
Every Email Authentication Method Explained (SPF, DKIM, DMARC & Beyond)
Email authentication is the foundation of deliverability. It tells inbox providers like Gmail, Outlook, and Yahoo whether your email is legitimate, trusted, and safe to deliver. Without proper authentication, your emails will be filtered, quarantined, or rejected regardless of content quality.
Most people stop at SPF, DKIM, and DMARC. But modern email security goes much deeper. There is an entire ecosystem of protocols that control how your email is verified, encrypted, branded, and validated in transit. Every method you implement correctly removes another reason for inbox providers to treat your mail as suspicious.
This guide covers every major email authentication method in detail, with DNS record examples, configuration specifics, and practical implementation guidance.
Authentication Quick Reference
| # | Method | What It Does | Required |
|---|---|---|---|
| 1 | SPF | Lists which IPs can send for your domain | Yes |
| 2 | DKIM | Cryptographically signs your email | Yes |
| 3 | DMARC | Enforces SPF and DKIM results | Yes |
| 4 | ARC | Preserves auth results through forwarding | Recommended |
| 5 | BIMI | Displays brand logo in inbox | Optional |
| 6 | MTA-STS | Forces TLS encryption for inbound mail | Recommended |
| 7 | TLS-RPT | Reports TLS connection failures | With MTA-STS |
| 8 | rDNS | Maps IP back to domain name | Expected |
| 9 | PTR | DNS record for reverse lookups | Expected |
| 10 | HELO / EHLO | SMTP server greeting identity | Expected |
| 11 | DANE | Binds TLS certs to domain via DNSSEC | Optional |
The Core Authentication Layer
These three methods are non-negotiable. Without them, deliverability collapses. Every inbox provider checks these before deciding whether to accept or reject your mail.
1. SPF (Sender Policy Framework)
SPF tells receiving servers which IP addresses are allowed to send email on behalf of your domain. It is published as a DNS TXT record and checked by the receiving server at connection time.
How SPF Works
When a receiving mail server gets an incoming connection claiming to be from your domain, it looks up your SPF record, extracts the list of authorised IPs and mechanisms, and checks whether the connecting IP matches any of them. The result determines whether the email passes or fails SPF.
SPF DNS Record Structure
v=spf1 ip4:203.0.113.1 include:_spf.google.com ~all
Each SPF record starts with v=spf1 followed by mechanisms and ends with a catch-all qualifier.
SPF Mechanisms
| Mechanism | What It Does | Example |
|---|---|---|
ip4 |
Authorises a specific IPv4 address or range | ip4:203.0.113.1 |
ip6 |
Authorises a specific IPv6 address or range | ip6:2001:db8::/32 |
include |
Includes another domain's SPF policy | include:_spf.google.com |
a |
Authorises the domain's A record IPs | a:mail.yourdomain.com |
mx |
Authorises the domain's MX server IPs | mx |
exists |
Authorises based on a DNS lookup result | exists:%{i}._yourdomain.com |
SPF Qualifiers
| Qualifier | Meaning |
|---|---|
+ |
Pass (default, can be omitted) |
- |
Fail (hard fail, reject) |
~ |
Soft fail (mark as suspicious) |
? |
Neutral (no opinion) |
Practical SPF Record Examples
Small business using Google Workspace:
v=spf1 include:_spf.google.com ~all
Using Google Workspace plus Mailchimp:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Full control with specific IPs:
v=spf1 ip4:203.0.113.1 ip4:203.0.113.2 include:_spf.google.com -all
SPF Limitations
SPF breaks when emails are forwarded. When a message is forwarded, the forwarding server connects to the destination, but the forwarding server is not in the original domain's SPF record. The check fails even though the email is legitimate. SPF also has a 10-lookup limit. Each include, a, mx, and exists mechanism counts as one lookup. Exceeding this limit causes the SPF check to return a permanent error.
| Constraint | Limit |
|---|---|
| DNS lookups per SPF check | 10 maximum |
| DNS TXT record size | 512 bytes (2550 with SPF extension) |
| Void lookups (non-existent domains) | 2 maximum |
2. DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. The receiving server retrieves your public key from DNS and verifies that the message was signed by the corresponding private key and has not been modified in transit.
How DKIM Works
When you send an email, your outgoing mail server signs the message headers and body using a private key. The signature is inserted as a DKIM-Signature header. The receiving server extracts the selector and domain from this header, fetches the public key from DNS, and verifies the signature.
DKIM DNS Record Structure
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
| Component | What It Is |
|---|---|
default |
The selector name (identifies which key pair was used) |
_domainkey |
Required prefix for DKIM records |
yourdomain.com |
The signing domain (d= in the signature) |
v=DKIM1 |
Version identifier |
k=rsa |
Key algorithm (rsa or ed25519) |
p= |
The public key (base64 encoded) |
DKIM Selectors
Selectors allow you to have multiple DKIM keys for the same domain. Each ESP or sending service uses a different selector, and you can rotate keys by publishing a new selector before switching to it.
| Use Case | Selector Name |
|---|---|
| Google Workspace | google._domainkey |
| Mailchimp | k1._domainkey.mcsv.net (on mcsv.net domain) |
| Custom key | s1._domainkey |
DKIM Key Rotation
Keys should be rotated periodically. The process is:
- Generate a new key pair and publish the public key using a new selector (s2)
- Update your sending server to sign with s2
- Leave s1 published for several days to handle in-transit messages
- Remove s1 once all delayed messages have been delivered
DKIM Canonicalization
DKIM allows you to choose how strictly headers and body content are canonicalized before signing.
| Algorithm | Header Treatment | Body Treatment |
|---|---|---|
| simple/simple | Strict, no modifications allowed | Strict, no modifications allowed |
| relaxed/simple | Headers can be whitespace-normalized | Body must be exact |
| relaxed/relaxed | Both headers and body can be whitespace-normalized | Most tolerant |
| simple/relaxed | Headers must be exact | Body can be whitespace-normalized |
Most senders use relaxed/simple or relaxed/relaxed. The simple/simple option is too strict for most production environments where mailing lists or security gateways may add headers.
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC connects SPF and DKIM under a single policy. It tells inbox providers what to do when authentication checks fail and provides reporting so you can see who is sending email on your behalf.
DMARC DNS Record Structure
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
| Tag | Meaning | Example |
|---|---|---|
v |
Version | v=DMARC1 |
p |
Policy | p=none, p=quarantine, p=reject |
sp |
Subdomain policy | sp=none (optional, defaults to p) |
rua |
Aggregate report URI | rua=mailto:dmarc@yourdomain.com |
ruf |
Forensic report URI | ruf=mailto:forensic@yourdomain.com |
pct |
Percentage of mail to filter | pct=100 |
adkim |
DKIM alignment mode | adkim=r (relaxed) or adkim=s (strict) |
aspf |
SPF alignment mode | aspf=r (relaxed) or aspf=s (strict) |
fo |
Forensic reporting options | fo=1 |
DMARC Policies
| Policy | What Happens | When to Use |
|---|---|---|
| p=none | No action taken, monitoring only | Initial deployment, identifying senders |
| p=quarantine | Failed mail sent to spam | After monitoring phase |
| p=reject | Failed mail blocked entirely | Once all legitimate senders pass |
DMARC Alignment
DMARC checks that the domain in the From header matches the domains used in SPF and DKIM. This is called alignment.
| Mode | DKIM Alignment | SPF Alignment |
|---|---|---|
| Relaxed (r) | d=domain can be a subdomain of the From domain | Return-path domain can be a subdomain of the From domain |
| Strict (s) | d=domain must exactly match the From domain | Return-path domain must exactly match the From domain |
If neither DKIM nor SPF passes alignment, DMARC fails.
DMARC Reporting
Aggregate reports (RUA) arrive as XML attachments in daily or weekly summaries showing how many emails passed or failed DMARC from each source IP. Forensic reports (RUF) contain copies of failed messages and include individual failure details.
Recommended DMARC Deployment Path
- Publish
p=nonewith RUA reporting - Monitor reports for 2 to 4 weeks to identify every legitimate sending source
- Add any missing SPF includes or DKIM signers discovered during monitoring
- Move to
p=quarantinefor 2 to 4 weeks - Move to
p=rejectonce complaint monitoring confirms no legitimate mail is being blocked
The Extended Authentication and Trust Layer
These systems improve deliverability, branding, and transport security. Not all are required, but implementing them signals higher trust to inbox providers.
| Method | Purpose | Adoption Level |
|---|---|---|
| ARC | Preserves auth results through forwarding | Moderate |
| BIMI | Displays verified brand logo in inbox | Growing |
| MTA-STS | Enforces TLS for inbound mail | Moderate |
| TLS-RPT | Reports TLS connection failures | Growing with MTA-STS |
| rDNS and PTR | Validates sending server identity | Expected by major providers |
| HELO / EHLO | Identifies server during SMTP handshake | Expected |
| DANE | Binds TLS certs to domain via DNSSEC | Low |
4. ARC (Authenticated Received Chain)
ARC preserves authentication results when emails pass through multiple servers. Forwarding breaks SPF because the forwarding server is not listed in the original sender's SPF record. If the forwarding server modifies the message in any way, it may also break DKIM. ARC fixes this by sealing the original authentication results.
How ARC Works
Each server that handles the email can add an ARC seal. The seal contains the authentication results at that point. When the final destination server receives the email, it can see the complete chain of authentication results from every server the email passed through.
| ARC Header | Purpose |
|---|---|
| ARC-Seal | Cryptographic seal of the ARC set |
| ARC-Message-Signature | DKIM-style signature of the message |
| ARC-Authentication-Results | The authentication results at this hop |
When ARC Matters
- Mailing lists that forward subscriber emails
- Corporate email forwarded from internal to external addresses
- Security or filtering gateways that process email before delivery
- Email forwarding services that redirect mail to consolidated inboxes
ARC is implemented on the mail server or gateway, not in DNS. If you send through a major ESP, they likely handle ARC on your behalf.
5. BIMI (Brand Indicators for Message Identification)
BIMI allows verified brands to display their logo next to their emails in supported inboxes. When a subscriber sees your logo in their inbox preview, they immediately recognise the email as legitimate.
BIMI Requirements
- DMARC policy set to p=quarantine or p=reject
- A Verified Mark Certificate (VMC) from an approved certificate authority
- Your brand logo in SVG Tiny 1.2 format
- A BIMI DNS record pointing to the logo
BIMI DNS Record Structure
default._bimi.yourdomain.com TXT "v=BIMI1; l=https://cdn.yourdomain.com/logo.svg; a=https://cdn.yourdomain.com/vmc.pem"
| Component | Purpose |
|---|---|
v=BIMI1 |
Version identifier |
l= |
URL to the SVG logo file |
a= |
URL to the Verified Mark Certificate |
Benefits of BIMI
- Increases brand recognition at the point-of-open decision in the inbox
- Improves subscriber trust and click-through rates
- Reduces the effectiveness of phishing attacks against your domain
- Provides a visible return on investment for your DMARC implementation
Current BIMI Support
| Provider | Support Status |
|---|---|
| Gmail | Supported |
| Yahoo | Supported |
| Apple Mail | Supported (limited) |
| Outlook | Partial |
| Other providers | Limited or planned |
6. MTA-STS (Mail Transfer Agent Strict Transport Security)
MTA-STS forces encrypted TLS connections between mail servers. Without it, email can fall back to unencrypted plain text transmission if the initial TLS negotiation fails. This fallback is a security vulnerability because an attacker can force the connection to downgrade and intercept the message.
