Skip to main content
Guides/The Complete Guide to Email Authentication

Authenticate Your Email or Get Spoofed.

Protect your domain and build sender reputation

11+ pagesFree PDF download

SPF Records

Flatten SPF, avoid DNS lookups, and prevent alignment failures.

DKIM Signing

Set up and rotate DKIM keys for every sending domain.

DMARC Policies

Move from none to quarantine to reject with confidence.

What's Inside the Guide

10,000–15,000 words of actionable, expert content

Real-world examples, code samples, and templates

Step-by-step instructions you can follow today

Checklists, worksheets, and quick-reference tables

Regularly updated with the latest best practices

Get Your Free Guide

Sign up for Email Calculator and download the full guide instantly.

By signing up, you agree to our Terms and Privacy Policy. No spam, unsubscribe anytime.

What Is Email Authentication?

Email authentication is the technical framework that allows receiving mail servers to verify that an email claiming to come from a specific domain was genuinely sent by an authorised source. It is the foundation of trust in email communication and the primary defence against spoofing, phishing, and domain impersonation.

Without authentication, anyone can forge your domain. An attacker can send an email that looks like it came from your company, tricking recipients into revealing passwords, transferring money, or downloading malware. Authentication protocols — SPF, DKIM, and DMARC — work together to close this vulnerability by giving ISPs a reliable way to check the legitimacy of every message.

The need for authentication has never been more urgent. In 2024, Google and Yahoo introduced mandatory authentication requirements for bulk senders. Anyone sending more than 5,000 messages per day to Gmail or Yahoo addresses must have SPF, DKIM, and DMARC configured correctly. Failure to comply results in delivery failures or spam filtering. Other major providers are following the same path, meaning authentication is no longer optional for any serious sender.

Authentication also unlocks advanced capabilities. With DMARC in place, senders can adopt BIMI (Brand Indicators for Message Identification), which displays verified brand logos next to emails in supporting mail clients. This increases visibility, recognition, and trust. But BIMI requires strict DMARC enforcement at the reject level, making authentication the gateway to better brand presentation.

The authentication landscape continues to evolve. MTA-STS and TLS-RPT add transport-layer security reporting, ensuring that emails are encrypted in transit. ARC preserves authentication results across email forwarding chains. Understanding the full ecosystem helps you build a robust, future-proofed email programme.

Why Authentication Matters Now More Than Ever

Authentication has transitioned from a best practice to a requirement. The 2024 Gmail and Yahoo policy changes marked a turning point. For the first time, major ISPs explicitly required authentication for all bulk senders, and they backed the requirement with enforcement actions that included blocking and filtering.

The numbers tell the story. Before 2024, DMARC adoption among legitimate senders hovered around 40%. After the policy changes, adoption surged past 70% for commercial senders. However, adoption alone is not enough. Many organisations have implemented authentication with a p=none policy — monitoring only — and have never progressed to quarantine or reject enforcement, leaving themselves vulnerable.

The cost of inadequate authentication is measurable. Organisations without DMARC enforcement remain vulnerable to domain spoofing attacks. According to industry research, nearly three-quarters of all organisations experienced a domain spoofing attack in the past year. The average cost of a successful business email compromise attack exceeds £100,000 when factoring in direct losses, remediation, and reputational damage.

Authentication also directly affects deliverability. ISPs factor authentication status into their filtering decisions. An email that fails both SPF and DKIM checks is far more likely to be filtered, even if the content is legitimate. Conversely, properly authenticated email receives preferential treatment in many ISP filtering systems.

Beyond security and deliverability, authentication enables brand control. DMARC aggregate reports give you visibility into every server sending email from your domain, whether authorised or not. This allows you to identify and address shadow IT, compromised accounts, and phishing campaigns targeting your domain. Authentication turns email from a trust-based system into a verifiable one.

SPF: Sender Policy Framework

SPF is the oldest of the three core authentication protocols and the most widely adopted. It works by publishing a DNS record that explicitly lists the IP addresses and servers authorised to send email on behalf of your domain.

How SPF works at the DNS level. When an ISP receives an email claiming to be from example.com, it performs a DNS lookup on example.com for an SPF record (a TXT record starting with v=spf1). The record contains a list of authorised senders. If the sending server's IP matches an entry in the record, SPF passes. If not, it fails.

