Email Authentication Explained: SPF, DKIM, and DMARC (2026 Guide)
Email was designed in an era of implicit trust, with no built-in way to verify that a message claiming to be “from your bank” actually came from your bank. That original sin is why phishing and domain spoofing have plagued the internet for decades: by default, anyone can put your domain in the From field of an email and send it. The fix is a trio of DNS-based standards — SPF, DKIM, and DMARC — that together let receiving servers cryptographically verify that an email genuinely originated from the domain it claims.
Getting these right does two things at once. It protects your domain and recipients from spoofing and phishing, and it dramatically improves deliverability — the likelihood your legitimate mail reaches the inbox instead of the spam folder. As of 2024, major providers including Google and Yahoo require all three for bulk senders, so this is no longer an optional hardening step; it’s table stakes for anyone who sends email at scale. This guide explains exactly how each standard works, how they combine, and how to deploy them without breaking your own mail.
Why email needs authentication at all
When a receiving mail server gets a message, it faces a deceptively hard question: is this really from who it claims to be? Nothing in the base email protocol (SMTP) answers it. The “From” address a user sees is just text the sender chose — as forgeable as the return address on a paper envelope. Spammers and phishers exploit this constantly, sending mail that appears to come from trusted brands, banks, and colleagues.
SPF, DKIM, and DMARC retrofit trust onto this open system. Each publishes verification data in your domain’s DNS, and receiving servers check that data against incoming mail. None of them encrypts the message body (that’s a separate concern); they exist to answer one question — did this really come from the claimed domain? — with increasing rigor. You can inspect any of these records yourself with a DNS Lookup tool by querying the TXT records described below.
SPF: which servers may send for your domain
SPF (Sender Policy Framework) is the first and simplest layer. You publish a TXT record in DNS that lists the mail servers authorized to send email on behalf of your domain. When a receiver gets a message, it checks the sending server’s IP against your SPF record. On the list? SPF passes. Not on the list? SPF fails.
An SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Reading it left to right: v=spf1 declares the version; include: clauses delegate to the SPF records of services that send for you (here, Google Workspace and SendGrid); and ~all is the catch-all policy — ~all (soft fail) says “anything else is suspicious,” while -all (hard fail) says “reject anything else.”
SPF is valuable but has three important limitations you must understand:
- It breaks on forwarding. When mail is forwarded, the forwarding server’s IP isn’t in the original domain’s SPF record, so SPF fails — even for legitimate mail. This is a fundamental, unavoidable weakness.
- It checks the hidden envelope domain, not the visible From. SPF validates the “return-path” (envelope-from) that recipients never see — not the From address they do see. An attacker can pass SPF for their own domain while displaying your domain in the visible From. SPF alone doesn’t stop the spoofing users actually experience.
- It has a 10-DNS-lookup limit. Each
includecosts lookups, and exceeding ten causes SPF to fail (permerror). Sprawling SPF records that chain through many services silently break.
These gaps are precisely why SPF alone is not enough — and why DKIM and DMARC exist.
DKIM: cryptographically signing every message
DKIM (DomainKeys Identified Mail) adds cryptographic proof. Your mail server signs each outgoing message with a private key, attaching the signature in a DKIM-Signature header. You publish the matching public key in DNS. The receiver fetches the public key, verifies the signature, and learns two things: the message genuinely came from a server holding your private key, and the signed parts were not altered in transit.
The public key lives at a special DNS subdomain using a selector:
selector1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
The selector (selector1 here) lets you run multiple keys simultaneously — useful for rotation and for different sending services. DKIM’s strengths over SPF: it survives forwarding (the signature travels with the message), and it proves integrity (tampering invalidates the signature). Its limitation on its own: DKIM proves a domain signed the message, but doesn’t, by itself, require that the signing domain match the visible From. An attacker could validly DKIM-sign mail for their domain while showing yours in the From field.
Notice the pattern: SPF and DKIM each provide real but partial protection, and each has the same blind spot — neither, alone, ties the verification to the visible From address that users actually judge. That’s the gap DMARC closes.
A note on forwarding and ARC
Forwarding is the perennial headache of email authentication, and it’s worth understanding why. When a message is forwarded — by a mailing list, a “forward to my other address” rule, or a corporate gateway — the forwarding server’s IP isn’t in the original sender’s SPF record, so SPF breaks. DKIM usually survives (the signature travels with the message), but mailing lists that modify the message — adding a footer, rewriting the subject — break the DKIM signature too, because the signed content changed. This is the main reason legitimate, forwarded mail sometimes fails DMARC.
