Email Authentication: SPF, DKIM, and DMARC Explained
Without authentication, inbox providers cannot tell whether mail carrying your domain is legitimate. SPF, DKIM, and DMARC let receiving servers verify that a message was authorised by the owner of the sending domain, and unlock better deliverability.
Why Email Authentication Matters
Spammers routinely forge the From address — a technique called spoofing. Authentication records published in DNS let receiving servers verify that a message claiming to come from your domain actually originated from infrastructure you control.
Since February 2024, Google and Yahoo require every sender to pass SPF or DKIM. Senders of more than 5,000 messages per day to Gmail must additionally authenticate with both SPF and DKIM and publish a DMARC policy (p=none is enough to meet the requirement), with the From domain aligned to the SPF or DKIM domain.
SPF — Sender Policy Framework
Authorises which servers can send on your behalf
An SPF record is a DNS TXT record listing the IP addresses and mail servers permitted to send email from your domain.
Example SPF record (DNS TXT):
v=spf1 include:_spf.google.com include:sendgrid.net ~all
- ~all: softfail, deliver but mark suspicious (recommended while testing)
- -all: hardfail, reject messages from unlisted sources (use once stable)
- +all: pass everything, never use this
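The following is an added example, not code from the original page: a small SPF evaluator that resolves the record above against a constructed, in-memory DNS table (the IP ranges, and the strict.example, open.example and loop.example domains, are made up for the demo). It shows how the qualifier on the matching term, or on `all`, becomes the result, how nested `include:` terms share one lookup counter, and how exceeding ten DNS-querying terms turns the whole record into a permerror, which receivers treat as no usable SPF at all.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (domain -> TXT strings). Only the
# first entry mirrors the record shown above; everything else is made up.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
    "_spf.google.com": ["v=spf1 ip4:35.190.247.0/24 ip4:209.85.128.0/17 ~all"],
    "sendgrid.net": ["v=spf1 ip4:167.89.0.0/17 ip4:168.245.0.0/17 -all"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "open.example": ["v=spf1 +all"],
    "loop.example": ["v=spf1 include:loop.example -all"],   # self-include: blows the limit
}

MAX_LOOKUPS = 10          # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


def spf_record(domain):
    """Return the domain's single v=spf1 record, or None if absent or ambiguous."""
    recs = [r for r in FAKE_DNS_TXT.get(domain.lower(), [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_spf(domain, ip, _lookups=None):
    """Evaluate sender `ip` against `domain`'s SPF record.

    Returns (result, lookups_used). ip4/ip6/include/all/redirect= are fully
    handled; a/mx/ptr/exists count toward the lookup limit but never match,
    because this offline demo has no A/MX resolver.
    """
    if _lookups is None:
        _lookups = [0]                       # one counter shared by nested includes
    record = spf_record(domain)
    if record is None:
        return "none", _lookups[0]
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if "=" in term:                      # modifier such as redirect= or exp=
            name, _, arg = term.partition("=")
            if name.lower() == "redirect":
                redirect = arg
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHS:
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror", _lookups[0]
        if name in ("ip4", "ip6"):
            # a v4 address is never contained in a v6 network and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual], _lookups[0]
        elif name == "include":
            inner, _ = check_spf(arg, ip, _lookups)
            if inner in ("none", "permerror"):
                return "permerror", _lookups[0]   # included domain has no usable record
            if inner == "pass":
                return QUALIFIERS[qual], _lookups[0]
        elif name == "all":
            return QUALIFIERS[qual], _lookups[0]
        elif name not in LOOKUP_MECHS:
            return "permerror", _lookups[0]       # unknown mechanism
    if redirect:                                  # only consulted when nothing matched
        _lookups[0] += 1
        if _lookups[0] > MAX_LOOKUPS:
            return "permerror", _lookups[0]
        return check_spf(redirect, ip, _lookups)
    return "neutral", _lookups[0]


if __name__ == "__main__":
    for dom, ip in [("example.com", "167.89.1.1"), ("example.com", "203.0.113.5"),
                    ("loop.example", "203.0.113.5")]:
        print(dom, ip, check_spf(dom, ip))
```

Run against a real domain by swapping `spf_record` for a TXT query; the lookup counter is what the "10 DNS lookups" check in the quick-check below measures, and an `include:` of a vendor record that itself carries several includes is the usual way to exceed it.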
DKIM — DomainKeys Identified Mail
Signs each message with a cryptographic key
DKIM adds a digital signature to email headers. Your sending server signs outgoing messages with a private key; the receiving server verifies the signature against a public key in your DNS.
Example DKIM DNS record:
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."
- Use a 2048-bit key minimum; 1024-bit keys are considered weak
- Rotate keys annually or after any suspected compromise
- Your ESP generates the key pair and provides the DNS record to publish
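Because the ESP hands you the record ready-made, the practical check on your side is what is actually sitting in DNS. The block below is an added example, not the page's or any ESP's code: it joins the TXT record's character strings (a 2048-bit p= value is longer than one 255-byte string), parses the tag=value pairs, base64-decodes p= and reads the RSA modulus length out of the DER SubjectPublicKeyInfo with a minimal DER walker. The three records for `google`, `old` and `retired` selectors are constructed with synthetic moduli that are not real keys; only the selector name `google` matches the record above.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER helpers; the encoder is only used to build synthetic test keys ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:                        # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def synthetic_spki(bits, e=65537):
    """SubjectPublicKeyInfo around a made-up modulus of exactly `bits` bits.
    Not a usable key (the modulus is not a product of two primes); it only
    lets the example run offline without generating a real key pair."""
    n = (1 << (bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")            # rsaEncryption, NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, algorithm, pos = _read_tlv(spki)
    if tag != 0x30 or not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)   # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_public_key)         # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt_strings):
    """Join the TXT character-strings, then split tag=value pairs.
    Whitespace inside p= is legal in folded records and must be removed."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_dkim_key(txt_strings, min_bits=2048):
    """Return (status, modulus_bits) for one selector's DKIM TXT record."""
    tags = parse_dkim_record(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1":    # v= is optional and defaults to DKIM1
        return "invalid", 0
    if tags.get("k", "rsa") != "rsa":        # e.g. k=ed25519 (RFC 8463) is not handled here
        return "unsupported-key-type", 0
    if not tags.get("p"):                    # an empty p= means the key was revoked
        return "revoked", 0
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return ("ok" if bits >= min_bits else "weak"), bits


def _as_txt_strings(record):
    """Split a long record into 255-byte strings, as a DNS server returns it."""
    return [record[i:i + 255] for i in range(0, len(record), 255)]


# Constructed answers for three selectors under example.com (synthetic keys).
DKIM_RECORDS = {
    "google._domainkey.example.com": _as_txt_strings(
        "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_spki(2048)).decode()),
    "old._domainkey.example.com": _as_txt_strings(
        "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_spki(1024)).decode()),
    "retired._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
}

if __name__ == "__main__":
    for name, strings in DKIM_RECORDS.items():
        print(name, check_dkim_key(strings))
```

Against a live domain, feed `check_dkim_key` the strings from a TXT query for `<selector>._domainkey.<domain>`; the same walk is what receivers do before verifying a signature, so a record that fails here fails for them too.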
DMARC — Domain-based Message Authentication
Tells receivers what to do when authentication fails
DMARC builds on SPF and DKIM. Neither check on its own looks at the From address a recipient sees: SPF authenticates the envelope sender (Return-Path) domain and DKIM the d= domain in the signature. DMARC requires at least one of them to pass with a domain aligned to the From domain, lets you publish a policy instructing receiving servers how to handle messages that fail, and asks receivers to send you aggregate reports.
Example DMARC record:
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
- p=none: monitor only, no action (start here)
- p=quarantine: send failing messages to spam
- p=reject: block failing messages outright (goal state)
- rua=: email address that receives aggregate XML reports
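As an added example (not the page's own code), the function below reproduces the receiver-side decision for one message: parse the DMARC record, test SPF and DKIM for identifier alignment under the `aspf`/`adkim` modes, then pick `p`, `sp` or the `pct`-downgraded policy. The sample record, the `dmarc@example.com` mailbox, the `sample_roll` argument standing in for the receiver's pct= sampling draw, and the simplified organizational-domain rule are all assumptions of this example.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real receivers
    consult the Public Suffix List so that suffixes such as co.uk work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any name under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample_roll=0):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM (Return-Path) domain that SPF checked;
    dkim_domain is the d= of a signature that verified (None if none did).
    sample_roll is a value in 0..99 standing in for the pct= sampling draw.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none", "none"                # unusable record: no policy applies
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]                  # sub-domain policy overrides p=
    if sample_roll >= int(tags.get("pct", "100")):
        # outside the sampled fraction: apply the next-weaker policy (RFC 7489 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# Constructed record: strict DKIM alignment, relaxed SPF, quarantine for sub-domains.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Typical ESP setup: SPF passes for the ESP's bounce domain but is not
    # aligned, so only a DKIM signature with d=example.com rescues the mail.
    print(dmarc_evaluate(RECORD, "example.com", "pass", "bounce.sendgrid.net", "fail", None))
    print(dmarc_evaluate(RECORD, "example.com", "pass", "bounce.sendgrid.net", "pass", "example.com"))
```

The second call in the usage block is why the implementation order below insists on DKIM in the ESP with your own domain as d=: an ESP whose SPF include passes can still fail DMARC because its Return-Path is on the ESP's domain.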
Recommended Implementation Order
1. Publish an SPF record listing all authorised sending sources.
2. Enable DKIM signing in your ESP and publish the public key DNS record.
3. Add a DMARC record with p=none and rua= pointing to a report inbox.
4. Review DMARC reports for 30 days to discover unauthorised senders.
5. Move DMARC policy to p=quarantine once all legitimate sources pass.
6. Advance to p=reject once you are confident in full coverage.
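Step 4 is where most rollouts stall, because the aggregate reports are raw XML. The block below is an added example, not the page's code: it parses a constructed report in the RFC 7489 Appendix C layout (the org name, IPs and counts are invented) and sorts each source IP into aligned, unaligned (SPF or DKIM passed for some domain, but not one aligned to your From domain, which usually means a legitimate vendor that needs fixing) or unauthenticated (nothing passed, so an unknown sender or spoofing). The non-aligned rows are exactly the sources that will start being quarantined in step 5.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report. Real reports arrive at the rua= mailbox as
# .xml.gz or .zip attachments, one per reporting receiver per day.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox.example</org_name>
    <report_id>1700000000.1</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>209.85.220.41</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>167.89.20.5</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>430</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record):
    """policy_evaluated holds the aligned DMARC verdicts; auth_results holds
    the raw SPF/DKIM outcomes for whatever domain was actually checked."""
    evaluated = record.find("row/policy_evaluated")
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "aligned"
    raw_passes = [r.text for r in record.findall("auth_results/*/result")]
    return "unaligned" if "pass" in raw_passes else "unauthenticated"


def summarize_report(xml_text):
    """Message counts per (source IP, classification, domains that were checked),
    largest senders first."""
    root = ET.fromstring(xml_text)
    rows = defaultdict(int)
    for record in root.findall("record"):
        ip = record.findtext("row/source_ip")
        count = int(record.findtext("row/count"))
        domains = tuple(sorted({d.text for d in record.findall("auth_results/*/domain")}))
        rows[(ip, classify(record), domains)] += count
    return sorted(rows.items(), key=lambda kv: -kv[1])


def action_items(xml_text):
    """Sources that would stop being delivered normally once the policy leaves p=none."""
    return [(ip, cls, count) for (ip, cls, _), count in summarize_report(xml_text)
            if cls != "aligned"]


if __name__ == "__main__":
    for (ip, cls, domains), count in summarize_report(SAMPLE_REPORT):
        print(f"{count:6d}  {ip:16}  {cls:16}  {', '.join(domains)}")
```

In the constructed data the 167.89.20.5 row is the classic ESP case (DKIM signed with the vendor's own d=, SPF passing for the vendor's bounce domain): fix it by enabling DKIM with your domain in the ESP rather than by loosening policy. The 198.51.100.77 row passes nothing and is the kind of source p=quarantine and p=reject exist to stop.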
Authentication Quick-Check
- SPF record published in DNS with -all or ~all qualifier
- DKIM key length is 2048-bit minimum
- DKIM selector matches what your ESP configured
- DMARC record present at _dmarc.yourdomain.com
- DMARC rua address is monitored regularly
- DMARC policy is at least p=quarantine for production domains
- SPF record uses no more than 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) counted across all nested includes; exceeding the limit is a permerror and the record is ignored
Authentication passes. Now verify your list.
Even a perfectly authenticated domain struggles if your list contains invalid addresses.