The Three Records Standing Between Your Email and the Spam Folder
TL;DR: SPF, DKIM, and DMARC are the three DNS-based authentication standards now required by Gmail, Yahoo, Outlook, and Hotmail. As of 2026, non-compliant bulk senders have their messages rejected at the SMTP level — not filtered to spam, but blocked outright. All three records must be configured correctly and aligned with your From domain.
In February 2024, Google and Yahoo made email authentication mandatory for bulk senders. In May 2025, Microsoft followed. As of 2026, non-compliant messages to Gmail, Yahoo, Outlook, and Hotmail are rejected at the SMTP level — not filtered to spam, but blocked outright.
86% of domains still haven’t enforced DMARC. Only 16% have published a DMARC record at all. If you’re reading this and unsure whether your setup is correct, you’re in good company — and in a dangerous position.
This guide explains exactly how SPF, DKIM, and DMARC work, how they interact, what correct configuration looks like, and how to implement them without breaking your existing email flow.
⚡ Check where you stand right now: Run the free DNS Checker → — instant SPF/DKIM/DMARC grade, no signup.
Why Email Authentication Exists
TL;DR: Email was designed in the 1970s with no mechanism to verify the sender’s identity, meaning any server could impersonate any domain. SPF, DKIM, and DMARC are the three-layer framework the industry built to address this gap. Each protocol solves a different part of the verification problem — sending server authorization, message integrity, and enforcement policy.
Email was invented in the 1970s without any mechanism for verifying who was actually sending a message. Any server could claim to be sending “from: support@yourbank.com” — and receiving servers had no way to verify it.
SPF, DKIM, and DMARC are the three-layer authentication framework the industry built to fix this. Each solves a different part of the verification problem:
| Protocol | What it verifies | Analogy |
|---|---|---|
| SPF | Whether this server is authorized to send email for your domain | Checking the return address against an approved list |
| DKIM | Whether the email content was tampered with in transit | A tamper-evident seal on a package |
| DMARC | Whether SPF and DKIM results align with the From address — and what to do if they don’t | The policy governing what happens when checks fail |
They work together. SPF and DKIM provide verification signals. DMARC provides the enforcement policy — formally defined in RFC 7489. All three are required.
SPF — Sender Policy Framework
TL;DR: SPF is a DNS TXT record that lists every mail server authorized to send email from your domain. Receiving servers check the sending IP against this list and pass or fail the message accordingly. A correct SPF record ends with
-all(hard fail) and must stay under the 10 DNS lookup limit.
What SPF Does
SPF is a DNS TXT record that lists every mail server authorized to send email from your domain. When an email arrives claiming to be from your@company.com, the receiving server checks your SPF record to see if the sending IP is listed.
- SPF pass: The sending IP is in your SPF record — good signal
- SPF fail (hard fail): The sending IP is not authorized — emails may be rejected
- SPF softfail: Not authorized but not rejected — treated as suspicious
How SPF Works
- Your server sends a message to Gmail with
From: hello@yourcompany.com - Gmail looks up the DNS TXT record for
yourcompany.com - It finds:
v=spf1 include:_spf.google.com include:sendgrid.net ~all - Gmail checks whether the sending IP is authorized by any of the listed includes
- If yes: SPF passes. If no: SPF fails
SPF Record Syntax
v=spf1 [mechanisms] [qualifier]all Common mechanisms:
| Mechanism | Meaning |
|---|---|
ip4:203.0.113.0/24 | Authorizes this specific IP range |
include:_spf.google.com | Includes Google Workspace’s authorized servers |
include:sendgrid.net | Includes SendGrid’s authorized servers |
a | Authorizes the domain’s own A record |
mx | Authorizes the domain’s MX record hosts |
Qualifiers:
| Qualifier | Meaning |
|---|---|
+all | Pass all — don’t use this, it authorizes any server |
~all | SoftFail — unauthorized servers accepted but marked |
-all | HardFail — unauthorized servers rejected |
?all | Neutral — effectively meaningless |
A correct, strict SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net -all Critical rule: One SPF record per domain only. Multiple records = only one gets read. Combine all sending services into a single record.