A newer standard, ARC (Authenticated Received Chain), addresses this by letting each forwarding server record the authentication results it saw and cryptographically sign that record. A trusted forwarder can then vouch that the message was authenticated when it arrived, even though forwarding broke the original checks. ARC adoption is growing but not universal, so the practical defense remains having both SPF and DKIM aligned — since DKIM survives plain forwarding, a forwarded message that breaks SPF can still pass DMARC via aligned DKIM. This redundancy is exactly why DMARC requires only that one of the two mechanisms pass and align, not both.
DMARC: tying it together with policy and alignment
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the keystone. It does three jobs:
- Enforces alignment. This is the crucial concept. DMARC requires that the domain validated by SPF or DKIM matches the visible From domain. An attacker can pass SPF/DKIM for their own domain, but they cannot make those checks align with your domain in the From field — because they don’t control your DNS or your DKIM key. Alignment is the mechanism that actually stops spoofing.
- Sets a policy for failures. You tell receivers what to do when a message claiming to be from your domain fails authentication: monitor, quarantine, or reject.
- Sends you reports. Receivers email you aggregate (and optionally forensic) reports showing who is sending mail as your domain — including unauthorized senders. This visibility is invaluable.
A DMARC record is a TXT record at _dmarc.yourdomain.com:
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s"
Here p=reject is the policy, rua= is where aggregate reports go, and adkim=s/aspf=s set strict alignment. A message passes DMARC if it passes SPF or DKIM and that passing mechanism aligns with the From domain. Because DKIM survives forwarding, a forwarded message that breaks SPF can still pass DMARC via aligned DKIM — which is why you want both.
The three DMARC policy levels
The p= value is your enforcement dial, and choosing it carelessly can blackhole your own mail:
| Policy | Receiver behavior | When to use |
|---|---|---|
p=none | Take no action; just send reports | Initial monitoring — always start here |
p=quarantine | Treat failing mail as suspicious (→ spam) | After confirming legitimate senders pass |
p=reject | Refuse failing mail outright | Full protection, once you’re confident |
Deploying email authentication without breaking your mail
The cardinal rule of DMARC: never jump straight to p=reject. Most organizations send legitimate mail through more services than they realize — marketing platforms, CRMs, support desks, invoicing tools, transactional providers — and any one not properly authorized will have its mail rejected. The safe, standard rollout is gradual:
- Publish SPF and DKIM for every service that legitimately sends as your domain. This is the prerequisite; DMARC enforces what SPF/DKIM establish.
- Publish DMARC at
p=nonewith a reporting address (rua=). This changes nothing about delivery but starts the flow of reports. - Read the aggregate reports for several weeks. They reveal every source sending as your domain — including ones you forgot (that old newsletter tool) and ones that are malicious. Authorize the legitimate ones via SPF/DKIM; investigate the rest.
- Move to
p=quarantine, optionally with a percentage (pct=25) to ramp gradually. Monitor reports for any legitimate mail now being quarantined and fix it. - Move to
p=rejectonce reports confirm your legitimate senders all pass and align. Now spoofed mail using your domain is refused outright.
This staged approach is the difference between deploying DMARC and accidentally rejecting your own payroll notifications. The reports are the safety net — they let you see the full picture before you enforce.
Why this matters more than ever in 2026
Two forces have turned email authentication from best practice into requirement. First, deliverability: mailbox providers weight authentication heavily, and properly authenticated domains land in the inbox while unauthenticated mail gets filtered to spam or rejected. Second, and decisively, mandates: since 2024, Google and Yahoo require bulk senders (roughly, those sending thousands of messages per day) to have SPF, DKIM, and DMARC in place, with DMARC at least at p=none. Other providers are following. If you send marketing or transactional email at any volume and you’re not authenticated, your deliverability is already suffering.
Beyond compliance, the security payoff is direct. A domain at p=reject with aligned SPF and DKIM cannot be spoofed in a way that reaches inboxes — protecting your customers from phishing that impersonates you, and protecting your brand from the reputational damage of being a spoofing vector.
Common mistakes and how to avoid them
- Going straight to
p=reject. The classic self-inflicted outage. Start atp=none, read reports, ramp up. - Forgetting a sending service. Every tool that sends as your domain — newsletters, helpdesk, billing — needs to be in SPF and/or DKIM. Reports reveal the ones you missed.
