Skip to content
Learn · Glossary

Email authentication

Email authentication is the set of DNS-based standards — SPF, DKIM, and DMARC — that lets receiving mail servers verify a message was really sent by the domain it claims. SPF authorizes sending servers, DKIM signs message content, and DMARC tells receivers what to do when both checks fail. It proves identity; it does not guarantee inbox placement.

Updated 8 Jul 20263 min readBy fromHello
Key takeaways
  • SPF, DKIM, and DMARC prove different things: SPF authorizes sending servers, DKIM signs content, DMARC enforces alignment between the two and the visible From address.
  • Google's sender guidelines require SPF, DKIM, and a DMARC policy from anyone sending 5,000+ daily messages to Gmail accounts; Yahoo enforces similar rules.
  • Authentication proves identity, not quality — a fully authenticated message can still land in spam.

What do SPF, DKIM, and DMARC each prove?

SPF (Sender Policy Framework) is a DNS record listing the servers allowed to send mail for your domain; receivers check the connecting server against it. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message, validated against a public key in your DNS — proof the content was not altered in transit. DMARC (defined in RFC 7489) sits on top: it tells receivers what to do when neither check passes for the visible From domain — monitor, quarantine, or reject — and sends you reports about who is sending as you.

Email authentication and the three DNS standards that implement it.

How does DMARC alignment work?

A message can pass SPF and DKIM and still fail DMARC. Alignment is the missing piece: the domain in the visible From header must match the domain that passed SPF (the Return-Path) or the DKIM signing domain (the d= tag). In relaxed mode a subdomain match counts; in strict mode the domains must be identical. Alignment is what actually stops spoofing — without it, a spammer could pass SPF on their own domain while displaying yours.

What do Gmail and Yahoo require from bulk senders?

Since February 2024, Google's email sender guidelines require every sender to publish SPF or DKIM, and anyone sending 5,000 or more messages a day to Gmail accounts to have all three: SPF, DKIM, and a DMARC policy (p=none is enough to start), with an aligned From domain. Yahoo enforces matching rules. Miss them and mail gets rejected or throttled regardless of content. For a small team this is an afternoon of DNS records — do it before you need the volume.

Does authentication guarantee inbox placement?

No. Authentication proves who sent the message, not whether anyone wants it — spammers publish perfect SPF records too. Inbox placement also depends on sender reputation, engagement, list hygiene, and how you handle bounces and your suppression list. Treat SPF, DKIM, and DMARC as the entry ticket, then work on the rest — our guide to email deliverability for startups covers warmup, reputation, and monitoring.

FAQ

Common questions

  • What is the difference between SPF and DKIM?

    SPF validates the server that delivered the message against a list in your DNS; it breaks when mail is forwarded. DKIM signs the message itself, so the signature survives forwarding and proves the content was not modified. They fail in different ways, which is why receivers — and DMARC — want both.

  • Do I need DMARC if I already have SPF and DKIM?

    Yes, for two reasons. Without DMARC, alignment is not enforced, so a message can pass SPF or DKIM on an unrelated domain while displaying yours. And Gmail and Yahoo require a DMARC policy from bulk senders, so skipping it caps your sending volume.

  • Will SPF, DKIM, and DMARC stop my email going to spam?

    Not by themselves. They remove one reason to filter you — unverifiable identity — but placement still depends on reputation, engagement, and list quality. Fully authenticated mail lands in spam every day.

  • What DMARC policy should a startup start with?

    Start at p=none with a rua reporting address, watch the reports until every legitimate source passes with alignment, then move to p=quarantine and eventually p=reject. Jumping straight to reject is how teams lose their own transactional mail.

See the platform the team runs.

Related guides
Early access

Put your growth teamon autopilot.

Early access opens gradually, so the team tunes to real use cases. Small teams with big ambitions go first.

500+ already on the list

Not ready to share an email? It's open source. Run it yourself today. View on GitHub

No spam. One email when your spot opens. Unsubscribe at any time.