Email authentication protocols — SPF, DKIM, and DMARC — are the three pillars of email security and deliverability. Together, they help receiving mail servers verify that an email genuinely comes from who it claims to be from. If you send email for business, you need all three configured correctly.
SPF: The Authorized Sender List
SPF (Sender Policy Framework) is a DNS TXT record that lists all the IP addresses and servers authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to see if the sending server is on the authorized list.
A basic SPF record looks like: v=spf1 include:_spf.google.com include:sendgrid.net -all. This says "Google Workspace and SendGrid are authorized to send for my domain; reject everything else." The -all at the end is important — it is a hard fail that tells receivers to reject unauthorized senders, whereas ~all is a soft fail that only asks them to treat such mail as suspicious.
DKIM: The Digital Signature
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the headers of every outgoing email. This signature is generated using a private key that only your mail server possesses. The corresponding public key is published in your DNS records.
When a receiving server gets a DKIM-signed message, it retrieves your public key from DNS and uses it to verify the signature. If the signature is valid, this proves two things: the message was signed by a system holding your domain's private key (an authorized system), and the signed headers and body were not altered in transit.
DMARC: The Policy Layer
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM by adding a policy layer. It tells receiving servers what to do when an email fails authentication checks — and importantly, it sends you reports about authentication results so you can monitor your domain.
DMARC has three policy levels: p=none (monitor only — do not take action on failures), p=quarantine (send failures to spam), and p=reject (block failures entirely). Start with p=none to collect data, then gradually move to quarantine and finally reject as you gain confidence in your authentication setup.
The reporting aspect of DMARC is incredibly valuable. Aggregate reports (rua) show you which servers are sending email using your domain, helping you identify legitimate services you forgot to authorize and potential spoofing attempts.
Setting Up All Three: A Step-by-Step Approach
Start by auditing all services that send email on behalf of your domain: your ESP, CRM, helpdesk, transactional email service, etc. Add each to your SPF record. Then enable DKIM signing in each service and add the public keys to your DNS. Finally, create a DMARC record starting with p=none and a reporting address.
Monitor your DMARC reports for 2-4 weeks. Look for legitimate services failing authentication and fix them. Once your failure rate is consistently low, change your policy to p=quarantine, then to p=reject after another monitoring period. Tools like dmarcian, Valimail, and Postmark's DMARC monitoring make this process much easier.
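The monitoring step above is easier with a small report summarizer. The following is an added example, not code from the original article: it parses a DMARC aggregate (rua) report and flags sources whose mail never passes, the candidates to fix or investigate before tightening the policy. The report XML is constructed for this example and the IP addresses are documentation placeholders.

```python
# Added example, not code from the original article: summarize a DMARC
# aggregate (rua) report to see which sources send as your domain and whether
# they pass aligned SPF/DKIM. SAMPLE_REPORT is a CONSTRUCTED report trimmed to
# the RFC 7489 Appendix C elements used here; IPs and domains are placeholders.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>40</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""


def summarize_dmarc_report(xml_text):
    """Return {source_ip: {"total": n, "aligned": n, "failed": n}}."""
    # <policy_evaluated> holds the aligned results: DMARC passes when at
    # least one of the aligned DKIM or SPF checks passes.
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"total": 0, "aligned": 0, "failed": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        stats[ip]["total"] += count
        stats[ip]["aligned" if passed else "failed"] += count
    return dict(stats)


def unauthorized_sources(stats):
    """IPs where every message failed DMARC: a sender you forgot to authorize,
    or someone spoofing your domain. Resolve these before p=quarantine/reject."""
    return sorted(ip for ip, s in stats.items() if s["failed"] == s["total"])


if __name__ == "__main__":
    stats = summarize_dmarc_report(SAMPLE_REPORT)
    print(stats)
    print("Investigate before tightening policy:", unauthorized_sources(stats))
```

Real rua reports arrive as gzipped or zipped XML attachments, so unpack them first and run every report received during the monitoring window through the summarizer.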
Key Takeaway
SPF, DKIM, and DMARC work together as a layered defense system. SPF authorizes your sending servers, DKIM proves message integrity, and DMARC ties them together with a policy and reporting framework. In 2026, having all three properly configured is mandatory for inbox placement with major email providers.