Email Authentication

Definition

Email authentication is the set of standards a receiving server uses to verify that a message genuinely came from the domain it claims to be from, rather than a spoofer. In practice it means three layers working together: SPF authorises sending servers, DKIM signs each message, and DMARC ties both to the visible From: address and sets policy. Without it, anyone can forge your name.

  • Verifies the claimed sender of a message, the foundation of inbox trust
  • Built from three DNS-based layers: SPF, DKIM, and DMARC
  • SPF and DKIM are the checks; DMARC is the policy and reporting layer on top
  • Required for bulk senders to Gmail and Yahoo since February 2024
At a glance
Core layers SPF · DKIM · DMARC
Published in DNS records
Optional layers ARC · BIMI
Verifies The claimed sending domain
Required by Gmail & Yahoo bulk senders (Feb 2024)
Key concept Alignment with the From: domain

Why email needs authentication

The original email protocol, SMTP, was built on trust: any server could claim to be sending for any domain, and nothing checked that claim. That is what makes spoofing and phishing so easy. Email authentication is the layer added on top to close that hole, giving receivers a way to ask “is this message really from who it says it is?” and act on the answer.

The answer comes from three DNS-published standards that build on each other. None is sufficient alone, which is why modern guidance treats them as a single stack rather than independent options.

The three layers

  • SPF lists which servers may send for your domain. The receiver checks the connecting IP against that list. It validates the envelope (Return-Path) domain.
  • DKIM attaches a cryptographic signature to each message so the receiver can confirm it was authorised by your domain and not altered in transit.
  • DMARC sits on top: it requires that a passing SPF or DKIM result align with the visible From: domain, tells receivers what to do when neither does, and emails you reports on who is sending as you.

The shorthand is that SPF checks where a message came from, DKIM checks that it was not tampered with, and DMARC checks who it claims to be from and decides the outcome. Two further standards extend the stack: ARC preserves results across forwarding, and BIMI rewards full authentication with a brand logo in the inbox.

The piece that ties it together: alignment

The reason all three are needed is a concept called alignment. SPF and DKIM each authenticate a domain, but not necessarily the one your recipient sees. SPF validates the Return-Path; DKIM validates whatever domain signed the message. Either can pass while the visible From: belongs to someone else entirely, which is exactly how a convincing spoof slips through.

DMARC fixes this by requiring that a passing check share an organizational domain with the From: address. Only then does the message pass DMARC. This is why “SPF passes but my mail still fails DMARC” is such a common situation: authentication and alignment are two different tests, and you need both.

How the authentication stack evaluates a message

A message arrives claiming to be from your domain
SPF checks the sending IP and DKIM checks the signature
SPF: is the IP authorised? DKIM: is the signature valid?
Does a passing check align with the visible From: domain?
If it aligns, the message passes DMARC
If not, your DMARC policy decides
none: monitor quarantine: spam reject: block

SPF vs DKIM vs DMARC

SPF DKIM DMARC
What it checks Which servers may send The message is signed and unaltered That SPF or DKIM aligns with From:
Mechanism DNS list of IPs Cryptographic signature DNS policy + reports
Sees the From: address? No No Yes, through alignment
Role A check A check The policy layer

By the numbers

3
The core authentication layers every sender should deploy: SPF, DKIM, and DMARC.
5,000+/day
The bulk-sender threshold at which Gmail and Yahoo mandate authentication, since February 2024.
0.3%
The Postmaster Tools spam-complaint rate Google asks bulk senders to stay under alongside authentication.

Common mistakes

Deploying only one layer
SPF alone breaks on forwarding, DKIM alone does not check the From address, and neither stops visible spoofing without DMARC. The three are designed to be used together, not chosen between.
Confusing authentication with alignment
A green SPF or DKIM result is not the same as a DMARC pass. The authenticated domain must also align with the visible From:, a separate test that trips up many senders.
Setting DMARC to p=none and stopping
Monitoring is the starting line. A policy of none reports who is spoofing you but does nothing to stop them; you have to ramp to quarantine and reject for real protection.

Frequently asked questions

What are the three email authentication protocols?
SPF, DKIM, and DMARC. SPF publishes which servers may send for your domain, DKIM signs each message so receivers can verify it was authorised and unaltered, and DMARC requires that one of those passes and aligns with the visible From address, then tells receivers what to do when neither does. ARC and BIMI are optional extensions on top.
Is email authentication required?
For bulk senders, yes. Since February 2024 Google and Yahoo require any domain sending 5,000 or more messages a day to their users to authenticate with SPF and DKIM and publish DMARC, and Microsoft applied the same baseline to large Outlook and Hotmail senders in 2025. Smaller senders are not mandated but are strongly advised to authenticate to avoid spam-foldering and spoofing.
How do I check if my email is authenticated?
Inspect the Authentication-Results header of a message you sent to yourself, where receivers record the SPF, DKIM, and DMARC outcomes, or run your domain through dedicated SPF, DKIM, and DMARC lookups. Free tools such as the SPF, DKIM, and DMARC checkers on this site report what you have published and flag misconfigurations.
Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary