Email authentication is the foundation of deliverability. Without it, receiving mail servers have no reliable way to verify your mail is legitimate, and reputation-based filtering will treat your messages with suspicion. SPF, DKIM, and DMARC are the three DNS-based mechanisms that solve this.
SPF: who can send from your domain
SPF (Sender Policy Framework) is a TXT record that lists the IP addresses and services authorized to send mail on behalf of your domain.
| |
Key rules:
- Use
~all(soft fail) while testing, then switch to-all(hard fail) once validated - Include every sending service your domain uses — ESPs, CRMs, marketing tools
- Avoid exceeding 10 DNS lookups (SPF has a hard lookup limit)
DKIM: signing messages with a cryptographic key
DKIM (DomainKeys Identified Mail) attaches a signature to each outgoing message. Receivers verify the signature using a public key published in your DNS.
Your sending provider generates the key pair. You publish the public key as a TXT record at a selector subdomain:
| |
Recommendations:
- Use a 2048-bit RSA key
- Rotate keys annually
- Use a dedicated selector per sending service so rotation does not affect all services at once
DMARC: enforcement and reporting
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do when a message fails SPF or DKIM and where to send reports.
| |
Start with p=none so failures are reported but not acted on. Once your reports show consistent alignment, move to p=quarantine (failed mail goes to spam), then p=reject (failed mail is dropped).
DMARC alignment explained
DMARC alignment is the detail most guides skip. For a message to pass DMARC, either:
- the SPF-authenticated domain must match the
From:domain (SPF alignment), or - the DKIM-signing domain must match the
From:domain (DKIM alignment)
If you send through a third-party ESP using their sending infrastructure, check whether they sign with your domain or their own. Only signing with your domain passes DMARC.
How to verify your setup
Use a tool like dig to check your published records:
| |
Send a test message and review the Authentication-Results header in the delivered mail. You should see spf=pass, dkim=pass, and dmarc=pass.
What to do when alignment fails
Common causes:
- The From domain and DKIM signing domain do not match
- SPF record is missing the ESP’s include
- DKIM selector is pointing to the wrong key
- TXT record has formatting errors (trailing spaces, broken quotes)
Check each layer in isolation before assuming the issue is systemic.
Related reading:
- Transactional Email Deliverability: How to Improve Inbox Placement — the broader deliverability picture beyond authentication: bounce handling, suppression lists, separating transactional and marketing streams, and troubleshooting Gmail and Outlook inbox placement issues
- SaaS Infrastructure: Email Delivery, Event Tracking, and Webhooks — how SPF, DKIM, and DMARC fit into the full production email infrastructure, alongside delivery confirmation, bounces, and sending reputation management
Devicode Team
Written by the team that builds and uses these products — practitioners who run into these problems in real workflows, not just analysts describing them from the outside.