inboxes.
← Blog Fundamentals July 2026 · 10 min read

Email Authentication Explained: How SPF, DKIM, and DMARC Protect Your Sending

Email authentication is how a receiving mail server verifies that a message really comes from the domain it claims to come from. Three DNS-based standards do the work: SPF says which servers may send for your domain, DKIM cryptographically signs each message so tampering and forgery are detectable, and DMARC ties both to the From address your recipient actually sees and tells receivers what to do when the check fails.

In 2026 this is not optional plumbing. Gmail and Yahoo have required authentication from every sender since February 2024, and since November 2025 Gmail hard-rejects unauthenticated bulk mail at the SMTP level instead of quietly filing it to spam. This guide explains each mechanism in plain language, what "alignment" actually means, where ARC fits, why rejection became the default, and the order to set everything up without breaking your own mail.

Why email needs authentication at all

The core email protocol, SMTP, dates to 1982 and was designed for a network of trusted universities. It lets any server claim any From address; nothing in the protocol checks. That single design gap is why phishing works: a forged message "from" your bank looks protocol-identical to a real one. Authentication retrofits identity onto that trusting protocol using DNS, which only the domain owner controls, as the anchor of truth. If a claim about example.com can be verified against records published in example.com's own DNS, receivers finally have something solid to build reputation and filtering on.

That last point is the part senders often miss: authentication is not just anti-phishing, it is what makes your good reputation portable. An unauthenticated message cannot be credited to your domain, so every unauthenticated send wastes the trust you have earned.

SPF: the list of allowed senders

SPF (Sender Policy Framework, RFC 7208) is a TXT record on your domain listing the servers and services allowed to send mail on its behalf. When mail arrives, the receiver looks at the domain in the envelope sender (the Return-Path, not the visible From), fetches that domain's SPF record, and checks whether the connecting IP is on the list.

A typical record looks like v=spf1 include:_spf.google.com include:sendgrid.net -all: "Google and SendGrid may send for us; everyone else fails." Plain-language caveats worth knowing:

  • SPF checks the hidden Return-Path domain, so a phisher can pass SPF on their own domain while displaying yours in the From line. SPF alone does not protect the From address; that is DMARC's job.
  • SPF breaks on plain forwarding, because the forwarding server's IP is not on your list.
  • You get exactly one SPF record and at most 10 DNS lookups inside it; exceeding either silently invalidates the whole thing.

You can confirm your record parses and stays within the lookup budget with an SPF checker.

DKIM: the tamper-evident signature

DKIM (DomainKeys Identified Mail, RFC 6376) has your mail server sign each outgoing message with a private cryptographic key. The matching public key is published in your DNS at a named "selector" (for example s1._domainkey.example.com). The receiver fetches the public key and verifies the signature over the message body and key headers.

A valid DKIM signature proves two things: the message was authorized by the domain in the signature (the d= value), and the signed content was not altered in transit. Unlike SPF, DKIM survives forwarding, because the signature travels inside the message. Practical guidance: use 2048-bit keys where your provider supports them (1024-bit is the accepted minimum, and Gmail will not accept shorter), rotate keys periodically, and make sure the signature's d= is your domain rather than your ESP's shared domain. A DKIM checker verifies the published key and selector in seconds.

DMARC: policy plus the alignment rule

DMARC (RFC 7489) closes the loop. It is a TXT record at _dmarc.yourdomain.com that does three things:

  1. Requires alignment. DMARC passes only if SPF or DKIM passes and the domain that passed matches the domain in the visible From header. This is the piece that finally protects what recipients actually see.
  2. Declares policy. p=none (just observe), p=quarantine (send failures to spam), or p=reject (refuse failures outright).
  3. Requests reports. The rua tag asks receivers to send you aggregate XML reports showing who is sending as your domain and whether it passes. Parsed properly, via DMARC monitoring, these reports are the only systematic way to discover a forgotten SaaS tool sending as you, or an active spoofing campaign.

What "alignment" means, concretely

Alignment trips up more senders than any other concept, so here it is as a table. Suppose the recipient sees From: [email protected]:

Scenario SPF result DKIM result DMARC verdict
ESP signs with d=example.com, Return-Path is ESP's domainPass, unalignedPass, alignedPass (DKIM aligned)
ESP signs with d=esp-shared.com, Return-Path is ESP's domainPass, unalignedPass, unalignedFail (nothing aligns)
Your own server, Return-Path example.com, DKIM d=example.comPass, alignedPass, alignedPass (both align)
Forwarded message, body untouchedFail (new IP)Pass, alignedPass (DKIM survives)

Two takeaways: green checkmarks on SPF and DKIM individually mean nothing until one of them aligns with your From domain, and DKIM alignment is the robust one to invest in because it survives forwarding.

