email authentication: SPF, DKIM, and DMARC explained
SPF, DKIM, and DMARC explained in plain language. What each protocol does, how they work together, and the mistakes that tank your deliverability.
You set up a new domain, configured your mail server, and sent your first batch of messages. Half bounced. The rest landed in spam. The content was fine, the addresses were valid, and nothing in the logs screamed "error." The problem is simpler than that: you never proved to the receiving servers that you're allowed to send from that domain.
That proof comes from three DNS-based protocols that work together as a single authentication system: SPF, DKIM, and DMARC. Each handles a different piece of verification. Together, they tell receiving mail servers "yes, this sender is who they claim to be." Without all three, your email is unverified. And in 2026, unverified email doesn't reach inboxes.
Info
Google and Yahoo jointly began enforcing authentication requirements for bulk senders in February 2024. Those rules are now fully active across all major providers. Missing any of the three records means quarantine or outright rejection.
What problem does email authentication solve?#
Email was designed in the 1970s with zero identity verification built into the protocol. SMTP lets anyone claim to send from any address. There's nothing in the original spec stopping someone from firing off a message that appears to come from ceo@yourcompany.com. That's the gap phishing exploits, and it's the gap these three protocols were built to close.
SPF checks whether the sending server is authorized for the domain. DKIM verifies that the message was genuinely produced by the claimed domain and hasn't been altered in transit. DMARC sets the policy for what happens when SPF or DKIM fails, and sends you reports about it. Three separate DNS records, one authentication system.
SPF: authorizing your sending servers#
Sender Policy Framework (SPF) is a DNS TXT record that lists every IP address and mail server authorized to send email on behalf of your domain. When a receiving server gets a message from you@yourdomain.com, it looks up the SPF record for yourdomain.com and checks whether the sending server's IP appears on the list.
A typical SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Breaking that down:
- `v=spf1` identifies the record type
- Each `include:` directive authorizes a specific service's mail servers
- `-all` at the end means "reject anything not covered by the includes"
That -all ending is the enforcement mechanism. A tilde version (~all) signals a soft fail, which flags the message as suspicious but doesn't block it. The hyphen version (-all) is a hard fail: reject the message outright.
The most common SPF mistake is also the simplest: forgetting to add a new sending service. If you start using a newsletter platform or transactional email provider and don't update your SPF record, every email sent through that service fails authentication. I've seen this break outreach campaigns overnight. One missed include and suddenly nothing from your new tool reaches anyone.
SPF also has a hard limit of 10 DNS lookups. Each include directive can trigger nested lookups under the hood, and once the total exceeds 10, your entire SPF record becomes invalid. This catches businesses using five or six third-party email tools. The record looks fine when you read it, but it silently fails because of nested lookup chains you never see. Tools like MXToolbox and dmarcian offer free SPF checkers if you want to audit your lookup count.
DKIM: signing your messages#
DomainKeys Identified Mail (DKIM) takes a different approach from SPF. Instead of checking the sending server, it checks the message itself using cryptographic signatures.
The process works like this:
- You generate a public/private key pair for your domain
- The public key gets published as a DNS TXT record under a selector subdomain (something like
selector1._domainkey.yourdomain.com) - When your server sends an email, it signs specific headers and the message body with the private key
- The receiving server retrieves the public key from DNS and verifies the signature
A DKIM DNS record looks something like:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
If the signature checks out, the receiving server knows two things: the message genuinely originated from a server holding the private key for that domain, and the content hasn't been tampered with during transit. If someone intercepts and modifies the email between servers, the signature breaks and the check fails.
DKIM doesn't prevent someone from attempting to send as your domain. It gives the receiving server a way to verify whether a specific message is authentic. The enforcement piece, where failed checks actually result in blocked messages, comes from DMARC.
One detail people overlook: DKIM keys should be rotated periodically. Every 6 to 12 months is a reasonable cadence. If a private key is compromised, anyone holding it can sign messages that pass DKIM verification for your domain. Regular rotation limits the damage window.
DMARC: the policy and reporting layer#
Domain-based Message Authentication, Reporting & Conformance (DMARC) sits on top of SPF and DKIM. It handles two things neither protocol provides on its own: a policy for what happens when authentication fails, and a reporting mechanism that shows you who's sending email using your domain.
A DMARC record is a DNS TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100
The key fields:
p=rejecttells receiving servers to block messages that fail both SPF and DKIM. Other options arequarantine(route to spam) andnone(monitor without enforcing)rua=mailto:...is the address where aggregate reports get sent. These XML reports detail every server that sent mail using your domain and whether each message passed or failedpct=100applies the policy to 100% of failing messages
The concept most setups get wrong is DMARC alignment. It's not enough for SPF or DKIM to pass independently. DMARC requires that the domain in the visible From: header matches the domain that passed SPF or DKIM. Without alignment, an attacker could configure valid SPF and DKIM records for their own infrastructure while spoofing your domain in the From: field that the recipient actually sees.
Alignment comes in two modes: strict (exact domain match required) and relaxed (subdomains of the organizational domain count as matching). Relaxed is the default and works for most configurations.
The authentication sequence#
When an email arrives at Gmail, Outlook, or any major provider, the receiving server runs through these checks in sequence:
- SPF check: Is the sending server's IP authorized for this domain? Pass or fail.
- DKIM check: Does the cryptographic signature verify against the public key in DNS? Pass or fail.
- DMARC evaluation: Did at least one of SPF or DKIM pass with domain alignment? If neither passed with alignment, apply the DMARC policy (none, quarantine, or reject).
