Complete Guide to Email Authentication in 2026

Understand how SPF, DKIM, and DMARC work together to protect your domain from spoofing and improve email deliverability. A practical guide for email administrators.

20 min readguidesThomas Johnson

The Problem: Why Email Authentication Exists

Email authentication is the set of protocols — SPF, DKIM, and DMARC — that verify whether an email actually comes from the domain it claims. Without these protocols, any server on the internet can impersonate your domain.

SMTP was designed in 1982 (RFC 821). It has no built-in mechanism to verify sender identity. Any server on the internet can connect to a mail server and claim to be sending email from any domain. The From: header, the Return-Path, the HELO identity — all of these are assertions, not verified facts.

This is the fundamental vulnerability that enables email spoofing, phishing, and domain impersonation. An attacker doesn't need access to your mail server or DNS to send email that appears to come from your domain. They connect to the recipient's mail server, set the headers to your domain, and deliver the message. Without authentication, the receiving server has no way to distinguish this forged email from a legitimate one.

Three protocols were developed over the past two decades to solve this problem: SPF (2006, updated 2014), DKIM (2007, updated 2011), and DMARC (2015). Each addresses a different part of the authentication gap, and together they form a layered defense that lets receiving servers verify the origin and integrity of email messages.

As of 2024-2026, these protocols have moved from "recommended" to effectively required. Google and Yahoo enforce baseline authentication for all senders, with stricter requirements for bulk senders. Microsoft enforces authentication for high-volume senders to Outlook consumer mailboxes. Non-compliant email faces rejection, spam filtering, or degraded deliverability. See Bulk Sender Requirements for the current enforcement details from each provider.

Email authentication is no longer optional infrastructure. It is a baseline requirement for any domain that sends email.

SPF Authentication: Authorized Senders

What SPF Does

SPF (Sender Policy Framework), defined in RFC 7208, lets a domain owner declare which IP addresses and servers are authorized to send email on behalf of that domain. The declaration is published as a DNS TXT record on the domain. When a receiving server gets an email, it looks up the sending domain's SPF record and checks whether the sending server's IP address is listed as authorized.

How SPF Works

SPF evaluation follows this sequence:

  1. An email arrives at the receiving server. The server extracts the domain from the Return-Path (envelope sender), not the From: header.
  2. The server queries DNS for a TXT record at that domain.
  3. It finds the SPF record (the one starting with v=spf1).
  4. It evaluates each mechanism in the record left to right, checking whether the sending IP matches.
  5. The first matching mechanism determines the result: pass, fail, softfail, or neutral.
  6. If no mechanism matches, the default result is neutral (unless the record ends with all).

Example SPF Record

example.com.  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all"

This record authorizes:

  • All IP addresses in Google Workspace's SPF record (include:_spf.google.com)
  • All IP addresses in SendGrid's SPF record (include:sendgrid.net)
  • The IP range 203.0.113.0/24 directly (ip4:)
  • No other senders (-all means hard fail for everything else)

The 10-Lookup Limit

SPF evaluation is limited to 10 DNS lookups total. Mechanisms that trigger lookups include include:, a:, mx:, redirect=, and exists:. Direct IP mechanisms (ip4:, ip6:) do not count. Lookups are recursive: if an included record itself contains 3 includes, that's 4 total lookups.

Modern email setups commonly exceed this limit. Google Workspace alone consumes 3-4 lookups. Add Microsoft 365 (2-3), a marketing platform, and a transactional email service, and you're over. Exceeding 10 lookups causes a PermError, which means SPF cannot be evaluated at all.

Use the mxio SPF Checker to see your current lookup count and identify which includes are consuming your budget. See Fix SPF PermError: Too Many DNS Lookups if your record exceeds the limit. For domains that cannot reduce their lookup count, mxio's Managed SPF resolves includes to IP addresses automatically and keeps the flattened record updated as providers change their ranges. See What Is SPF Flattening? for a full explanation of the technique.

