Why email authentication matters
Before SPF, DKIM and DMARC became standard, anyone could send an email claiming to be from any domain. Spam and phishing operations thrived because receiving servers had no reliable way to verify whether a message genuinely originated from the domain it claimed. Today the three standards work together: SPF and DKIM authenticate the sending server and the message, and DMARC ties those results to the domain the recipient actually sees in the From header. Google and Yahoo now require all three for bulk senders (DMARC may start at p=none); without them, your emails face increased filtering or outright rejection.
SPF — Sender Policy Framework
SPF answers the question: which servers are authorised to send email for this domain? It works by publishing a TXT record in DNS that lists approved sending sources. When a receiving server gets a message, it takes the domain from the envelope sender (the SMTP MAIL FROM, shown to recipients as Return-Path), fetches that domain's SPF record and checks the connecting IP against it. Note that SPF never looks at the From header a recipient sees; tying the two together is DMARC's job.
Example SPF record
v=spf1 include:_spf.yourprovider.com ~all
Breaking this down: v=spf1 identifies this as an SPF record. include: pulls in the SPF record your email provider publishes, which lists the IP ranges it sends from. ~all is a soft fail: messages from unlisted IPs are marked suspicious but not rejected. Use -all (hard fail) once you are certain all legitimate sending sources are listed.
Common SPF mistakes
- Multiple SPF records: A domain may publish only one SPF record. If two are present, evaluation ends in a PermError and SPF fails for every message, so combine them into one:
v=spf1 include:provider1.com include:provider2.com ~all
- DNS lookup limit: SPF permits at most 10 DNS-querying terms (include, a, mx, ptr, exists and the redirect modifier; ip4 and ip6 do not count), totalled across every included record. Exceeding it causes a PermError, which DMARC treats as an SPF failure. Audit your record if you use multiple sending services.
- Forgetting subdomains: SPF on yourdomain.com does not automatically cover mail.yourdomain.com. Each subdomain used as an envelope sender needs its own record.
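To make the evaluation and the two PermError cases concrete, here is an added example (not part of the original article) of a minimal SPF evaluator in Python. It runs against a constructed in-memory zone instead of real DNS; the names yourdomain.com, _spf.provider1.com, _spf.provider2.com, twice.example, deep.example and the hN.example chain, and all IP addresses, are made up for the example. Only ip4, include and all are evaluated; the other lookup terms are counted against the limit but not resolved.

```python
import ipaddress
import re

# Constructed zone standing in for DNS: name -> list of TXT strings (not real data).
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.provider1.com include:_spf.provider2.com ~all"],
    "_spf.provider1.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.provider2.com": ["v=spf1 ip4:198.51.100.10 -all"],
    # Mistake 1: two SPF records published on one name.
    "twice.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    # Mistake 2: a chain of includes that needs more than 10 lookups to resolve.
    "deep.example": ["v=spf1 include:h1.example ~all"],
}
for i in range(1, 12):
    ZONE[f"h{i}.example"] = [f"v=spf1 include:h{i + 1}.example -all"]
ZONE["h12.example"] = ["v=spf1 ip4:203.0.113.5 -all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS query (RFC 7208 section 4.6.4); ip4 and ip6 do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.*))?")


class PermError(Exception):
    """Permanent evaluation error; DMARC treats the SPF result as a failure."""


def fetch_spf(domain):
    """Return the single SPF record for domain, None if absent, PermError if duplicated."""
    records = [t for t in ZONE.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise PermError(f"{domain} publishes {len(records)} SPF records; RFC 7208 allows one")
    return records[0] if records else None


def check_host(ip, domain, counter=None):
    """Evaluate ip against domain's SPF record. Returns (result, lookups_used).

    The counter is shared across include recursion because the 10-lookup limit
    is a total for the whole evaluation, not a per-record budget.
    """
    counter = [0] if counter is None else counter
    record = fetch_spf(domain)
    if record is None:
        return "none", counter[0]
    addr = ipaddress.ip_address(ip)
    for raw in record.split()[1:]:
        qual, name, value = TERM.fullmatch(raw).groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            counter[0] += 1
            if counter[0] > 10:
                raise PermError(f"{domain}: more than 10 DNS-querying terms")
        if name == "ip4" and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual or "+"], counter[0]
        if name == "include" and check_host(ip, value, counter)[0] == "pass":
            return QUALIFIERS[qual or "+"], counter[0]
        if name == "all":
            return QUALIFIERS[qual or "+"], counter[0]
        # a, mx, ptr, exists and redirect: counted above, not resolved in this example.
    return "neutral", counter[0]


def spf_result(ip, domain):
    """The outcome a receiver records, with PermError collapsed into a result string."""
    try:
        return check_host(ip, domain)[0]
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "yourdomain.com"), ("10.0.0.1", "yourdomain.com"),
                    ("192.0.2.1", "twice.example"), ("203.0.113.5", "deep.example")]:
        print(f"{ip:>14} via {dom:<16} -> {spf_result(ip, dom)}")
```

Run it directly to see the four outcomes: a pass via the first provider, a softfail for an unlisted IP, and a permerror for each of the two misconfigurations. Two providers that each include several further records can exhaust the limit on their own, which is exactly what the shared counter in the include recursion exposes.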
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to every outgoing email. The sending server signs selected headers and a hash of the body using a private key. The receiving server retrieves the matching public key from DNS and verifies the signature. If it validates, the signed headers and body have not been altered in transit and the message was signed by a holder of that domain's private key, which is the evidence that it genuinely came from your domain.
Example DKIM record
selector1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
The selector (here: selector1) is a label chosen by your provider. It allows multiple DKIM keys on the same domain — useful when you use more than one email platform. Your provider generates the key pair and gives you the exact record to add.
Common DKIM mistakes
- Not rotating keys: DKIM keys should be rotated periodically. Many providers handle this automatically. If yours does not, set a reminder to rotate annually.
- Record propagation delay: DNS changes can take up to 48 hours to become visible everywhere, depending on the TTL of the record being replaced. Verify the record has propagated before testing deliverability.
- Wrong selector in provider settings: The verifier looks up <selector>._domainkey.<domain>. If the selector in your provider dashboard does not match the DNS record label, the verifier finds no key and DKIM fails, even though the signature itself is sound.
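As an added example (not code from the article or from any provider), the following Python shows the two things a verifier does before it ever checks the RSA signature: build the key name from the s= and d= tags and fetch it, and recompute bh= over the received body using relaxed canonicalization. The DNS_TXT table, the yourdomain.com and selector1 names and the message body are constructed for the example; the RSA signing and verification of b= are deliberately left out because they need a real key pair.

```python
import base64
import hashlib
import re

# Constructed DNS answers keyed by "<selector>._domainkey.<domain>". The p= value is
# the truncated placeholder from the page, not a usable key.
DNS_TXT = {
    "selector1._domainkey.yourdomain.com": "v=DKIM1; k=rsa; p=MIGfMA0GCS...",
}


def relaxed_body(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    whitespace to one space, strip trailing whitespace, drop trailing empty lines,
    and end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value):
    """Split a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is insignificant
    return tags


def build_signature(domain, selector, body):
    """The DKIM-Signature value a signer emits, except b=, whose RSA signature over
    the headers needs the private key and is outside this example."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def check_dkim_prerequisites(signature, body):
    """The two checks a verifier performs before the RSA step: locate the public key
    named by s= and d=, and recompute bh= over the body it received."""
    tags = parse_tags(signature)
    key_name = f"{tags['s']}._domainkey.{tags['d']}"
    record = parse_tags(DNS_TXT.get(key_name, ""))
    return {
        "key_record": key_name,
        "key_found": bool(record.get("p")),
        "body_hash_ok": body_hash(body) == tags.get("bh"),
    }


# Constructed message body; the signer and the verifier below both see it.
BODY = "Invoice attached.\r\nThanks,  Sam\r\n\r\n"
SIGNATURE = build_signature("yourdomain.com", "selector1", BODY)

if __name__ == "__main__":
    print(check_dkim_prerequisites(SIGNATURE, BODY))
    print(check_dkim_prerequisites(SIGNATURE, BODY.replace("Invoice", "Refund")))
    print(check_dkim_prerequisites(build_signature("yourdomain.com", "selector2", BODY), BODY))
```

The second call shows a body edit breaking bh=, and the third shows the selector mismatch from the list above: the signature is well formed, but selector2._domainkey.yourdomain.com does not exist in DNS, so there is no key to verify against. Relaxed canonicalization also explains why a gateway that collapses whitespace or strips trailing blank lines does not break DKIM, while changing a single word does.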
DMARC — Domain-based Message Authentication, Reporting and Conformance
DMARC is the policy layer that tells receiving servers what to do when authentication fails — and sends you reports on who is sending email from your domain. It ties SPF and DKIM together and adds visibility you cannot get from either standard alone.
Example DMARC record
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
DMARC policies
- p=none: Monitor only. No action is taken on failures. Use this first to understand your sending ecosystem before tightening the policy.
- p=quarantine: Receivers that honour the policy send failed messages to the spam folder. Use after reviewing a few weeks of reports to confirm all legitimate sending is authenticated.
- p=reject: Failed messages are rejected outright. Use when you are confident all legitimate sending passes SPF or DKIM with a domain that aligns with your From header.
DMARC alignment
For DMARC to pass, the domain in either the SPF result or the DKIM signature must align with the From header domain. This is where many senders trip up when using a sending platform — if the platform signs DKIM using their own domain rather than yours, DMARC alignment fails even if DKIM is valid.
Common DMARC mistakes
- No RUA address: Without an rua address, you receive no reports. You are flying blind.
- Moving to p=reject too fast: If any legitimate sending source is not authenticated and aligned, enforcing receivers will reject its mail. The bounce goes to the envelope sender, which for platform-sent mail is usually the platform rather than you, so the loss can go unnoticed. Always spend at least 2 weeks at p=none reviewing reports first.
- Ignoring DMARC reports: The XML reports show you exactly which servers are sending from your domain and how they are performing against authentication. Reading them regularly is the only way to catch issues early.
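Aggregate reports are machine-readable XML, and reading them with a script is how most people actually spot the failing sources. The following Python is an added example, not part of the article: it parses a constructed report in the RFC 7489 Appendix C format (receiver.example, platform.example, the IPs and the counts are all invented) and separates sources that fail because they are unauthenticated from sources that authenticate, but under a domain that does not align with your From header, the case described under DMARC alignment above.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout. IPs are from
# documentation ranges and every count is invented for the example.
REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>example-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>platform.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.platform.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.9</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text):
    """One row per source IP with the aligned DMARC verdict and, for failures, why.

    policy_evaluated holds the aligned (DMARC) results; auth_results holds the raw
    SPF/DKIM outcomes. Comparing the two exposes the 'authenticated, but for the
    wrong domain' case that a plain pass/fail count hides.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        raw_pass = sorted({
            node.findtext("domain")
            for node in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
            if node.findtext("result") == "pass"
        })
        if passed:
            reason = "aligned"
        elif raw_pass:
            reason = "authenticated but not aligned: " + ", ".join(raw_pass)
        else:
            reason = "no passing SPF or DKIM"
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dmarc": "pass" if passed else "fail",
            "reason": reason,
        })
    return rows


def totals(rows):
    """Message counts by DMARC verdict across the whole report."""
    out = {"pass": 0, "fail": 0}
    for r in rows:
        out[r["dmarc"]] += r["count"]
    return out


if __name__ == "__main__":
    rows = summarize(REPORT)
    for r in rows:
        print(f"{r['ip']:>15} {r['count']:>5} {r['dmarc']:<4} {r['reason']}")
    print(totals(rows))
```

The second source is the one to act on before tightening the policy: its mail is a legitimate platform signing with its own d= and bouncing to its own domain, so it will start being quarantined or rejected the moment p= changes. The third source, with nothing passing at all, is either a forgotten sender or someone spoofing you, and the report gives you the IP to find out which.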
Implementation checklist
- Add SPF record with ~all to start
- Verify SPF propagation using MXToolbox or similar
- Enable DKIM via your email provider settings
- Add the DKIM TXT record your provider generates
- Verify DKIM propagation
- Add DMARC at p=none with an rua address
- Wait 1-2 weeks and review aggregate reports
- Fix any legitimate senders failing authentication
- Move to p=quarantine
- Wait 2-4 weeks and confirm no regressions
- Move to p=reject when confident
Verifying your setup
Use mail-tester.com to send a test and receive a score out of 10. Use MXToolbox to check individual records. Use Google Postmaster Tools to track authentication pass rates for Gmail recipients over time. NexusProMail monitors DKIM, SPF and DMARC for all verified sending domains and alerts you when any record becomes misconfigured.
Frequently asked questions
Do I need all three? Yes. SPF and DKIM without DMARC gives you no enforcement or reporting. DMARC without proper SPF and DKIM gives you enforcement with nothing to enforce. All three work together.
What is the difference between SPF alignment and DKIM alignment? SPF alignment checks whether the From domain matches the domain in the Return-Path (the envelope sender). DKIM alignment checks whether the From domain matches the d= domain in the DKIM signature. DMARC passes if either aligns.
What if I use multiple email providers? Each provider's sending sources need to be covered by SPF (within the 10 lookup limit) and each should sign with DKIM using your domain. If a provider can only sign with its own domain, its DKIM will never align with your From header; the usual fix is to configure a custom DKIM signing domain and bounce (Return-Path) domain under your own domain, often on a dedicated subdomain for that provider's traffic.
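To tie together the DMARC alignment section above and this question, here is an added example (not from the article) of the DMARC verdict logic in Python: it parses the published record, applies relaxed or strict alignment to the SPF (Return-Path) domain and to each DKIM d= domain, and maps the outcome to a disposition. The PUBLIC_SUFFIXES set stands in for the Public Suffix List and the domains platform.example, bounce.platform.example and mail.yourdomain.com are constructed; pct= and sp= are not modelled.

```python
# Stand-in for the Public Suffix List (an assumption of this example). Real code
# must use the PSL, or the organizational domain will be wrong for many TLDs.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def org_domain(fqdn):
    """Organizational domain: the label just above the longest matching public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an exact
    match, relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    """Tag list of a DMARC TXT record into a dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip()] = value.strip()
    return tags


def evaluate(record, header_from, spf_domain, spf_result, dkim_results):
    """DMARC verdict for one message.

    spf_domain   : the RFC5321.MailFrom (Return-Path) domain SPF was evaluated against
    spf_result   : the SPF result string ('pass', 'fail', 'softfail', 'permerror', ...)
    dkim_results : list of (d= domain, result) for every DKIM-Signature on the message
    The record is assumed to be the one that applies to the From domain.
    """
    policy = parse_dmarc(record)
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                       for d, result in dkim_results)
    passed = spf_aligned or dkim_aligned  # either aligned identifier is enough
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.get("p", "none"),
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
    # Your own server: Return-Path and d= both under yourdomain.com.
    print(evaluate(record, "alerts@yourdomain.com", "bounce.yourdomain.com", "pass",
                   [("yourdomain.com", "pass")]))
    # Platform signing with its own domain: SPF and DKIM both pass, DMARC still fails.
    print(evaluate(record, "alerts@yourdomain.com", "bounce.platform.example", "pass",
                   [("platform.example", "pass")]))
    # Strict alignment rejects a subdomain signer that relaxed alignment accepts.
    print(evaluate("v=DMARC1; p=quarantine; adkim=s; aspf=s", "alerts@yourdomain.com",
                   "yourdomain.com", "fail", [("mail.yourdomain.com", "pass")]))
```

The second scenario is the trap from the alignment section: the platform's SPF and DKIM both pass, the message is genuinely from your vendor, and under p=reject it is still bounced because neither identifier is your domain. Moving the platform onto a custom bounce domain and DKIM selector under yourdomain.com turns that case into the first one.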