← Clarigital·Clarity in Digital Marketing
Email Marketing · Session 9, Guide 3

SPF, DKIM & DMARC · Email Authentication Complete Guide

SPF, DKIM, and DMARC are the three email authentication standards that prove your emails are genuinely from your domain — preventing spoofing, building sender reputation, and since 2024 required for all bulk email senders. This guide covers exactly what each protocol does, how to configure each one, how to verify they are working, and the BIMI standard that enables brand logos in Gmail.

Email Marketing2,900 wordsUpdated Apr 2026

What You Will Learn

  • What email spoofing is and how authentication prevents it
  • How SPF specifies which servers are authorised to send email from your domain
  • How DKIM adds a cryptographic signature that proves email wasn't modified in transit
  • How DMARC tells receiving servers what to do when SPF or DKIM fails
  • How BIMI enables brand logos in Gmail for authenticated senders
  • How to verify your authentication is set up correctly
  • Google and Yahoo's February 2024 bulk sender authentication requirements

Why Authentication Matters

Without authentication, anyone can send email claiming to be from your domain. An attacker can send phishing emails that appear to come from your@company.com — with no authentication in place, receiving servers have no way to verify whether the email is genuinely from you. This damages your brand, harms your customers, and — because phishing emails from your domain generate spam complaints — damages your sending reputation even for your legitimate emails.

Authentication solves this through three complementary protocols: SPF specifies which IP addresses are authorised to send email from your domain; DKIM adds a cryptographic signature verifying the email was not modified in transit; DMARC ties them together and tells receiving servers what to do when checks fail.

Since February 2024, Google and Yahoo require SPF, DKIM, and DMARC for all senders sending more than 5,000 emails per day to Gmail or Yahoo accounts. Senders without proper authentication see increasing rejection rates.

SPF — Sender Policy Framework

SPF is a DNS TXT record that lists which mail servers (IP addresses or hostnames) are authorised to send email from your domain. When a receiving server gets an email claiming to be from yourdomain.com, it looks up the SPF record for yourdomain.com and checks whether the sending IP is on the authorised list.

SPF record syntax

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

# v=spf1          — SPF version 1
# include:        — authorise servers from another domain's SPF record
#                   (use for ESP servers — Mailchimp, Klaviyo, etc.)
# ip4:1.2.3.4     — authorise a specific IP address
# ip4:1.2.3.0/24  — authorise an IP range
# ~all            — softfail: unauthorised servers flagged but not rejected
# -all            — hardfail: unauthorised servers rejected

Setting up SPF

  1. Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, etc.)
  2. Add a TXT record for your root domain (@) with your SPF value
  3. Include your ESP's SPF include (your ESP's documentation provides this — e.g. Mailchimp is include:servers.mcsv.net)
  4. If sending from Google Workspace, include include:_spf.google.com
  5. End with ~all (softfail) while testing, switch to -all (hardfail) after verifying all legitimate senders are covered
Only one SPF record per domain

You can only have one SPF TXT record on your root domain. If you have multiple sending sources (your ESP, Google Workspace, a CRM), combine all their include statements into a single SPF record. Multiple SPF records cause authentication failures.

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every email you send. The sending server signs the email with a private key; the receiving server retrieves the corresponding public key from your DNS and verifies the signature. If the signature validates, the email was genuinely sent by a server with your private key and was not modified in transit.

How DKIM works in practice

Your ESP generates a DKIM key pair for your domain. They give you a public key to publish as a DNS TXT record on a selector subdomain of your domain (e.g. selector1._domainkey.yourdomain.com). Their servers use the private key to sign every email they send on your behalf.

Setting up DKIM

  1. In your ESP account, find the DKIM setup section (Authentication, Domain Verification, or similar)
  2. Your ESP generates a DKIM key pair and provides you with a CNAME or TXT record to add to your DNS
  3. Add the provided DNS record exactly as specified
  4. Return to your ESP and click Verify — they will confirm the DNS record is correct
  5. Repeat for each ESP or mail sending service (Google Workspace, Salesforce, etc.) that sends email from your domain — each gets its own DKIM key and selector
# Example DKIM DNS record
# Name: mailchimpkey1._domainkey.yourdomain.com
# Type: CNAME
# Value: dkim.mcsv.net

DMARC — Domain-based Message Authentication

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the final layer of email authentication. It tells receiving servers what to do when an email from your domain fails SPF or DKIM checks — and sends you reports about authentication results.

