
How to configure SPF, DKIM and DMARC for compliance with Essential Cybersecurity Controls (ECC – 2 : 2024), Control 2-4-2

Step-by-step guidance for configuring SPF, DKIM and DMARC to meet ECC – 2 : 2024 Control 2-4-2, including DNS examples, provider tips, monitoring and audit evidence.

April 16, 2026
5 min read


This post explains how to configure SPF, DKIM and DMARC to satisfy Essential Cybersecurity Controls (ECC – 2 : 2024) Control 2-4-2 for email authentication, with practical DNS examples, procedural steps for small businesses, monitoring and compliance evidence that align to the Compliance Framework.

Why this control matters and the implementation approach

ECC – 2 : 2024 Control 2-4-2 requires demonstrable controls to protect email authenticity and reduce phishing, spoofing and business email compromise (BEC). The practical implementation is straightforward: publish a correct SPF DNS record, deploy DKIM signing for every sending domain, and publish a DMARC policy with reporting enabled. The recommended approach for compliance is phased: discover all senders, establish monitoring (DMARC p=none with RUA), validate messages and third-party configurations, then progressively enforce (p=quarantine -> p=reject) while documenting each step for auditors.

Step 1 — SPF: authorizing senders (technical details)

SPF lists the mail servers allowed to send on behalf of your domain. For Compliance Framework evidence, keep a single canonical SPF TXT record at the zone apex and show change control history. Example SPF records and notes:

Example for small business using Google Workspace + SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.45 -all

Notes:
- Use "-all" (fail) when you are confident; "~all" (softfail) during testing.
- Avoid multiple TXT SPF records; consolidate into one.
- Respect the 10 DNS-lookup limit for mechanisms like include, a, mx.

Operational tips: enumerate every service that sends as your domain (marketing, CRM, SaaS transactional email), take include values from the provider's documentation (e.g., _spf.google.com, spf.protection.outlook.com, sendgrid.net, servers.mcsv.net), and use SPF flattening or subdomain delegation if you exceed the DNS lookup limit; document any flattening as a temporary workaround in your compliance evidence.
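As an added example (not code from the original post), the following Python counts the DNS lookups behind an SPF record against a constructed in-memory zone instead of live DNS; the records behind the provider includes and the bloated.example.test entry are assumptions for illustration, the latter showing how the 10-lookup limit is exceeded once every provider plus a and mx are bolted onto one record.

```python
"""Count the DNS lookups an SPF record needs and compare with the RFC 7208 limit of 10."""
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query

# Constructed in-memory zone standing in for live DNS: the records behind the provider
# includes are made up (only their shape is realistic) and use documentation addresses.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.45 -all",
    "_spf.google.com": "v=spf1 include:nb1.google.test include:nb2.google.test ~all",
    "nb1.google.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nb2.google.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "servers.mcsv.net": "v=spf1 ip4:192.0.2.0/25 ~all",
    "spf.protection.outlook.com": "v=spf1 include:m1.outlook.test include:m2.outlook.test ~all",
    "m1.outlook.test": "v=spf1 ip4:198.51.100.0/25 -all",
    "m2.outlook.test": "v=spf1 ip4:198.51.100.128/25 -all",
    "crm.example.test": "v=spf1 ip4:203.0.113.200 ~all",
    # The same business after bolting on every provider plus a and mx: over the limit.
    "bloated.example.test": "v=spf1 include:_spf.google.com include:sendgrid.net "
                            "include:servers.mcsv.net include:spf.protection.outlook.com "
                            "a mx include:crm.example.test -all",
}

def count_spf_lookups(domain, zone=ZONE, path=()):
    """DNS lookups needed to evaluate domain's SPF record: include: and redirect= cost
    one plus whatever their target needs; a, mx, ptr, exists cost one; ip4/ip6/all cost
    nothing. An include loop is cut off here; a real evaluator returns permerror."""
    if domain in path:
        return 0
    record = zone.get(domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return 0                                   # missing or non-SPF record: nothing to follow
    lookups = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # qualifier does not change the cost
        if term.lower().startswith("redirect="):
            lookups += 1 + count_spf_lookups(term[9:], zone, path + (domain,))
            continue
        mech, _, target = term.partition(":")
        mech = mech.split("/")[0].lower()          # "a/24" -> "a"
        if mech == "include":
            lookups += 1 + count_spf_lookups(target, zone, path + (domain,))
        elif mech in LOOKUP_MECHANISMS:
            lookups += 1
    return lookups

def within_limit(domain, zone=ZONE):
    """True when the record can be evaluated without exceeding the 10-lookup limit."""
    return count_spf_lookups(domain, zone) <= SPF_LOOKUP_LIMIT
```

Swap the constructed ZONE for a TXT resolver (for example dnspython) to run the same count against your real zone before each SPF change.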

Step 2 — DKIM: signing messages (key management and DNS)

DKIM adds a cryptographic signature to headers so receivers can verify mail integrity and origin. For Compliance Framework implementation evidence, publish the public key in a DNS TXT record under the chosen selector, retain the private key in a secured key store, and keep key-rotation documentation. Example DKIM DNS entry (selector "s1", 2048-bit key):

Host (DNS): s1._domainkey.example.com
Type: TXT
Value:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFA...base64-public-key...IDAQAB

Technical guidance: use 2048-bit keys where possible, rotate keys annually or when personnel change, and verify signing for each sending service—many providers (Google Workspace, Microsoft 365, SendGrid, Mailchimp) offer DKIM key generation and provide the exact selector/DNS text to publish. Log DKIM verification results in your mail gateway or SIEM as compliance evidence.

Step 3 — DMARC: policy, alignment and reporting

DMARC tells receivers how to handle messages that fail SPF/DKIM and provides reporting so you can prove monitoring and enforcement. Start with a monitoring policy, then move to enforcement once you have clean data. Example DMARC record to begin monitoring:

Host (DNS): _dmarc.example.com
Type: TXT
Value:
v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100; adkim=s; aspf=s

Implementation notes specific to the Compliance Framework: retain DMARC aggregate (RUA) reports for the audit retention period defined by your policy, parse reports automatically with an aggregator (dmarcian, DMARC Analyzer, open-source parsers) and capture evidence of progressive policy changes from none -> quarantine -> reject with timestamps and justification. Use strict alignment (adkim=s, aspf=s) when your business needs to block forwarded or spoofed mail more aggressively; document why strict vs relaxed was chosen.

Real-world small business scenario and third-party senders

Example: a small e-commerce firm uses Google Workspace for staff mail, SendGrid for order confirmations, and Mailchimp for marketing. Implementation steps:
- Identify the sending IPs and each provider's include value.
- Create one SPF record with include:_spf.google.com include:sendgrid.net include:servers.mcsv.net plus your own mail server IPs.
- Configure DKIM for Google Workspace (customer-managed or Google-managed), obtain DKIM keys from SendGrid and Mailchimp, and publish the selectors.
- Publish a DMARC record with p=none and RUA to collect at least 30 days of data, then tighten to p=quarantine for two weeks and to p=reject once false positives fall below your acceptable threshold.
Keep screenshots of provider DKIM dashboards and DNS changes as compliance artifacts.

Monitoring, evidence and risk of non-implementation

Monitor DMARC aggregate reports daily or weekly, review forensic reports for active attacks, and log all changes in your change management system. Compliance evidence should include DNS record snapshots, DMARC report summary charts, policy change approval records and retention logs. Risks of not implementing these controls include more successful phishing and BEC attempts, reputational damage, blocked email delivery, potential regulatory penalties depending on sector, and failure during compliance audits, because the control requires demonstrable email authentication and monitoring.
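As an added example (not the post's code and not any aggregator's), the following Python parses a constructed DMARC aggregate report in the RFC 7489 XML shape, separates failures from senders you authorized (false positives) from failures from unknown sources, and applies the false-positive threshold from the staged rollout above to decide whether to tighten from p=none to p=quarantine or p=reject; the known-sender networks and the threshold are assumptions.

```python
"""Summarize a DMARC aggregate (RUA) report and judge enforcement readiness."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in RFC 7489 aggregate-report shape (not a real receiver's output).
# 203.0.113.45 is the post's mail-server IP; the rest are documentation ranges.
# <policy_evaluated> already reflects alignment, so it is what the receiver used.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p><adkim>s</adkim><aspf>s</aspf></policy_published>
 <record><row><source_ip>203.0.113.45</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.11</source_ip><count>25</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Constructed: the networks you have authorized (own server plus one provider range).
KNOWN_SENDERS = [ipaddress.ip_network("203.0.113.45/32"), ipaddress.ip_network("192.0.2.0/24")]
NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}

def summarize_rua(xml_text, known_senders=KNOWN_SENDERS):
    """Count messages, DMARC passes, false positives (known senders that fail) and
    failures from unknown sources, which is the mail that enforcement would stop."""
    root = ET.fromstring(xml_text)
    s = {"domain": root.findtext("policy_published/domain"),
         "policy": root.findtext("policy_published/p"),
         "total": 0, "passed": 0, "false_positives": 0, "unknown_failed": 0}
    for rec in root.iter("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        count = int(rec.findtext("row/count"))
        results = (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        s["total"] += count
        if "pass" in results:                             # one aligned pass is enough for DMARC
            s["passed"] += count
        elif any(ip in net for net in known_senders):
            s["false_positives"] += count                 # legitimate mail that would be blocked
        else:
            s["unknown_failed"] += count
    s["fp_rate"] = s["false_positives"] / s["total"] if s["total"] else 0.0
    return s

def next_policy(summary, fp_threshold=0.01):
    """Tighten none -> quarantine -> reject only when false positives are within the
    threshold; otherwise keep the current policy and fix the failing known sender."""
    return NEXT_POLICY[summary["policy"]] if summary["fp_rate"] <= fp_threshold else summary["policy"]
```

In the sample the 40 failing messages from 192.0.2.10 (a known sender without DKIM yet) keep the policy at p=none, while the 15 from 198.51.100.7 are exactly what enforcement is meant to stop.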

Compliance tips and best practices

Best practices: start with p=none and RUA enabled, then move to p=quarantine and p=reject gradually. Send aggregate reports to a mailbox that accepts DMARC reports or to a third-party aggregator. Use 2048-bit DKIM keys and rotate them. Keep SPF under the 10-lookup limit and document any flattening. Apply an sp= policy for subdomains if needed. Record evidence of all DNS changes, test with tools such as MXToolbox, DMARC Inspector and Google Postmaster Tools, and keep logs for the Compliance Framework retention period. Assign a dedicated owner, create runbooks for onboarding new senders, and include DMARC review in your quarterly security review to remain compliant with Control 2-4-2.

Summary: To meet ECC – 2 : 2024 Control 2-4-2, implement a controlled, auditable rollout of SPF, DKIM and DMARC—discover senders, publish consolidated SPF; enable DKIM with secure key management; deploy DMARC with reporting and a staged enforcement plan—while retaining evidence, monitoring reports, and documenting decisions and approvals. Following these steps reduces phishing risk, improves deliverability and provides the demonstrable controls auditors expect under the Compliance Framework.