How MTA-STS Works
MTA-STS requires two things: a policy file hosted on your web server and a DNS record that signals MTA-STS is in use.
MTA-STS Policy File
Published at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mx1.yourdomain.com
mx: mx2.yourdomain.com
max_age: 86400
| Field | Meaning |
|---|---|
mode |
enforce (reject if TLS fails), testing (log but deliver), none (disable) |
mx |
List of authorised MX hosts that must support TLS |
max_age |
How long the policy is valid in seconds |
MTA-STS DNS Record
_mta-sts.yourdomain.com TXT "v=STSv1; id=2026070101;"
| Component | Purpose |
|---|---|
v=STSv1 |
Version identifier |
id= |
Policy identifier (change when policy updates) |
Deployment Recommendation
Start with mode: testing for several weeks to identify any delivery issues, then switch to mode: enforce once you confirm all legitimate mail servers support TLS.
7. TLS-RPT (TLS Reporting)
TLS-RPT works alongside MTA-STS and provides visibility into TLS connection failures. When a sending server cannot establish a TLS connection to your domain, TLS-RPT generates a report explaining the failure.
TLS-RPT DNS Record
_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"
| Component | Purpose |
|---|---|
v=TLSRPTv1 |
Version identifier |
rua= |
URI where TLS reports should be sent |
TLS-RPT Reports Contain
- How many connections succeeded or failed TLS
- The specific failure reason for each failed connection
- The sending IP and domain for each reportable event
- Timestamps and duration of TLS negotiation attempts
Without TLS-RPT, you would never know that legitimate senders are failing to reach your mail servers because of TLS issues.
8. Reverse DNS (rDNS)
Reverse DNS maps an IP address back to a domain name. While forward DNS translates domain names into IP addresses, reverse DNS does the opposite. Inbox providers query reverse DNS for every connecting IP to verify that the sending server is who it claims to be.
How rDNS Is Checked
When a mail server connects, the receiving server performs a reverse lookup on the connecting IP. It then compares the returned hostname to the HELO name sent by the connecting server. If they do not match, or if no reverse record exists, the receiving server treats the connection with suspicion.
Why rDNS Matters
- Major inbox providers including Gmail and Outlook expect valid rDNS for all sending IPs
- Missing or mismatched rDNS is a common spam filter trigger
- Reverse DNS confirms the sending server is associated with your domain
9. PTR Records
PTR records are the DNS entries that enable reverse DNS lookups. A PTR record maps an IP address to a hostname. Unlike forward DNS where you control your own domain, PTR records are typically managed by whoever owns the IP address block, often your hosting provider or ISP.
PTR Record Format
203.0.113.1 PTR mail.yourdomain.com
PTR Impact on Deliverability
| PTR Configuration | Provider Perception | Action Needed |
|---|---|---|
| Matches sending domain exactly | Positive signal | Ideal configuration |
| Matches a verified subdomain | Neutral to positive | Acceptable |
| Generic hosting hostname | Negative | Request PTR update from hosting provider |
| Missing entirely | Strong negative | Request PTR creation from IP owner |
| No reverse DNS at all | Likely blocked | Immediate action needed |
How to Fix PTR Issues
PTR records are controlled by the owner of the IP address. If your hosting provider assigns you a shared or pooled IP, they control the PTR record. Request a PTR update that reflects your sending domain or a dedicated IP address where you control the reverse DNS.
10. HELO and EHLO (SMTP Greeting)
HELO and EHLO are the first commands a mail server sends when connecting to another server. They identify the sending server by hostname. EHLO is the extended version of HELO that announces support for additional SMTP features.