- Exceeding SPF’s 10-lookup limit. Too many
includes cause a permerror and SPF failure. Flatten or consolidate. - Relying on SPF alone. It breaks on forwarding and doesn’t check the visible From. You need DKIM and DMARC too.
- Ignoring DMARC reports. The reports are the entire value of the monitoring phase. Set up a mailbox or a report-parsing service and actually read them.
- Letting DKIM keys go stale. Rotate keys periodically using selectors, and remove retired ones from DNS.
You can verify each record is published correctly by querying your domain’s TXT records (and the _dmarc and selector._domainkey subdomains) with a DNS Lookup tool — a quick way to confirm your configuration before relying on it.
Handling third-party senders and subdomains
The single most underestimated part of an email-authentication rollout is the sheer number of services that send mail as your domain. A typical organization sends through a primary mail provider (Google Workspace, Microsoft 365), a marketing platform (Mailchimp, Klaviyo), a transactional provider (SendGrid, Postmark), a CRM, a help desk, an invoicing tool, and often several more — each of which must be authorized in SPF and/or sign with DKIM, or its mail will fail DMARC once you enforce.
The DMARC monitoring phase exists precisely to surface this list. The aggregate reports show every source sending under your domain, legitimate and otherwise. Work through them methodically: for each legitimate sender, follow that provider’s instructions to add their SPF include and publish their DKIM key (usually via a CNAME they provide). For anything you don’t recognize, investigate — it’s either a forgotten internal tool or an attacker, and both are worth knowing about.
Subdomains deserve special attention. DMARC policy can be inherited by subdomains (via the sp= tag, the subdomain policy), and a common attack vector is spoofing a subdomain you never use for email. A robust setup publishes a DMARC record on the organizational domain with an appropriate sp=reject, and explicitly authenticates the subdomains you do send from. Unused subdomains that send no mail can be locked down with a restrictive SPF (v=spf1 -all) and a DMARC p=reject, so attackers can’t use them to impersonate you.
A practical rollout checklist:
- Inventory every service that sends email as your domain — and over-collect; you’ll find forgotten ones in the reports.
- Publish SPF authorizing each, watching the 10-lookup limit (consolidate or flatten if you approach it).
- Enable DKIM signing on every sender, using distinct selectors so you can rotate and identify keys.
- Publish DMARC at
p=nonewith a reporting address; collect data for several weeks. - Reconcile the reports: authorize legitimate senders, investigate the rest.
- Ramp to
p=quarantine(optionally withpct=for a gradual rollout), monitor, then top=reject. - Lock down unused subdomains and set an
sp=policy.
BIMI: turning authentication into a visible trust signal
Once you reach DMARC enforcement, a newer standard becomes available that turns your authentication work into something users actually see: BIMI (Brand Indicators for Message Identification). BIMI lets you publish your brand logo in DNS, and supporting mailbox providers display it next to your authenticated messages in the inbox — a visible badge of legitimacy.
The catch, and the reason BIMI matters here, is that BIMI requires DMARC at enforcement (p=quarantine or p=reject). You cannot opt into the visible trust signal without first doing the authentication work properly. For many organizations, BIMI is the business incentive that finally justifies the DMARC rollout: marketing wants the logo in the inbox, and the only path to it runs through SPF, DKIM, and an enforced DMARC policy. Some providers additionally require a Verified Mark Certificate (a paid credential proving you own the trademark on the logo), but the foundational requirement is always the same — authenticated, enforced email. BIMI is the reward at the end of the journey: your reputation, rendered as a recognizable mark, on every legitimate message you send.
Conclusion
SPF, DKIM, and DMARC retrofit the trust that email was born without. SPF authorizes which servers may send for your domain; DKIM cryptographically signs each message so forgery and tampering are detectable and survive forwarding; and DMARC ties them together, enforces alignment with the visible From address — the part that actually stops spoofing — sets a policy for failures, and reports who’s sending as you. Deploy them in order, start DMARC at p=none, read the reports until you trust your sender list, then ramp to quarantine and reject. With major providers now requiring all three for bulk mail, this is both a security imperative and a deliverability necessity. Start today by looking up your own domain’s SPF, DKIM, and DMARC records — if any are missing, you’ve found your first task.