An email only needs one of SPF or DKIM to pass with alignment in order to satisfy DMARC. But having both pass produces the strongest signal to receiving servers. If you're sending transactional email, outreach, or anything at volume, you want all three checks green.
Mistakes that will cost you#
Starting DMARC at p=reject without monitoring first. If your SPF record is missing a legitimate sending source, a reject policy blocks your own email. Start with p=none, review the aggregate reports for two to four weeks, close any authentication gaps you find, then move to quarantine and eventually reject.
Blowing past the SPF lookup limit. Every include can cascade into nested DNS lookups. Once you exceed 10 total, your SPF record silently becomes invalid. No error, no warning, just failed checks. Test your lookup count before and after adding any new email service.
Ignoring subdomains. DMARC policies don't automatically apply to subdomains. If you send email from notifications.yourdomain.com, you need either a separate DMARC record for that subdomain or an sp=reject directive in your root domain's DMARC record.
Treating authentication as a one-time setup. Every time you add or remove an email sending service, your SPF record needs updating. Every infrastructure change means DKIM keys may need refreshing. If you're running into 550 errors, stale authentication records are one of the first things to check.
Never reading DMARC reports. The rua address receives aggregate reports showing exactly what's happening with your domain's email. If a spammer starts using your domain, or if a legitimate service is failing authentication, the reports will show it. Most people set the address and never look at it.
Set it up before you send#
SPF says who can send. DKIM proves the message is real. DMARC tells receiving servers what to do when those checks fail. All three are required for reliable email delivery in 2026, whether you're running a SaaS product, an e-commerce store, or an AI agent that provisions its own inbox.
If you're building agents that send email, this matters even more. An agent spinning up a fresh domain starts with zero reputation and zero authentication records. Services like LobsterMail handle SPF, DKIM, and DMARC configuration automatically when an agent provisions an inbox, so the agent doesn't have to wrangle DNS records. But whether you use a managed service or set it up yourself, the records need to be correct and complete before the first message goes out.
Monitor your DMARC reports weekly. Rotate your DKIM keys every six months. Audit your SPF lookup count when you add new tools. Email authentication is not something you configure once and walk away from.
Frequently asked questions
What happens if I don't set up SPF, DKIM, and DMARC?
Your emails will likely land in spam or get rejected entirely. Since 2024, Google and Yahoo require all three for bulk senders, and other providers have followed suit. Without authentication, receiving servers have no way to verify your messages are legitimate.
Do I need all three protocols, or is one enough?
You need all three. SPF and DKIM each verify different aspects of your email (sending server and message integrity), while DMARC ties them together with a policy and alignment check. Missing any one of them leaves a gap that receiving servers will penalize.
How long does it take for SPF, DKIM, and DMARC DNS records to propagate?
DNS propagation typically takes 15 minutes to 48 hours, depending on your registrar and the TTL (time to live) set on existing records. Most changes take effect within an hour or two. Don't send email from a new domain until you've confirmed propagation using a tool like MXToolbox.
Can SPF, DKIM, and DMARC prevent all phishing attacks?
No. They prevent domain spoofing (someone faking your exact domain in the From: address), but they can't stop lookalike domains like yourcompanny.com or social engineering attacks. They're a necessary layer of protection, not a complete anti-phishing solution.
What's the difference between SPF soft fail and hard fail?
A soft fail (~all) tells the receiving server that unauthorized senders should be treated with suspicion but not necessarily rejected. A hard fail (-all) tells the server to reject unauthorized senders outright. Hard fail is the stronger setting, but make sure your SPF record is complete before using it.
How do I check if my email authentication records are configured correctly?
Use free online tools like MXToolbox, dmarcian, or Google's Check MX. These tools query your DNS records and flag missing entries, syntax errors, and lookup limit violations. You can also send a test email to check-auth@verifier.port25.com for a quick automated report.
What are DMARC aggregate reports and how do I read them?
DMARC aggregate reports are XML files sent to the rua address in your DMARC record. They list every IP that sent email using your domain and whether each message passed SPF, DKIM, and DMARC alignment. Tools like dmarcian, Postmark, and Valimail parse these into readable dashboards.
What is DKIM key rotation and how often should I do it?
DKIM key rotation means generating a new public/private key pair and updating your DNS record with the new public key. Rotating every 6 to 12 months limits the damage if a private key is compromised. Most email providers offer tools or guides for rotating keys without downtime.
What does DMARC alignment mean?
DMARC alignment means the domain in the visible From: header matches the domain that passed SPF or DKIM. Without alignment, an attacker could authenticate their own domain while spoofing yours in the From: field. Relaxed alignment (the default) allows subdomain matches; strict requires an exact match.
What happens if my SPF record exceeds the 10-lookup limit?
Your entire SPF record becomes invalid and all SPF checks fail for your domain. There's no error message or notification. Use an SPF checker to count your lookups, and consider SPF flattening (replacing include directives with direct IP ranges) if you're close to the limit.
Can I set up DMARC if I use a free email provider like Gmail or Yahoo?
No. DMARC, SPF, and DKIM require you to control the DNS records for your sending domain. Free email accounts on gmail.com or yahoo.com are covered by Google's and Yahoo's own authentication records. You need a custom domain to configure your own email authentication.
Does email authentication affect inbox placement or just delivery?
Both. Failed authentication can cause outright rejection (the email never arrives) or spam folder placement (it arrives but the recipient never sees it). Passing all three checks doesn't guarantee primary inbox placement, but failing them almost guarantees you won't get there.
