Glossary | Technical | Updated May 24, 2026

SPF, DKIM, and DMARC

Also known as: Email authentication, SPF record, DKIM signature, DMARC policy

Quick Definition

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) are the three email authentication standards published as DNS records on the sender domain. SPF lists authorised sending IPs. DKIM cryptographically signs outgoing email. DMARC ties them together with a policy and reporting. In 2026, all three are essentially mandatory — Google and Microsoft tightened requirements in 2024, and sending from a domain without properly configured SPF, DKIM, and DMARC increasingly results in emails being routed to spam or blocked entirely.

Email authentication has gone from nice-to-have to essentially mandatory between 2020 and 2026. The three core standards — SPF, DKIM, and DMARC — work together to tell receiving mail servers that an email is legitimately from the claimed sender and has not been tampered with in transit.

SPF: Sender Policy Framework

SPF is the simplest of the three. It tells receivers which IP addresses are allowed to send mail on behalf of the sender's domain.

The SPF record is a TXT entry in the domain's DNS that lists authorised IPs or includes other authentication services. A typical SPF record for a domain using Google Workspace plus a few SaaS tools might look like:

`v=spf1 include:_spf.google.com include:mailgun.org include:_spf.salesforce.com ~all`

The `~all` at the end is a "softfail" policy meaning email from other IPs should be marked as suspicious but not rejected outright. A stricter `-all` means reject. Most teams start with `~all` and tighten over time.

When a receiving server gets an email claiming to be from yourdomain.com, it looks up the SPF record and checks whether the sending IP matches. If not, the email gets flagged for further scrutiny.

The common SPF failure is forgetting to include a SaaS tool that sends on the domain's behalf — a CRM, an email marketing platform, a transactional email service. Those emails will start landing in spam or being rejected.
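The receiver-side check described above, as an added example (not code from this page or from any mail provider). It is a simplified evaluator that supports only the `ip4`, `include` and `all` mechanisms. The DNS data, the `_spf.mailer.example` include and all IP addresses are constructed for illustration.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (all names/IPs are examples).
DNS_TXT = {
    "yourdomain.com": ["v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example ~all"],
    "_spf.mailer.example": ["v=spf1 ip4:203.0.113.0/25 -all"],
    "twice.example": ["v=spf1 ip4:192.0.2.1 -all",
                      "v=spf1 include:_spf.mailer.example ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Simplified SPF check: supports ip4, include and all only."""
    if depth > 10:  # crude loop guard; real SPF caps total DNS lookups at 10
        return "permerror"
    records = [r for r in dns.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # more than one SPF record is an error, not a merge
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"  # no qualifier means "+"
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return result
        if name == "include":
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "pass":  # only a pass from the included domain matches
                return result
        if name == "all":
            return result
    return "neutral"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.55"):
        print(ip, check_spf(ip, "yourdomain.com"))
    print("twice.example", check_spf("192.0.2.1", "twice.example"))
```

The third address stands in for a SaaS tool that was never added to the record: it falls through to `~all` and comes back as a softfail.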

DKIM: DomainKeys Identified Mail

DKIM is the cryptographic-signature layer. It proves the email was actually sent from the claimed domain and has not been modified in transit.

The sender's mail server signs every outgoing email with a private key. The signature gets added as a header in the email. The corresponding public key is published as a TXT record in the sender's DNS. When the receiving server gets the email, it fetches the public key, verifies the signature, and confirms (or rejects) the authentication.

DKIM is more complex to set up than SPF because the private key has to be generated and configured on the sending infrastructure, and the public key has to be published in DNS at a specific selector path (e.g., `selector1._domainkey.yourdomain.com`). Most email providers (Google Workspace, Microsoft 365, Mailgun, Postmark) handle the key generation and publish the public-key DNS record automatically.

The DKIM signature also protects against tampering: if a relay modifies the signed content in transit, the signature no longer verifies and the receiver knows.

DMARC: tying it together

DMARC sits on top of SPF and DKIM. It does two things: defines what receivers should do when SPF or DKIM authentication fails, and enables aggregate reporting on authentication results.

A DMARC record specifies a policy: `none` (accept all, just report), `quarantine` (route to spam if auth fails), or `reject` (reject outright if auth fails). It also specifies email addresses to send aggregate reports to (typically a dedicated mailbox monitored by the IT or security team).

A typical DMARC record:

`v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com`

DMARC is the policy layer that makes SPF and DKIM enforcement actual rather than advisory. Without DMARC, receivers see SPF and DKIM results but apply their own internal policy. With DMARC, the sender domain explicitly tells receivers how to handle failures.

Why authentication tightened in 2024

In early 2024, Google announced that high-volume senders to Gmail (5,000+ messages per day) must have all three authentication standards properly configured. Microsoft followed with similar requirements for Microsoft 365 senders. Both providers also tightened the bar for any sender, not just high-volume ones — failures increasingly route to spam rather than being delivered with warnings.

The change reflects a broader industry trend: as phishing and email-spoofing attacks have grown, mail providers have become less tolerant of unauthenticated email. The 2024 tightening was the most visible change but the trend started earlier and continues.

Common authentication problems

Incomplete SPF. Missing a SaaS tool that sends on the domain's behalf. A common cause of "but I sent the email!" mysteries.

DKIM not enabled on a sending service. Some SaaS tools require manual DKIM setup that gets forgotten. The emails send, but without DKIM signatures, they fail DMARC and route to spam.

DMARC policy too strict too fast. Going straight to `p=reject` without first running `p=none` to monitor for a few weeks can result in legitimate emails being rejected. Best practice is to start at `p=none`, watch the reports, fix any auth failures, then progressively tighten.

DNS TXT records overlapping. Publishing multiple SPF records on the same domain is an error (only the first is read by some receivers). Use one record with multiple includes instead.

How to verify authentication is working

Three tools cover most of what teams need:

Mail Tester (mail-tester.com). Send a test email to the address it gives you and get a deliverability score that flags authentication issues.

Google Postmaster Tools. Free dashboard from Google showing sender reputation, authentication rates, and spam-rate metrics for your sending domain.

MXToolbox SPF/DKIM/DMARC checkers. Free DNS-lookup tools that verify each record is published correctly.

For B2B sales teams sending one-to-one from established business inboxes (Gmail Workspace, Microsoft 365), the email provider handles SPF/DKIM/DMARC setup at the provider level. The risk is when teams add a third-party sending tool (CRM, cold-outreach platform, transactional email service) without updating SPF or enabling DKIM for that service.

Frequently asked questions

Do I need all three of SPF, DKIM, and DMARC?

In 2026, essentially yes. Google and Microsoft tightened requirements in 2024 and continue to tighten. SPF alone is no longer sufficient. Sending from a domain without all three properly configured increasingly results in emails being filtered to spam or blocked, especially for senders above 5,000 messages per day to Gmail.

What is the difference between SPF and DKIM?

SPF tells receivers which IPs are allowed to send for your domain. DKIM cryptographically signs each outgoing email so receivers can verify it has not been tampered with. SPF is IP-based; DKIM is content-based. Either can pass while the other fails (e.g., a forwarded email may break SPF but DKIM survives the forward).

What DMARC policy should I use?

Start with `p=none` for 2-4 weeks to monitor authentication results without affecting delivery. Read the DMARC reports, fix any auth failures from legitimate senders, then move to `p=quarantine` for a few weeks. Once you are confident, move to `p=reject` for the strictest enforcement. Most B2B teams settle at `p=quarantine` indefinitely.

Does Outsolvi affect my SPF or DKIM?

No. Outsolvi does not send emails for you — you send from your own Outlook or Gmail account, so your SPF and DKIM are whatever your business email provider already set up. Outsolvi tracks the sends but does not alter the sending path or require its own SPF include.

Can I check if my DMARC is working?

Yes. Send a test email to a Gmail address you control, open the message, click the three-dot menu, and choose View Original. The headers show SPF, DKIM, and DMARC results. Google Postmaster Tools also shows aggregate authentication rates for your sending domain. MXToolbox provides DNS-lookup tools for each record.

Nate Summers, Co-Founder, Outsolvi

Nate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.

Last reviewed May 24, 2026. Editorially independent.

We update these pages when the underlying mechanics change — new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.