HELO/EHLO Requirements
- Must match a valid domain you control
- Should resolve via forward DNS to the connecting IP
- Should not be a generic hosting provider hostname
- Must be consistent across all your sending servers
HELO Configuration Examples
| HELO Hostname | Likely Impact |
|---|---|
mail.yourdomain.com |
Positive, matches your domain |
smtp.yourdomain.com |
Positive, matches your domain |
server123.hostingprovider.net |
Negative, generic hostname |
| No HELO or malformed HELO | Strong negative |
HELO Validation Checks
Receiving servers perform these checks on your HELO:
- Is the hostname syntactically valid
- Does the hostname have an A or AAAA record
- Does the hostname match the PTR record of the connecting IP
- Is the hostname a known generic name used by spammers
A HELO that fails these checks is a deliverability red flag that can contribute to spam filtering.
11. DANE (DNS-based Authentication of Named Entities)
DANE uses DNSSEC to bind TLS certificates to domain names. It prevents attackers from using forged or compromised certificate authority certificates to intercept email traffic. While MTA-STS relies on the web PKI (public key infrastructure), DANE provides stronger guarantees by anchoring trust in DNS rather than in certificate authorities.
DANE DNS Record (TLSA Record)
_25._tcp.mail.yourdomain.com TLSA 3 1 1 abcdef1234567890...
| Component | Meaning |
|---|---|
_25 |
Port number for SMTP |
_tcp |
Transport protocol |
3 |
Certificate usage (3 means DANE-TA, trust anchor) |
1 |
Selector (1 means public key) |
1 |
Matching type (1 means SHA-256 hash) |
| Remaining | The certificate hash |
TLSA Certificate Usage Fields
| Usage | Meaning |
|---|---|
| 0 | CA constraint (certificate must chain to this CA) |
| 1 | Service certificate constraint (exact cert match) |
| 2 | Trust anchor assertion (pin a specific CA) |
| 3 | Domain-issued certificate (self-signed is acceptable) |
DANE Requirements
- DNSSEC must be deployed on your domain
- A TLSA record must be published for each MX host
- Your mail server must present a matching certificate during TLS negotiation
Why DANE Adoption Is Low
| Barrier | Explanation |
|---|---|
| DNSSEC required | Many domains have not deployed DNSSEC |
| Limited provider support | Not all receiving servers validate DANE |
| Complex configuration | TLSA record format is unfamiliar to many administrators |
| Migration difficulty | Switching to DANE requires coordination across teams |
How These Systems Work Together
Email authentication is layered, not isolated. Each method addresses a different part of the delivery chain.
| Layer | Systems | What It Verifies |
|---|---|---|
| Source identity | SPF | The sending server is authorised |
| Message integrity | DKIM | The message has not been altered |
| Policy enforcement | DMARC | What to do if authentication fails |
| Forwarding trust | ARC | Auth results preserved through relays |
| Visual trust | BIMI | Brand logo displayed in inbox |
| Transport security | MTA-STS, DANE | TLS is required and verified |
| Transport visibility | TLS-RPT | Reports on encryption failures |
| Server identity | rDNS, PTR, HELO | The server hostname is legitimate |
No single system is enough. Inbox providers evaluate the full stack. Every method you implement correctly removes another reason for filtering.
