SPF, DKIM, and DMARC Explained (Email Authentication Guide)

What SPF, DKIM, and DMARC do, how they work together, and a step-by-step setup guide to protect your domain from spoofing.

V
Written byVijay
Read Time9 min read
PublishedApril 5, 2026
Digital security shield — email authentication protection

The Three Pillars of Email Authentication

Email authentication is how you prove to receiving mail servers that your emails are legitimate — not spoofed, not forged, and actually sent by you. Three protocols work together to make this happen: SPF, DKIM, and DMARC.

Without authentication, anyone can send email claiming to be from your domain. ISPs know this, which is why unauthenticated email gets filtered, quarantined, or rejected outright.

Since late 2024, Google and Yahoo require all bulk senders to have SPF, DKIM, and DMARC configured. Microsoft followed in early 2025. This isn't optional anymore — it's table stakes for email deliverability.

SPF: Who's Allowed to Send

What SPF Does

Sender Policy Framework (SPF) publishes a list of IP addresses and servers authorized to send email on behalf of your domain. When a receiving server gets an email from you@yourdomain.com, it checks your domain's SPF record to verify the sending server is on the approved list.

How SPF Works

  1. You publish a DNS TXT record listing your authorized senders
  2. Someone sends an email "from" your domain
  3. The receiving server looks up your SPF record
  4. If the sending server's IP matches your SPF record, the check passes
  5. If not, the email fails SPF

Setting Up SPF

Add a TXT record to your domain's DNS:

v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com -all

Breaking this down:

  • v=spf1 — Version identifier
  • include:_spf.google.com — Authorize Google Workspace
  • include:sendgrid.net — Authorize SendGrid
  • include:mailchimp.com — Authorize Mailchimp
  • -all — Reject everything else (strict). Use ~all for soft fail during testing.

SPF Limitations

  • 10 DNS lookup limit — Each include: triggers a lookup. Complex setups hit this quickly.
  • Forwarding breaks SPF — When emails are forwarded, the sending IP changes but the "from" domain doesn't, causing SPF failures.
  • Only checks the envelope sender — Not the "From" header that users see.

DKIM: Is the Email Tampered?

What DKIM Does

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every email you send. The receiving server uses your public key (published in DNS) to verify the signature. If the email was modified in transit, the signature won't match.

How DKIM Works

  1. Your email server generates a public/private key pair
  2. You publish the public key as a DNS TXT record
  3. When sending, your server signs the email headers and body with the private key
  4. The receiving server retrieves your public key from DNS
  5. It verifies the signature — if valid, the email hasn't been tampered with

Setting Up DKIM

Most ESPs handle DKIM key generation. You typically add a CNAME or TXT record:

selector._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

The selector is provider-specific — Google uses google, SendGrid uses s1 and s2, etc. Your ESP's documentation will give you the exact records.

DKIM Best Practices

  • Use 2048-bit keys (1024-bit is considered weak)
  • Rotate keys annually
  • Sign both headers and body
  • Don't over-sign — stick to critical headers (From, To, Subject, Date)

DMARC: What Happens When Checks Fail

What DMARC Does

Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can see who's sending email as your domain.

How DMARC Works

  1. You publish a DMARC policy in DNS
  2. An email arrives claiming to be from your domain
  3. The receiving server checks SPF and DKIM
  4. If both fail, DMARC tells the server what to do: nothing (none), quarantine, or reject
  5. The receiving server sends you aggregate reports about pass/fail rates

DMARC Policies

| Policy | DNS Value | Effect | |--------|-----------|--------| | Monitor | p=none | No action on failures, just reports | | Quarantine | p=quarantine | Failed emails go to spam | | Reject | p=reject | Failed emails are blocked entirely |

Setting Up DMARC

Start with monitoring, then tighten over time:

Week 1-4: Monitor

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"

Month 2-3: Quarantine

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

Month 4+: Reject

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"

DMARC Alignment

DMARC requires "alignment" — the domain in the "From" header must match the domain authenticated by SPF or DKIM:

  • SPF alignment: The Return-Path domain matches the From domain
  • DKIM alignment: The DKIM signing domain matches the From domain

At least one must align for DMARC to pass.

