Email Authentication Records: SPF, DKIM, and DMARC

Email Authentication Explained

Protect yourself from phishing syndicates in South Africa

Syndicates that are sophisticated, at least from a social engineering point of view, operate in South Africa, bombarding organisations with fake government tender or courier emails, often sending multiple scams daily. This two-part series explores how to protect your organisation from these and other fraudulent emails.

In Part 1, we focus on email authentication protocols—SPF, DKIM, and DMARC—and reveal their strengths and weaknesses. Part 2 will cover non-authentication indicators of scams, such as suspicious links and behavioural patterns, as well as some disturbing indications of compromised government servers or their users.

SPF: Sender Policy Framework

SPF is a DNS TXT record listing authorised email servers for a domain. When an email arrives from [email protected], the receiving server checks the SPF record against the sending server’s IP, using the MAIL FROM or Return-Path address—not the "From" address shown in email clients.

Senders can configure SPF to reject unauthorised emails or flag them as a soft fail. Without SPF, servers may trust the sender or use greylisting, increasing spam risks.

To check a domain’s SPF record, use:

dig -t TXT google.com

Look for a record starting with v=spf1, like:

v=spf1 include:_spf.google.com ~all

DKIM: DomainKeys Identified Mail

DKIM ensures email integrity using public/private key pairs. The sender’s public key resides in a DNS TXT record. The sending server hashes the email body and signs selected headers (e.g., To, Subject, Date) together with that body hash; the body hash goes in the bh= tag and the signature in the b= tag of the DKIM-Signature header.

The bh= tag lets the receiver confirm the body’s integrity by recomputing the hash. While the From header is often signed, DKIM by itself doesn’t check that the From domain matches the signing domain (d=), so a valid signature from one domain can sit on a message claiming to be from another.

Here’s an example DKIM signature from Google:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1744370196; x=1744974996; darn=jumpingbean.co.za;
        h=to:from:subject:message-id:list-id:feedback-id:precedence
         :list-unsubscribe:reply-to:date:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=UcP3oq8NmmBzZQi2XhAhYnWWRmOQ4WATXuFEpb6k+ww=;
        b=TxAXhYUdqgP0RFnLjMMPj9Hr8C2JRyKFrBypBtNqln+i/B3WRx+f/AGlUxxlNEuLNZ...

To retrieve the public key, query the domain (d=google.com) and selector (s=20230601):

dig 20230601._domainkey.google.com TXT

This returns:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4zd3nfUoLHWFbfoPZzAb8bvjsFIIFsNypweLuPe4M+vAP1YxObFxRnpvLYz7Z+bORKLber5aGmgFF9iaufsH1z0..."

DMARC: Domain-based Message Authentication

DMARC aligns SPF and DKIM results with the "From" domain. For example, an email claiming to be from example.com must have MAIL FROM (SPF) and DKIM domains matching example.com.

A strict DMARC policy (p=reject) blocks misaligned emails, even if SPF or DKIM pass for another domain. DMARC also provides reports to monitor authentication issues.

Check a DMARC policy with:

dig _dmarc.google.com TXT

Example response:

"v=DMARC1; p=reject; rua=mailto:[email protected]"

ARC: Authenticated Received Chain

ARC tracks SPF, DKIM, and DMARC results for emails passing through intermediaries like mailing lists, preserving their authenticity. We won’t cover ARC in detail here.

Limitations of Email Authentication

SPF, DKIM, and DMARC reduce email spoofing, but they rely on proper configuration. Missing DMARC records or misconfigured DNS entries allow spammers to fake the "From" address: SPF and DKIM can both pass for a domain the spammer controls, and only DMARC ties those results to the "From" domain the recipient actually sees.
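The DMARC section and the limitations above both come down to one question: does the domain that SPF or DKIM vouched for align with the "From" domain, and what does the published policy say to do if not? The following added Python example (not code from the original post) parses a DMARC TXT record with the RFC 7489 defaults and applies the alignment rules: a receiver treats the message as DMARC pass when at least one of SPF or DKIM passes for a domain aligned with "From"; strict alignment (adkim=s / aspf=s) needs an exact match, relaxed alignment accepts the same organisational domain. The small public-suffix set is a stand-in for the Public Suffix List and is an assumption of this example; the pct= tag is parsed but not applied.

```python
# Stand-in for the Public Suffix List RFC 7489 uses to find the organisational domain.
# Only the suffixes needed here are listed (assumption: a real implementation loads the full list).
PUBLIC_SUFFIXES = {"co.za", "org.za", "gov.za", "ac.za", "co.uk"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in the RFC 7489 defaults."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        name, _, value = part.partition("=")
        if value:
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    tags.setdefault("pct", "100")     # parsed for completeness, not applied below
    return tags


def organizational_domain(domain: str) -> str:
    """mail.fastway.co.za -> fastway.co.za, vps21150.dreamhostps.com -> dreamhostps.com"""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-keep:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_results):
    """Combine SPF and DKIM outcomes the way a DMARC-aware receiver does.

    record       -- the From domain's DMARC TXT record, or None when the lookup is empty
    spf_result   -- 'pass', 'fail', 'softfail', 'none', ... for the MAIL FROM domain
    spf_domain   -- the MAIL FROM (Return-Path) domain SPF was evaluated against
    dkim_results -- list of (result, d= domain) pairs, one per DKIM-Signature
    Returns (dmarc_result, disposition); disposition is the policy the receiver should apply.
    """
    if record is None:
        return ("none", "none")  # no policy published: a misaligned message has no consequence
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = any(res == "pass" and is_aligned(from_domain, d, tags["adkim"])
                       for res, d in dkim_results)
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    # the sp= policy applies when From is a subdomain of the organisational domain
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    return ("fail", tags["sp"] if is_subdomain else tags["p"])


if __name__ == "__main__":
    # The courier case: SPF passed, but for the Return-Path host, and fastway.co.za publishes no record.
    print(evaluate_dmarc(None, "fastway.co.za", "pass", "vps21150.dreamhostps.com", [("none", "")]))
    # What a hypothetical p=reject record at fastway.co.za would have produced.
    print(evaluate_dmarc("v=DMARC1; p=reject", "fastway.co.za", "pass", "vps21150.dreamhostps.com", []))
```

The second call is the point of the limitations paragraph: the same headers that sailed through as "dmarc=none" would have been rejected had the spoofed domain published p=reject.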

Case Studies: South Africa Scam Emails

Spoofed Fastway.co.za Phishing Email

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mailserver1.recipient-domain.com (localhost [127.0.0.1])
    by mailserver1.recipient-domain.com (Postfix) with ESMTP id CFED3B829E3
    for <[email protected]>; Sun, 13 Apr 2025 07:45:41 +0000 (UTC)
Received: from webserver1.sender-hosting.com [176.31.78.120]
    by mailserver1.recipient-domain.com with POP3 (fetchmail-6.4.38)
    for <[email protected]> (single-drop); Sun, 13 Apr 2025 07:45:41 +0000 (UTC)
Received: from vps21150.dreamhostps.com (vps21150.dreamhostps.com [69.163.197.224])
    by webserver1.sender-hosting.com (Postfix) with ESMTPS id EBE7A16E02CA
    for <[email protected]>; Sun, 13 Apr 2025 08:45:06 +0100 (BST)
Authentication-Results: webserver1.sender-hosting.com;
    dkim=none;
    spf=pass (webserver1.sender-hosting.com: domain of [email protected] designates 69.163.197.224 as permitted sender) [email protected];
    dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
    d=signing-domain.com; s=mail; t=1744530307;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     to:to:cc:content-type:content-type;
    bh=kr/tXZjETnxLC9CK82Dp+VNXBQQgOR10CK28LSxzjNA=;
    b=tIWZANiYUPoYUsp96EsByFCxEtwQ5bP9Gm0aUe086x5OdDygpCaO/lT/v7UEyE6LfOCtsc
    6UMTlOxtn63xGyf5zo6BGx9keD9LzdvAgGtpCPwYgUjQ6R7E9Q5cOA0hbIQ4i7doJJED2J
    Wg3FinBm+0z2YerOn7/K9kOh/rAclzQ=
ARC-Authentication-Results: i=1;
    webserver1.sender-hosting.com;
    dkim=none;
    spf=pass (webserver1.sender-hosting.com: domain of [email protected] designates 69.163.197.224 as permitted sender) [email protected];
    dmarc=none
ARC-Seal: i=1; s=mail; d=signing-domain.com; t=1744530307; a=rsa-sha256;
    cv=none;
    b=H2Q6K2fIhxLyjvHXi52wFP31veFojhXRvspFrKM/qWSCmhSL9Q1TfWQ7BXFtoRKPbUrIUr
    lU1PRxaugc744ocBPLzwWNhFN5MECENbuc2AQx88+MR2zhT+nzMzvDOfTYVeiGq4vtSPnS
    6yOk4xXo8RKxWLSMb8Vwquujwl7GxSc=
Received: by vps21150.dreamhostps.com (Postfix, from userid 6739095)
    id 4Zb1nS3r7FzRN7g8m; Sun, 13 Apr 2025 00:11:56 -0700 (PDT)
To: [email protected]
Subject: Your Shipment is on Hold
X-PHP-Originating-Script: 6739095:send.php
From: Fastway couriers <[email protected]>
Content-Type: text/html; charset=UTF-8
Message-Id: <[email protected]>
Date: Sun, 13 Apr 2025 00:11:56 -0700 (PDT)
X-Spam-Status: Yes, score=11.66
X-Spam-Level: ***********
X-Spamd-Bar: +++++++++++
X-Spam: Yes

Analysis

This email claimed to be from:

From: Fastway couriers <[email protected]>

It passed the SPF check against the domain of [email protected]:

Authentication-Results: webserver1.sender-hosting.com;
    dkim=none;
    spf=pass (webserver1.sender-hosting.com: domain of [email protected] designates 69.163.197.224 as permitted sender) [email protected];
    dmarc=none

Why did the email server validate it against domain of [email protected]? Because of the Return-Path header:

Return-Path: <[email protected]>

No DKIM signature was presented by vps21150.dreamhostps.com, so the message couldn't be checked for integrity; maybe someone altered the email text along the way. Someone like another, more sophisticated spammer, I suppose. Lastly, since fastway.co.za lacks a DMARC policy record, it couldn't be used to detect the spoofed mail.
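The analysis above is a manual walk through three headers: From, Return-Path and Authentication-Results. As an added Python example (not code from the original post), here is that triage automated with the standard library: it parses the Authentication-Results header into its method results and properties, extracts the "From" and Return-Path domains, and reports the gaps the analysis identified. The header block is constructed from the sanitised sample above; the local parts (sender@, noreply@, recipient@) and the smtp.mailfrom property, which the article's redaction removed, are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed headers modelled on the sanitised Fastway sample; local parts and the
# smtp.mailfrom property are made up for the example.
SAMPLE_HEADERS = """\
Return-Path: <sender@vps21150.dreamhostps.com>
Delivered-To: recipient@recipient-domain.com
Received: from vps21150.dreamhostps.com (vps21150.dreamhostps.com [69.163.197.224])
    by webserver1.sender-hosting.com (Postfix) with ESMTPS id EBE7A16E02CA
    for <recipient@recipient-domain.com>; Sun, 13 Apr 2025 08:45:06 +0100 (BST)
Authentication-Results: webserver1.sender-hosting.com;
    dkim=none;
    spf=pass (webserver1.sender-hosting.com: domain of sender@vps21150.dreamhostps.com designates 69.163.197.224 as permitted sender) smtp.mailfrom=sender@vps21150.dreamhostps.com;
    dmarc=none
To: recipient@recipient-domain.com
Subject: Your Shipment is on Hold
From: Fastway couriers <noreply@fastway.co.za>
Date: Sun, 13 Apr 2025 00:11:56 -0700 (PDT)

"""


def parse_authentication_results(value: str) -> dict:
    """Parse an Authentication-Results value (RFC 8601) into
    {'authserv_id': ..., '<method>': {'result': ..., '<ptype.property>': ...}}.
    Parenthesised comments are dropped first; nested parentheses are not handled."""
    value = re.sub(r"\([^()]*\)", " ", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return {}
    results = {"authserv_id": parts[0].split()[0]}  # a version number may follow the id
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result}
        for token in tokens[1:]:
            prop, _, val = token.partition("=")
            entry[prop] = val
        results[method] = entry
    return results


def domain_of(address: str) -> str:
    """Domain part of a display-name address, bare address or bare domain, lower-cased."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def triage_headers(raw_headers: str) -> dict:
    """Pull out the three identities that matter (From, Return-Path, the domain SPF was
    checked against) and list the authentication gaps in the message."""
    msg = email.message_from_string(raw_headers)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    spf = auth.get("spf", {})
    report = {
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "spf_result": spf.get("result"),
        "spf_domain": domain_of(spf.get("smtp.mailfrom", "")),
        "dkim_result": auth.get("dkim", {}).get("result"),
        "has_dkim_signature": "DKIM-Signature" in msg,
        "dmarc_result": auth.get("dmarc", {}).get("result"),
        "findings": [],
    }
    findings = report["findings"]
    # exact comparison here; DMARC relaxed alignment would compare organisational domains
    if report["spf_result"] == "pass" and report["spf_domain"] != report["from_domain"]:
        findings.append(f"SPF passed for {report['spf_domain']} (MAIL FROM), "
                        f"not for the From domain {report['from_domain']}")
    if not report["has_dkim_signature"]:
        findings.append("no DKIM-Signature header: body integrity cannot be verified")
    if report["dmarc_result"] in (None, "none"):
        findings.append(f"no DMARC policy for {report['from_domain']}: the mismatch has no enforcement")
    return report


if __name__ == "__main__":
    for line in triage_headers(SAMPLE_HEADERS)["findings"]:
        print("-", line)
```

The same parser handles the Microsoft-style line further down the page (`mx.microsoft.com 1; spf=pass smtp.mailfrom=...; dmarc=pass action=none header.from=...`), where the properties tell you which domain each result was computed for.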

Dreamhostps SPF

We can check vps21150.dreamhostps.com SPF record with:

dig -t TXT vps21150.dreamhostps.com

This results in a record which tells us to check netblocks.dreamhost.com's SPF record:

vps21150.dreamhostps.com. 300    IN    TXT    "v=spf1 mx include:netblocks.dreamhost.com -all"

You can check netblocks.dreamhost.com records with:

dig -t TXT netblocks.dreamhost.com

Fastways SPF & DMARC

We can check fastway.co.za SPF record with:

dig -t TXT fastway.co.za

This results in:

fastway.co.za.        300    IN    TXT    "v=spf1 mx ip4:103.61.69.0/24 ip4:101.0.80.178/32 ip4:101.0.80.179/32 ip4:101.0.80.180/32 ip4:101.0.80.181/32 ip4:192.168.32.165/24 include:spf.protection.outlook.com -all"

But as explained, this record was never consulted, because SPF was evaluated against the Return-Path domain, not fastway.co.za. We can confirm that fastway.co.za doesn't have a DMARC record with:

dig -t TXT _dmarc.fastway.co.za

This results in an empty response, so DMARC was not configured at the time of writing.
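The dig lookups in the SPF section and in this case study are what a receiving server performs automatically before stamping spf=pass or spf=fail. The following added Python example (not the article's code) evaluates a sending IP against a domain's SPF record the way a receiver does, following include: chains and mx/a lookups. DNS is replaced by an in-memory table so it runs offline: the fastway.co.za, vps21150.dreamhostps.com and dsd-govtenders.online TXT records are the ones quoted in this article, while the MX/A hosts and the included netblocks for dreamhost, secureserver.net and outlook.com are constructed stand-ins, not the real records. The example goes beyond the article's two lookups by also returning softfail, neutral and none results.

```python
import ipaddress

# Constructed stand-in for DNS (see the lead-in for which entries are quoted from the article).
FAKE_DNS = {
    ("fastway.co.za", "TXT"): [
        "v=spf1 mx ip4:103.61.69.0/24 ip4:101.0.80.178/32 ip4:101.0.80.179/32 "
        "ip4:101.0.80.180/32 ip4:101.0.80.181/32 ip4:192.168.32.165/24 "
        "include:spf.protection.outlook.com -all"
    ],
    ("vps21150.dreamhostps.com", "TXT"): ["v=spf1 mx include:netblocks.dreamhost.com -all"],
    ("dsd-govtenders.online", "TXT"): ["v=spf1 include:secureserver.net -all"],
    ("netblocks.dreamhost.com", "TXT"): ["v=spf1 ip4:69.163.128.0/17 -all"],          # constructed
    ("secureserver.net", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],  # constructed
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:40.107.0.0/16 -all"],        # constructed
    ("fastway.co.za", "MX"): ["mail.fastway.co.za"],                                  # constructed
    ("mail.fastway.co.za", "A"): ["103.61.69.10"],                                    # constructed
    ("vps21150.dreamhostps.com", "MX"): ["vps21150.dreamhostps.com"],                 # constructed
    ("vps21150.dreamhostps.com", "A"): ["69.163.197.224"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _host_matches(addr, host, dns) -> bool:
    return any(ipaddress.ip_address(a) == addr for a in dns.get((host, "A"), []))


def check_spf(ip: str, domain: str, dns=FAKE_DNS, depth: int = 0) -> str:
    """Evaluate `ip` against `domain`'s SPF record (RFC 7208 subset: all, ip4, ip6, a, mx, include).

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms at 10 per evaluation
    records = [r for r in dns.get((domain, "TXT"), []) if r.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"       # no SPF record: the receiver learns nothing about this sender
    if len(records) > 1:
        return "permerror"  # two v=spf1 records is a permanent error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:     # modifiers: exp= is informational; redirect= is not implemented here
            if term.startswith("redirect="):
                return "permerror"
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # strict=False tolerates host bits in the prefix (e.g. 192.168.32.165/24 above)
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _host_matches(addr, arg or domain, dns)
        elif mech == "mx":
            matched = any(_host_matches(addr, mx, dns) for mx in dns.get((arg or domain, "MX"), []))
        elif mech == "include":
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"  # only 'pass' inside an include matches
        else:
            return "permerror"  # exists, ptr and CIDR-suffixed a/mx are outside this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 section 4.7: nothing matched and no 'all' term present


if __name__ == "__main__":
    # The courier case: the sending IP passes for the Return-Path host, not for the spoofed domain.
    print("dreamhostps:", check_spf("69.163.197.224", "vps21150.dreamhostps.com"))
    print("fastway.co.za:", check_spf("69.163.197.224", "fastway.co.za"))
```

The two printed results are the whole story of the case study: the receiver only ever asks the first question, and the second is answered only if DMARC makes it ask.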

Non-Authentication Indicators of Phishing

The email body included a suspicious link (https://swingzbegonacervera.com/test), further indicating spam. I might do another article on this at some future date. The syndicates operating in South Africa have a particular set of techniques and tactics that they follow, which can be used to identify phishing emails.

Cybersquatting: dsd-govtenders.online

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from sanitised-domain-two.com (localhost [127.0.0.1])
    by sanitised-domain-two.com (Postfix) with ESMTP id 2562EB82933
    for <[email protected]>; Fri, 11 Apr 2025 14:25:14 +0000 (UTC)
Received: from sanitised-domain-three.com [176.31.78.120]
    by sanitised-domain-two.com with POP3 (fetchmail-6.4.38)
    for <[email protected]> (single-drop); Fri, 11 Apr 2025 14:25:14 +0000 (UTC)
Received: from JN3P275CU003.outbound.protection.outlook.com (mail-southafricanorthazon11021136.outbound.protection.outlook.com [40.107.141.136])
    by sanitised-domain-three.com (Postfix) with ESMTPS id DFEE016E00AD
    for <[email protected]>; Fri, 11 Apr 2025 15:24:18 +0100 (BST)
Authentication-Results: sanitised-domain-three.com;
    dkim=none;
    arc=pass ("microsoft.com:s=arcselector10001:i=1");
    dmarc=none;
    spf=pass (sanitised-domain-three.com: domain of [email protected] designates 40.107.141.136 as permitted sender) [email protected]
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
    d=sanitised-domain-one.com; s=mail; t=1744381460;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:to:
     cc:mime-version:mime-version:content-type:content-type;
    bh=yoYEgrf3l9z7INabfXJ2vAybE/abtR7hsVhzvUAXyhU=;
    b=sPHUeukaI4QDAbQj7SrrEwXy9KZqOEA7oX62U+R8DbHY2oK13zb4UgRsNXV7V0PpVtL/ZR
    dzpyMoqmZZcp3AwATLLQPnn8VjIfFqhb0x4Geb5u8/zdoQjsPx1euvL4DKJh0GBN7VkKDW
    FYqe397t2QJg4vnc+Lpk4FlkJ4G1ue4=
ARC-Authentication-Results: i=2;
    sanitised-domain-three.com;
    dkim=none;
    arc=pass ("microsoft.com:s=arcselector10001:i=1");
    dmarc=none;
    spf=pass (sanitised-domain-three.com: domain of [email protected] designates 40.107.141.136 as permitted sender) [email protected]
ARC-Seal: i=2; s=mail; d=sanitised-domain-one.com; t=1744381460; a=rsa-sha256;
    cv=pass;
    b=dPxdGRXIPqX9DRI9BtVDjm8Ls786WtX/jpIVw2w1diHOJqkDRhx8L/C19SN1VOvF4UQ75p
    wnPo3TKJO0Vb7RaxCil9K9ATA1vvck9jcfD0ZtRIX9vLu1SIjcvdjz1RYsVCGBFUjXY9j+
    C9SOi8u9iH7OSjQKVtEPH3S0jiaKMos=
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=HyyhvFKT/a2UUfqs+55LVKYjvoKN7+9RGfT45R3SJwHb0PMCVjw0WyuOhTDrxpCSV1vNJV2b9/jW0xAA5lsy1PUlJdL9Rmv4sQNlCgRRKQNuGSTmfLGV9VPdY3WWGTZFD9bt3wEWmhEdQhy6lou4Q3POUsbOxyGrdeFB/iI5D8DeA8acE7Tnhx/St4df75nT8pbUv5nnY4GAyEwPCoyk/DtD77frDlLEzsP63FJpvzEvSwvXU1OAaJRY4D7AuA8H99SM2RVRtx77q5rUUumVp7aTFi2v82afkzTcTNMfdTe6HBjoEoYpWyF6oECEiiCvRSMH/mvFKH6V2opBqcwwMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=yoYEgrf3l9z7INabfXJ2vAybE/abtR7hsVhzvUAXyhU=;
 b=MTZfy3Ru/T0IUPJjyIJhKg/kDWn/5e4DZkIksEGOuNXAMlPsClgA8kKnsEUc6NvJba3++MhPcxzVjvT56PgX1xtFz83PavCMk8e78WHKgEdTNYmHj3M6r6sZFVWXoHOF+qSD84ouVCGSrAQqMVDDR7n8ANwXj1SzS7TaUrnI5XBMpBukxeNzpop1x/1EFdxc2sk08WPEqgwVkiTwgFuXEWrSbQYB81J+3Po2vBOq3mw7T8pPJPoNjZu54I/rMKl/OuTTVagU/OKrB1kJXiGlcH5BGMQ5WNhK3LrM55c783+DhqzGxjMdjAqsw5MVciWgQrt4FI5PQiDm150pkl6Kvw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=dsd-govtenders.online; dmarc=pass action=none
 header.from=dsd-govtenders.online; dkim=pass header.d=dsd-govtenders.online;
 arc=none
Received: from CP7P275MB1559.ZAFP275.PROD.OUTLOOK.COM (2603:1086:100:3e::11)
 by JN3P275MB2712.ZAFP275.PROD.OUTLOOK.COM (2603:1086:0:bb::5) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.8632.27; Fri, 11 Apr 2025 14:08:57 +0000
Received: from CP7P275MB1559.ZAFP275.PROD.OUTLOOK.COM
 ([fe80::2910:b44a:8e71:32d3]) by CP7P275MB1559.ZAFP275.PROD.OUTLOOK.COM
 ([fe80::2910:b44a:8e71:32d3%7]) with mapi id 15.20.8632.025; Fri, 11 Apr 2025
 14:08:57 +0000
From: zikhona sodika <[email protected]>
Subject: Seeking Immediate Service Provider
Thread-Topic: Seeking Immediate Service Provider
Thread-Index: AQHbquq6V9sN+KEKtEiv7XNhKuBfLQ==
Date: Fri, 11 Apr 2025 14:08:57 +0000
Message-ID:
 <CP7P275MB1559C0F9FD8A280351263C30C1B62@CP7P275MB1559.ZAFP275.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CP7P275MB1559:EE_|JN3P275MB2712:EE_
x-ms-office365-filtering-correlation-id: 8222b1d6-6690-4ae6-b6e6-08dd790266a1
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam:
 BCL:0;ARA:13230040|7416014|376014|1800799024|366016|7055299006|10085299006|8096899003|4053099003|38070700018|27013499003;
x-microsoft-antispam-message-info:
 =?iso-8859-1?Q?AxjxpuYCDzACm2gNeLj/BnAgl1OM/ytXBKbgUBdnMhwUYfA26pWOjj8wDr?=
 =?iso-8859-1?Q?TJxAj5xC3SRATsgMHIgk793p/4gXaylW6WUNP7yJWoBL3rTitRj7wW55k9?=
 =?iso-8859-1?Q?QUo1Za6O2VRX4vR/xG+vCSFCyhb9v9xyCqqR6Q3kT5WRBRUhkUCi5ebap7?=
 =?iso-8859-1?Q?YQ1hji8zSk38HVYpT9uBAz3EYaw449CzJhO4krqdDdM6NPvCHLDnyzqu2g?=
 =?iso-8859-1?Q?wcF9sCC/mkXa2CHUlYq2Dp3x2YC3l/e4xgwLrb7uOXIk+DLG/iZCweT9yn?=
 =?iso-8859-1?Q?VHsxyvFaNdeQhkEZ33tAjQe3074EFrHJy8KWN62LhLTYKeg+Gbmn0sDAE8?=
 =?iso-8859-1?Q?lg39svLPGn9WtXP8iG3alSqo75EB7jvytLcC7+W/+V9lZYbi+8QtAj8jiG?=
 ...(edited)
x-forefront-antispam-report:
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CP7P275MB1559.ZAFP275.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(7416014)(376014)(1800799024)(366016)(7055299006)(10085299006)(8096899003)(4053099003)(38070700018)(27013499003);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0:
 =?iso-8859-1?Q?0RR4dLnFtVa6l9QD5Tpv9ekvnvy2FTzNyR8akfH+be3QnwSCGUEZ4eXfXi?=
 =?iso-8859-1?Q?aZJJObThtTk9Pt+CmijcRVBd3iMorsQt5X+zsptyfH7Ph4KcvPY85ZSH4l?=
 ...(edited)
Content-Type: multipart/mixed;
    boundary="_004_CP7P275MB1559C0F9FD8A280351263C30C1B62CP7P275MB1559ZAFP_"
MIME-Version: 1.0
X-OriginatorOrg: dsd-govtenders.online
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CP7P275MB1559.ZAFP275.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 8222b1d6-6690-4ae6-b6e6-08dd790266a1
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Apr 2025 14:08:57.5088
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9a580612-8441-4101-9b38-0037105854c3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: l0CMIWIqn/mxzNqrfAaeHucbnB7k8AqY0/JD7yiFFYIT1pVEc6OhvUUaXp7qBgmJIf2OeOiilUfDDCgFofU93fo27V14SGx0G24aWdTzbj23HU/6uZVaCoSit8GrwHGa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: JN3P275MB2712
X-Spam-Status: Yes, score=8.10
X-Spamd-Bar: ++++++++
X-Spam-Level: ********
X-Spam: Yes

--_004_CP7P275MB1559C0F9FD8A280351263C30C1B62CP7P275MB1559ZAFP_
Content-Type: multipart/alternative;
    boundary="_000_CP7P275MB1559C0F9FD8A280351263C30C1B62CP7P275MB1559ZAFP_"

--_000_CP7P275MB1559C0F9FD8A280351

This email used a "fake" domain, dsd-govtenders.online, with a request to quote on a fake tender, hoping that the recipient doesn't look too closely at the sending email domain. The domain dsd-govtenders.online is a "legitimate" domain owned by the scammer. Since they own the domain, they can generate SPF, DMARC and DKIM records for it. They hope that SPF passing is enough to convince you it is legitimate.

Despite this, the Authentication-Results show that neither DKIM nor DMARC is set up:

Authentication-Results: sanitised-domain-three.com;
    dkim=none;
    arc=pass ("microsoft.com:s=arcselector10001:i=1");
    dmarc=none;
    spf=pass (sanitised-domain-three.com: domain of [email protected] designates 40.107.141.136 as permitted

This is only slightly better than some who try to set up DKIM and DMARC but get it wrong. The syndicates like using GoDaddy hosting, which is a common indicator of these tender scam emails.

The use of Exchange by GoDaddy may also give the email a false sense of legitimacy. I mean, Exchange's anti-spam test passes with flying colours, right? The fact that one needs a credit card and other identification to register with GoDaddy makes it even more perplexing why law enforcement can't seem to stop these criminals.

We can check the SPF record for dsd-govtenders.online with:

dig dsd-govtenders.online TXT

We get the response:

dsd-govtenders.online.    3600    IN    TXT    "v=spf1 include:secureserver.net -all"

All the servers are owned by GoDaddy. There is no DKIM header and there is no DMARC record:

dig _dmarc.dsd-govtenders.online TXT

No DNS records are returned. We can look at when the domain was registered with:

whois dsd-govtenders.online

We can extract the following date:
Creation Date: 2025-02-06T17:12:24.0Z

Hmmm, doesn't look legit.

Conclusion

SPF, DKIM, and DMARC are critical for combating email spoofing, but they’re only effective when properly configured. South Africa’s tender scam syndicate exploits missing DMARC records and lax configurations to deceive organisations. By analysing email headers and DNS records, you can identify these scams. Stay tuned for Part 2, where we’ll explore additional red flags like suspicious links and social engineering tactics.