The 10 DNS Lookup Limit
SPF authentication fails if resolving your record requires more than 10 DNS lookups. Each include: counts as one lookup, and those includes often contain their own includes.
Teams using multiple sending tools — marketing ESP, CRM, support tool, transactional email service — frequently exceed 10 lookups without realizing it.
Symptoms: SPF PermError, which fails authentication silently without a clear error in your ESP.
Fix: Use SPF flattening (resolve included IPs and list them directly) or subdomain delegation (send from subdomains with their own SPF records).
DKIM — DomainKeys Identified Mail
TL;DR: DKIM adds a cryptographic signature to every outgoing email, tied to the message content and key headers. Receiving servers verify this signature using your public key published in DNS, confirming the message was not altered in transit and came from a server that controls your domain. For DMARC to pass on DKIM, the signing domain must be your own domain — not your ESP’s generic domain.
What DKIM Does
DKIM adds a cryptographic signature to every email you send. The signature proves two things:
- The email was sent by someone who controls your domain (they had the private key)
- The email content was not altered in transit (the signature is tied to the message body and headers)
SPF verifies the sending server. DKIM verifies the message itself.
How DKIM Works
- Your email server generates a cryptographic hash of the email’s content (body + selected headers)
- That hash is encrypted with your private DKIM key and attached as a
DKIM-Signatureheader - The receiving server looks up your public DKIM key in DNS (a TXT record under a selector subdomain)
- It uses the public key to decrypt the signature and verify the hash matches
- If the hash matches: DKIM passes. If not: the message was tampered with, or the key doesn’t match
DKIM DNS Record Format
Your DKIM public key lives in DNS at:
[selector]._domainkey.[yourdomain].com For example, if your selector is google and your domain is yourcompany.com:
google._domainkey.yourcompany.com The record:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ... Important DKIM Notes
Selectors: You can have multiple DKIM keys on one domain, each identified by a different selector. This lets you use separate keys for different sending services without conflict.
Key length: Google requires minimum 1024-bit; 2048-bit is the current recommendation. Keys shorter than 1024 bits are rejected.
Key rotation: Rotate DKIM keys every 6-12 months as a security best practice. Always test before removing the old key — key rotation without proper DNS planning breaks authentication.
DKIM alignment for DMARC: The d= domain in the DKIM signature must match (or be a subdomain of) the From: header domain. If your ESP signs with sendgrid.net instead of yourcompany.com, DKIM alignment fails for DMARC.
DMARC — Domain-based Message Authentication, Reporting and Conformance
TL;DR: DMARC defines the policy receiving servers apply when SPF or DKIM fails — none (monitor only), quarantine (spam folder), or reject (block at SMTP). It also enforces alignment: the authenticated domain must match the From address your recipients actually see. DMARC aggregate reports (RUA) reveal which sources are passing or failing across all major mailbox providers.
What DMARC Does
DMARC ties SPF and DKIM together under a single policy. It answers: “When an email from my domain fails SPF or DKIM, what should receiving servers do?”
DMARC adds a crucial concept: alignment. SPF or DKIM can technically “pass” while still being misaligned with the From address — the address your recipients actually see. DMARC checks that the authenticated domain aligns with the From domain.
And DMARC provides reporting — aggregate reports (RUA) from mailbox providers showing how your domain’s email is performing and where authentication failures occur.
DMARC Alignment: The Concept Most Guides Skip
This trips up many setups.
SPF alignment: The Return-Path domain (envelope sender) must match the From: header domain.
DKIM alignment: The d= domain in the DKIM signature must match (or be a subdomain of) the From: header domain.
When you send through an ESP, it often uses its own domain for the Return-Path (bounces.sendgrid.net). This causes SPF misalignment. Fix: configure a custom bounce domain (a subdomain of your sending domain) through your ESP.
If your ESP signs DKIM with its own domain, fix: configure custom DKIM signing with your own domain through the ESP.