SPF record syntax follows a standardised format. A basic record looks like this:

v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all

The v=spf1 tag identifies the record as SPF version 1. include references another domain's SPF record (commonly used for ESPs like Google, Mailchimp, or Salesforce). ip4 and ip6 authorise specific IP addresses or ranges. The all mechanism at the end specifies the default action: -all (fail), ~all (soft fail), +all (pass, never use), or ?all (neutral).

The 10-lookup limit is one of the most commonly violated SPF rules. Every include, a, mx, ptr, and exists mechanism counts as a DNS lookup. The total must not exceed ten. When it does, SPF returns a permerror and authentication fails. This is particularly problematic for organisations that use multiple ESPs or services, each of which adds an include statement. Optimising SPF records to stay within the limit requires careful planning or the use of SPF macros in advanced cases.

Common SPF mistakes include listing too many includes, using +all which effectively disables SPF, forgetting to include all sending sources, and failing to update SPF records when switching email providers. Another frequent error is using SPF without DKIM, leaving a single point of failure — forwarded email will break SPF because the forwarding server is not in the original SPF record.

DKIM: DomainKeys Identified Mail

DKIM addresses the limitations of SPF by using cryptographic signatures. While SPF only checks the sending server, DKIM verifies that the message content itself has not been altered and that it genuinely came from the claimed domain.

How public-key cryptography works in email. The sending server generates a private-public key pair. The private key is kept on the sending server and used to sign outgoing emails. The public key is published as a DNS TXT record on the sending domain. When an ISP receives a signed email, it looks up the public key, decrypts the signature, and compares it to the message content. If they match, the email is verified.

Setting up DKIM for major platforms typically involves generating a key pair through your ESP, publishing the public key in your DNS, and enabling signing. Each platform has slightly different requirements. Google Workspace provides a default DKIM key but recommends generating a custom one for better deliverability. Microsoft 365 uses a selector-based approach with automatic key rotation. Mailchimp, SendGrid, and other ESPs each have their own setup workflows.

Key rotation is a critical but often overlooked maintenance task. DKIM keys should be rotated periodically — annually at minimum — to maintain security. When rotating, publish the new public key alongside the old one (using a different selector) until all in-transit emails signed with the old key have been delivered. Then remove the old key. This rolling approach prevents authentication failures during the transition.

DKIM alignment determines whether the domain used in the DKIM signature matches the domain in the From header. This matters for DMARC, which requires either SPF or DKIM alignment to pass. DKIM alignment can be strict (exact match required) or relaxed (organisational domain match allowed). For most senders, relaxed alignment with DKIM is the easiest path to DMARC compliance.

DMARC: Domain-based Message Authentication

DMARC is the policy layer that sits on top of SPF and DKIM. It tells receiving mail servers what to do when authentication fails and provides reporting that gives senders visibility into authentication results.

How DMARC policies work. A DMARC record is a DNS TXT record at _dmarc.yourdomain.com. It specifies a policy (p=none, p=quarantine, or p=reject), the percentage of messages to apply the policy to (pct=100), and reporting addresses. A typical DMARC record looks like this:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100;

The three policy levels represent an escalating enforcement spectrum. p=none tells ISPs to take no action on authentication failures. It is a monitoring-only mode that allows you to see who is sending email from your domain without affecting delivery. p=quarantine instructs ISPs to send failing messages to spam. p=reject tells them to block failing messages entirely.

The recommended deployment path starts with p=none for data collection. After analysing the reports for two to four weeks, move to p=quarantine at a low percentage (pct=25), gradually increasing over several weeks. Once all legitimate traffic authenticates correctly, move to p=quarantine at 100%, then finally to p=reject. This gradual approach prevents accidental blocking of legitimate email.

DMARC aggregate reports (rua) provide XML summaries of authentication results from receiving ISPs. They show how many messages passed or failed each check, organised by source IP and domain. Forensic reports (ruf) provide details on individual authentication failures. These reports are invaluable for troubleshooting and monitoring.

