Intermediate

The complete guide to email authentication

SPF, DKIM, and DMARC are the three records that prove your email really came from you. This guide explains exactly how each one works, how they fit together, and how to set up all three in the right order so your mail reaches the inbox.

18 min readUpdated June 2026

Email authentication is a set of three DNS based standards, SPF, DKIM, and DMARC, that let a receiving server confirm a message genuinely came from your domain and was not forged in transit. Together they decide whether your mail is trusted enough to reach the inbox instead of the spam folder or a hard rejection.

Email was built in an era of trust, with no way to verify who actually sent a message. To this day, anyone can put your domain in the visible From line of an email they send. Authentication closes that gap. SPF publishes the list of servers allowed to send for your domain, DKIM adds a tamper proof signature to every message, and DMARC ties both checks to the address your recipients actually see and tells receivers what to do when something does not line up.

Key takeaway

The three records are not interchangeable layers of the same thing. SPF says who may send, DKIM proves the message is genuine, and DMARC connects those answers to the visible From address and sets the policy. You need all three, and DMARC is what makes the other two stop spoofing.

Why email authentication is now mandatory

Since February 2024, the largest mailbox providers require authentication from bulk senders. Any domain sending more than 5,000 messages a day to Gmail or Yahoo, and to consumer Outlook addresses since 2025, must publish SPF, DKIM, and a DMARC record or watch its mail get filtered or rejected.

5,000
messages a day that make you a bulk sender
3
records every domain needs: SPF, DKIM, DMARC
10
max DNS lookups an SPF record may trigger
2048-bit
recommended DKIM key length
0.3%
Gmail spam complaint hard ceiling

The Google and Yahoo bulk sender guidelines, published in 2024, set the baseline that the rest of the industry now follows. Bulk senders must authenticate with SPF and DKIM, publish a DMARC policy of at least p=none, pass DMARC alignment, support one click unsubscribe through the List-Unsubscribe header, and keep spam complaints low. Google asks senders to stay under 0.1% complaints and treats 0.3% as a hard ceiling that triggers filtering. Microsoft extended the same expectations to high volume senders into consumer Outlook in 2025.

The threshold catches more senders than people expect, and the bar keeps moving toward enforcement. Even if you send far fewer than 5,000 messages a day, missing authentication caps how high your reputation can climb and leaves your domain open to being spoofed in phishing attacks against your own customers. There is no real downside to authenticating, and a large one to skipping it.

How SPF, DKIM, and DMARC work together

When a server receives your message it runs three checks in sequence. SPF asks whether the sending IP is authorized, DKIM verifies the cryptographic signature, and DMARC asks whether an authenticated domain matches the visible From address. The message passes when SPF or DKIM aligns and passes; if both fail, your DMARC policy decides what happens.

How a message is authenticated
Message arrives

The receiver reads your domain from the headers.

SPF check

Is the sending IP on your authorized list?

DKIM check

Does the signature verify against your public key?

DMARC alignment

Does an authenticated domain match the visible From?

Deliver or reject

Pass earns the inbox. Fail follows your policy.

The reason DMARC matters is that SPF and DKIM each leave a gap on their own. SPF checks the hidden Return-Path address used during delivery, not the From address your recipient reads, so a spoofer can pass SPF with their own domain while displaying yours. DKIM proves a message was signed and unchanged, but on its own it carries no instruction for what a receiver should do when the signature is missing or broken. DMARC fixes both by requiring that whatever passed, SPF or DKIM, lines up with the visible From domain, and by publishing a clear policy. That single requirement, called alignment, is what turns two useful checks into real protection against someone forging your address.

SPF: which servers may send as your domain

SPF, the Sender Policy Framework defined in RFC 7208, is a single DNS TXT record that lists every server allowed to send mail for your domain. When a message arrives, the receiver compares the sending IP against that list and the check passes only if it matches.

