Protecting your email domain from spoofing

Find out what the SPF, DMARC, and DKIM protocols are and how they can keep your emails secure.

How to secure your email domain

There are a number of ways kura and schools can become verified senders by securing their email domain.

To ensure that bulk emails – such as your school newsletter – doesn’t end up as spam, and continues to reach parents, caregivers and whānau. Schools and kura will need to put in place the following email security protocols.

For all kura and schools

  • Set up SPF email authentication for your domain.
  • The Ministry strongly recommends adding DMARC to help you track that your emails reach their intended audience; or troubleshoot any issues.

For kura or schools with a roll over 2,500 (or sends 5,000+ emails a day)

  • Set up SPF and DKIM email authentication for your domain.
  • Set up a DMARC policy (can be set to p=none).

We recommend all schools and kura have the SPF protocol in place.

Support is available through the following options:

1. Get support from your IT provider

If your kura or school has an IT support provider – they will be able to help you to make these changes on your school’s domain. Your IT provider will know your IT environment well, and they are best positioned to make these changes for your school.

2. Join SchoolDNS

If you do not have an IT support provider, Liverton Security can help you move to SchoolDNS and implement SPF and DMARC at the same time. Learn more about the Ministry’s domain name registration and hosting service 


By transferring your school’s domain name(s) hosting and registration to SchoolDNS, we will cover the cost for your school’s annual renewal of your domain. Domains will be renewed by default. Email Liverton Security and request to transfer your domain to SchoolDNS and set up SPF (along with DKIM and DMARC if required). This service is available to state and state-integrated schools only.

3. Make changes to secure your email domain on behalf of your kura or school

If the above two options are not viable for your kura or school. Check out our guidance on setting up SPF for your domain which contains step-by-step information on how to make these changes. Please note – the guidance provided is technical and will require some IT capability and knowledge.

Additional guidance

Guidance for schools with Google Workspace

View our Google Workspace health check video(external link) which outlines how to set up SPF on your school’s domain (created in collaboration with Google).

Technical Google support(external link) 

Guidance for schools with Microsoft Office 365

Set up SPF to help prevent spoofing – Microsoft Learn(external link)

Use DMARC to validate email, setup steps – Microsoft Learn(external link)

Background information: email security protocols

To ensure that emails sent by your kura or school continue to reach parents, caregivers and whānau, it’s important to set up authentication protocols like SPF, DKIM and DMARC (see descriptions below). If your domain doesn’t currently have SPF, DMARC or DKIM security protocols set, it enables easy access for an attacker to spoof your email. Setting up these protocols will also ensure that your legitimate emails don’t end up as spam or junk. 

There are key security protocols you can set up to improve the security of your email, prevent spoofing, and verify that the emails you send are marked as legitimate (and not spam). The key protocols are: 

  • SPF (Sender Policy Framework): SPF is an email authentication standard that domain owners use to specify the email servers they send email from, so receivers know the email is from a legitimate source. It tells recipients, my emails should only come from these (listed) IP addresses.  
  • DKIM (Domain Keys Identified Mail): DKIM is a standard email authentication method that adds a digital signature to your outgoing messages. It uses a cryptographic key to prove you are who you say you are.

DKIM process infographic

  • DMARC (Domain-based Message Authentication, Reporting and Conformance): DMARC is  an authentication, policy, and reporting protocol. It builds on SPF and DKIM, by telling email providers what they should do with emails that don’t match the SPF or DKIM records – allow, quarantine (often into spam or junk), or block. It also sends reports to the domain owner to tell them which servers are sending mail for your domain, and how many are passing or failing DMARC. 

DMARC process infographic

What is email spoofing?

Email spoofing happens when an attacker sends an email appearing to come from your organisation’s domain. To prevent spoofing, it’s essential that kura and schools protect their communications sent via email with security protocols.

Benefits of securing your school or kura's email domain

  • SPF, DMARC, and DKIM help verify that emails come from the domain they’re saying they are from. Without them, anyone can send an email that pretends to be from your domain. In addition, these protocols are important to help prevent spam and phishing emails. 
  • Any bulk emails your kura or school sends externally, in particular, emails to parents, caregivers, whānau will continue to be received. Not setting up these protocols can result in emails ending up in spam or junk folders.
  • SPF and DMARC provides great protection against fraudulent emails. The implementation of DMARC on school's email lists will allow key audiences such as parents and caregivers to receive emails from the school as they will be considered verified senders. Unmarked SPF emails are likely sent to spam or show as undelivered.  
  • SPF and DMARC stop many attacks before they reach an inbox. 

For more information on mail service providers who require email security protocols, view the support websites below:

More information

For any more questions about SPF, DKIM or DMARC, email

Last reviewed: Has this been useful? Give us your feedback