What SPF Protects Against

SPF prevents unauthorized servers from sending email using your domain in the Return-Path. If an attacker tries to send email with a Return-Path at your domain from a server not listed in your SPF record, the receiving server sees an SPF fail result.

What SPF Does Not Protect Against

SPF checks the Return-Path domain, not the From: header domain. These are two different fields. A user sees the From: header in their email client — they never see the Return-Path. An attacker can set the Return-Path to their own domain (which passes SPF for their domain) while setting the visible From: header to your domain. The email passes SPF but is still spoofing your domain in the way that matters to the recipient. This gap is exactly why DKIM and DMARC exist.

SPF also breaks when email is forwarded. If a server forwards your email to another address, the forwarding server's IP is not in your SPF record, so SPF fails at the final destination. This is a known architectural limitation.

DKIM Authentication: Message Integrity

What DKIM Does

DKIM (DomainKeys Identified Mail), defined in RFC 6376, adds a cryptographic signature to outgoing email messages. The signature covers specific headers and the message body. The corresponding public key is published in DNS. Receiving servers use the public key to verify that the message was signed by the claimed domain and that the signed content has not been modified in transit.

How DKIM Works

DKIM signing and verification follows this sequence:

  1. The sending server generates a hash of specified headers (typically From:, To:, Subject:, Date:, and others) plus the message body.
  2. The server signs this hash with its private key and attaches the signature as a DKIM-Signature header on the message.
  3. The DKIM-Signature header includes d= (the signing domain) and s= (the selector), which together tell the receiving server where to find the public key.
  4. The receiving server queries DNS for a TXT record at selector._domainkey.domain.com.
  5. It retrieves the public key, verifies the signature, and confirms the signed content hasn't changed.

Example DKIM DNS Record

google._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1234..."

The record components:

  • v=DKIM1 — Protocol version
  • k=rsa — Key type (RSA is standard; Ed25519 is gaining support per RFC 8463)
  • p= — The public key (base64-encoded)

Selectors

DKIM uses selectors to allow multiple signing keys per domain. Each sending service (Google Workspace, SendGrid, Mailchimp) typically uses its own selector. Google uses google, SendGrid often uses s1 and s2, Microsoft uses selector1 and selector2.

This design means a domain can have many DKIM keys simultaneously — one per sending service — without conflicts. Each service signs with its own private key, and the corresponding public key lives at its own selector in DNS.

Use the mxio DKIM Checker to verify your DKIM records for specific selectors. If no record is found, see DKIM Record Not Found for setup instructions.

Key Size

Use 2048-bit RSA keys as the minimum. 1024-bit keys are still accepted by most providers but are considered weak — they are theoretically factorable with sufficient resources. Some providers have begun warning about 1024-bit keys. 4096-bit keys provide stronger security but may exceed DNS TXT record size limits without splitting.

What DKIM Protects Against

DKIM verifies two things: that the message was authorized by the signing domain, and that the signed portions of the message have not been modified. If an attacker intercepts the email and changes the body or signed headers, the signature verification fails. If someone forges an email without access to the private key, they can't produce a valid signature.

Unlike SPF, DKIM survives forwarding. The signature is part of the message itself, so it remains valid regardless of which servers relay the message.

What DKIM Does Not Protect Against

DKIM alone doesn't tell the receiving server what to do when verification fails. A failed or missing DKIM signature has no defined consequence without DMARC. The receiving server knows the signature is invalid but has no policy instruction. DKIM also doesn't cover the entire message — unsigned headers can be added or modified, and the body hash only covers what was originally signed.

DMARC Authentication: The Policy Layer

What DMARC Does

DMARC (Domain-based Message Authentication, Reporting and Conformance), defined in RFC 7489, connects SPF and DKIM to the From: header domain that users actually see. It adds two critical components that SPF and DKIM lack: a policy telling receivers what to do with failures, and a reporting mechanism that tells domain owners what's happening with their email.