SPF record syntax

An SPF record lives as a TXT record at your domain root. It always begins with v=spf1 and ends with an all mechanism that sets the default for anything not explicitly listed.

v=spf1 include:_spf.google.com include:_spf.yourprovider.com ip4:203.0.113.50 -all

Reading that record left to right:

  • v=spf1 is the version tag. It is required and must come first.
  • include:_spf.google.com authorizes every server listed in another provider's SPF record, used here for a hosted mail platform.
  • include:_spf.yourprovider.com adds a second sending service, such as a marketing or transactional platform.
  • ip4:203.0.113.50 authorizes one specific IPv4 address, such as your own server.
  • -all hard fails everything else, meaning no other server is allowed to send as your domain.

SPF mechanisms

MechanismExampleWhat it doesCosts a lookup?
ip4ip4:203.0.113.0/24Authorize an IPv4 address or rangeNo
ip6ip6:2001:db8::/32Authorize an IPv6 address or rangeNo
includeinclude:_spf.google.comPull in another domain's SPF recordYes
aa:mail.example.comAuthorize the IPs in a domain's A recordYes
mxmxAuthorize the IPs of the domain's MX serversYes
all-allMatch everything else, used as the final ruleNo

The qualifier on all

The character before all decides what happens to mail from a server that is not on your list:

  • -all is a hard fail. Unauthorized mail should be rejected. This is the recommended setting once your record is complete.
  • ~all is a soft fail. Unauthorized mail is accepted but marked as suspect. Use it while you are still finding all your senders.
  • ?all is neutral. It makes no assertion at all and offers no protection.
  • +all passes everything. Never use it; it authorizes the entire internet to send as your domain.
The 10 DNS lookup limit

RFC 7208 caps an SPF evaluation at 10 DNS lookups. Every include, a, mx, ptr, exists, and redirect term counts; ip4, ip6, and all do not. Go over and SPF returns a permerror, which most receivers treat as a failure. Confirm your count with the SPF Checker before you publish.

DKIM: cryptographic proof the message is genuine

DKIM, DomainKeys Identified Mail from RFC 6376, adds a digital signature to every message you send. Your server signs each email with a private key, the matching public key is published in DNS, and the receiver uses it to confirm the message really came from your domain and was not altered along the way.

DKIM uses public key cryptography. The signature covers a defined set of headers, typically From, Subject, and Date, along with the body of the message. If any signed part is changed after sending, the signature no longer verifies and DKIM fails. That is what makes it tamper evident rather than just an identity claim.

The DKIM signature

The signature travels with the message as a header. A simplified example looks like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=selector1; h=from:to:subject:date;
  bh=<body-hash>; b=<signature>

The fields that matter most:

  • d= is the signing domain. It must align with your From domain for DMARC to count the DKIM result.
  • s= is the selector, which tells the receiver where in DNS to find the public key.
  • a= is the algorithm, normally rsa-sha256.
  • h= lists the headers the signature protects.
  • b= is the signature itself, and bh= is the hash of the body.

The DKIM DNS record and selectors

A selector lets one domain publish several keys at once, which is what makes key rotation and multiple sending services possible. The public key is published as a TXT record at selector._domainkey.yourdomain.com:

; published in DNS for selector "selector1"
selector1._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqG..."

Here v=DKIM1 is the version, k=rsa is the key type, and p= holds the base64 encoded public key. An empty p= value means the key has been revoked.

Modern guidance, set out in RFC 8301, is to use a 2048-bit RSA key as the default and to treat 1024 bits as the bare minimum. A 2048-bit key is too long to fit in a single 255 character DNS string, so it is split across multiple quoted strings inside the same record; most DNS hosts handle that automatically. Rotate your keys periodically by publishing a new selector and switching your signing to it, so a leaked key has a limited useful life.

Pro tip

Each sending service signs with its own selector, so you can have several DKIM records live at the same time. Confirm each one is published correctly and using an adequate key length with the DKIM Checker.

DMARC: alignment, policy, and reporting

DMARC, defined in RFC 7489, ties SPF and DKIM to the address your recipients see and tells receivers what to do when a message fails. It adds three things the other two lack: alignment with the visible From domain, an enforcement policy, and reports that show you exactly who is sending mail as your domain.