Authentication Deployment Priority
| Priority | Method | Timeline |
|---|---|---|
| 1 | SPF | Immediate |
| 2 | DKIM | Immediate |
| 3 | DMARC (p=none) | First week |
| 4 | rDNS and PTR | First week |
| 5 | HELO configuration | First week |
| 6 | DMARC (p=quarantine) | After 2-4 weeks monitoring |
| 7 | DMARC (p=reject) | After confirming all senders pass |
| 8 | MTA-STS (testing) | After DMARC is enforced |
| 9 | MTA-STS (enforce) | After testing phase |
| 10 | TLS-RPT | With MTA-STS |
| 11 | ARC | If forwarding is used |
| 12 | BIMI | After DMARC enforcement |
| 13 | DANE | If DNSSEC is available |
Common Misconfigurations
| Issue | Impact | How to Fix |
|---|---|---|
| SPF too permissive (+all) | Weak protection against spoofing | List only authorised senders, end with -all |
| SPF exceeding 10 lookups | Permanent SPF error | Consolidate includes, eliminate unused mechanisms |
| DKIM not aligned with From domain | DMARC fails despite valid DKIM | Ensure DKIM domain matches From domain |
| Missing DMARC policy | No enforcement, no visibility | Start with p=none and RUA reporting |
| DMARC p=reject before ready | Legitimate mail may be blocked | Monitor reports fully before enforcing reject |
| Generic or missing rDNS | Higher spam filtering risk | Request PTR update from IP owner |
| Incorrect HELO hostname | Trust downgrade from providers | Use a domain you control that resolves forward |
| No TLS enforcement | Unencrypted delivery possible | Add MTA-STS policy and TLS-RPT reporting |
| BIMI without DMARC enforcement | BIMI will not activate | Set DMARC to p=quarantine or p=reject first |
| DANE with broken DNSSEC | Delivery failures | Verify DNSSEC chain before adding TLSA records |
Most deliverability issues come from misconfiguration, not missing tools.
Final Thoughts
Email authentication is no longer just about SPF, DKIM, and DMARC. It is a full ecosystem of identity, trust, encryption, and transport validation systems. Every method you implement correctly removes another reason for inbox providers to filter your mail.
If you want consistent inbox placement, think in layers:
- Identity through SPF, DKIM, and DMARC
- Forwarding protection through ARC
- Brand trust through BIMI
- Encryption through MTA-STS, TLS-RPT, and DANE
- Infrastructure trust through rDNS, PTR, and HELO
The more of this stack you implement correctly, the more mailbox providers trust your emails by default. Start with SPF, DKIM, and DMARC. Add the remaining methods over time as your programme matures and your sending infrastructure supports them.
Related Articles
- Why Are My Emails Going to Spam?
- 47 Reasons Your Email Was Rejected
- Email Deliverability Metrics Guide
- Email Deliverability: Does Your Email Reach the Inbox
- Email Deliverability 2026: What's Changed
Frequently Asked Questions
SPF, DKIM, and DMARC are the core requirements for modern email authentication. Without them, most inbox providers will filter or reject your emails. These three form the foundation that all other methods build upon.
You must have SPF, DKIM, and DMARC configured correctly before anything else. Other methods like ARC, BIMI, MTA-STS, TLS-RPT, and DANE improve security and trust but are optional for most senders. rDNS and proper HELO configuration are expected by most providers.
Authentication is only one part of deliverability. Sender reputation, engagement rates, list quality, complaint history, and content signals also heavily affect inbox placement. Authentication gets you through the door. Reputation decides how you are treated inside.
SPF verifies which servers are allowed to send email for your domain by checking the sending IP address against a published list. DKIM verifies that the message content and headers have not been altered in transit using a cryptographic signature stored in DNS. They solve different problems and both are needed.
DMARC alignment checks that the domain in the From header matches the domains used in SPF and DKIM. SPF alignment requires the domain in the envelope from to match the From domain. DKIM alignment requires the d=domain in the signature to match the From domain. If neither passes alignment, DMARC fails.
BIMI requires DMARC enforcement at quarantine or reject level, a verified logo in SVG Tiny 1.2 format, a Verified Mark Certificate from an approved CA, and a published BIMI DNS record containing the logo URL. Supported email clients then display your logo next to your messages.
MTA-STS uses a policy file published on a web server to enforce TLS for incoming mail. DANE uses DNSSEC and TLSA records to bind TLS certificates directly to domain names. DANE provides stronger cryptographic guarantees but requires DNSSEC, which many domains do not have deployed.
ARC preserves authentication results across intermediate servers. When an email is forwarded, SPF breaks because the forwarding server is not in the sender's SPF record. ARC seals the original SPF and DKIM results so the final destination server can still see the original authentication status.
Time to run those email marketing reports?
Let's get your email marketing reporting set up
Setup email reporting