How DMARC Works

DMARC evaluation follows this sequence:

  1. The receiving server checks SPF and DKIM as described above.
  2. It then looks up the DMARC record at _dmarc.domain.com (where domain.com is the domain in the From: header).
  3. DMARC requires that at least one of SPF or DKIM passes AND aligns with the From: header domain.
  4. If neither passes with alignment, the DMARC result is fail.
  5. The receiving server applies the domain's published DMARC policy to the message.

Example DMARC Record

_dmarc.example.com.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=r; aspf=r; pct=100"

The record components:

  • v=DMARC1 — Protocol version
  • p= — Policy for the domain (none, quarantine, or reject)
  • rua= — Address for aggregate reports (daily XML summaries)
  • ruf= — Address for forensic/failure reports (individual failure samples)
  • adkim= — DKIM alignment mode (r=relaxed, s=strict)
  • aspf= — SPF alignment mode (r=relaxed, s=strict)
  • pct= — Percentage of failing messages the policy applies to

Use the mxio DMARC Checker to verify your DMARC record and policy configuration. If no record exists, see No DMARC Record Found.

The Three Policies

Policy Tag Receiver Action Use Case
None p=none Deliver normally, send reports Initial deployment, monitoring phase
Quarantine p=quarantine Route to spam/junk folder Transition phase, partial enforcement
Reject p=reject Block the message entirely Full enforcement, maximum protection

Starting with p=none is correct — it collects data without affecting delivery. Staying at p=none indefinitely is a mistake. See DMARC p=none: Why You Should Move to Enforce for guidance on progressing your policy.

Aggregate vs. Forensic Reports

Aggregate reports (rua=) are XML files sent daily by receiving servers. They summarize authentication results for all email seen from your domain: which IPs sent email, whether SPF/DKIM passed, and whether DMARC alignment succeeded. These reports are essential for understanding your email ecosystem before tightening policy.

Forensic reports (ruf=) provide details about individual messages that failed DMARC. They can include message headers and sometimes partial body content. Not all providers send forensic reports due to privacy concerns — Gmail, for example, does not send them. They are useful when available but should not be relied upon as the sole monitoring mechanism.

Why You Need DMARC Even with SPF and DKIM

Without DMARC, SPF and DKIM results have no enforced consequences and no connection to the From: header. An email can fail both SPF and DKIM and still be delivered. An email can pass SPF for a completely different domain than the From: header shows. DMARC closes both of these gaps: it defines what happens when authentication fails, and it requires that successful authentication is actually relevant to the domain the user sees.

DMARC also provides visibility. Without DMARC reporting, you have no way to know who is sending email using your domain, whether your legitimate services are authenticating correctly, or whether anyone is spoofing your domain. The aggregate reports are often the first time administrators discover unauthorized use of their domain.

How SPF, DKIM, and DMARC Work Together for Email Authentication

The Authentication Chain

Each protocol checks a different aspect of an email message at a different layer:

Protocol What It Checks Identifier Verified Survives Forwarding Policy Enforcement
SPF Sending server IP against authorized list Return-Path domain (envelope sender) No No (result only)
DKIM Cryptographic signature on headers + body d= domain (signing domain) Yes No (result only)
DMARC SPF/DKIM results + alignment with From: domain From: header domain Yes (via DKIM) Yes (none/quarantine/reject)

DMARC is the layer that ties everything together. SPF and DKIM produce authentication results; DMARC interprets those results in the context of the domain the recipient actually sees.

Understanding Alignment

Alignment is the concept that makes DMARC work. It answers the question: does the domain that passed authentication actually match the domain in the From: header?

