Why Email Authentication Matters
Email sender authentication proves that an email claiming to come from your domain actually came from an authorized sender. Without proper authentication, your emails are more likely to land in spam or be rejected by major providers like Gmail, Outlook, and Yahoo.
SPF, DKIM, and DMARC are the three industry-standard protocols used together to protect your domain’s reputation and improve inbox placement.
SPF — Sender Policy Framework
SPF is a DNS TXT record that specifies which IP addresses and servers are allowed to send email on behalf of your domain.
Host: @ (or example.com)
Type: TXT
Value: v=spf1 include:_spf.google.com include:_spf.sendgrid.net ~all
- Only one SPF record is allowed per domain.
- Use include: mechanisms to authorize third-party senders.
- Limit DNS lookups to 10 or fewer to avoid permerror.
- Start with ~all (soft fail). Use -all (hard fail) only after full testing.
DKIM — DomainKeys Identified Mail
DKIM adds a digital signature to each email. The receiving server verifies this signature using a public key published in your DNS.
Host: google._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
- Use 2048-bit keys for better security.
- Rotate selectors periodically (recommended at least annually).
- Every legitimate outgoing message should be DKIM-signed.
DMARC — Domain-based Message Authentication, Reporting & Conformance
DMARC builds on SPF and DKIM. It defines what should happen when authentication fails and provides reporting on failures.
Host: _dmarc.example.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100; adkim=r; aspf=r; fo=1
Common policy values:
- p=none — Monitor only (recommended starting point)
- p=quarantine — Send to spam
- p=reject — Block the message
Alignment Explained
For DMARC to pass, at least one of SPF or DKIM must pass and align with the domain in the visible From: address.
- Relaxed alignment (r): The organizational domain matches (e.g., newsletter.example.com aligns with example.com).
- Strict alignment (s): The domains must match exactly.
DKIM alignment is generally more reliable because it survives forwarding better than SPF.
Recommended DMARC Rollout Plan
- Start with p=none and collect reports for at least 2 weeks.
- Fix all legitimate senders and authentication issues.
- Move to p=quarantine with a low pct (e.g. 10%), then gradually increase.
- Once stable, switch to p=reject.
Reading DMARC Aggregate Reports
DMARC reports are sent to the address specified in rua. They contain data about source IPs, authentication results, and alignment.
Key things to watch for:
- Unknown sending IPs (possible spoofing or forgotten sender)
- SPF/DKIM failures from authorized services
- Alignment failures (common with forwarders)
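One way to triage these three items from a report, as an added example that is not part of the original article. The KNOWN_SENDERS range and the sample report are constructed; the element names follow the aggregate report schema in RFC 7489, trimmed to the fields used here.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: your own inventory of authorized sending ranges (documentation IPs here).
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/28")]
# Constructed sample in the RFC 7489 aggregate-report layout; every value is made up.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.11</source_ip><count>8</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
  <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>forwarder.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def triage(report_xml, known=KNOWN_SENDERS):
    """Return (source_ip, count, dmarc_result, flags) for each row needing attention."""
    # Reports come from external parties: for real mail, use a hardened parser (e.g. defusedxml).
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        flags, aligned = [], False
        if not any(ipaddress.ip_address(ip) in net for net in known):
            flags.append("unknown-ip")              # possible spoofing or forgotten sender
        for mech in ("dkim", "spf"):
            raw = [r.text for r in rec.findall(f"auth_results/{mech}/result")]
            evaluated = rec.findtext(f"row/policy_evaluated/{mech}")
            aligned |= evaluated == "pass"          # DMARC needs one aligned pass
            if "pass" not in raw:
                flags.append(f"{mech}-fail")        # check failed or no result present
            elif evaluated != "pass":
                flags.append(f"{mech}-misaligned")  # passed, but for a non-aligned domain
        if flags:
            dmarc = "pass" if aligned else "fail"
            findings.append((ip, int(rec.findtext("row/count")), dmarc, sorted(flags)))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

The 198.51.100.7 row shows the forwarding case: SPF passes for the forwarder's own domain and is therefore misaligned, while the aligned DKIM signature still carries DMARC.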
Troubleshooting Tips
- SPF permerror: Too many DNS lookups — flatten includes or use subdomains.
- DKIM signature invalid: DNS record was copied incorrectly (extra spaces, quotes, or line breaks).
- DMARC fails despite SPF+DKIM pass: Alignment issue.
- Still hitting spam: Check reverse DNS (PTR), one-click unsubscribe headers, and IP/domain reputation.
Proper setup of SPF, DKIM, and DMARC significantly improves email deliverability and protects your domain from spoofing.