SPF, DKIM, and DMARC Explained: The Complete Email Authentication Guide

Why Email Authentication Matters More Than Ever

Email was never designed with built-in identity verification. The original SMTP protocol trusts that the "From" address is genuine, which made email spoofing trivially easy. Over the past two decades, three authentication protocols - SPF, DKIM, and DMARC - evolved to close this gap and prove that an email genuinely comes from the domain it claims.

In 2026, authentication is not optional. Google, Yahoo, Microsoft, and Apple all require properly configured authentication as a baseline for inbox delivery. Since February 2024, bulk senders without DMARC enforcement have seen measurable drops in deliverability at Gmail and Yahoo. That trend has only accelerated.

This guide explains how each protocol works, walks through setup step by step, covers the common mistakes that break them, and shows how they work together to protect your domain and your deliverability.

SPF: Sender Policy Framework

What SPF Does

SPF allows you to declare which mail servers and IP addresses are authorized to send email on behalf of your domain. You publish this declaration as a DNS TXT record on your domain. When a receiving mail server gets a message claiming to be from your domain, it looks up your SPF record and checks whether the sending server's IP address is on the approved list.

If the IP matches, SPF passes. If not, SPF fails, and the receiving server can treat the message with suspicion or reject it outright.

How to Set Up SPF

SPF is configured as a TXT record on your domain's DNS. The record starts with v=spf1, followed by the mechanisms that define authorized senders, and ends with an all qualifier.

Here is an example SPF record for a domain that sends email through Google Workspace and Mailgun:

v=spf1 include:_spf.google.com include:mailgun.org -all

Breaking this down:

• v=spf1 - Identifies this as an SPF record
• include:_spf.google.com - Authorizes Google Workspace's mail servers
• include:mailgun.org - Authorizes Mailgun's mail servers
• -all - Rejects any server not explicitly listed (hard fail)

The all qualifier options are:

Qualifier	Meaning	Recommendation
-all	Hard fail - reject unauthorized senders	Best for deliverability
~all	Soft fail - mark but do not reject	Acceptable during transition
?all	Neutral - no opinion	Not recommended
+all	Pass everything - authorize all senders	Never use this

Common SPF Mistakes

Too many DNS lookups. SPF has a strict limit of 10 DNS lookups per record. Each include, a, mx, and redirect mechanism counts as one lookup, and nested includes count toward the total. Exceeding 10 lookups causes SPF to return a "permerror" and fail for all messages.

If you are running into the lookup limit, consider using Optimail's free SPF record generator to flatten your record by resolving includes into explicit IP ranges.

Multiple SPF records. A domain must have exactly one SPF TXT record. If you have two, SPF will return a permerror. This commonly happens when adding a new email service without updating the existing record - the new provider's documentation says "add this TXT record," and teams create a second record instead of merging the values.

Using +all or forgetting the all mechanism entirely. Without a restrictive all qualifier, SPF provides no protection against spoofing and sends no useful signal to receiving servers.

Forgetting third-party senders. If you use a CRM, marketing platform, transactional email service, or helpdesk that sends email on your behalf, each one needs to be included in your SPF record. Audit all services that send as your domain and make sure every one is accounted for.

DKIM: DomainKeys Identified Mail

What DKIM Does

DKIM adds a cryptographic signature to every outgoing email. The sending server signs specific headers and the message body using a private key. The corresponding public key is published in your DNS as a TXT record. When the receiving server gets the email, it retrieves the public key from DNS and uses it to verify the signature.

If the signature checks out, DKIM passes - proving that the message was sent by someone who possesses the private key for your domain and that the message was not modified in transit.

How to Set Up DKIM

DKIM setup involves two steps: generating a key pair and publishing the public key in DNS.

Most email service providers handle the key generation automatically. They provide you with a DNS record to publish. Here is what a typical DKIM DNS record looks like:

Record type: TXT (or CNAME, depending on the provider) Host/Name: selector1._domainkey.yourdomain.com Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

The selector is a label chosen by your email provider that allows multiple DKIM keys to coexist. Different services use different selectors, so they do not conflict.

For example, Google Workspace uses a selector like google, while SendGrid might use s1. You can have multiple DKIM records - one per selector - on the same domain without conflict.

