MailAdept
Email Authentication Guide

Email Authentication: SPF, DKIM, DMARC, and BIMI Explained

Authentication is the technical foundation of email deliverability. This guide explains how SPF, DKIM, DMARC, and BIMI work, why each one matters, how to set them up correctly, and how to reach full enforcement without breaking legitimate mail.


Why Email Authentication Matters

Authentication is not optional. Every major inbox provider evaluates it before making placement decisions, and since 2024 Google and Yahoo require bulk senders to publish a DMARC policy (p=none satisfies the requirement) and to pass SPF and DKIM with alignment to the From domain.

Inbox placement

Receiving servers use authentication results as a primary signal for spam filtering. Mail that fails SPF and DKIM starts from a deficit before its content is evaluated, and under a DMARC policy of quarantine the receiver is explicitly told to treat it as suspect.

Domain protection

Without a DMARC policy of quarantine or reject, receivers have no instruction to act on mail that fails authentication, so anyone can put your domain in the From header and expect delivery. Enforcement closes that gap and protects your brand from spoofing.

Provider requirements

Google and Yahoo require bulk senders to publish DMARC and to authenticate with SPF and DKIM aligned to the From domain. Sending without it means your mail may be rejected or filtered regardless of content quality.

Sender reputation

Authentication failures are logged in your sending history and contribute to reputation decay over time. Consistent passing builds the trust that improves inbox placement.

The Email Authentication Stack

Four standards, each operating at a different layer. They work together, not as alternatives.

Standard   What it does
SPF        Declares which servers are authorized to send for a domain
DKIM       Signs message headers and body so tampering is detectable
DMARC      Ties SPF and DKIM to the From domain and sets the policy for failures
BIMI       Displays the brand logo in the inbox
SPF

Sender Policy Framework

SPF is a DNS TXT record that lists the servers and services authorized to send email on behalf of your domain. The receiving server takes the domain from the SMTP MAIL FROM (the envelope sender, shown to recipients as Return-Path), not from the visible From header, fetches that domain's SPF record, and checks the connecting IP against it.

Common SPF mechanisms

ip4:      Authorize a specific IPv4 address or range
ip6:      Authorize a specific IPv6 address or range
include:  Evaluate the SPF record of another domain (e.g. a sending service); it matches only if that record returns pass
a:        Authorize the A/AAAA addresses of a domain
mx:       Authorize the addresses of the domain's MX servers
~all      Softfail: unauthorized senders are suspect but usually still accepted
-all      Fail: unauthorized senders may be rejected outright

Example record

v=spf1 include:sendgrid.net include:_spf.google.com ip4:203.0.113.5 -all

Common SPF issues

Multiple SPF records

A domain must publish exactly one TXT record beginning with v=spf1. Two or more make the result permerror, which receivers treat as having no usable SPF at all. Merge all mechanisms into one record.

Exceeding the 10-lookup limit

Every term that requires a DNS query (include:, a:, mx:, ptr:, exists: and the redirect= modifier) counts against a hard limit of 10 per evaluation, and the terms inside each included record count as well; ip4:, ip6: and all do not. Exceeding the limit makes SPF return permerror, which many providers treat as a fail and which never counts as a pass for DMARC.

Missing authorized senders

If a legitimate sending service is missing from the SPF record, its mail fails SPF, and unless the service also DKIM-signs with a domain aligned to your From domain it fails DMARC too. Check which MAIL FROM domain the service actually uses: many use their own bounce domain, in which case your SPF record is never consulted for that mail and alignment has to come from DKIM.

Overly permissive policy

+all returns pass for every sender and ?all returns neutral for every sender; either makes SPF meaningless. Always end with ~all or -all.
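The checks above, as an added example (this is not MailAdept's tooling): a small SPF evaluator that parses a record, counts the DNS-querying terms against the 10-lookup limit, flags the multiple-record and +all/?all mistakes, and tests a sending IP. The domains and TXT data in FAKE_DNS are constructed for the example so it runs offline; a real check would resolve them with live DNS, and the a:, mx:, ptr: and exists: mechanisms are counted but not resolved here.

```python
"""SPF checker against an in-memory DNS table (added example, not MailAdept code).

Parses a v=spf1 record, counts the DNS-querying terms that the 10-lookup
limit of RFC 7208 applies to, flags the mistakes discussed above, and
evaluates a sending IP. The DNS table is constructed for this example;
nothing here queries real DNS.
"""
import ipaddress

# Constructed TXT data: domain -> list of TXT strings (a real check does live lookups).
FAKE_DNS = {
    "example.com": ["v=spf1 include:sendgrid.net include:_spf.google.com ip4:203.0.113.5 -all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"],
    "two-records.example": ["v=spf1 ip4:203.0.113.9 -all", "v=spf1 mx -all"],  # mistake: two records
    "open.example": ["v=spf1 +all"],                                           # mistake: +all
}

# Terms that cost a DNS query; ip4, ip6 and all do not.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's single SPF record; zero or several is a permerror."""
    txts = [t for t in FAKE_DNS.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(txts) != 1:
        raise ValueError(f"{domain}: {len(txts)} SPF records (must be exactly one)")
    return txts[0]


def parse_terms(record):
    """Split a record into (qualifier, name, value) triples, skipping 'v=spf1'."""
    terms = []
    for token in record.split()[1:]:
        qualifier = "+"                      # an omitted qualifier means '+'
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        name, _, value = token.replace("=", ":", 1).partition(":")  # redirect=d uses '='
        terms.append((qualifier, name.lower(), value))
    return terms


def count_lookups(domain, _seen=None):
    """Count DNS-querying terms reachable from the record, following include/redirect."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:                      # an include loop must not recurse forever
        return 0
    _seen.add(domain)
    total = 0
    for _, name, value in parse_terms(spf_record(domain)):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(value, _seen)
    return total


def check_ip(ip, domain):
    """Evaluate a sending IP against the domain's record; returns an SPF result string."""
    addr = ipaddress.ip_address(ip)
    try:
        terms = parse_terms(spf_record(domain))
    except ValueError:
        return "permerror"
    for qualifier, name, value in terms:
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            matched = check_ip(ip, value) == "pass"   # include matches only on a pass
        elif name == "all":
            matched = True
        # a, mx, exists and ptr need live DNS and are not resolved in this offline example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # nothing matched and no 'all' present


def audit(domain):
    """List the setup mistakes described above that apply to the domain."""
    try:
        terms = parse_terms(spf_record(domain))
    except ValueError as exc:
        return [str(exc)]
    if not terms:
        return ["record has no mechanisms"]
    issues = []
    lookups = count_lookups(domain)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    qualifier, name, _ = terms[-1]
    if name == "all" and qualifier in "+?":
        issues.append(f"'{qualifier}all' authorizes every sender; end with ~all or -all")
    elif name != "all":
        issues.append("record does not end with an 'all' mechanism")
    return issues
```

With this data, count_lookups("example.com") is 3 (two includes plus the nested one under _spf.google.com), check_ip("203.0.113.6", "example.com") returns fail because only -all matches, and check_ip against two-records.example returns permerror before any mechanism is evaluated. Note how the include: of a domain ending in ~all never matches for unauthorized IPs: an include only contributes a pass, never a softfail, which is why the outer record's own all term decides the final result.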

DKIM

DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email. Receiving servers use the public key published in your DNS to verify the signature, confirming the message came from an authorized source and was not altered in transit.

How DKIM works

1

Key pair generated

Your sending provider generates a public/private key pair. The private key stays on the sending server; the public key is published in DNS.

2

Message signed

When an email is sent, the sending server canonicalizes the headers listed in the signature's h= tag and the body, hashes the body (the bh= value), and signs the header hash with the private key.

3

Signature added

The signature is added to the email as a DKIM-Signature header.

4

Receiving server verifies

The receiving server looks up the public key in DNS using the domain and selector from the DKIM-Signature header, then verifies the signature.

5

Pass or fail

If the recomputed hashes match and the signature verifies, DKIM passes. If a signed header or the body was modified in transit, if the selector's key was rotated or removed from DNS, or if the published key does not match the one used to sign, DKIM fails.

DKIM best practices

  • Use a 2048-bit key because 1024-bit is considered weak by modern standards
  • Configure DKIM on every domain and subdomain you send from
  • Rotate DKIM keys periodically to limit exposure if a key is compromised
  • Use unique selectors per sending service to make rotation easier
  • Verify DKIM is passing before applying a strict DMARC policy

DNS record format

selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=<public key>"
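Steps 2 and 5 above in code, as an added example (not MailAdept's or any signer's code): the relaxed body canonicalization from RFC 6376, the bh= body hash, parsing of a DKIM-Signature header, and the DNS name a verifier queries for the public key. Checking the b= signature needs the RSA public key and a DNS lookup and is left out; the sample body and header are constructed here, and the selector mail2024 and domain example.com are illustrative.

```python
"""DKIM body canonicalization and bh= check (added example, not MailAdept code).

Implements the 'relaxed' body canonicalization of RFC 6376 section 3.4.4,
computes the bh= body hash, parses a DKIM-Signature header and derives the
DNS name of the public key. Checking the b= signature needs RSA and a live
DNS lookup and is left out; the message and header below are constructed
for this example.
"""
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 relaxed body canonicalization of CRLF-delimited bytes."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)      # collapse runs of whitespace to one SP
        lines.append(line.rstrip(b" \t"))          # drop trailing whitespace on each line
    while lines and lines[-1] == b"":              # remove trailing empty lines
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)  # every remaining line ends in CRLF


def body_hash(body):
    """Base64 SHA-256 of the canonicalized body: the value a signer puts in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_dkim_signature(header_value):
    """Split 'tag=value; tag=value' into a dict, tolerating folded whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)   # b= and bh= are often folded
    return tags


def key_record_name(tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_body_hash(header_value, body):
    """True if bh= matches the body as received; False means the body changed in transit."""
    tags = parse_dkim_signature(header_value)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is implemented here")
    return tags["bh"] == body_hash(body)


# Constructed message body; bh= is computed here because no real signer is available.
SAMPLE_BODY = b"Hi Ana,\r\n\r\nYour invoice total is $100.\r\n\r\nThanks,\r\nBilling\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=(signature bytes omitted in this example)"
)
```

Changing the amount in SAMPLE_BODY makes check_body_hash return False while the header itself is untouched, which is what "modified in transit" means in step 5. Relaxed canonicalization is what lets a message survive the whitespace rewriting that mail servers do on the way; the hash of the empty body, 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=, is the one to look for when a signature claims to cover a body that a downstream gateway has stripped.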
DMARC

Domain-based Message Authentication, Reporting, and Conformance

DMARC ties SPF and DKIM to your From domain and tells receiving servers what to do when they fail. It is the enforcement layer and the one required by Google and Yahoo for bulk senders.

DMARC policy levels

p=none - Monitor only

Use when

Starting out. Collect reports without affecting delivery.

Risk

No protection because anyone can still spoof your domain.

p=quarantine - Move to spam

Use when

After verifying SPF and DKIM are passing for all legitimate senders.

Risk

Legitimate mail can land in spam if not all sending streams are authenticated.

p=reject - Reject the message

Use when

When all legitimate sending is authenticated and reports show no unexplained failures.

Risk

Misconfigured senders will have their mail rejected, invisible to recipients.

DMARC record tags

Tag     Required   Meaning
v=      Required   Must be the first tag, with the value DMARC1
p=      Required   Policy for the domain: none, quarantine or reject
sp=     Optional   Policy for subdomains; inherits p= when absent
rua=    Optional   mailto: address(es) for aggregate (XML) reports
ruf=    Optional   mailto: address(es) for per-message failure reports; few receivers send them
pct=    Optional   Percentage of failing mail the policy is applied to (default 100)
adkim=  Optional   DKIM alignment mode: r (relaxed, default) or s (strict)
aspf=   Optional   SPF alignment mode: r (relaxed, default) or s (strict)

DMARC enforcement roadmap

1

Publish p=none with rua=

Start collecting aggregate reports without affecting delivery. Use a dedicated reporting address or a DMARC report processor.

2

Analyze reports for 2–4 weeks

Identify every sending source appearing in reports. Confirm SPF and DKIM are passing for all legitimate senders.

3

Fix authentication gaps

Add missing senders to SPF. Configure DKIM for any sources that are failing. Resolve alignment issues.

4

Move to p=quarantine

Once all legitimate mail is authenticated and reports are clean, move to quarantine. Monitor for unexpected failures.

5

Move to p=reject

After a clean period at quarantine with no unexplained failures, move to reject. This is full DMARC enforcement.
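Step 2 of the roadmap in code, as an added example (not MailAdept's report processor): a triage of a DMARC aggregate report that separates sources already passing DMARC from sources that authenticate for the wrong domain (the ESP-signs-with-its-own-domain pattern, a legitimate sender to fix in step 3) and sources that authenticate nothing (unknown or spoofed traffic, which enforcement is meant to stop). The XML below is constructed in the RFC 7489 Appendix C layout; the IPs, domains and counts are illustrative.

```python
"""DMARC aggregate (rua) report triage (added example, not MailAdept code).

Reads the XML that receivers send to the rua= address, separates sources
that pass DMARC from sources that authenticate for the wrong domain
(misaligned, usually a legitimate service to fix) and sources that
authenticate nothing (unknown or spoofing). The report below is constructed
for this example in the RFC 7489 Appendix C format.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """One dict per <record>: the aligned (policy_evaluated) and raw (auth_results) outcomes."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        raw = [] if auth is None else [(e.tag, e.findtext("domain"), e.findtext("result")) for e in auth]
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",  # DKIM passed AND aligned
            "spf_aligned": evaluated.findtext("spf") == "pass",    # SPF passed AND aligned
            "raw": raw,
        })
    return rows


def classify(row):
    """dmarc-pass, misaligned (passes for another domain) or unauthenticated."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "dmarc-pass"
    if any(result == "pass" for _, _, result in row["raw"]):
        return "misaligned"
    return "unauthenticated"


def summarize(xml_text):
    """Messages and source IPs per class; the input for the 'fix gaps' step."""
    summary = {c: {"messages": 0, "sources": []} for c in ("dmarc-pass", "misaligned", "unauthenticated")}
    for row in parse_report(xml_text):
        bucket = summary[classify(row)]
        bucket["messages"] += row["count"]
        bucket["sources"].append(row["ip"])
    return summary


def failure_rate(xml_text):
    """Fraction of reported messages that would be acted on under quarantine or reject."""
    summary = summarize(xml_text)
    total = sum(b["messages"] for b in summary.values())
    return (total - summary["dmarc-pass"]["messages"]) / total if total else 0.0
```

The distinction between policy_evaluated and auth_results is the whole point of reading these reports: 198.51.100.7 above passes both SPF and DKIM raw, yet fails DMARC because esp.net and bounce.esp.net do not align with example.com. Adding that service to SPF would change nothing; the fix is a custom DKIM key under your domain (and, optionally, a custom return-path). 192.0.2.99 passes nothing; if it is not one of your systems, it is exactly the traffic p=reject will stop, and if it is, it needs authentication before you move off p=none.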


DMARC Alignment Explained

Authentication and alignment are different things. SPF is evaluated on the domain in the SMTP MAIL FROM (the Return-Path) and DKIM on the d= domain in the signature; DMARC passes only if at least one of them passes and its domain aligns with the From header domain. In relaxed alignment (the default) the two domains need only share an organizational domain, so news.yourdomain.com aligns with yourdomain.com; in strict alignment (adkim=s or aspf=s) they must be identical.

Scenario                                     DMARC result
SPF passes, DKIM passes, both aligned        pass
SPF passes, DKIM passes, neither aligned     fail
SPF fails, DKIM passes and aligned           pass
SPF passes and aligned, DKIM fails           pass
SPF fails, DKIM fails                        fail
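The DMARC record tags, the alignment table and the policy levels, worked through as an added example (not MailAdept's code and not a receiver's actual implementation): a parser that applies the RFC 7489 defaults, the relaxed/strict alignment test, the pass/fail decision, and the disposition a receiver applies including sp= inheritance and pct= sampling. The organizational-domain rule uses a constructed four-entry stand-in for the Public Suffix List; the domains in the tests are illustrative. It also includes bimi_ready(), which checks the DMARC conditions listed under the BIMI requirements further down.

```python
"""DMARC record parsing, alignment and disposition (added example, not MailAdept code).

Parses a DMARC TXT record with RFC 7489 defaults, decides whether the SPF
identifier (the MAIL FROM domain) and the DKIM identifier (the d= domain)
align with the From header domain in relaxed or strict mode, and returns
the disposition a receiver applies. The organizational-domain rule uses a
tiny constructed stand-in for the Public Suffix List.
"""

# Constructed stand-in for the Public Suffix List; receivers use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
VALID_POLICIES = ("none", "quarantine", "reject")


def org_domain(domain):
    """Organizational domain: public suffix plus one label (mail.example.co.uk -> example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict, applying the RFC 7489 defaults."""
    parts = [p.strip() for p in record.split(";")]
    if parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("the record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])     # subdomains inherit p= unless sp= is given
    tags.setdefault("adkim", "r")        # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", 100))
    return tags


def is_valid_dmarc(record):
    """True if the record parses; a malformed record means no DMARC policy at all."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def aligned(from_domain, auth_domain, mode):
    """Strict (s): identical domains. Relaxed (r): same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(policy, from_domain, spf_result, mail_from_domain, dkim_result, dkim_d):
    """'pass' if at least one of SPF or DKIM both passes and aligns with the From domain."""
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, policy["adkim"])
    return "pass" if spf_ok or dkim_ok else "fail"


def disposition(policy, from_domain, result, sampled_in=True):
    """Action for a failing message: p= on the organizational domain, sp= on subdomains.
    pct= applies the policy to a sample; a message outside the sample gets the next
    weaker action (reject -> quarantine, quarantine -> none), as RFC 7489 describes."""
    if result == "pass":
        return "none"
    action = policy["p"] if from_domain.lower() == org_domain(from_domain) else policy["sp"]
    if not sampled_in:
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return action


def bimi_ready(policy):
    """BIMI needs enforcement: p=quarantine or reject, pct=100, and sp= not none."""
    return policy["p"] != "none" and policy["pct"] == 100 and policy["sp"] != "none"
```

Two things the table cannot show fall out of the code: a record with p=reject but sp=none leaves every subdomain spoofable (disposition returns none for news.example.com), and a DKIM signature with d=news.example.com aligns with a From of example.com under the default relaxed mode but fails under adkim=s. Both are worth checking before assuming that "p=reject" means full enforcement.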
BIMI

Brand Indicators for Message Identification

BIMI is an optional standard that displays your brand logo in the inbox before the email is opened. It builds on DMARC enforcement, and Gmail displays the logo only when the domain also publishes a Verified Mark Certificate (VMC) tying the logo to your trademark; other providers' certificate requirements vary.

Requirements

  • DMARC at p=quarantine or p=reject (p=none is not sufficient), with pct=100 or no pct tag, and sp= not set to none on the organizational domain
  • A Verified Mark Certificate (VMC) from an authorized certificate authority, required by Gmail for logo display; other providers vary
  • A square SVG logo in the SVG Tiny Portable/Secure (SVG P/S) profile the BIMI specification requires
  • The SVG hosted at a public, stable HTTPS URL
  • A BIMI TXT record published at default._bimi.yourdomain.com (default is the selector)

Benefits

  • Brand logo displayed in the inbox before the email is opened
  • Visible trust signal that increases open rates
  • Requires enforcement-level DMARC so it also signals strong authentication
  • Differentiates your brand in crowded inboxes

DNS record format

default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem"

Common Authentication Mistakes

Configuring authentication on the main domain only

SPF is evaluated on the MAIL FROM domain, so every domain or subdomain that appears there (mail.yourdomain.com, outreach.yourdomain.com, yourdomain.com) needs its own SPF record, and every From domain needs a DKIM key that aligns with it. DMARC is inherited: a record on yourdomain.com covers its subdomains through the sp= tag unless a subdomain publishes its own record, so check that sp= is not weaker than p= and that no subdomain record quietly relaxes the policy.

Moving to p=reject too quickly

Skipping the p=none monitoring phase means you have no visibility into which sending streams might fail. A premature p=reject causes legitimate mail to be rejected at the receiving server; recipients never see it, and the bounce goes to the envelope sender, which for many services is not you.

Not setting up rua= reporting

Without aggregate report addresses, you have no data about what's passing and failing under your DMARC policy. Reports are essential so configure them from day one.

SPF with too many DNS lookups

The 10-lookup limit is strict. Every include: that references another record with its own includes compounds fast. Audit your SPF record for lookup count before publishing it.

Weak DKIM key length

1024-bit DKIM keys are considered weak. Use 2048-bit keys. Many older ESP configurations still default to 1024, so verify what your provider is generating.

Ignoring DKIM alignment

DKIM can pass technically but still fail DMARC alignment if the d= domain in the DKIM signature doesn't align with the From header domain. This is the usual failure with third-party services that sign with their own domain by default; switch them to a custom DKIM key (a selector under your own domain). Pass isn't enough because alignment is required.


Get Your Authentication Setup Right

Missing or misconfigured SPF, DKIM, or DMARC is the most common root cause of deliverability problems and the easiest to fix with the right audit.

MailAdept reviews your full authentication stack, identifies alignment gaps, and builds the fix plan with you.