A DMARC record is a TXT record published at _dmarc.yourdomain.com. A monitoring record looks like this:

_dmarc.example.com.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r; pct=100"

DMARC tags

TagRequiredValuesPurpose
vYesDMARC1Version identifier, must come first
pYesnone, quarantine, rejectPolicy for mail that fails DMARC
ruaNomailto:you@example.comWhere to send aggregate XML reports
rufNomailto:you@example.comWhere to send failure reports
adkimNor relaxed, s strictDKIM alignment mode
aspfNor relaxed, s strictSPF alignment mode
pctNo0 to 100, default 100Share of failing mail the policy applies to
spNonone, quarantine, rejectPolicy for subdomains

The policy ladder

The p= tag is the heart of DMARC. You climb it gradually, from monitoring to full enforcement, so you never block legitimate mail by accident:

  • p=none takes no action and simply collects reports. It is where every rollout starts, and it provides no spoofing protection on its own.
  • p=quarantine sends failing mail to the spam or junk folder. It is the safe intermediate step once your reports look clean.
  • p=reject blocks failing mail outright during delivery. This is full protection and the goal of any serious rollout.

Alignment, relaxed and strict

Alignment is the rule that makes DMARC work. A message passes DMARC only when the domain that passed SPF or DKIM lines up with the domain in the visible From header.

  • Relaxed alignment, the default, matches on the organizational domain, so mail.example.com aligns with example.com.
  • Strict alignment requires an exact match, so mail.example.com would not align with example.com.

Reports are the other half of DMARC. Aggregate reports, requested with rua, are daily XML summaries that show every source sending under your domain and whether each one passed. They are the single most useful tool for finding forgotten senders before you tighten your policy. Failure reports, requested with ruf, contain per message detail and are rarely sent today because of privacy concerns, so most senders rely on aggregate reports alone.

Do not stay on p=none forever

A record stuck at p=none satisfies the letter of the bulk sender rules but stops no spoofing at all, and roughly half of DMARC enabled domains never move past it. Monitor for a few weeks, fix the senders that fail, then climb to quarantine and finally reject. The DMARC Generator builds a correct record for whichever stage you are at.

SPF vs DKIM vs DMARC at a glance

SPF checks the sending IP, DKIM signs the message, and DMARC ties both to the visible From address and sets the policy. They protect different things and you need all three, because each one covers a gap the others leave open.

AspectSPFDKIMDMARC
What it checksThe sending server's IPA cryptographic signatureAlignment with the visible From
What it protectsWho is allowed to sendMessage integrity in transitYour visible domain from spoofing
StandardRFC 7208RFC 6376RFC 7489
DNS recordOne TXT at the rootTXT at selector._domainkeyTXT at _dmarc
Counts an SPF lookup?Yes, against the limitNoNo
Stops From spoofing alone?NoNoYes, at enforcement
SPF and DKIM tell a receiver your mail is legitimate. DMARC is the only one of the three that stops someone forging the address your customers actually read.

How to set up SPF, DKIM, and DMARC in the right order

Set them up in sequence: inventory your senders, publish one SPF record, enable DKIM on each service, then add a DMARC record in monitoring mode and tighten it only after the reports come back clean. Rushing straight to enforcement is the fastest way to block your own mail.

Inventory every sending source

List every service that sends mail as your domain: your primary mail platform, marketing and transactional tools, your CRM, helpdesk software, and any servers of your own. You cannot authenticate what you have not accounted for.

Publish one SPF record

Create a single v=spf1 TXT record that includes every source from your inventory, and end it with ~all while you test. Keep it under the 10 lookup limit and verify it with the SPF Checker.

Enable DKIM on each service

Turn on DKIM signing in every platform that sends for you. Each gives you a selector and a record to publish, and they sign independently, so several DKIM records will be live at once. Confirm each with the DKIM Checker.

Add DMARC in monitoring mode

Publish a _dmarc record with p=none and an rua address so reports start flowing without affecting delivery. Generate a clean record with the DMARC Generator.

Review the aggregate reports

Watch your DMARC reports for two to four weeks and find every legitimate source that is failing SPF or DKIM alignment. Fix those gaps before you change the policy.