After publishing the DNS record, enable DKIM signing in your email provider's settings. Most providers have a "Verify" or "Authenticate" button that checks whether the DNS record is correctly published.

Common DKIM Mistakes

Not publishing the DNS record after enabling DKIM. The email provider generates the key pair and starts signing messages, but if the public key is not in DNS, every signature verification will fail.

Truncated DNS records. DKIM public keys are long strings. Some DNS providers have character limits for TXT records and silently truncate the value. Always verify the full record is published by using a DKIM lookup tool or running a dig command.

Key rotation neglect. DKIM keys should be rotated periodically - at least once a year, and ideally every quarter. Old keys that have been in use for years are at higher risk of compromise. Most email providers support multiple selectors to facilitate seamless key rotation.

Modifying signed headers in transit. If a forwarding server or mailing list modifies the email headers or body after DKIM signing, the signature will break. This is a known limitation of DKIM with mailing lists, and DMARC's ARC (Authenticated Received Chain) extension was designed to address it.

DMARC: Domain-based Message Authentication, Reporting, and Conformance

What DMARC Does

DMARC builds on SPF and DKIM by adding two critical capabilities:

1. Policy enforcement - You specify what receiving servers should do when both SPF and DKIM fail for a message claiming to be from your domain: nothing (none), quarantine it (quarantine), or reject it (reject).

2. Reporting - Receiving servers send you aggregate reports (RUA) detailing how many messages they saw from your domain, whether authentication passed or failed, and what action they took. This visibility is invaluable for identifying unauthorized senders and monitoring authentication health.

How DMARC Alignment Works

DMARC does not just check whether SPF or DKIM passes - it checks whether they are aligned with the "From" domain the recipient sees.

SPF alignment - The domain in the SMTP envelope "MAIL FROM" (return-path) must match the domain in the visible "From" header. If your marketing platform sends with a return-path of bounces@esp.com but the From header shows news@yourdomain.com, SPF passes for the ESP's domain but fails DMARC alignment for your domain.

DKIM alignment - The domain in the DKIM signature's d= field must match the visible "From" header domain. If your ESP signs with d=esp.com but your From header is yourdomain.com, DKIM passes but DMARC alignment fails.

For DMARC to pass, at least one of SPF or DKIM must both pass and be aligned with the From domain.

How to Set Up DMARC

DMARC is published as a TXT record on _dmarc.yourdomain.com. Here is a recommended progression:

Stage 1: Monitor (start here)

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100

This tells receiving servers to send you reports but take no action on authentication failures. Use this stage to understand your email ecosystem and identify all legitimate senders.

Stage 2: Quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25

Start quarantining a percentage of failing messages. The pct=25 tag means only 25 percent of failing messages are quarantined; the rest are treated as p=none. Gradually increase the percentage as you confirm legitimate senders are passing.

Stage 3: Reject (full enforcement)

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100

This is the end goal. Messages that fail both SPF and DKIM alignment are rejected outright. This provides maximum protection against spoofing and sends the strongest positive signal to inbox providers about your domain's trustworthiness.

Common DMARC Mistakes

Jumping straight to p=reject. If you have not identified all legitimate senders in your ecosystem, enforcing a reject policy will block legitimate email. Always start with p=none, analyze reports, fix alignment issues, and gradually escalate.

Ignoring DMARC reports. The reports are the most valuable part of DMARC during the monitoring phase. They reveal every service sending email as your domain, including ones you may have forgotten about. Use a DMARC report analyzer to parse the XML data into readable dashboards.

Not configuring alignment for third-party senders. Each service that sends email on your behalf needs to support either SPF alignment (custom return-path domain) or DKIM alignment (signing with your domain's key). Most reputable ESPs support both - you just need to configure it in their settings.

Forgetting subdomains. By default, DMARC policy applies to the organizational domain and its subdomains. But if you want a different policy for subdomains, use the sp= tag. Some organizations set p=reject for their main domain but leave subdomains on p=none, creating a gap that spoofers exploit.