SPF alignment compares the Return-Path domain to the From: header domain. If a message has Return-Path: bounce@marketing.example.com and From: newsletter@example.com:

  • Relaxed alignment (aspf=r): Passes — the organizational domains match (example.com)
  • Strict alignment (aspf=s): Fails — the exact domains don't match (marketing.example.com vs example.com)

DKIM alignment compares the DKIM d= domain to the From: header domain. If a message is signed with d=example.com and the From: header shows newsletter@example.com:

  • Relaxed alignment (adkim=r): Passes — the organizational domains match
  • Strict alignment (adkim=s): Passes — the exact domains match

For a detailed look at alignment failures and fixes, see DMARC Alignment Failure.

The Critical Rule: Only One Needs to Pass

A message passes DMARC if either SPF or DKIM passes with alignment. Not both — just one. This is a deliberate design choice. SPF breaks when email is forwarded (the forwarding server's IP isn't in your SPF record). DKIM can break if a mailing list modifies the message body or subject line. By requiring only one, DMARC remains effective even when one mechanism fails due to legitimate mail routing.

This is why configuring both SPF and DKIM is important even though only one is required to pass. They serve as fallbacks for each other:

Scenario SPF Result DKIM Result DMARC Result
Direct delivery, both configured Pass + aligned Pass + aligned Pass
Email forwarded to another address Fail (IP changed) Pass + aligned Pass (DKIM saves it)
Mailing list modifies subject Pass + aligned Fail (body modified) Pass (SPF saves it)
Third-party ESP with DKIM only Fail (no SPF alignment) Pass + aligned Pass (DKIM sufficient)
Spoofed email, no valid signature Fail Fail Fail (policy applied)

Use the mxio Header Analyzer to inspect the Authentication-Results header on a specific message and see exactly how SPF, DKIM, and DMARC evaluated for that delivery path.

Email Authentication Implementation Order

The correct sequence for deploying email authentication matters. Each step depends on data from the previous one.

Step 1: SPF

Deploy SPF first because it's the simplest and provides immediate signal.

  1. Inventory every service that sends email as your domain — your primary mail platform, marketing tools, transactional email services, CRM, helpdesk, email security/filtering services (MailRoute, Mimecast, Proofpoint), and any other SaaS that sends on your behalf.
  2. Build your SPF record with include: mechanisms for each service and any direct ip4:/ip6: entries for your own infrastructure.
  3. Publish the TXT record on your domain.
  4. Verify with the mxio SPF Checker — confirm it is valid, all senders are covered, and the lookup count is under 10.
example.com.  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net -all"

Warning: Publish only one SPF record per domain. Multiple SPF records cause a PermError and break authentication entirely. See Multiple SPF Records.

Step 2: DKIM

Deploy DKIM for every sending source. Unlike SPF (one record per domain), DKIM requires per-service configuration.

  1. For each sending service, follow their documentation to generate a DKIM key pair. The service provides the public key to publish in DNS.
  2. Publish TXT records at the selector locations specified by each service (e.g., google._domainkey.example.com, s1._domainkey.example.com).
  3. Verify each selector with the mxio DKIM Checker.
  4. Send test emails from each service and check the DKIM-Signature header to confirm signing is active.

Common selectors by provider:

Provider Selector(s) DNS Record Location
Google Workspace google google._domainkey.example.com
Microsoft 365 selector1, selector2 selector1._domainkey.example.com
SendGrid s1, s2 s1._domainkey.example.com
Mailchimp k1 k1._domainkey.example.com
Amazon SES varies (auto-generated) CNAME records provided by SES
Postmark 20240101 (date-based) Provided during setup

Step 3: DMARC with p=none

Deploy DMARC in monitoring mode once SPF and DKIM are in place.

  1. Publish a DMARC record with p=none and an rua= address for aggregate reports.
  2. Wait. Collect reports for at least 2-4 weeks.
  3. Review the aggregate reports to identify all email sources for your domain — legitimate and otherwise.
_dmarc.example.com.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

The p=none policy tells receiving servers to deliver email regardless of authentication results but to send you reports about what they see. This is the data-gathering phase.