Tighten SPF and climb the policy

Switch SPF to -all, move DMARC to p=quarantine, and after another clean monitoring period move to p=reject for full protection.

Common mistakes that break authentication

Most authentication failures trace back to a handful of avoidable errors: more than one SPF record, too many DNS lookups, and a DMARC policy that never leaves monitoring mode. Each one silently undermines the protection you think you have.

  • Two SPF records. A domain must have exactly one v=spf1 TXT record. A second one is not additive; it makes SPF return a permerror and fail outright.
  • Too many DNS lookups. Stacking include statements past the limit of 10 breaks SPF. Flatten or consolidate sources to stay under it.
  • Forgotten senders. Every service that mails as your domain must be authorized in SPF and signing with DKIM, or its mail will fail once you enforce DMARC.
  • Using +all or the ptr mechanism. +all authorizes the whole internet, and ptr is slow, unreliable, and discouraged by the specification.
  • Living on p=none. Monitoring is a starting point, not a destination. A policy that never reaches quarantine or reject leaves your domain just as spoofable as having no DMARC at all.
Check all three in one pass

Authentication is only one part of your sender reputation. Run your domain through the Sender Reputation Checker for an A to F grade that scores SPF, DKIM, and DMARC together with your blacklist status and DNS, and tells you exactly what to fix next.

Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026

Email authentication FAQ

What is email authentication?
Email authentication is a group of DNS based standards, SPF, DKIM, and DMARC, that let a receiving server confirm a message genuinely came from your domain and was not forged. SPF lists the servers allowed to send for you, DKIM adds a cryptographic signature, and DMARC ties both to the visible From address and sets a policy for failures.
Do I need all three of SPF, DKIM, and DMARC?
Yes. Each one covers a gap the others leave open, and since 2024 Google, Yahoo, and Microsoft require all three from bulk senders. SPF and DKIM prove legitimacy, but only DMARC, through alignment, stops someone forging the address your recipients actually see.
What is DMARC alignment?
Alignment is the rule that the domain which passed SPF or DKIM must match the domain in the visible From header. Relaxed alignment, the default, matches on the organizational domain so mail.example.com aligns with example.com; strict alignment requires an exact match. A message passes DMARC only when at least one authenticated domain aligns.
What does p=none mean in DMARC?
The p=none policy is monitor only. Receivers take no action on mail that fails DMARC but send you aggregate reports so you can see who is sending as your domain. It is the right place to start, but it provides no spoofing protection, so you should move up to quarantine and then reject once your reports are clean.
How do I set up SPF, DKIM, and DMARC?
Work in order. Inventory every service that sends mail as your domain, publish a single SPF TXT record covering all of them, enable DKIM signing on each service, then add a _dmarc record at p=none with an rua reporting address. Review the reports for two to four weeks, fix any failing sources, then tighten SPF to -all and climb DMARC to quarantine and reject.
What is the SPF 10 DNS lookup limit?
RFC 7208 limits an SPF check to 10 DNS lookups. Each include, a, mx, ptr, exists, and redirect term counts toward it, while ip4, ip6, and all do not. Exceeding 10 returns a permerror that most receivers treat as a failure, so consolidate or flatten sources and confirm your count with the SPF Checker.
Should I use -all or ~all in my SPF record?
Use ~all (soft fail) while you are still confirming every legitimate sender, then switch to -all (hard fail) once your record is complete. A hard fail tells receivers to reject anything not on your list, which is the strongest setting. Never use +all, which authorizes the entire internet to send as your domain.
What DKIM key length should I use?
Use a 2048-bit RSA key as the default and treat 1024 bits as the bare minimum, in line with RFC 8301. A selector lets you publish several keys at once, which is what makes rotation and multiple sending services possible, so publish a new selector periodically and switch your signing to it.
Why do my emails still fail DMARC if SPF passes?
SPF can pass while DMARC fails because of alignment. SPF validates the hidden Return-Path domain, not the visible From, so if those two domains do not line up under your alignment mode, DMARC does not count the SPF pass. The fix is to make sure either SPF or DKIM authenticates a domain that aligns with your From address.