Updated Jan 17, 2026
TL;DR: SPF specifies who can send from your domain, DKIM cryptographically signs your emails, and DMARC tells receiving servers what to do when checks fail. Set up all three correctly, start DMARC at p=none, monitor reports, then gradually move to p=quarantine and p=reject.
Email authentication isn't optional anymore - it's mandatory.
Since 2024 (Gmail and Yahoo) and 2025 (Microsoft), bulk senders must have SPF, DKIM, and DMARC in place. Emails failing these checks are throttled, quarantined, or rejected outright. For cold emailers, this isn't just a technical checkbox - it's the difference between reaching inboxes and disappearing into spam.
Yet many sales teams still operate with broken or incomplete authentication, wondering why their deliverability suffers. This guide explains what each protocol does, how to set them up correctly, and how to avoid the common mistakes that destroy deliverability.
Why Authentication Matters in 2026
Email authentication serves two purposes: proving you're who you say you are, and proving your email hasn't been tampered with.
The Trust Problem
Without authentication, anyone can send email claiming to be from your domain. Spammers exploit this constantly - spoofing legitimate domains to make their spam look credible. Authentication protocols let receiving servers verify that:
- The sending server is authorized to send for your domain
- The email content hasn't been modified in transit
- You've told receivers what to do with emails that fail these checks
The 2026 Requirements
Major email providers now enforce authentication:
Gmail (Google):
- SPF or DKIM required for all senders; bulk senders (5,000+ messages/day) need both SPF and DKIM
- DMARC record (at least p=none) required for senders exceeding 5,000 emails/day, with the From domain aligned to SPF or DKIM
- Spam complaint rate must stay below 0.3%
- One-click unsubscribe required for marketing emails
Microsoft (Outlook/Office 365):
- SPF, DKIM, and DMARC required for high-volume senders (5,000+ messages/day)
- Non-compliant bulk mail routed to junk or rejected
- Enhanced enforcement for domains without proper authentication
Yahoo:
- Aligned with Gmail requirements
- DMARC policy required for bulk senders
The Deliverability Impact
Properly authenticated emails:
- Have significantly higher inbox placement rates
- Build domain reputation faster
- Are trusted more by spam filters
- Can recover from deliverability issues faster
Unauthenticated emails:
- Face automatic throttling or rejection
- Damage domain reputation
- Get caught in spam filters more often
- May be blocked entirely by enterprise recipients
Understanding the Three Protocols
Think of SPF, DKIM, and DMARC as a security system with three layers:
- SPF verifies that the sending server's IP address is authorized for the envelope sender (MAIL FROM) domain
- DKIM verifies that a domain has signed the message, taking responsibility for it, and that it wasn't altered in transit
- DMARC checks that at least one of those passes with a domain aligned to the visible From header, and tells receivers what to do when neither does
You need all three working together for complete protection.
SPF: Sender Policy Framework
What it does: SPF lets you publish which servers (IP addresses) are authorized to send email for your domain. Receivers check it against the domain in the envelope sender (MAIL FROM, visible to recipients as Return-Path), not the From header; for DMARC, that envelope domain must also align with the From domain.
How it works:
- You publish an SPF record in your domain's DNS
- When a server receives email from your domain, it checks this record
- If the sending IP matches your SPF record, it passes
- If it doesn't match, the email fails SPF
Example SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Components explained:
- v=spf1 - Version identifier (required)
- include:_spf.google.com - Authorize Google's servers
- include:sendgrid.net - Authorize SendGrid's servers
- ~all - Soft fail for unauthorized senders (recommended)
SPF mechanisms:
| Mechanism | Meaning |
|---|---|
| include: | Include another domain's SPF record |
| ip4: | Authorize a specific IPv4 address or CIDR range |
| ip6: | Authorize a specific IPv6 address or CIDR range |
| a | Authorize the IP(s) in the domain's A/AAAA record |
| mx | Authorize the domain's mail servers (MX hosts) |
| all | Match everything (always at the end) |
SPF qualifiers:
| Qualifier | Result |
|---|---|
| + | Pass (default) |
| - | Hard fail (reject) |
| ~ | Soft fail (accept but flag) |
| ? | Neutral |
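The evaluation described above, as an added example that is not part of the original article: a minimal SPF evaluator that walks a record term by term, follows include: into other records, applies the qualifier of the first matching term, and enforces the 10-lookup limit across the whole evaluation (the PermError discussed under Troubleshooting). The in-memory zone is constructed for illustration; the hostnames, IP ranges and records are made up, and the a/mx mechanisms are handled in their simplest form (no CIDR suffixes).

```python
"""Minimal SPF evaluator run against an in-memory zone (no network needed).

Added example, not code from the original article. The zone below is
constructed for illustration: the hostnames, IP ranges and records are
made up, and 'exists:'/'ptr:'/'redirect=' are counted toward the lookup
limit but not otherwise evaluated.
"""
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed zone: name -> record type -> values. ip4:/ip6: terms cost no lookups.
ZONE = {
    "yourdomain.com": {
        "TXT": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
        "MX": ["mail.yourdomain.com"],
    },
    "mail.yourdomain.com": {"A": ["203.0.113.10"]},
    "_spf.google.com": {"TXT": ["v=spf1 include:_netblocks.google.com ~all"]},
    "_netblocks.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"]},
    "sendgrid.net": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "dup.example": {"TXT": ["v=spf1 mx -all", "v=spf1 a -all"]},  # two SPF records: invalid
    "toomany.example": {
        "TXT": ["v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all"]
    },
}
for _i in range(11):  # eleven includes -> the eleventh lookup exceeds the limit
    ZONE[f"inc{_i}.example"] = {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]}


class PermError(Exception):
    """Permanent error: malformed record or lookup limit exceeded."""


def lookup(name, rtype):
    return ZONE.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    recs = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) > 1:
        raise PermError(f"{domain}: multiple SPF records")
    return recs[0] if recs else None


def check_host(ip, domain, counter=None):
    """Return (result, lookups_used) for a message from `ip` whose MAIL FROM is `domain`.

    `counter` is shared across include: recursion so the limit applies to
    the whole evaluation, not to each record separately.
    """
    counter = [0] if counter is None else counter
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none", counter[0]
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS or name.startswith("redirect="):
            counter[0] += 1
            if counter[0] > LOOKUP_LIMIT:
                raise PermError(f"{domain}: more than {LOOKUP_LIMIT} DNS lookups")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = str(addr) in lookup(host, "A") + lookup(host, "AAAA")
        elif name == "mx":
            matched = any(str(addr) in lookup(h, "A") + lookup(h, "AAAA")
                          for h in lookup(arg or domain, "MX"))
        elif name == "include":
            sub_result, _ = check_host(ip, arg, counter)
            matched = sub_result == "pass"  # only a 'pass' inside an include matches
        if matched:
            return QUALIFIERS[qual], counter[0]
    return "neutral", counter[0]  # no term matched and no 'all' present


def evaluate(ip, domain):
    """Human-readable wrapper that reports PermError instead of raising."""
    try:
        result, used = check_host(ip, domain)
        return f"{result} ({used} lookups)"
    except PermError as exc:
        return f"permerror: {exc}"
```

Two things worth noticing when you run it: the domain's own MX host (203.0.113.10) gets softfail because the record has no mx term, which is exactly the "missing include" mistake, and toomany.example only raises PermError for an IP that matches none of its early includes, because lookups are counted as evaluation proceeds.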
DKIM: DomainKeys Identified Mail
What it does: DKIM adds a cryptographic signature to your emails, proving the message content hasn't been tampered with since leaving your server.
How it works:
- Your email server signs outgoing messages with a private key
- The matching public key is published in your DNS
- Receiving servers use the public key to verify the signature
- If verification passes, the email is authenticated
Example DKIM record:
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
Components explained:
- selector - Identifies which key to use (you can have multiple)
- _domainkey - Standard DKIM prefix
- v=DKIM1 - Version identifier
- k=rsa - Key type
- p= - The actual public key (base64 encoded)
DKIM alignment: For DMARC purposes, the domain in the DKIM signature (d=) should match or align with your From domain.
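What "hasn't been tampered with" means in practice, as an added example (not code from the original article): DKIM hashes a canonicalized copy of the body into the bh= tag of the DKIM-Signature header, and the verifier recomputes it from the message it received. Under relaxed canonicalization, whitespace rewrapping survives, but an appended disclaimer does not. This reproduces only the body-hash step of RFC 6376 with the standard library; the RSA signature over the headers (the b= tag) is not computed here, and the message and signature header are constructed for illustration.

```python
"""DKIM body canonicalization and bh= checking (RFC 6376 section 3.4).

Added example, not code from the original article. It reproduces the body
hash part of DKIM with the standard library; the RSA signature over the
headers (the b= tag) is not computed here. The message and signature
header below are constructed for illustration.
"""
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """Return the canonical body bytes for 'simple' or 'relaxed' canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # relaxed: strip trailing whitespace, collapse interior whitespace runs to one SP
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":  # both modes ignore empty lines at the end
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""  # empty body: CRLF (simple) or nothing (relaxed)
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="relaxed"):
    """bh= value: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list (folding whitespace already unfolded)."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature, body):
    """First verifier step: recompute bh= from the received body and compare."""
    tags = parse_tags(dkim_signature)
    c = tags.get("c", "simple/simple")  # c=header/body; a bare 'relaxed' means body is simple
    body_mode = c.split("/")[1] if "/" in c else "simple"
    return body_hash(body, body_mode) == tags["bh"]


# Constructed message body as signed by the sender.
ORIGINAL_BODY = "Hi  there,\r\nHappy to connect next week.\r\n\r\n\r\n"
# Same content after a gateway rewrapped whitespace: still verifies under relaxed.
REWRAPPED_BODY = "Hi there,   \r\nHappy to connect next week.\r\n"
# Same content with an appended disclaimer: bh= no longer matches.
FOOTERED_BODY = ORIGINAL_BODY + "--\r\nScanned by ExampleGateway\r\n"

# Constructed DKIM-Signature value; the b= tag would hold the RSA signature.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector; "
             "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=<signature omitted>")
```

The d= tag in the constructed header is what DMARC compares against the From domain; the s= tag names the selector under which the public key is published at selector._domainkey.yourdomain.com.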
DMARC: Domain-based Message Authentication
What it does: DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can monitor authentication results.
How it works:
- You publish a DMARC record specifying your policy
- Receiving servers check SPF and DKIM results
- They verify alignment (do the domains match?)
- They apply your policy (none, quarantine, reject)
- They send you reports about authentication results
Example DMARC record:
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"
Components explained:
- v=DMARC1 - Version identifier (required)
- p= - Policy for the domain (none, quarantine, or reject)
- sp= - Policy for subdomains (defaults to the p= value)
- rua= - Email address for aggregate reports
- ruf= - Email address for forensic (failure) reports
- pct= - Percentage of failing messages the policy applies to (only meaningful with quarantine or reject)
DMARC policies:
| Policy | Action |
|---|---|
| none | Monitor only, don't affect delivery |
| quarantine | Send failing emails to spam/junk |
| reject | Block failing emails entirely |
Alignment modes:
| Mode | Setting | Requirement |
|---|---|---|
| Strict | adkim=s / aspf=s | Exact domain match |
| Relaxed | adkim=r / aspf=r | Organizational domain match (default) |
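The DMARC evaluation steps above (find the policy, check alignment for SPF and DKIM, apply p=/sp=/pct=), as an added example that is not part of the original article. The _dmarc records in the zone are constructed, the Public Suffix List is replaced by a tiny hard-coded set so organizational-domain lookup works offline, and the roll parameter stands in for the receiver's random pct sampling so results are repeatable.

```python
"""DMARC alignment and disposition, evaluated against a constructed zone.

Added example, not the article's code. The Public Suffix List is replaced
by a tiny hard-coded set, the _dmarc records below are made up, and `roll`
stands in for the receiver's random pct= sampling so results are repeatable.
"""

PUBLIC_SUFFIXES = {"com", "net", "io", "co.uk"}  # assumption: stand-in for the PSL

DMARC_ZONE = {  # constructed records
    "_dmarc.yourcompany.com": "v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc@yourcompany.com",
    "_dmarc.strict.io": "v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarc@strict.io",
}
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def org_domain(domain):
    """Organizational domain: one label more than the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: exact match in strict (s) mode, same org domain in relaxed (r)."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(txt):
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def find_policy(from_domain):
    """Look up _dmarc at the From domain, then at its organizational domain."""
    for name in (from_domain.lower(), org_domain(from_domain)):
        txt = DMARC_ZONE.get(f"_dmarc.{name}")
        if txt:
            tags = parse_dmarc(txt)
            # p= applies to the domain itself; sp= applies when the record came from the org domain
            tags["applies"] = tags["p"] if name == from_domain.lower() else tags["sp"]
            return tags
    return None


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, roll=0):
    """Return the DMARC result and the disposition a receiver would apply.

    spf_domain is the envelope MAIL FROM (Return-Path) domain; dkim_domain is
    the d= of a signature that verified. roll in 0..99 emulates pct sampling.
    """
    policy = find_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no policy published"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    verdict = {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", **verdict}
    action = policy["applies"]
    if roll >= int(policy["pct"]):  # messages outside the pct sample get the next weaker policy
        action = DOWNGRADE[action]
    return {"dmarc": "fail", "disposition": action, **verdict}
```

The second constructed case is the common cold-email failure: SPF passes for bounce.sendgrid.net and DKIM passes for sendgrid.net, but neither aligns with yourcompany.com, so DMARC fails and half the mail is rejected while the other half (outside the pct=50 sample) is quarantined.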
Step-by-Step Setup Guide
Prerequisites
Before starting:
- Access to your domain's DNS management
- Admin access to your email provider (Google Workspace, Microsoft 365, etc.)
- List of all services that send email on your behalf
- 15-30 minutes per domain
Step 1: Audit Your Sending Sources
Identify everything that sends email from your domain:
- Primary email provider (Google Workspace, Microsoft 365)
- Cold email platform (MailBeast, Instantly, Apollo, etc.)
- Marketing automation (HubSpot, Mailchimp, etc.)
- Transactional email (SendGrid, Postmark, etc.)
- CRM systems with email capability
- Help desk software
- Any other tools that send as your domain
Why this matters: Your SPF record must include all legitimate senders. Missing one means those emails will fail authentication.
Step 2: Configure SPF
Step 2.1: Build your SPF record
Start with the base:
v=spf1
Add includes for each sending service:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com
End with a soft fail:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
Step 2.2: Add to DNS
- Go to your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.)
- Navigate to DNS management for your domain
- Add a new TXT record:
- Name/Host: @ (or leave blank for root domain)
- Type: TXT
- Value: Your complete SPF record
- TTL: 3600 (1 hour) or default
Step 2.3: Verify
Use a tool like MXToolbox SPF Check:
- Enter your domain
- Verify the record is published correctly
- Check for errors or warnings
Common SPF mistakes to avoid:
| Mistake | Problem | Solution |
|---|---|---|
| Multiple SPF records | Invalid (PermError), causes failures | Combine into one record |
| Too many DNS lookups | SPF has a 10-lookup limit | Flatten or simplify |
| Missing includes | Legitimate mail fails SPF | Audit all senders |
| Using -all too early | Blocks legitimate mail | Use ~all until every sender is covered |
Step 3: Configure DKIM
DKIM setup varies by email provider. Here are the most common:
Google Workspace:
- Go to Admin Console → Apps → Google Workspace → Gmail
- Select "Authenticate email"
- Click "Generate new record"
- Choose selector prefix (default: google)
- Copy the provided TXT record
- Add to DNS as instructed
- Return to Google and click "Start authentication"
Microsoft 365:
- Go to Microsoft 365 Defender portal
- Navigate to Email & Collaboration → Policies → DKIM
- Select your domain
- Click "Enable"
- Microsoft provides two CNAME records to add to DNS
- Add both records to your DNS
- Return and confirm DKIM is enabled
Cold email platforms (MailBeast, etc.):
- Check your platform's settings for DKIM configuration
- Follow their specific instructions for DNS records
- Verify within the platform once DNS propagates
Verification:
- Use MXToolbox DKIM Lookup
- Enter your domain and selector
- Confirm the public key is published correctly
Step 4: Configure DMARC
Step 4.1: Start with monitoring
Begin with p=none to monitor without affecting delivery:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Step 4.2: Add to DNS
- Add a new TXT record:
- Name/Host: _dmarc
- Type: TXT
- Value: Your DMARC record
- TTL: 3600
Step 4.3: Monitor reports
DMARC aggregate reports (rua) arrive, typically once a day per receiver, as compressed XML attachments (.xml.gz or .zip). Use a DMARC monitoring service to parse them:
- DMARC Analyzer
- Valimail
- Dmarcian
- Postmark DMARC
Step 4.4: Analyze and fix issues
Review reports for:
- Unauthorized senders using your domain
- Legitimate senders failing authentication
- Alignment issues between From domain and authentication
Fix issues before moving to enforcement.
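What a parsed aggregate report looks like, as an added example that is not part of the original article: it unpacks the attachment, reads each record, and sorts every source IP into one of the three buckets listed above (aligned pass, legitimate-but-unaligned third party, unauthenticated). The report XML is constructed to resemble a receiver's daily report for yourdomain.com; the IPs, counts and report ID are made up. Reports are untrusted input sent by anyone on the internet, so for production use parse them with defusedxml rather than xml.etree directly.

```python
"""Parse a DMARC aggregate (rua) report and classify each sending source.

Added example, not code from the original article. The report XML below is
constructed to look like a receiver's daily report for yourdomain.com; the
IPs and counts are made up. Reports are untrusted input from the internet:
for production use, parse with defusedxml rather than xml.etree directly.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

ALIGNED = "aligned pass"
UNALIGNED = "authenticated but not aligned (third-party sender?)"
UNAUTH = "unauthenticated (unknown sender or spoofing)"

REPORT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2026-01-16-yourdomain.com</report_id>
    <date_range><begin>1768521600</begin><end>1768607999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>sendgrid.net</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def load_report(raw):
    """Reports arrive as .xml.gz or .zip attachments; return the XML text."""
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw).decode("utf-8")
    if raw[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(raw)) as archive:
            return archive.read(archive.namelist()[0]).decode("utf-8")
    return raw.decode("utf-8")


def summarize(xml_text):
    """Per-source breakdown: DMARC result, disposition, and what a failure means."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": [],
    }
    for rec in root.iter("record"):
        # policy_evaluated holds the aligned DMARC verdict; auth_results holds raw SPF/DKIM results
        dmarc_pass = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                                rec.findtext("row/policy_evaluated/spf"))
        raw_pass = "pass" in (rec.findtext("auth_results/dkim/result"),
                              rec.findtext("auth_results/spf/result"))
        verdict = ALIGNED if dmarc_pass else (UNALIGNED if raw_pass else UNAUTH)
        summary["sources"].append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "verdict": verdict,
        })
    total = sum(s["count"] for s in summary["sources"])
    passed = sum(s["count"] for s in summary["sources"] if s["verdict"] == ALIGNED)
    summary["pass_rate"] = round(passed / total, 3) if total else None
    return summary
```

The middle record is the one to act on before enforcement: 192.0.2.7 is authenticating fine, just for sendgrid.net rather than your domain, so it needs a custom DKIM signing domain or return-path at the provider. The last record is the kind of source you want p=reject to stop.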
Step 4.5: Move to enforcement
After 2-4 weeks of clean monitoring:
- Move to quarantine with percentage:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
- Gradually increase percentage (25% → 50% → 100%)
- After quarantine is stable, move to reject:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
DMARC implementation timeline:
| Week | Policy | Percentage | Action |
|---|---|---|---|
| 1-2 | none | 100% | Monitor only |
| 3-4 | quarantine | 25% | Begin enforcement |
| 5-6 | quarantine | 50% | Increase coverage |
| 7-8 | quarantine | 100% | Full quarantine |
| 9+ | reject | 100% | Full protection |
Step 5: Verify Everything
After setup, verify all three protocols are working:
Tools for verification:
- MXToolbox: Comprehensive checks for all protocols
- Mail Tester: Send a test email and get a score
- Google Postmaster Tools: Monitor Gmail-specific authentication
- Your email platform: Most platforms show authentication status
What to check:
- [ ] SPF record is valid and passing
- [ ] DKIM is signing emails
- [ ] DMARC record is published
- [ ] All legitimate senders pass authentication
- [ ] Reports are being received
Troubleshooting Common Issues
SPF Failures
"SPF PermError: Too many DNS lookups"
SPF is limited to 10 DNS lookups per evaluation. Every include:, a, mx, ptr, exists, and redirect= term counts as a lookup (ip4: and ip6: do not), and the records pulled in by include: count their own lookups toward the same limit. Exceeding it is a PermError, which DMARC treats as an SPF failure.
Solutions:
- Flatten your SPF record (convert includes to IP addresses); flattened records go stale when a provider changes its ranges, so re-flatten on a schedule
- Use an SPF flattening service
- Reduce the number of sending services
- Move some services to subdomains with their own SPF
"SPF Fail: Sender IP not authorized"
A server is sending email from your domain but isn't in your SPF record.
Solutions:
- Add the missing service to your SPF record
- Verify you haven't forgotten a legitimate sender
- Check if it's actually unauthorized (spoofing)
DKIM Failures
"DKIM signature not found"
Your email isn't being signed.
Solutions:
- Verify DKIM is enabled in your email provider
- Check that DNS records are correct
- Ensure the selector matches what your provider is using
"DKIM signature doesn't verify"
The signature doesn't match the public key.
Solutions:
- Verify the public key in DNS is correct
- Check for copy/paste errors in the key
- Ensure nothing is modifying the message after signing: mailing lists, gateways that append disclaimers or footers, and some security tools rewrite the body and break the signature
DMARC Failures
"DMARC alignment failure"
SPF or DKIM passed, but the domain doesn't align with the From address.
Solutions:
- Ensure your From address matches the authenticated domain
- Check that third-party services are sending with proper alignment
- Consider using subdomains for different services
Legitimate mail blocked by p=reject
You enforced DMARC before all senders were authenticated.
Solutions:
- Roll back to p=none or p=quarantine
- Identify and fix unauthenticated senders
- Re-enforce gradually with percentage rollout
Cold Email-Specific Considerations
Dedicated Outreach Domains
For cold email, use separate domains from your primary:
- yourcompany-mail.com
- getyourcompany.com
- yourcompany.io
Each outreach domain needs:
- Its own SPF record
- Its own DKIM keys
- Its own DMARC record
Multiple Sending Services
If using multiple cold email tools:
- Include all services in SPF
- Ensure each service has DKIM configured
- Verify alignment for each
Subdomain Strategy
Some teams use subdomains for outreach:
- outreach.yourcompany.com
- sales.yourcompany.com
Subdomain authentication:
- Subdomains do not inherit the parent's SPF record; any subdomain that sends mail (or appears as the Return-Path) needs its own
- DKIM can sign with the parent domain's key (d=yourcompany.com) or a subdomain key; either aligns under relaxed mode
- DMARC is inherited from the organizational domain unless the subdomain publishes its own record; the sp= tag on the parent sets the policy for subdomains (defaulting to p=)
Warmup Considerations
Even with perfect authentication:
- New domains still need warmup
- Authentication is necessary but not sufficient
- Reputation builds over time with positive engagement
Monitoring and Maintenance
Ongoing Monitoring
Weekly checks:
- Review DMARC reports for anomalies
- Check for new unauthorized senders
- Verify authentication pass rates
Monthly checks:
- Audit any new sending services added
- Review SPF record for cleanup opportunities
- Check for DNS record expiration issues
When to Re-Audit
Trigger a full audit when:
- Adding a new email sending service
- Changing email providers
- Experiencing deliverability issues
- Setting up new domains or subdomains
MailBeast Authentication Support
At MailBeast, we handle authentication complexity for you:
Guided Setup: Step-by-step wizards for SPF, DKIM, and DMARC configuration specific to your DNS provider.
Automatic Verification: We check your authentication status continuously and alert you to issues.
DNS Record Generator: Get the exact records you need for your setup, formatted correctly for your DNS provider.
DMARC Monitoring: We parse your DMARC reports and surface actionable insights without requiring you to read XML.
Health Dashboard: See authentication status for all your domains in one view, with clear indicators of what needs attention.
Proper authentication is the foundation of deliverability. We make sure yours is bulletproof.
Key Takeaways
- All three protocols are required. SPF, DKIM, and DMARC work together - you need all of them.
- Start with monitoring. Use p=none before enforcing DMARC.
- Audit all senders. Missing a legitimate sender breaks authentication.
- SPF has limits. Stay under 10 DNS lookups.
- DKIM alignment matters. The signing domain must match your From domain.
- Enforce gradually. Roll out DMARC enforcement with percentage increases.
- Monitor continuously. Authentication issues can develop over time.
Frequently Asked Questions
Do I need all three protocols or just one?
You need all three. SPF and DKIM handle different aspects of authentication, and DMARC tells receivers what to do with the results. Major email providers now require all three for bulk senders.
How long does DNS propagation take?
Typically 15 minutes to 48 hours, depending on your DNS provider and TTL settings; most changes are visible within a few hours. Rather than waiting, query your domain's authoritative nameserver directly with dig or nslookup to confirm the record is published; if it is there, remaining "missing" results are resolver caching that expires with the old TTL.
Can I use the same SPF/DKIM records for subdomains?
SPF records don't automatically apply to subdomains - each subdomain that sends mail needs its own. DKIM can sign with the parent domain's key and still align under relaxed mode. A DMARC record at the parent domain covers subdomains that have no record of their own; use the sp= tag to set the subdomain policy (it defaults to the p= value).
What's the difference between soft fail (~all) and hard fail (-all)?
Soft fail (~all) tells receivers to accept but flag emails failing SPF. Hard fail (-all) tells them to reject. Under DMARC both count as an SPF failure, so the distinction mainly matters to receivers acting on SPF alone. Use soft fail during setup and transition to hard fail once you're confident all senders are covered.
How do I know if my authentication is working?
Use testing tools like MXToolbox or Mail Tester, monitor DMARC reports, check Google Postmaster Tools, and watch your email platform's authentication status. Most platforms show pass/fail rates.
What happens if I skip DMARC?
Without DMARC, even if SPF and DKIM pass, receivers don't know your policy. They'll make their own decisions about failed authentication, which may not align with your intentions. You also won't receive reports about authentication failures.
Last updated: January 2026