Email Authentication
Email authentication is the set of standards a receiving server uses to verify that a message genuinely came from the domain it claims to be from, rather than a spoofer. In practice it means three layers working together: SPF authorises sending servers, DKIM signs each message, and DMARC ties both to the visible From: address and sets policy. Without it, anyone can forge your name.
- Verifies the claimed sender of a message, the foundation of inbox trust
- Built from three DNS-based layers: SPF, DKIM, and DMARC
- SPF and DKIM are the checks; DMARC is the policy and reporting layer on top
- Required for bulk senders to Gmail and Yahoo since February 2024
Why email needs authentication
The original email protocol, SMTP, was built on trust: any server could claim to be sending for any domain, and nothing checked that claim. That is what makes spoofing and phishing so easy. Email authentication is the layer added on top to close that hole, giving receivers a way to ask “is this message really from who it says it is?” and act on the answer.
The answer comes from three DNS-published standards that build on each other. None is sufficient alone, which is why modern guidance treats them as a single stack rather than independent options.
The three layers
- SPF lists which servers may send for your domain. The receiver checks the connecting IP against that list. It validates the envelope (Return-Path) domain.
- DKIM attaches a cryptographic signature to each message so the receiver can confirm it was authorised by your domain and not altered in transit.
- DMARC sits on top: it requires that a passing SPF or DKIM result align with the visible
From:domain, tells receivers what to do when neither does, and emails you reports on who is sending as you.
The shorthand is that SPF checks where a message came from, DKIM checks that it was not tampered with, and DMARC checks who it claims to be from and decides the outcome. Two further standards extend the stack: ARC preserves results across forwarding, and BIMI rewards full authentication with a brand logo in the inbox.
The piece that ties it together: alignment
The reason all three are needed is a concept called alignment. SPF and DKIM each authenticate a domain, but not necessarily the one your recipient sees. SPF validates the Return-Path; DKIM validates whatever domain signed the message. Either can pass while the visible From: belongs to someone else entirely, which is exactly how a convincing spoof slips through.
DMARC fixes this by requiring that a passing check share an organizational domain with the From: address. Only then does the message pass DMARC. This is why “SPF passes but my mail still fails DMARC” is such a common situation: authentication and alignment are two different tests, and you need both.
How the authentication stack evaluates a message
From: domain?SPF vs DKIM vs DMARC
| SPF | DKIM | DMARC | |
|---|---|---|---|
| What it checks | Which servers may send | The message is signed and unaltered | That SPF or DKIM aligns with From: |
| Mechanism | DNS list of IPs | Cryptographic signature | DNS policy + reports |
Sees the From: address? |
No | No | Yes, through alignment |
| Role | A check | A check | The policy layer |
By the numbers
Common mistakes
From:, a separate test that trips up many senders.p=none and stoppingnone reports who is spoofing you but does nothing to stop them; you have to ramp to quarantine and reject for real protection.