
SPF, DKIM and DMARC: The Complete Email Authentication Guide

SPF, DKIM and DMARC are the three pillars of email authentication. Without them, your emails may be flagged as spam or rejected. This guide explains each protocol and how to set them up correctly.

Email authentication protocols are the technical foundation of deliverability. They prove to receiving mail servers that your messages genuinely come from your domain — not from a fraudster spoofing your brand. In 2024, Google and Yahoo made SPF, DKIM and DMARC mandatory for senders with more than 5,000 daily emails. Understanding them is now non-negotiable.

SPF — Sender Policy Framework

SPF defines which mail servers are authorised to send email on behalf of your domain. It works through a DNS TXT record that lists approved IP addresses and mail servers.

Example SPF record:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

This tells receiving servers: "Only Google's servers and SendGrid are allowed to send from this domain." The final mechanism says how to treat every other sender: ~all (soft fail) means they should be treated with suspicion, while -all (hard fail) means they should be rejected.

Common SPF mistakes:

  • Too many DNS lookups (max 10 allowed) — causes SPF to fail
  • Missing your ESP or transactional email provider from the record
  • Using +all (allow all) — completely defeats the purpose

DKIM — DomainKeys Identified Mail

DKIM adds a digital signature to each outgoing email. The receiving server checks this signature against a public key published in your DNS. If the signature matches, the message is confirmed to be unmodified in transit.

Think of DKIM as a wax seal on a letter — it proves both the origin and that the contents haven't been tampered with.

Example DKIM DNS record:

selector._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGS..."

Your ESP usually generates and manages your DKIM keys. The key step is publishing the DNS record they provide in your domain's DNS settings.

DMARC — Domain-based Message Authentication, Reporting & Conformance

DMARC ties SPF and DKIM together and tells receiving servers what to do with messages that fail authentication. It also enables reporting — you receive daily XML reports showing who is sending email on behalf of your domain.

Example DMARC record:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

DMARC policies (p=):

  • p=none — Monitor only; take no action on failing messages. Start here.
  • p=quarantine — Send failing messages to spam.
  • p=reject — Block failing messages entirely. The strongest protection.

The Alignment Requirement

DMARC requires alignment: the domain in the From header must match either the SPF-authenticated domain or the DKIM signing domain. This is what stops email spoofing even when an attacker passes SPF or DKIM individually, for example by authenticating with a domain of their own while putting your domain in the From header.
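
The alignment check and policy decision described above, as an added Python example (not from the original article). The function names, the two-label org_domain shortcut and the sample results are assumptions made for illustration; aspf and adkim are the DMARC tags that select strict or relaxed alignment.

```python
# Added example: simplified DMARC evaluation (alignment + policy).
# All domains and authentication results below are constructed sample data.

def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, spf, dkim_sigs, record):
    """spf = (result, envelope_domain); dkim_sigs = [(result, d_domain), ...].
    Returns (dmarc_pass, requested_action). pct sampling is not modelled."""
    tags = parse_tags(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")

RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

if __name__ == "__main__":
    cases = {
        "legitimate ESP mail": (("pass", "bounce.yourdomain.com"), [("pass", "yourdomain.com")]),
        "spoof with attacker's own SPF/DKIM": (("pass", "attacker.example"), [("pass", "attacker.example")]),
        "ESP bounce domain, no DKIM": (("pass", "sendgrid.net"), []),
    }
    for name, (spf, dkim) in cases.items():
        print(name, "->", evaluate_dmarc("yourdomain.com", spf, dkim, RECORD))
```

The third case is the kind of legitimate-but-unaligned source that the p=none monitoring period is meant to surface before enforcement.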

Implementation Order

  1. Set up SPF — add your ESPs and mail servers to a TXT record
  2. Enable DKIM — publish the key your ESP provides in DNS
  3. Add DMARC starting with p=none and an rua report address
  4. Monitor the DMARC reports for 2–4 weeks to identify all legitimate sending sources
  5. Gradually move to p=quarantine then p=reject

Summary

SPF, DKIM and DMARC together protect your domain from spoofing, improve inbox placement, and are now required by major providers. Implement all three — starting with monitoring mode — and use a DMARC monitoring tool to stay on top of your authentication results.