Step 4: Analyze Reports and Fix Issues

Aggregate reports reveal the reality of your email ecosystem:

  • Legitimate sources failing authentication — A SaaS platform you forgot to add to SPF, a service sending without DKIM, a forwarding rule breaking SPF. Fix each one.
  • Unknown legitimate sources — Sometimes departments have set up sending services you weren't aware of. Audit and authenticate them.
  • Unauthorized senders — IP addresses you don't recognize sending email as your domain. These are either spoofing attempts or misconfigured services. Tightening DMARC policy will block them.

Don't rush this phase. The goal is to reach a state where every legitimate email source consistently passes DMARC. Moving to enforcement before this is done will block your own email.

Step 5: Tighten DMARC Policy

Once aggregate reports show consistent authentication success for all legitimate sources:

  1. Move to p=quarantine — Failed messages go to spam instead of being delivered normally. Start with pct=25 to apply the policy to only 25% of failures, then ramp to pct=50, pct=100.
  2. Monitor for any increase in delivery problems or user reports of missing email.
  3. Move to p=reject — Failed messages are blocked entirely. This provides maximum protection against domain spoofing.
_dmarc.example.com.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

The progression from p=none to p=reject is the entire point of DMARC. The monitoring phase exists to build confidence, not to be a permanent state. See DMARC Deployment Guide for the full phased rollout process.

Verifying Your Email Authentication Setup

After implementation, verify the full authentication chain using the tools below. Check each layer independently, then confirm they work together.

Check SPF

Use the mxio SPF Checker on your domain and verify:

  • The record is syntactically valid (no errors)
  • All sending sources are included
  • Lookup count is 10 or fewer
  • The all mechanism is present (-all or ~all, not +all)
  • Only one SPF record exists on the domain

Check DKIM

Use the mxio DKIM Checker for each sending service's selector and verify:

  • A TXT record exists at the correct selector._domainkey.domain.com location
  • The key is 2048-bit RSA or stronger
  • The p= tag contains a valid public key (not empty, which would revoke the key)

If you do not know which selectors to check, send a test email from each service and examine the DKIM-Signature header — the s= tag contains the selector.

Check DMARC

Use the mxio DMARC Checker on your domain and verify:

  • A TXT record exists at _dmarc.yourdomain.com
  • The rua= tag is present with a valid mailto address
  • The policy (p=) matches your intended enforcement level
  • Alignment modes (adkim=, aspf=) are configured appropriately (relaxed is the default and correct for most setups)

Analyze Headers End-to-End

Send a test email from each sending source to an address you control. Use the mxio Header Analyzer to inspect the Authentication-Results header on the received message. Look for:

  • spf=pass with smtp.mailfrom= showing your domain (or a subdomain)
  • dkim=pass with header.d= showing your domain
  • dmarc=pass with header.from= showing your domain

If any check fails, the header tells you exactly which component failed and why. Cross-reference with the specific error articles for the failure type.

For any health check result you're unsure about, mxio's AI-powered explanations provide a plain-English breakdown of what failed, why it matters, and exactly what to fix — saving you from manually cross-referencing RFCs and error documentation.

Ongoing Email Authentication Monitoring

Email authentication is not set-and-forget infrastructure. Provider IP ranges change, services get added, DKIM keys need rotation, and new sending sources appear. Without ongoing monitoring, working authentication degrades silently. mxio's domain health monitoring tracks all of these signals and alerts you the moment something changes.

What to Monitor

Signal Why It Matters Frequency
SPF lookup count Provider changes can add nested lookups, pushing you over 10 Monthly
SPF record validity DNS edits can introduce syntax errors Weekly
DKIM key presence Keys can be accidentally deleted during DNS changes Monthly
DKIM key strength 1024-bit keys should be upgraded to 2048-bit Quarterly
DMARC pass rate Drops indicate new senders or configuration changes Weekly
DMARC policy level Ensure no one accidentally downgrades from p=reject Monthly
Aggregate reports New sources, failures, and spoofing attempts Weekly

DKIM Key Rotation

DKIM keys should be rotated periodically — annually at minimum, quarterly for high-security environments. The rotation process:

  1. Generate a new key pair and publish the new public key under a new selector
  2. Configure the sending server to sign with the new selector
  3. Keep the old public key published for 1-2 weeks (to validate messages still in transit)
  4. Remove the old public key from DNS

After rotation, verify the new key with the mxio DKIM Checker.