Alignment modes determine how strictly the authenticated domain must match the header From domain. For SPF alignment, strict requires an exact match of the domain; relaxed requires only the organisational domain to match. For DKIM alignment, the same distinction applies. Most senders use relaxed alignment for both, though some forward-consistency models require strict.

BIMI and Emerging Standards

BIMI (Brand Indicators for Message Identification) displays a verified logo next to authenticated emails in supporting clients including Gmail, Apple Mail, and Yahoo Mail. It increases brand recognition, builds trust, and improves engagement rates.

Requirements for BIMI. To adopt BIMI, you must have DMARC enforcement at p=quarantine or p=reject for your sending domain. You need a verified logo certificate (VMC) from an accredited certificate authority, though some providers offer a self-declared BIMI option without a VMC. The logo must be an SVG file hosted at a publicly accessible URL and published in a DNS TXT record at default._bimi.yourdomain.com.

The benefits of BIMI extend beyond visual recognition. Early adopters report click-through rate increases of 10 to 15% for authenticated, logo-bearing emails. BIMI also signals to recipients that you take email security seriously, which builds long-term trust. As more email clients adopt BIMI support, the competitive advantage of having verified logos will grow.

MTA-STS and TLS-RPT add transport-layer security to the authentication stack. MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for email delivery, preventing downgrade attacks that strip encryption in transit. TLS-RPT provides reporting on delivery failures caused by TLS issues. Together, they ensure your email is not only authenticated but also encrypted throughout its journey.

What You'll Learn in the Full Guide

Our complete email authentication PDF guide provides everything you need to implement, test, and maintain authentication protocols. It includes DNS record templates for SPF, DKIM, DMARC, and BIMI that you can customise for your specific infrastructure. Troubleshooting flowcharts help you diagnose authentication failures quickly, whether the issue is DNS propagation, record syntax, or key management.

The guide covers testing tools including mailbox analysers, DMARC parsers, and SPF validators, with step-by-step instructions for each. A migration roadmap walks you through switching ESPs or moving to a new domain without breaking authentication. The full setup checklist ensures nothing is missed during implementation.

Who Needs This Guide

This guide is for IT teams responsible for email infrastructure, email marketers who need to understand how authentication affects their campaigns, and domain administrators managing DNS for organisations of any size. If you are responsible for ensuring that your organisation's email is secure, authenticated, and deliverable, this guide covers everything you need.

System administrators migrating to new email platforms, security professionals implementing DMARC enforcement, and marketing operations teams working with ESPs will all find actionable guidance. The guide is practical rather than theoretical, with clear instructions for every major platform and use case.

Frequently Asked Questions

SPF (Sender Policy Framework) is a DNS record that lists which IP addresses are authorised to send email from your domain. When an ISP receives an email claiming to be from your domain, they check the SPF record to verify it came from an approved server. Without SPF, anyone can send email pretending to be you. The guide covers SPF record syntax, lookup limits, and troubleshooting.

DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign your outgoing emails, proving they haven't been tampered with in transit. It's a critical authentication method that helps ISPs verify email integrity. DKIM is required by Gmail and Yahoo's sender guidelines and is essential for good deliverability. Our guide includes setup instructions for all major sending platforms.

Start with p=none to monitor your email traffic without blocking anything. Once you've identified all legitimate senders, move to p=quarantine, then p=reject. Most organisations should aim for p=reject within 3–6 months. The guide includes a complete DMARC implementation roadmap with reporting tools and migration strategies.

BIMI (Brand Indicators for Message Identification) displays your brand logo next to your emails in supporting email clients like Gmail and Apple Mail. It requires DMARC at p=quarantine or p=reject. While optional, BIMI increases brand recognition, trust, and engagement. Our guide covers BIMI requirements, logo creation, and verified mark certificates.

No, you can only have one SPF record per domain. Having multiple SPF records causes SPF failures and deliverability issues. If you need to authorise multiple senders, include them all in a single record using include mechanisms. The guide explains SPF record flattening and how to stay within the 10-DNS-lookup limit.

Use tools like MXToolbox, DMARC Analyzer, or Google's Postmaster Tools to test your SPF, DKIM, and DMARC configuration. Send test emails to dedicated testing addresses and review the authentication headers. Our guide includes a full testing checklist and explains how to read email headers to diagnose authentication failures.