What do SPF, DKIM, and DMARC each prove?
SPF (Sender Policy Framework) is a DNS record listing the servers allowed to send mail for your domain; receivers check the connecting server against it. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message, validated against a public key in your DNS — proof the content was not altered in transit. DMARC (defined in RFC 7489) sits on top: it tells receivers what to do when neither check passes for the visible From domain — monitor, quarantine, or reject — and sends you reports about who is sending as you.
How does DMARC alignment work?
A message can pass SPF and DKIM and still fail DMARC. Alignment is the missing piece: the domain in the visible From header must match the domain that passed SPF (the Return-Path) or the DKIM signing domain (the d= tag). In relaxed mode a subdomain match counts; in strict mode the domains must be identical. Alignment is what actually stops spoofing — without it, a spammer could pass SPF on their own domain while displaying yours.
What do Gmail and Yahoo require from bulk senders?
Since February 2024, Google's email sender guidelines require every sender to publish SPF or DKIM, and anyone sending 5,000 or more messages a day to Gmail accounts to have all three: SPF, DKIM, and a DMARC policy (p=none is enough to start), with an aligned From domain. Yahoo enforces matching rules. Miss them and mail gets rejected or throttled regardless of content. For a small team this is an afternoon of DNS records — do it before you need the volume.
Does authentication guarantee inbox placement?
No. Authentication proves who sent the message, not whether anyone wants it — spammers publish perfect SPF records too. Inbox placement also depends on sender reputation, engagement, list hygiene, and how you handle bounces and your suppression list. Treat SPF, DKIM, and DMARC as the entry ticket, then work on the rest — our guide to email deliverability for startups covers warmup, reputation, and monitoring.