SPF, DKIM, DMARC: protecting your payroll emails from spoofing
Why your domain is a target
Your HR SaaS sends emails that employees open without thinking: "your payslip is available", "approve this leave request", "complete your onboarding file". That's exactly what an attacker dreams of. If they can send an email that appears to come from notifications.your-saas.com, they get click rates no ordinary phishing campaign can match.
And if your domain isn't properly protected, they don't even need to compromise anything: they simply spoof the sender address.
The three mechanisms, in plain terms
SPF: who is allowed to send
A DNS record listing the servers authorized to send email for your domain. If you use a sending service (Brevo, SendGrid, Postmark, Resend), its servers must be listed — and nothing else.
Classic mistake: a +all or ?all at the end of the record, which in practice authorizes anyone. End with ~all (softfail) or -all (strict reject).
DKIM: the message wasn't tampered with
A cryptographic signature added to every outgoing email. The recipient verifies it against a public key published in your DNS. Without DKIM, even a correct SPF doesn't protect the message content.
Classic mistake: 1024-bit keys generated in 2019 and never rotated. Move to 2048 bits and plan a yearly rotation.
DMARC: what to do on failure
DMARC tells receiving servers what to do when SPF or DKIM fail: nothing (p=none), quarantine (p=quarantine) or reject (p=reject).
Classic mistake — by far the most frequent one we see in audits: a DMARC record stuck at p=none for years. p=none protects nothing. It's an observation mode, not a policy.
The realistic migration path
p=none with a rua address to receive aggregate reportsp=quarantine with pct=25, then ramp up graduallyp=rejectExpect 4 to 8 weeks for a SaaS vendor with several sending flows. It's slow, but every step is reversible.
Quick checklist
~all or -all, fewer than 10 DNS lookupsp=quarantine minimum, with rua reports actually reviewedmail.your-saas.com for transactional)p=reject (verified logo in inboxes)A CleanIssue First Review includes a check of your email posture: DNS configuration, flow alignment, and real exposure to spoofing. Verdict in 48h.
Go further
Related articles
Three adjacent analyses to keep exploring the same attack surface.
MFA in HR SaaS: why 62% of French vendors still don't offer it
Multi-factor authentication is a standard. Yet the majority of French HR SaaS products don't offer it to their users. Analysis of barriers and solutions.
File uploads in an HRIS: a practical security guide
File upload features are everywhere in HR SaaS. They're also one of the most underestimated attack vectors.
Zero Trust for a small SaaS team: where to start
Zero Trust isn't reserved for large enterprises. Here's how a team of 5 to 30 can apply Zero Trust principles without heavy infrastructure.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.