# DMARC DNS TXT record
# Name: _dmarc.yourdomain.com
# Value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; adkim=r; aspf=r

# p=none     — monitor only; don't reject or quarantine failing emails
# p=quarantine — send failing emails to spam
# p=reject   — reject failing emails outright (strongest protection)
# rua=       — email address to receive aggregate reports
# ruf=       — email address to receive forensic/failure reports
# adkim=r    — relaxed DKIM alignment (s=strict)
# aspf=r     — relaxed SPF alignment

DMARC rollout strategy

Start with p=none (monitoring mode) — collect reports to understand all email streams from your domain without risking legitimate email being blocked. After analysing reports and confirming all legitimate senders pass SPF and DKIM, advance to p=quarantine, then eventually p=reject for maximum protection.

PolicyEffectWhen to Use
p=noneNo action — reports onlyInitial setup; monitoring phase
p=quarantineFailing emails go to spamAfter confirming legitimate senders pass; before full enforcement
p=rejectFailing emails rejected entirelyFull enforcement; maximum protection

BIMI — Brand Indicators for Message Identification

BIMI is an emerging standard that displays your brand logo in the inbox alongside the sender name — in email clients that support it (Gmail, Yahoo Mail, Apple Mail). BIMI requires: a DMARC policy of p=quarantine or p=reject (not p=none); a Verified Mark Certificate (VMC) from an approved Certificate Authority for Gmail; and a properly formatted SVG logo file hosted at a specific URL.

# BIMI DNS TXT record
# Name: default._bimi.yourdomain.com
# Value:
v=BIMI1; l=https://yourdomain.com/bimi-logo.svg; a=https://yourdomain.com/vmc.pem

BIMI is a long-term investment — it requires a VMC (a brand-specific SSL-like certificate that costs several hundred pounds per year) and full DMARC enforcement, but it provides a visible brand trust signal in every inbox that supports it.

Checking Your Authentication Setup

Several free tools verify your authentication configuration:

  • MXToolbox (mxtoolbox.com). Check SPF records, DKIM records, and DMARC records individually. Also checks whether your domain or IPs appear on block lists.
  • Mail-Tester (mail-tester.com). Send an email to a unique address they provide; the tool evaluates your SPF, DKIM, DMARC, content, and deliverability and provides a score with specific issues identified.
  • Google Admin Toolbox. Google's own DNS record checker (toolbox.googleapps.com) verifies SPF, DKIM, and DMARC records exactly as Google reads them.
  • Email headers. Send yourself a test email and view the full email headers (in Gmail: "Show original"). The Authentication-Results header shows whether SPF, DKIM, and DMARC passed or failed.

Google & Yahoo 2024 Bulk Sender Requirements

In February 2024, Google and Yahoo began enforcing new requirements for bulk email senders (those sending 5,000+ emails per day to Gmail or Yahoo accounts). These requirements codified authentication best practices into mandatory baseline standards:

RequirementDetail
SPF or DKIMAt least one must pass for every email sent
DMARCDMARC record required with at least p=none
Aligned DMARCThe From domain must align with SPF or DKIM domain
One-click unsubscribeList-Unsubscribe header with one-click unsubscribe; requests processed within 2 days
Spam rateSpam complaint rate must stay below 0.10%; below 0.08% recommended
Valid forward/reverse DNSSending IP must have valid forward and reverse DNS (PTR) records

Senders who do not meet these requirements experience temporary failures (5xx errors) and eventual rejection. For any organisation sending email at scale, meeting all six requirements is no longer optional.

Authentic Sources

OfficialIETF RFC 7208 — Sender Policy Framework

The official SPF specification.

OfficialIETF RFC 6376 — DomainKeys Identified Mail

The official DKIM specification.

OfficialIETF RFC 7489 — DMARC

The official DMARC specification.

OfficialGoogle — Email Sender Guidelines

Google's official bulk sender requirements including the February 2024 authentication mandates.

Related Guides

Analytics & CROCohort & Funnel AnalysisBusiness StrategySaaS Churn & RetentionContent MarketingContent Strategy Framework

Published: 6 April 2026  ·  Words: 2,900  ·  Session: 9 of 16  ·  Sources: Official only

600 guides. All authentic sources.

Official documentation only.

Browse All GuidesA–Z Glossary