ARC, in one short section

ARC (Authenticated Received Chain, RFC 8617) exists for the forwarding problem. When a mailing list or forwarding service legitimately modifies a message (adding a footer, rewriting a subject), SPF and DKIM can break through no fault of the sender. ARC lets each intermediary record the authentication results it saw and sign that record, building a verifiable chain of custody the final receiver can choose to trust. As a sender you do not configure ARC; large receivers like Gmail and Microsoft implement it. It is worth recognizing in headers (ARC-Authentication-Results) so you do not misdiagnose forwarded-mail failures as configuration bugs.

Why unauthenticated mail gets rejected in 2026

The timeline of enforcement has been steady and public. February 2024: Google and Yahoo require SPF or DKIM from all senders, and both plus DMARC plus alignment from bulk senders (5,000+ messages per day to Gmail), alongside one-click unsubscribe and a spam-rate ceiling of 0.3%. April through June 2024: Google phases in errors and partial rejections for non-compliant traffic. May 2025: Microsoft announces matching requirements for high-volume senders to Outlook, Hotmail, and Live addresses. November 2025: Gmail moves to hard SMTP rejection, the 550 5.7.26 family of permanent errors, for unauthenticated bulk mail, ending the era where authentication failures merely meant the spam folder.

The economics explain the trajectory: authentication costs a legitimate sender a few DNS records, while it costs a spoofer their entire model. Requiring it lets providers cheaply discard a huge class of abuse before content filtering even starts. Expect thresholds to keep tightening, not loosening. For how these checks interact with the rest of Gmail's scoring, see how the Gmail spam filter works.

The right setup order

  1. Inventory your senders. List every system that sends as your domain: ESP, transactional API, CRM, helpdesk, billing, internal servers. Missing one here is the classic cause of breakage later.
  2. SPF first. One record covering every sender from the inventory, ending ~all. Verify with a checker and a live header.
  3. DKIM second. Enable signing in each sending service with your own domain, 2048-bit keys where offered. Verify dkim=pass with your domain in d=.
  4. DMARC at p=none third. Publish with a rua address and let reports accumulate for 2-4 weeks. This cannot break delivery and shows you every source you forgot.
  5. Fix stragglers, then tighten. When reports show your legitimate mail passing aligned at 98%+, move to p=quarantine, then p=reject. Rushing to reject before the reports are clean is how companies block their own invoices.

The record-level details, example DNS entries, key lengths, and the mistakes that silently break each record, are in the companion piece: SPF, DKIM, DMARC: what each record does.

How to read your own authentication results

You do not need a tool to spot-check any of this; every major provider writes its verdict into the message itself. Send a message through your normal sending path to a Gmail account you control, open it, choose "Show original", and read the Authentication-Results header. A healthy result looks like:

Authentication-Results: mx.google.com;
   spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=bounce.example.com;
   dkim=pass [email protected] header.s=s1;
   dmarc=pass (p=REJECT sp=REJECT) header.from=example.com

Three things to check: all three verdicts say pass; the DKIM header.i or header.d domain is yours, not your ESP's shared domain; and the header.from matches the domain your recipients see. If DMARC fails while SPF and DKIM both pass, you are looking at an alignment problem, which is a configuration fix at your ESP, not a DNS fix. Repeat the check once per sending service, because each one (ESP, transactional API, helpdesk) authenticates independently and any one of them can be the silent failure.

Authentication is necessary, not sufficient

An honest boundary to close on: passing SPF, DKIM, and DMARC gets you identified, not inboxed. Authentication is the entry ticket; placement still depends on reputation, complaint rates, and whether recipients want your mail. Plenty of spam authenticates perfectly. No configuration of these records guarantees the inbox, and any vendor claiming otherwise is overselling, so treat placement predictions, including test results, as directional estimates.

Once your records are live, check the whole chain end to end: a placement test with Inboxes sends real mail through your setup, verifies SPF, DKIM, DMARC, and alignment as receivers actually evaluate them, and shows where the message lands across six providers, with fixes ranked by impact.