Stop Scammers from Impersonating Your Pastor: Email Authentication Explained
Someone could send emails that appear to come from your pastor's real email address. Learn how SPF, DKIM, and DMARC protect your church from email impersonation.
Mission Guard Team
January 4, 2026
10 min read
Category: Fundamentals
The Threat You Didn't Know Existed
Imagine a member of your congregation receives an email from pastor@yourchurch.org asking them to purchase gift cards for a family in need. The email looks legitimate—it comes from the pastor's actual email address, not some suspicious Gmail account. They buy the cards and send the codes.
But your pastor never sent that email.
This isn't hypothetical. Email "spoofing"—where attackers forge the sender address to impersonate someone else—is one of the most common ways churches get targeted. Without proper protections, anyone in the world can send emails that appear to come from your church's domain.
The good news? Three free technologies—SPF, DKIM, and DMARC—can stop this. They're already built into Google Workspace and Microsoft 365. You just need to turn them on.
Understanding Email Authentication (The Simple Version)
Think of email like sending a letter. Without authentication, anyone can write your church's name as the return address. These three technologies work together to verify that emails actually come from your organization:
SPF (Sender Policy Framework)
What it does: Creates a list of servers that are allowed to send email on behalf of your domain.
Analogy: It's like telling the post office, "Only letters dropped off at these specific mailboxes are really from us."
DKIM (DomainKeys Identified Mail)
What it does: Adds a digital signature to every email your church sends, proving it hasn't been tampered with.
Analogy: It's like a wax seal on a letter. If the seal is broken or missing, you know something's wrong.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What it does: Tells receiving email servers what to do when an email fails SPF or DKIM checks—and sends you reports about attempted abuse.
Analogy: It's your policy that says, "If a letter doesn't have our seal or didn't come from an approved mailbox, reject it and let us know someone tried."
All three work together. SPF and DKIM verify legitimacy; DMARC enforces the policy and provides visibility.
Why This Matters for Churches
Churches are frequent targets because:
Trust relationships: Congregations trust emails from staff
Limited IT oversight: Many churches don't have dedicated IT staff to catch anomalies
Financial activity: Donation requests, payroll, and vendor payments are common
Public contact info: Church staff emails are often published on websites
Without email authentication, attackers can:
Send fake donation requests to your entire congregation
Impersonate the pastor asking for gift cards or wire transfers
Send malicious links that appear to come from trusted staff
Damage your church's reputation when members fall victim
How to Set Up Email Authentication
Below are step-by-step instructions for the two most common nonprofit email platforms. You'll need access to:
Your email admin console (Google Workspace or Microsoft 365)
Your domain's DNS settings (usually through your domain registrar like GoDaddy, Namecheap, Cloudflare, or your web host)
⚠️ Important: DNS changes can take 24-48 hours to fully propagate. Don't panic if things don't work immediately.
Google Workspace for Nonprofits
Step 1: Verify SPF is Configured
Google Workspace typically guides you through SPF during setup, but let's verify it's correct.
Host/Name: @ (or leave blank, depending on provider)
Type: TXT
Value: v=spf1 include:_spf.google.com ~all
TTL: 3600 (or default)
💡 Already have an SPF record? Don't create a second one—you can only have one SPF record per domain. Instead, add include:_spf.google.com to your existing record before the ~all or -all.
Progress to quarantine, then reject over 4-6 weeks as described in the Google section above.
Don't Forget Third-Party Services
Here's where many churches run into trouble: you set up SPF, DKIM, and DMARC for Google or Microsoft, then your weekly newsletter from Mailchimp starts landing in spam—or gets rejected entirely.
Why? Any service that sends email "from" your church's domain needs to be authenticated. If Planning Center sends a "from: office@yourchurch.org" email but isn't in your SPF record, it fails authentication.
Common Church Services That Send Email
Review this list and identify which ones your church uses:
Service Type | Common Platforms
Church Management | Planning Center, Breeze, ChurchTrac, Realm, Elvanto
Email Newsletters | Mailchimp, Constant Contact, Emma
Donations/Giving | Tithe.ly, Pushpay, Subsplash Giving
Event Registration | Eventbrite, SignUpGenius, Planning Center
Accounting/Payroll | QuickBooks, Gusto, ADP
Website Forms | Your web host, Squarespace, Wix
Mass Texting (with email) | Clearstream, Text In Church
How to Add Third-Party Services to SPF
Each service has a specific "include" statement for SPF. Here are the most common ones for churches:
# Planning Center
include:_spf.planningcenteronline.com
⚠️ SPF Lookup Limit: SPF has a maximum of 10 DNS lookups. Each "include" typically counts as 1-2 lookups. If you exceed 10, SPF fails entirely. Most churches won't hit this limit, but if you use many services, check with MXToolbox SPF Lookup to verify you're under the limit.
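The two rules above (one SPF record per domain, with new includes placed before the final ~all/-all term, and no more than 10 DNS lookups) are easy to get wrong by hand. The following is an added example, not code from the Mission Guard article; it merges an include into an existing record and counts the lookup-causing terms. The domain names in the test call are taken from the article's own examples.

```python
"""Added example, not code from the Mission Guard article: merge a new
include: into an existing SPF record (before the ~all / -all term) and
count the DNS lookups it costs, to stay under SPF's limit of 10."""
import re

# Terms that each cause at least one DNS lookup during SPF evaluation.
# all, ip4 and ip6 need no lookup and are not counted (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def find_spf(txt_records):
    """Pick the one SPF record out of a domain's TXT records. Two or
    more v=spf1 records are a permanent error, so that is rejected."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one SPF record; merge them into one")
    return spf[0] if spf else None

def add_include(spf_record, include_domain):
    """Insert include:<domain> just before the final 'all' term so the
    all qualifier stays last. Returns the record unchanged if present."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % spf_record)
    new_term = "include:" + include_domain
    if new_term in terms:
        return spf_record
    all_idx = [i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"]
    if not all_idx:
        raise ValueError("SPF record has no 'all' term: %r" % spf_record)
    terms.insert(all_idx[-1], new_term)
    return " ".join(terms)

def count_lookups(spf_record):
    """Count top-level terms that cost a DNS lookup. Nested includes add
    more, so a tool such as MXToolbox is still worth a final check."""
    count = 0
    for term in spf_record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)", term.lower())
        if m and m.group(1) in LOOKUP_TERMS:
            count += 1
    return count

def within_lookup_limit(spf_record):
    return count_lookups(spf_record) <= MAX_LOOKUPS

if __name__ == "__main__":
    record = find_spf(["v=spf1 include:_spf.google.com ~all", "other txt"])
    record = add_include(record, "_spf.planningcenteronline.com")
    print(record, count_lookups(record), within_lookup_limit(record))
```

The counter only sees the top-level record; an include whose own record contains further includes costs extra lookups that this script cannot see.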
Finding SPF/DKIM Settings for Any Service
If you use a service not listed above:
Search their help documentation for "SPF," "DKIM," "email authentication," or "DNS records"
Check their admin settings for a "Domain Authentication" or "Sending Domain" section
Contact their support and ask: "What DNS records do I need for SPF and DKIM to send emails from my own domain?"
Setting Up DKIM for Third-Party Services
Many services also support DKIM signing. This typically requires:
Going to the service's settings (often under "Email Settings" or "Domain Authentication")
Finding their DKIM setup section
Adding the CNAME or TXT records they provide to your DNS
Verifying the setup in their admin panel
Priority services for DKIM: Focus on high-volume senders first—your church management system and newsletter platform are usually the most important.
A Practical Workflow
Before enforcing DMARC (moving to p=quarantine or p=reject):
List every service that sends email using your church's domain
Check each service's documentation for required DNS records
Add all SPF includes to your single SPF record
Configure DKIM for services that support it
Monitor DMARC reports for 2-4 weeks at p=none
Look for failures from legitimate services you may have missed
Only then move to p=quarantine and eventually p=reject
Verify Your Setup
After making changes, verify everything is working:
Common Mistakes
Forgetting third-party senders: If you use Mailchimp, Constant Contact, Planning Center, or other services that send email "from" your domain, you must include them in your SPF record and may need to configure DKIM for each.
Going straight to "reject": Always start with p=none to monitor, then p=quarantine, then p=reject. Jumping straight to reject can block your own legitimate emails.
Not monitoring DMARC reports: The reports tell you if legitimate services are failing authentication. Services like DMARC Digests (free tier available) can convert the XML reports into readable summaries.
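The monitoring step of the workflow above and the DMARC-report point just made both come down to reading the XML aggregate reports for sources that fail both SPF and DKIM. This is an added example, not code from the article or from any report service; the report below is a constructed sample in the standard aggregate-report layout, with documentation-range IP addresses.

```python
"""Added example, not from the Mission Guard article: summarise a DMARC
aggregate (rua) report so that, while the policy is still p=none, you
can see which senders would be quarantined or rejected later. The XML
is a constructed sample in the standard aggregate-report layout."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourchurch.org</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourchurch.org</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourchurch.org</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourchurch.org</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Return the published policy, pass/fail message totals and the
    sources that fail DMARC. DMARC passes when either aligned DKIM or
    aligned SPF passes, so a forwarded message with SPF fail but DKIM
    pass (third record above) still counts as a pass."""
    root = ET.fromstring(report_xml)
    summary = {"policy": root.findtext("policy_published/p"),
               "passed": 0, "failed": 0, "failing_sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim == "pass" or spf == "pass":
            summary["passed"] += count
        else:
            # Once the policy moves to quarantine/reject, this source's
            # mail is affected: check whether it is a service you forgot
            # to add to SPF/DKIM, or someone spoofing the domain.
            summary["failed"] += count
            summary["failing_sources"].append(
                {"ip": row.findtext("source_ip"), "count": count,
                 "dkim": dkim, "spf": spf})
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Real reports arrive as zipped or gzipped XML attachments at the address in your DMARC record's rua tag; unpack them and feed each file's text to summarize().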
Don't Have Admin Access?
If you use Google Workspace or Microsoft 365 but aren't the administrator:
Identify who manages your church's email (often whoever set up the accounts)
Share this article with them
Request they implement these protections
If your church uses a basic email setup through your web host (like cPanel), the concepts are the same, but the admin interfaces will differ. Check your hosting provider's documentation for "email authentication" or "SPF/DKIM setup."
Take Action Today
Email authentication is free, built into the platforms most churches already use, and provides significant protection against impersonation attacks. Here's your action plan:
This week: Check your current email authentication status using MXToolbox
If missing protections: Follow the setup guide above for your email platform
After setup: Start with DMARC monitoring (p=none) and review reports for 2-4 weeks
Gradually enforce: Move to p=quarantine, then p=reject
Your congregation trusts emails from your church. Email authentication helps ensure that trust isn't exploited by scammers impersonating your staff.