Email remains the most important communication channel for Swiss businesses — and at the same time one of the most popular attack targets. Phishing, Business Email Compromise (BEC), and email spoofing cause billions in damages worldwide. The good news: with the three DNS standards SPF, DKIM, and DMARC, email spoofing can be effectively prevented. The bad news: many SMEs have not configured these standards or have configured them incorrectly.<\/p>\n
Email spoofing means that an attacker sends emails that appear to come from your domain. The sender displays “info@yourcompany.ch” — but the email comes from a completely unrelated server. Without appropriate protective measures, there is no technical way for the recipient to detect the forgery.<\/p>\n
The consequences can be severe:<\/p>\n
In Switzerland, the BACS (Federal Office for Cybersecurity, formerly NCSC) has been observing an increase in BEC attacks specifically targeting Swiss SMEs for years. The damage per incident ranges from a few thousand to several hundred thousand francs.<\/p>\n
SPF is the simplest of the three standards. An SPF record is a DNS entry (TXT record) that defines which servers are allowed to send emails on behalf of your domain.<\/p>\n
A typical SPF record looks like this:<\/p>\n
v=spf1 include:_spf.google.com include:spf.hostpoint.ch ip4:203.0.113.5 -all<\/strong><\/p>\n This record says: “Only Google Workspace, Hostpoint mail servers, and the server with IP 203.0.113.5 are allowed to send emails for this domain. All others will be rejected.”<\/p>\n Common SPF mistakes:<\/p>\n DKIM goes a step further than SPF: it signs every outgoing email with a cryptographic key. The receiving server verifies the signature using a public key that is also stored as a DNS record.<\/p>\n DKIM offers two advantages over SPF:<\/p>\n Setting up DKIM requires collaboration with your email provider: the provider generates the key pair, signs outgoing emails, and provides the public key that must be entered as a DNS record.<\/p>\n DMARC is the crucial piece of the puzzle. It defines what should happen to emails that fail both SPF and DKIM — and delivers reports about them.<\/p>\n A DMARC record looks like this:<\/p>\n v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.ch; ruf=mailto:dmarc@yourcompany.ch; adkim=s; aspf=s<\/strong><\/p>\n The key parameters:<\/p>\n The following guide describes the setup with the most common Swiss hosting providers.<\/p>\n Before making any changes, check the current state of your DNS records. An automated DNS scanner will immediately show whether SPF, DKIM, and DMARC are present and correctly configured. Many SMEs discover during this process that SPF exists but is faulty — or that DMARC is completely missing.<\/p>\n List all services that send emails on behalf of your domain:<\/p>\n At Hostpoint:<\/strong> Log in to the Control Panel, navigate to “Domains” then your domain then “DNS Editor”. Create a TXT record for the main domain with the SPF value. Hostpoint typically uses: include:spf.hostpoint.ch<\/strong><\/p>\n At Infomaniak:<\/strong> Under “Web & Domain” then “DNS Zone” then “Add Entry”. Infomaniak uses: include:_spf.infomaniak.ch<\/strong><\/p>\n At cyon:<\/strong> Under “my.cyon.ch” then “Domains” then “DNS\/Nameserver”. cyon uses: include:spf.cyon.ch<\/strong><\/p>\n DKIM activation depends heavily on the provider:<\/p>\n Always start in monitoring mode (p=none) to see which emails pass SPF and DKIM and which do not.<\/p>\n Create a TXT record for _dmarc.yourdomain.ch<\/strong> with the value:<\/p>\n v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.ch<\/strong><\/p>\n Keep this mode active for 2 to 4 weeks and evaluate the incoming reports. The reports show which servers are sending emails for your domain and whether they pass SPF\/DKIM. This allows you to identify whether any servers are missing from the SPF record before switching to “quarantine” or “reject”.<\/p>\n After ensuring that all legitimate email sources are correctly authenticated, tighten the DMARC policy gradually:<\/p>\n Make sure to continue monitoring the rua reports to detect issues early.<\/p>\n From practical experience with hundreds of DNS analyses, typical error patterns emerge:<\/p>\n Manually checking SPF, DKIM, and DMARC records is feasible for one domain. But most SMEs operate multiple domains: the main domain, a .com variant, possibly a product domain, or the domain of a subsidiary. Each domain needs its own records, and every change to the email setup (new newsletter provider, new CRM) requires adjustments.<\/p>\n Automated DNS scanners check all of a company’s domains regularly and report:<\/p>\n Setting up SPF, DKIM, and DMARC is not a mammoth project. For a typical SME with one domain and one email provider, the configuration can be completed in a few hours. The effort is entirely disproportionate to the protection these measures provide.<\/p>\n Priority list:<\/p>\n Email spoofing is a solved problem — at least technically. Together, SPF, DKIM, and DMARC provide effective protection against sender forgery. What is missing is consistent implementation. Many Swiss SMEs leave their most important communication infrastructure unprotected, even though the solution is available and free.<\/p>\n ExposIQ automatically checks the email security configuration of your domains as part of every scan: SPF, DKIM, DMARC, MX records, and DNSSEC. Misconfigurations are clearly identified and prioritised. Combined with over 35 additional scan engines for network, web, and infrastructure security. Hosted in Switzerland, nDSG-compliant, from CHF 99 per month. Learn more at exposiq.ch<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Email remains the most important communication channel for Swiss businesses — and at the same time one of the most popular attack targets. Phishing, Business Email Compromise (BEC), and email spoofing cause billions in damages worldwide. The good news: with the three DNS standards SPF, DKIM, and DMARC, email spoofing can be effectively prevented. The … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"rank_math_focus_keyword":"spf dkim dmarc configuration","rank_math_title":"Email Security: How to Configure SPF, DKIM and DMARC Correctly","rank_math_description":"Email spoofing is a top attack vector. SPF, DKIM and DMARC explained simply with step-by-step guide for Swiss hosting providers.","rank_math_robots":"","rank_math_canonical_url":"","rank_math_primary_category":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-1164","post","type-post","status-publish","format-standard","hentry","category-it-sicherheit","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"_links":{"self":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/comments?post=1164"}],"version-history":[{"count":0,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1164\/revisions"}],"wp:attachment":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/media?parent=1164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/categories?post=1164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/tags?post=1164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
DKIM (DomainKeys Identified Mail)<\/h3>\n
\n
DMARC (Domain-based Message Authentication, Reporting and Conformance)<\/h3>\n
\n
Step-by-Step Setup<\/h2>\n
Step 1: Check the Current State<\/h3>\n
Step 2: Create or Correct the SPF Record<\/h3>\n
\n
Step 3: Activate DKIM<\/h3>\n
\n
Step 4: Set Up the DMARC Record<\/h3>\n
Step 5: Tighten the Policy<\/h3>\n
\n
Common Mistakes and Pitfalls<\/h2>\n
\n
Automated Checking: Why Manual Verification Does Not Scale<\/h2>\n
\n
What Swiss SMEs Should Do Now<\/h2>\n
\n
Conclusion<\/h2>\n