How to Authenticate Email With SPF, DKIM, and DMARC

If you want stronger deliverability, better inbox placement, and fewer messages landing in the spam folder, email authentication needs to be part of your foundation.

At a high level, SPF, DKIM, and DMARC are the three core email authentication protocols that help mailbox providers verify whether a message is legitimately coming from your domain. According to Google’s email sender guidelines, all senders should use SPF or DKIM, and bulk senders to Gmail need SPF, DKIM, and DMARC in place.

For marketers, this is not just an IT checklist item. It directly affects trust, placement, and long-term performance. That is why authentication belongs in the same conversation as dedicated IP strategy, ESP migration planning, open rate analysis, and CTOR performance.

What Is Email Authentication?

Email authentication is the process of using DNS records and cryptographic checks to prove that an email sender is authorized to send on behalf of a domain. The most important email authentication methods are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC. Together, they help receiving servers identify legitimate mail, spot spoofing, and decide what to do with suspicious messages. Google and DMARC.org both frame SPF, DKIM, and DMARC as the core standards behind modern authenticated email.

A simple way to think about the three is this:

  • SPF checks whether the sending server is allowed to send for the domain
  • DKIM checks whether the message carries a valid digital signature
  • DMARC checks whether SPF or DKIM passed in a way that aligns with the visible From domain

That alignment layer is a big reason these email authentication protocols matter so much for modern deliverability. Google’s DMARC documentation explains that DMARC only passes when SPF or DKIM authenticates successfully and the authenticating domain matches the domain in the From header.

Why SPF, DKIM, and DMARC Matter

Authentication helps mailbox providers trust your mail. It also helps domain holders protect their brand from spoofing, phishing, and unauthorized sending. DMARC.org explains that DMARC gives domain owners a way to publish policies for how receivers should handle non-aligned mail, while also enabling reporting back to the sender.

That matters because even strong campaigns can underperform when mailbox providers do not trust the sending identity behind them. Authentication will not fix weak creative or poor list hygiene on its own, but poor authentication can absolutely hurt inbox placement. This is one reason the topic pairs so naturally with content like What Is a Newsletter? and What Is an Open Rate?: before anyone opens or clicks, the message has to be trusted enough to land in the inbox.

What SPF Does

Sender Policy Framework (SPF) is a DNS-based method that tells receiving mail servers which IPs or services are allowed to send email for your domain. Cloudflare’s documentation describes SPF as a record that lists the authorized IP addresses and domains that can send email on behalf of your zone.

A basic SPF record might look like this:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

That tells mailbox providers that Google and SendGrid are valid sending sources for the domain.

SPF sounds simple, but a lot of teams still get it wrong. Common issues include publishing multiple SPF records, forgetting to include an older platform that still sends mail, or leaving outdated vendors in place long after they are no longer used. If you are cleaning up sending infrastructure during a platform move, it is smart to handle SPF review as part of a broader ESP migration process.

What DKIM Does

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to each outgoing message. When the email arrives, the receiving server checks that signature against the public key published in your DNS. If the signature validates, the receiver can confirm the message was authorized by the sending domain and was not materially altered in transit. Google’s guidance on setting up DKIM reflects this model and recommends authentication as part of reliable delivery.

A DKIM record usually lives on a selector, such as:

selector1._domainkey.yourdomain.com

The DNS record contains the public key, while the sending system keeps the private key secure on its side. That private key is what creates the signature on the message, and the matching public key in DNS is what allows the receiving server to validate it.

This is why DKIM signatures are so valuable: they do more than show who sent the email. They also help confirm the message content was not tampered with during delivery. In practical terms, that makes DKIM one of the most important email authentication methods available to any serious sender.

What DMARC Does

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It builds on SPF and DKIM by adding policy, reporting, and domain alignment. DMARC.org explains that DMARC records are published in DNS and tell receiving servers what to do with non-aligned mail, such as monitor it, quarantine it, or reject it.

A basic DMARC record might look like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

A stricter version could look like this:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Those policy values matter:

  • p=none means monitor only
  • p=quarantine means failing mail may be routed to the spam folder
  • p=reject means failing mail should be refused outright by the receiver

For domain holders, DMARC is often the point where authentication stops being passive and starts becoming enforceable.

SPF vs DKIM vs DMARC

A lot of marketers talk about SPF, DKIM, and DMARC as one concept, but they each do different jobs.

SPF validates the server path.

DKIM validates the signed message itself.

DMARC validates whether SPF or DKIM passed in a way that aligns with the visible From domain.

That last piece is critical. Google’s email sender guidelines FAQ recommends full DMARC alignment for both SPF and DKIM for the most reliable authentication posture.

So while SPF and DKIM are both useful, DMARC is what ties the whole system together and gives mailbox providers clear instructions on how to handle mail that fails.

How to Set Up SPF, DKIM, and DMARC

The cleanest approach is to handle setup in a logical order.

1. Identify Every System That Sends Email

Start by listing every platform that sends from your domain:

  • Google Workspace or Microsoft 365
  • your ESP
  • CRM tools
  • customer support platforms
  • invoicing tools
  • websites, apps, and internal systems

This step is easy to rush, but it matters. If a legitimate sending source gets missed, it can start failing authentication the moment you tighten your policy.

2. Publish a Single SPF Record

Your root domain should have one SPF TXT record, not several. Make sure all legitimate senders are included in that record and that old services are removed.

Bad setup:

v=spf1 include:_spf.google.com ~all

v=spf1 include:sendgrid.net ~all

Better setup:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Publishing more than one SPF record is one of the most common issues that breaks Sender Policy Framework (SPF) validation.
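The checks from steps 1 and 2 can be automated. The following is an added example, not code from the original article: it audits a domain's TXT records against a sender inventory and flags duplicate SPF records, missing senders, and leftover vendors. The function name, the inventory list, and `oldvendor.example` are assumptions made for illustration, and the TXT strings are passed in directly so the check runs offline.

```python
def audit_spf(txt_records, expected_includes):
    """Return a list of findings for the SPF setup described by txt_records."""
    # Only TXT records whose first term is v=spf1 count as SPF records.
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; receivers expect exactly one")
    # Collect include: targets across every SPF record that was found.
    published = set()
    for record in spf:
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?")  # drop the optional qualifier
            if mech.lower().startswith("include:"):
                published.add(mech.split(":", 1)[1].lower())
    expected = {d.lower() for d in expected_includes}
    for missing in sorted(expected - published):
        findings.append(f"missing sender: include:{missing}")
    for stale in sorted(published - expected):
        findings.append(f"not in inventory (stale?): include:{stale}")
    return findings

# Constructed inputs: the inventory from step 1 and three TXT record sets.
INVENTORY = ["_spf.google.com", "sendgrid.net"]
BAD = ["v=spf1 include:_spf.google.com ~all",
       "v=spf1 include:sendgrid.net ~all",
       "site-verification=constructed-value"]
GOOD = ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"]
STALE = ["v=spf1 include:_spf.google.com include:oldvendor.example ~all"]

if __name__ == "__main__":
    for name, records in (("bad", BAD), ("good", GOOD), ("stale", STALE)):
        print(name, audit_spf(records, INVENTORY))
```
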

3. Turn On DKIM for Every Sending Platform

Most email platforms give you DKIM records to publish in DNS. Once those records are live, the platform uses its private signing key to generate DKIM signatures on outgoing mail, while the receiving server checks the matching public key in DNS.

If one of your platforms is not signing mail, that gap can weaken your overall authentication posture. For brands focused on performance, that is especially important because authentication gaps can quietly affect placement, which in turn affects downstream metrics like open rate and click-to-open rate.

4. Publish a DMARC Record

Start conservatively with a monitoring-only policy:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

This lets you review reports before moving to enforcement. Once you are confident your legitimate mail is authenticating correctly, you can move toward quarantine and then reject. DMARC.org’s overview of DMARC policies supports this gradual rollout approach.

5. Check Domain Alignment

This is where a lot of teams get tripped up. A message can pass SPF or DKIM technically, but still fail DMARC if the authenticated domain does not align with the visible From domain. Google explicitly notes that DMARC requires SPF or DKIM authentication tied to the same domain shown in the From header.

For example:

  • From: newsletter@brand.com
  • DKIM signed by: brand.com
  • SPF authenticated as: mailer.vendor.com

In that example, DKIM may align, but SPF would not.

6. Monitor Reports and Fix What Fails

Once DMARC is live, use the reporting data to identify:

  • unauthorized senders
  • broken DNS configurations
  • misaligned vendors
  • old systems still using your domain
  • spoofing attempts

Cloudflare’s DMARC management documentation explains that DMARC reports can help show which sources are sending from your domain and whether they are passing SPF, DKIM, and DMARC.

Google’s Postmaster Tools authentication dashboard can also help email teams monitor pass rates for SPF, DKIM, and DMARC once everything is configured correctly.
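To make steps 5 and 6 concrete, here is an added example (not part of the original article) that reads a DMARC aggregate report and separates aligned results from raw SPF/DKIM results. The XML is a constructed sample in the standard aggregate-report layout, reusing the brand.com and mailer.vendor.com names from step 5; the IP addresses and `unknown.example` are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (not real data).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>brand.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.com</domain><result>pass</result></dkim>
      <spf><domain>mailer.vendor.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return one dict per source with aligned results, raw results and DMARC verdict."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        dkim = evaluated.findtext("dkim")  # DKIM result after alignment
        spf = evaluated.findtext("spf")    # SPF result after alignment
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": dkim,
            "spf_aligned": spf,
            # A raw "pass" for a different domain is the misalignment case.
            "raw": [(a.tag, a.findtext("domain"), a.findtext("result"))
                    for a in rec.find("auth_results")],
            "dmarc": "pass" if "pass" in (dkim, spf) else "fail",
        })
    return rows

def failing_sources(report_xml):
    """Sources whose mail failed DMARC: neither SPF nor DKIM passed in alignment."""
    return [r for r in summarize(report_xml) if r["dmarc"] == "fail"]
```

The first record passes DMARC through aligned DKIM even though its SPF pass belongs to the vendor's domain; the second shows a raw SPF pass that still fails DMARC because nothing aligns with the From domain.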

Email Authentication Mistakes

Using multiple SPF records

You should only have one SPF record per domain. Multiple SPF records can invalidate the check and create confusion for receivers.

Forgetting a third-party sender

A form builder, CRM, invoicing system, or customer support tool may still be sending as your brand even if your team has forgotten about it.

Moving to DMARC reject too fast

A p=reject policy is powerful, but if you skip the monitoring phase you can block legitimate mail.

Ignoring alignment

A technical SPF or DKIM pass is not enough if it does not align with the visible From domain.

Treating authentication like a one-time setup

Authentication should be reviewed whenever you change platforms, add vendors, update DNS, or modify sending domains. It is not a “set it and forget it” project.

Does Email Authentication Improve Deliverability?

Yes, but with an important caveat.

Authentication alone does not guarantee inbox placement. It will not save bad content, poor targeting, or unhealthy lists. But it does give mailbox providers the trust signals they expect, and Google now treats authenticated sending as a core requirement for many senders.

So the more accurate answer is this:

Email authentication helps support deliverability, while poor authentication can absolutely damage it.

That is why this topic sits so naturally inside a broader deliverability cluster alongside What Is a Newsletter?, What Is an Open Rate?, Click-to-Open Rate (CTOR), and The Future of Email Marketing: Dedicated IPs and the Death of Traditional Metrics.

Final Thoughts

SPF, DKIM, and DMARC are no longer advanced tactics. They are baseline infrastructure.

Sender Policy Framework (SPF) tells the world which servers can send for your domain.

DomainKeys Identified Mail (DKIM) uses signatures created with the sender's private key to validate message integrity.

DMARC tells receivers how to handle mail that fails and gives domain holders more control over how their brand is used in email.

If your team is serious about inbox placement, sender trust, and long-term performance, these email authentication protocols should be one of the first things you audit.

FAQ: How to Authenticate Email With SPF, DKIM, and DMARC

Do I need SPF, DKIM, and DMARC?

For many senders, yes. Google says all senders should use SPF or DKIM, and bulk senders to Gmail need all three in place.

What is the difference between SPF and DKIM?

SPF checks whether the sending server is authorized. DKIM checks whether the message carries a valid signature tied to the domain. DMARC then evaluates whether SPF or DKIM passed in alignment with the From domain.

Can DMARC work without SPF or DKIM?

No. DMARC depends on SPF and/or DKIM results. It does not replace them. DMARC.org describes DMARC as a policy and reporting layer built on top of those authentication methods.

Why do emails still go to the spam folder even with authentication?

Because authentication is only one part of deliverability. Content quality, sender reputation, engagement, complaint rates, and list hygiene still matter. Authentication helps prove legitimacy, but it does not override every other signal mailbox providers use.

What should I set my DMARC policy to first?

Start with p=none so you can monitor safely, then move toward quarantine and reject once you know your legitimate mail is authenticating correctly.