-12

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit