Email authentication is no longer optional. In 2024, Google and Yahoo made SPF, DKIM, and DMARC mandatory for bulk senders. Without proper authentication, your emails will land in spam or be rejected entirely. This guide walks you through each protocol, how they work together, and exactly how to set them up.
Why Email Authentication Matters
Email was designed in the 1970s without built-in security. Anyone can send an email claiming to be from any address—a vulnerability that spammers and phishers exploit daily. Email authentication protocols solve this by allowing domain owners to specify who can send email on their behalf.
Without authentication, inbox providers have no way to verify your emails are legitimate. They default to treating unverified emails as suspicious, which means lower deliverability and higher spam placement rates.
2024 Requirements
SPF (Sender Policy Framework)
SPF is a DNS record that lists all the servers authorized to send email for your domain. When a receiving server gets an email from your domain, it checks your SPF record to verify the sending server is on the approved list.
Think of SPF as a guest list for a party. Only servers on the list are allowed to send emails as you. Anyone not on the list is treated as an imposter.
Setting Up SPF
SPF is implemented as a TXT record in your domain's DNS. Here's the basic structure:
v=spf1 include:_spf.google.com include:sendgrid.net -allLet's break down each part:
v=spf1- Declares this is an SPF record (version 1)include:_spf.google.com- Authorizes Google Workspace serversinclude:sendgrid.net- Authorizes SendGrid servers-all- Reject emails from any other servers (hard fail)
SPF Mechanisms
SPF supports several mechanisms for specifying authorized senders:
include:- Include another domain's SPF recordip4:- Authorize a specific IPv4 address or rangeip6:- Authorize a specific IPv6 address or rangea:- Authorize the IP addresses in a domain's A recordmx:- Authorize the domain's mail servers
SPF Qualifiers
The qualifier at the end determines what happens to unauthorized senders:
-all(hard fail) - Reject unauthorized emails~all(soft fail) - Accept but mark as suspicious?all(neutral) - No policy, treat as if no SPF exists
SPF Lookup Limit
include: counts as one lookup, and nested includes count too. Exceeding this limit causes SPF to fail completely. If you hit this limit, use SPF flattening tools to convert includes to IP addresses.DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. This signature proves the email hasn't been tampered with in transit and genuinely came from your domain.
Here's how it works: Your email server signs each outgoing email with a private key. The receiving server retrieves your public key from DNS and uses it to verify the signature. If the signature is valid, the email passes DKIM.
Setting Up DKIM
DKIM requires two things: a private key on your email server (to sign emails) and a public key in DNS (for verification).
selector1._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."The record name has three parts:
selector1- A unique identifier for this key (you can have multiple)_domainkey- Required literal stringyourdomain.com- Your domain
The record value contains:
v=DKIM1- DKIM versionk=rsa- Key type (RSA is standard)p=...- Your public key (base64 encoded)
Multiple DKIM Keys
google._domainkey for Google Workspace and sendgrid._domainkey for SendGrid. This makes key rotation easier and helps identify which service sent each email.DMARC (Domain-based Message Authentication)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also enables reporting, so you can see who's sending email using your domain.
DMARC requires "alignment"—the domain in the From header must match the domain that passed SPF or DKIM. This prevents attackers from passing SPF with their own domain while spoofing yours in the visible From address.
Setting Up DMARC
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100"Key DMARC tags:
v=DMARC1- DMARC version (required)p=- Policy for failed emails:none,quarantine, orrejectrua=- Email address for aggregate reports (daily summaries)ruf=- Email address for forensic reports (individual failures)pct=- Percentage of emails to apply the policy to (for gradual rollout)
DMARC Rollout Strategy
Never jump straight to p=reject. Follow this gradual rollout:
- Week 1-2:
p=none- Monitor only, collect reports - Week 3-4:
p=quarantine; pct=10- Quarantine 10% of failures - Week 5-6:
p=quarantine; pct=50- Increase to 50% - Week 7-8:
p=quarantine; pct=100- Full quarantine - Week 9+:
p=reject- Full rejection (only after verifying all legitimate sources)
Don't Rush to Reject
p=reject too quickly can block legitimate emails from services you forgot to authorize. Always analyze DMARC reports thoroughly before increasing enforcement.Testing Your Authentication Setup
After configuring SPF, DKIM, and DMARC, verify everything is working correctly:
1. Check DNS Records
# Check SPF
dig TXT yourdomain.com | grep spf
# Check DKIM
dig TXT selector1._domainkey.yourdomain.com
# Check DMARC
dig TXT _dmarc.yourdomain.com2. Send Test Emails
Send emails to a test service like mail-tester.com or use Gmail's "Show Original" feature to view authentication results. Look for these headers:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of sender@yourdomain.com designates 1.2.3.4 as permitted sender)
dkim=pass header.d=yourdomain.com
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE)3. Monitor DMARC Reports
DMARC aggregate reports arrive daily as XML files. They show all servers sending email as your domain and whether they passed authentication. Use a DMARC report analyzer to make sense of the data.
Common Issues and Solutions
SPF Permerror (Too Many Lookups)
You've exceeded the 10 DNS lookup limit. Solution: Use SPF flattening to convert include: statements to direct IP addresses, or consolidate email services.
DKIM Signature Invalid
The email was modified in transit, or the public key doesn't match. Check that your DNS record is correct and that no email gateway is modifying message content.
DMARC Alignment Failure
The From domain doesn't match the SPF or DKIM domain. This often happens with email forwarding or when using third-party services that don't support custom domains properly.
Subdomain Issues
By default, DMARC applies to subdomains too. If you send from marketing.yourdomain.com, ensure it has its own SPF and DKIM records, or use the sp= tag in DMARC to set a subdomain policy.