How They Work Together

Think of it as a three-layer security system:

  • SPF = "This server is authorized to send for us" (identity)
  • DKIM = "This email hasn't been tampered with" (integrity)
  • DMARC = "If SPF and DKIM both fail, here's what to do" (policy)

An email passes DMARC if either SPF or DKIM passes with alignment. Both don't need to pass — but having both configured provides redundancy.

Testing Your Setup

Free Testing Tools

  • MXToolboxmxtoolbox.com/spf.aspx for SPF, DKIM, and DMARC lookups
  • mail-tester.com — Send a test email and get a score with specific fix suggestions
  • Google Admin Toolboxtoolbox.googleapps.com/apps/checkmx/ for Google-specific checks
  • DMARC Analyzer — Parse your DMARC aggregate reports into readable dashboards

Quick DNS Checks

Check your records are published correctly:

# Check SPF
dig +short TXT yourdomain.com | grep spf

# Check DKIM (replace 'google' with your selector)
dig +short TXT google._domainkey.yourdomain.com

# Check DMARC
dig +short TXT _dmarc.yourdomain.com

Common Mistakes

SPF Mistakes

  • Too many DNS lookups — Exceeding the 10-lookup limit causes SPF to permanently fail
  • Using +all — This authorizes everyone, defeating the purpose entirely
  • Forgetting third-party senders — Each service that sends on your behalf needs an include:

DKIM Mistakes

  • Using 1024-bit keys — Upgrade to 2048-bit
  • Not rotating keys — Compromised keys mean anyone can sign as you
  • Wrong selector — The selector in DNS must match what your email server uses

DMARC Mistakes

  • Jumping straight to p=reject — Start with p=none to monitor, or you'll block legitimate email
  • Ignoring aggregate reports — The reports show you unauthorized senders you didn't know about
  • Not setting up rua — Without a reporting address, you're flying blind

Authentication's Impact on Deliverability

Proper authentication doesn't guarantee inbox placement, but missing authentication nearly guarantees spam folder placement. Here's what the data shows:

  • Emails with SPF + DKIM + DMARC have 10-15% higher inbox placement than unauthenticated email
  • Google's 2024 bulk sender requirements mean unauthenticated email from high-volume senders is rejected outright
  • DMARC p=reject protects your domain from phishing, which ISPs reward with higher trust scores

Authentication is step one. List verification and engagement optimization are the other pieces of the deliverability puzzle.

Action Plan

  1. Check your current setup — Use MXToolbox to audit SPF, DKIM, and DMARC
  2. Fix gaps — Add missing records, ensure all senders are authorized in SPF
  3. Start DMARC at p=none — Monitor for 4 weeks before tightening
  4. Review DMARC reports — Look for unauthorized senders and fix alignment issues
  5. Tighten to p=reject — Once you're confident all legitimate senders pass
  6. Verify your list — Authentication protects your domain; list verification protects your reputation

Ready to verify your email list?

Start with 100 free credits. No credit card required.

Start Verifying Free
PreviousNext
Keep Reading

Related Articles

Expand your knowledge with these hand-picked posts.

Data analytics charts — bounce rate monitoring
April 2, 2026
Deliverability

Email Bounce Rate: What It Is and How to Fix It

Your bounce rate affects sender reputation. Learn what causes bounces, industry benchmarks, and actionable fixes to reduce them.

VijayRead more: Email Bounce Rate: What It Is and How to Fix It
Server infrastructure — DNS and MX record concept
April 4, 2026
Deliverability

MX Record Lookup: What It Tells You About Email Deliverability

MX records are the backbone of email routing. Learn how to look them up, interpret results, and what they reveal about a domain.

VijayRead more: MX Record Lookup: What It Tells You About Email Deliverability
Checklist and notepad — step-by-step process
April 5, 2026
Deliverability

Email List Cleaning: Step-by-Step Guide for Marketers

A practical, step-by-step guide to cleaning your email list — when to clean, what to look for, and how to handle the results.

VijayRead more: Email List Cleaning: Step-by-Step Guide for Marketers
Email deliverability dashboard showing inbox placement metrics

Get deliverability intel before your next send.

Join senders and ops teams who read our weekly breakdown of what's landing in inboxes — and what isn't.

Start Verifying FreeSee Pricing