How SPF, DKIM, and DMARC Work Together

Think of the three protocols as layers of a security system:

• SPF checks that the message came from an authorized server (network-level check)
• DKIM checks that the message was not tampered with and was signed by an authorized party (message-level check)
• DMARC ensures that SPF and DKIM are aligned with the domain the recipient actually sees and enforces policy when they are not (policy-level check)

A well-configured domain has all three working in concert. Here is what happens when an email arrives at Gmail:

1. Gmail checks SPF - is the sending IP listed in the domain's SPF record?
2. Gmail checks DKIM - does the message have a valid signature matching a key in the domain's DNS?
3. Gmail checks DMARC - did at least one of SPF or DKIM pass AND align with the From domain? What policy does the domain owner want applied to failures?
4. Based on the DMARC result (plus its own reputation and content analysis), Gmail decides where to place the message.

Verifying Your Authentication Setup

After configuring SPF, DKIM, and DMARC, verify that everything is working correctly.

DNS Verification

Use a domain health check tool (like Optimail's free domain health checker at optimail.ai/tools/domain-health-check) to scan your DNS records and flag issues. The tool should verify:

• Your SPF record is syntactically correct and within the 10-lookup limit
• Your DKIM records are published and valid
• Your DMARC record is properly formatted with a valid policy

Send a Test Email

Send an email to a Gmail address and examine the headers. In Gmail, click the three dots on the message and select "Show original." Look for the Authentication-Results header, which should show:

spf=pass
dkim=pass
dmarc=pass

If any of these show "fail," investigate the specific mechanism that failed.

Monitor DMARC Reports

Within 24 to 48 hours of publishing your DMARC record, you should start receiving aggregate reports. These XML files contain data about every email received from your domain, organized by source IP and authentication result. Parsing them manually is impractical at scale - use a tool that processes and visualizes the data.

Advanced Authentication: BIMI and MTA-STS

Two newer protocols extend the authentication framework:

BIMI (Brand Indicators for Message Identification) - Allows brands to display their verified logo next to authenticated emails in supporting inbox providers. BIMI requires a DMARC policy of quarantine or reject, plus a Verified Mark Certificate (VMC) from a certificate authority. The visual impact in the inbox is significant - recipients can immediately see that the email is from a verified sender.

MTA-STS (Mail Transfer Agent Strict Transport Security) - Ensures that email in transit between servers is encrypted via TLS. Without MTA-STS, a man-in-the-middle attacker could intercept email between servers even if the sending server supports TLS. Publishing an MTA-STS policy forces receiving servers to use encrypted connections.

Troubleshooting Authentication Failures

SPF Fails But DKIM Passes

This usually means the sending service is not included in your SPF record. Check the sending IP in the email headers against your SPF record. Add the missing service's SPF include mechanism.

DKIM Fails But SPF Passes

Check whether the DKIM DNS record is correctly published by running a lookup against the selector in the email headers. Verify that the key has not been truncated. If using a third-party sender, ensure DKIM signing is enabled in their settings.

Both Pass But DMARC Fails

This is an alignment issue. SPF passes for the ESP's domain, and DKIM is signed by the ESP's domain, but neither aligns with your visible From domain. Configure custom return-path and DKIM signing domains in your ESP's settings.

Authentication Works in Testing But Fails Intermittently

Check for DNS propagation delays, especially after making changes to records. Some ISPs cache DNS aggressively. Also check whether email forwarding or mailing lists are breaking DKIM signatures by modifying message headers.

Putting It All Together: A Practical Checklist

Here is a step-by-step checklist for implementing email authentication:

1. Audit your senders - List every service, platform, and server that sends email as your domain
2. Configure SPF - Create a single TXT record including all authorized senders, ending with -all
3. Set up DKIM - Enable DKIM signing and publish public key records for each sending service
4. Publish DMARC at p=none - Start collecting reports to validate your setup
5. Analyze DMARC reports - Identify any unauthorized senders or alignment failures
6. Fix alignment issues - Configure custom domains for return-path and DKIM signing with each ESP
7. Escalate DMARC to p=quarantine - Start at a low percentage and increase gradually
8. Move to p=reject - Once all legitimate email consistently passes, enforce full rejection
9. Set up ongoing monitoring - Use a platform like Optimail to continuously track authentication status across all your domains and get alerted to failures before they impact deliverability
10. Consider BIMI - Once at DMARC enforcement, explore BIMI for visual brand verification in the inbox

Email authentication is not a set-it-and-forget-it task. New sending services, DNS changes, key rotations, and provider policy updates mean that authentication needs ongoing attention. The payoff - better deliverability, stronger brand protection, and reduced spoofing risk - makes it well worth the effort.