Email Authentication in 2026: SPF, DKIM, and DMARC from First Principles
Apr 21, 2026 · 8 min read
If you send email from a custom domain and your SPF, DKIM, or DMARC is misconfigured, attackers can send email that appears to come from you — and many spam filters will pass it. Google and Yahoo's 2024 sender requirements made DMARC mandatory for anyone sending bulk email. Here is what each record does, what a correct configuration looks like, and how to migrate from monitoring to enforcement without killing your deliverability.
Why email is easy to spoof
SMTP was designed in 1982 and has no built-in authentication. The
From: header in an email is set by the sender and not verified by
the receiving server at the protocol level. Any mail server can send an email
claiming to be from [email protected]. SPF, DKIM, and DMARC
are the three DNS-based records that add authentication on top of this
40-year-old protocol.
SPF — Sender Policy Framework
An SPF record is a DNS TXT record that lists the IP addresses and mail
servers authorized to send email from your domain. When a receiving mail
server gets a message claiming to be from yourcompany.com, it looks
up the SPF record for that domain and checks whether the sending server's
IP is listed.
A minimal SPF record for a domain using Google Workspace looks like:
v=spf1 include:_spf.google.com -all
The -all at the end means "reject email from any sender not listed."
The common alternative ~all is a soft fail — the message is
accepted but marked as suspicious. For production domains, -all
is the correct choice once your record is stable.
The ten-lookup limit: SPF permits a maximum of ten DNS
lookups during evaluation. Complex configurations with many
include: statements from multiple SaaS email senders
(Mailchimp, SendGrid, HubSpot, Salesforce) frequently exceed this limit,
causing SPF to produce a PermError instead of a pass. Use an SPF flattening
service or reduce include: chain depth.
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to outgoing email headers. The sending mail server signs each message with a private key, and publishes the corresponding public key in DNS under a selector subdomain. The receiving server fetches the public key and verifies the signature.
DKIM DNS records look like this (Google Workspace example):
google._domainkey.yourcompany.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
The selector (google in the example above) is chosen by your email
provider. You can have multiple DKIM selectors active simultaneously —
useful during key rotation or when using multiple sending services.
Key length: DKIM keys should be 2048-bit RSA. 1024-bit keys are still valid per the RFC but are considered weak. Some automated DKIM checkers flag them. Keys shorter than 1024 bits are rejected by major mail providers.
DMARC — Domain-based Message Authentication, Reporting & Conformance
DMARC is the policy layer on top of SPF and DKIM. It tells receiving servers what to do when email claims to be from your domain but fails authentication, and it provides an aggregate reporting mechanism so you can see who is sending email on your domain's behalf.
A DMARC record is a TXT record at _dmarc.yourcompany.com:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s
The three policy values for p=:
none— monitoring only. Failed messages are delivered, but aggregate reports are sent to yourruaaddress.quarantine— failed messages go to spam. Some providers honor this strictly; others treat it loosely.reject— failed messages are rejected outright. This is the goal state for any domain that does not send email to arbitrary external parties.
The migration sequence
Never jump straight to p=reject. If any legitimate sending service is not
fully covered by your SPF or does not have a working DKIM signature, it will
be rejected — including transactional email from services you forgot about.
The safe sequence is:
- Publish
p=nonewith aruareporting address. Wait two weeks. - Read aggregate reports. Identify every service sending email from your domain.
- Add each service to SPF. Verify DKIM selectors are published and signing correctly.
- Move to
p=quarantine; pct=10. This applies quarantine policy to 10% of failing messages. Monitor for unexpected legitimate failures. - Raise
pctincrementally: 10 → 25 → 50 → 100. - Move to
p=rejectonce you are confident all legitimate email passes.
DMARC alignment
DMARC requires either SPF or DKIM to "align" — meaning the domain in the
relevant record must match the domain in the
From: header. There are two alignment modes:
- Relaxed (default): the organizational domain must match. A message from
mail.yourcompany.comaligns withyourcompany.com. - Strict (
adkim=s; aspf=s): the full domain must match exactly. Subdomains will not align with the parent domain.
Start with relaxed alignment (adkim=r; aspf=r, which are the defaults).
Move to strict only after verifying all sending services produce exact-domain alignment.
Google and Yahoo's 2024 requirements
In February 2024, Google and Yahoo began enforcing requirements for bulk senders (domains sending more than 5,000 messages/day to Gmail or Yahoo addresses):
- SPF or DKIM must pass (not both required, but DMARC requires at least one to align).
- DMARC must be present with at least
p=none. - A one-click unsubscribe header (
List-Unsubscribe) is required for marketing email. - Spam complaint rate must stay below 0.10% to avoid delivery problems, and 0.30% to avoid blocking.
For domains that are not bulk senders, the requirements are softer — but DMARC
at p=none is now effectively table stakes for any domain that wants
reliable Gmail delivery.
Checking your configuration with Kuality
Kuality's email security scanner queries your SPF, DKIM, and DMARC records on every scan and flags gaps in enforcement, missing records, SPF lookup limit violations, and weak DKIM key sizes. You can schedule weekly scans so you are notified if a configuration change breaks your email authentication — before your deliverability is affected.
Check your domain's email security free →