Ridgeline Skill

For Security Engineers, IT Administrators, and SOC Analysts

Aligned to RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC)

Email Authentication Masterclass

Focused skills. One thing, learned properly.

Learn to deploy SPF, DKIM, and DMARC at enforcement — the configuration that makes your domain unspoofable. Every protocol from the DNS record up, with the deployment methodology that reaches p=reject without breaking legitimate mail flow.

Content last updated: April 2026

Why take this course

For M365 administrators, email engineers, and security practitioners owning email security. You finish able to design and deploy SPF, DKIM, and DMARC to enforcement — the discipline that closes email spoofing as an attack surface and satisfies most regulatory email-auth requirements.

What this skill teaches

Email authentication is three protocols working together: SPF validates the sending server's IP, DKIM validates the message integrity with a cryptographic signature, and DMARC ties them together with a policy that tells receiving servers what to do when both fail. Each protocol has implementation details that most guides gloss over — SPF lookup limits, DKIM key rotation, DMARC aggregate vs forensic reports, alignment modes, and the interactions between them that cause legitimate mail to fail authentication.

This skill teaches every protocol at the DNS record level. You'll read raw TXT records, understand every field, diagnose failures from message headers, and deploy enforced policies in M365 and Google Workspace.

What you will be able to do

1. Write SPF records that authorize every legitimate sending source for your domain — including third-party services — without exceeding the 10-lookup limit that silently breaks authentication.

2. Configure DKIM signing in M365 or Google Workspace with custom selectors, and understand key rotation, selector management, and what happens when a DKIM signature fails verification.

3. Deploy DMARC from p=none (monitoring) through p=quarantine to p=reject (enforcement), using aggregate reports to identify legitimate senders before tightening the policy.

4. Diagnose authentication failures from email message headers — read Authentication-Results, identify which check failed and why, and fix the root cause in DNS or platform configuration.

5. Audit any domain's email authentication posture in under 5 minutes using DNS queries and header analysis — and produce a remediation plan with specific DNS records to add or modify.

Skill at a glance

Format: Ridgeline Skill — focused, practical, one topic

Sections: 5 content sections + guided lab

Tier: Premium subscription

Prerequisites: Basic understanding of DNS (what a TXT record is). If you've ever added a DNS record for a website or email service, you have enough. The Endpoint Security course covers Defender for Office 365 policies that complement email authentication.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

DNS record templates: Production-ready SPF, DKIM, and DMARC records for M365, Google Workspace, and hybrid environments — copy, adapt the domain, deploy.

Header analysis playbook: A step-by-step method for reading Authentication-Results headers and diagnosing exactly which check failed and why — the troubleshooting skill you'll use every time a vendor says "our emails are being blocked."

DMARC deployment roadmap: The phased approach from p=none to p=reject with specific milestones, report analysis steps, and go/no-go criteria at each phase.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Sections

Five focused sections plus a guided audit lab. Every record and header example uses Northgate Engineering's domain.

EA0.1
SPF: How It Works and How to Get It Right — The envelope sender, return-path, and how SPF validates the sending IP against the domain's TXT record. Record syntax: ip4, include, a, mx, redirect, all. The 10-lookup limit and why exceeding it silently breaks SPF. Flattening, nested includes, and the third-party sender problem. NE scenario: build the SPF record for northgateeng.com with M365, Mailchimp, and a ticketing system.
EA0.2
DKIM: Signing, Selectors, and Key Management — How DKIM signs outbound mail with a private key and publishes the public key in DNS. Selectors, canonicalization (relaxed vs simple), header fields signed, body hash. Key sizes (1024 vs 2048), key rotation, and selector naming. What breaks DKIM: mailing lists, forwarding services, message modification. NE scenario: enable DKIM signing in M365 with custom selectors for northgateeng.com.
EA0.3
DMARC: Policy, Reporting, and the Road to p=reject — How DMARC uses SPF and DKIM alignment to make a pass/fail decision. Alignment modes: strict vs relaxed. Policy levels: p=none, p=quarantine, p=reject. Subdomain policy with sp=. Aggregate reports (rua) and forensic reports (ruf): what they contain, how to read them, and free tools for analysis. The phased deployment: none → quarantine 10% → quarantine 50% → quarantine → reject. NE scenario: deploy DMARC from monitoring to enforcement over 8 weeks.
EA0.4
Troubleshooting and Real-World Failures — Reading Authentication-Results headers field by field. SPF failures: too many lookups, missing include, wrong IP. DKIM failures: key mismatch, selector not found, body modification. DMARC failures: alignment mismatch (SPF passes but domain doesn't align). The forwarding problem: why forwarded mail breaks SPF and how ARC (Authenticated Received Chain) addresses it. 10 real-world failure scenarios with diagnosis and fix.
EA0.5
M365 and Google Workspace Implementation — Platform-specific deployment for the two most common business email platforms. M365: Exchange Online SPF, DKIM signing with custom domains, DMARC record, Defender for Office 365 anti-spoofing policies, and how authentication results feed into the Defender threat protection stack. Google Workspace: SPF for Google's sending IPs, DKIM key generation and DNS publishing, DMARC setup, and Gmail's authentication indicators. Third-party senders: Mailchimp, HubSpot, Salesforce, ticketing systems — adding each to SPF and DKIM without exceeding limits.
Lab
Guided Lab: Audit and Fix Northgate Engineering's Email Authentication — Northgate Engineering's current email setup has gaps: an SPF record with 12 lookups (over the limit), no DKIM signing, and DMARC at p=none for 18 months. Audit the current DNS records. Identify every failure. Write the corrected SPF record (flattened to under 10 lookups), enable DKIM, and deploy DMARC with a phased enforcement timeline. Produce an audit report suitable for presenting to the CISO.

Where email authentication fits

Email authentication is the first line of defence against domain spoofing — the technique behind BEC, credential phishing, and brand impersonation. It complements Defender for Office 365 anti-phishing policies (covered in Endpoint Security), email threat investigation (covered in Practical IR), and M365 security posture (covered in M365 Security Operations).

What this skill is not

This is not a general email security course. It doesn't cover anti-malware scanning, attachment sandboxing, URL detonation, or email DLP. Those are platform features covered in the full courses. This skill covers the DNS-based authentication layer specifically — the protocol-level controls that determine whether a receiving server trusts that a message actually came from your domain.