When Things Change

Before any new service starts sending email as your domain:

  1. Add the service's include: to your SPF record (check the lookup count first)
  2. Configure DKIM signing with your domain
  3. Send a test email and verify the Authentication-Results header shows DMARC pass
  4. Confirm the service appears in the next DMARC aggregate report with passing results

Make this a standard process. Every new tool, platform, or integration that sends email needs authentication configured before it goes live — not after users start complaining about spam-foldered messages.

Was this article helpful?

Related Articles

Fix SPF PermError: Too Many DNS Lookupserrors

Your SPF record exceeds the 10-lookup limit, causing email authentication failures. Learn why this happens and how to fix it with step-by-step instructions.

Why Is DMARC Failing? Causes and How to Fix Iterrors

DMARC authentication is failing for your domain. Understand the most common causes — alignment issues, missing records, third-party senders — and fix them.

No DMARC Record Found: How to Set Up DMARC from Scratcherrors

Your domain has no DMARC record. Learn why DMARC matters, how to create your first record, and the recommended rollout path from monitoring to enforcement.

DKIM Record Not Found: Setting Up DKIM DNS Recordserrors

No DKIM record found for your domain and selector. Learn how to find your DKIM selector, publish the DNS record, and verify the configuration.

Google, Yahoo, and Microsoft Bulk Sender Requirements (2026)guides

Complete guide to bulk sender authentication requirements from Gmail, Yahoo Mail, and Microsoft. SPF, DKIM, DMARC, unsubscribe headers, and spam rate thresholds.

Email Authentication for MSPs: Managing Client Domains at Scaleguides

Practical guide for MSPs and IT consultants managing email authentication across multiple client domains. Standardize SPF, DKIM, and DMARC deployment with repeatable processes.

Email Security for SMBs: Authentication Management Without Enterprise Pricingguides

Email authentication is no longer optional for small and mid-sized businesses. Learn how to protect your domain from spoofing with SPF, DKIM, and DMARC — and how managed platforms make it practical.

Managed Email Authentication: What It Is and Why It Mattersguides

Learn what managed email authentication means, why DNS-based email security requires ongoing management, and how platforms like mxio handle SPF, DKIM, and DMARC so you don't have to.

SPF Technical Reference (RFC 7208)standards

A section-by-section walkthrough of RFC 7208, the standard that defines SPF. Covers every mechanism, qualifier, the 10-lookup limit, void lookups, ptr deprecation, macros, and security considerations — with practical examples and tool links.

DKIM Technical Reference (RFC 6376)standards

Annotated walkthrough of RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures. How signing works, key record format, canonicalization modes, verification steps, and security guidance from the spec itself.

DMARC Technical Reference (RFC 7489)standards

Annotated walkthrough of RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance. Policy tags, alignment, reporting, and security considerations from the spec itself.

Domain Health Check: What It Tests and Whyguides

Understand what the mxio Domain Health Check measures across SPF, DKIM, DMARC, MX, and DNS delegation — and how to interpret your health score.

How to Build an SPF Recordguides

Build a correct SPF record for your domain using the mxio SPF Builder. Select your email providers, set your policy, and publish with confidence.

Email Header Analysis: Reading Authentication Resultsguides

Learn how to read email headers to diagnose SPF, DKIM, and DMARC authentication failures. Understand Authentication-Results headers and trace delivery paths.

Why Email Forwarding Breaks Authentication (And How to Fix It)guides

Email forwarding breaks SPF and can cause DMARC failures. Learn how SRS fixes SPF, why DKIM alignment matters for forwarded mail, and what domain owners and recipients can do.