DMARC Record Syntax
v=DMARC1; p=[policy]; rua=mailto:[email]; ruf=mailto:[email]; pct=[percentage]; adkim=[r/s]; aspf=[r/s] | Tag | Meaning | Example |
|---|---|---|
p= | Policy for the root domain | p=reject |
rua= | Email for aggregate reports | rua=mailto:dmarc@yourcompany.com |
ruf= | Email for forensic reports | ruf=mailto:dmarc@yourcompany.com |
pct= | Percentage of messages to apply policy to | pct=100 |
sp= | Policy for subdomains | sp=quarantine |
adkim= | DKIM alignment mode (r=relaxed, s=strict) | adkim=r |
aspf= | SPF alignment mode (r=relaxed, s=strict) | aspf=r |
The Three DMARC Policies
| Policy | Effect |
|---|---|
p=none | Monitor only. Failed messages are delivered. Reports sent to your RUA address. Use this first. |
p=quarantine | Failed messages go to spam/junk. The middle step before full enforcement. |
p=reject | Failed messages are rejected at the SMTP level. Full enforcement. |
The Safe Path to DMARC Enforcement
Moving too quickly to p=reject without understanding all your sending sources can block legitimate email.
Week 1-2: Deploy at p=none
v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com Collect aggregate reports. Use a DMARC report analyzer (Dmarcian, PowerDMARC, URIports) to identify all sources sending email from your domain.
Week 3-6: Fix alignment for all legitimate sources For each legitimate sender (marketing ESP, CRM, helpdesk, transactional email), configure custom bounce domain (SPF alignment) and custom DKIM signing (DKIM alignment).
Week 7-8: Move to p=quarantine at low percentage
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourcompany.com Apply quarantine to 10% of failing messages. Monitor for legitimate email impact.
Week 9-12: Increase and move to p=reject Gradually increase pct= from 10 → 25 → 50 → 100. Move from p=quarantine to p=reject once confident all legitimate sources are aligned.
Final state:
v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; ruf=mailto:dmarc@yourcompany.com; pct=100; adkim=r; aspf=r How SPF, DKIM, and DMARC Work Together
TL;DR: When a message arrives, the receiving server runs SPF and DKIM checks independently, then DMARC checks whether at least one passes and aligns with the From domain. DMARC requires only one of SPF+alignment or DKIM+alignment to succeed — not both. DKIM alignment is more reliable than SPF alone because DKIM signatures survive email forwarding while SPF does not.
Here’s what happens when Gmail receives an email claiming to be from yourcompany.com:
Incoming email → From: sarah@yourcompany.com
1. SPF check:
→ Look up TXT record for yourcompany.com
→ Is the sending IP on the authorized list?
→ SPF result: PASS or FAIL
2. DKIM check:
→ Look up public key at [selector]._domainkey.yourcompany.com
→ Verify cryptographic signature
→ DKIM result: PASS or FAIL
3. DMARC check:
→ Does SPF PASS + align with From domain?
→ Does DKIM PASS + align with From domain?
→ At least one must pass + align for DMARC to pass
→ If DMARC fails → apply policy (none / quarantine / reject)
→ Send aggregate report to rua= address Key nuance: DMARC passes if either SPF + alignment OR DKIM + alignment passes — it doesn’t require both. But best practice is having both passing, because SPF alone breaks on forwarded email (the forwarding server’s IP isn’t in your SPF record), while DKIM survives forwarding.
BIMI (Brand Indicators for Message Identification)
TL;DR: BIMI lets you display your brand logo next to your email in Gmail, Yahoo Mail, and Apple Mail. It requires DMARC at p=quarantine or p=reject, plus a Verified Mark Certificate (VMC) for Gmail. BIMI is an optional layer built on top of a fully enforced DMARC setup.
BIMI lets you display your brand logo next to your email in supporting clients — Gmail, Yahoo Mail, Apple Mail. It requires DMARC at p=quarantine or p=reject, and a Verified Mark Certificate (VMC) for Gmail.
BIMI is increasingly important for brand trust and inbox recognition. For the complete setup guide: BIMI: What It Is and How to Set It Up
Google & Yahoo 2026 Requirements Summary
TL;DR: As of 2026, all bulk senders (5,000+ messages/day) must publish SPF and DKIM records, maintain DMARC at p=none or higher with aligned authentication, implement one-click unsubscribe, and keep spam rates below 0.10%. Microsoft enforced equivalent requirements for Outlook and Hotmail starting May 5, 2025.
| Requirement | Applies to | Status |
|---|---|---|
| SPF record published | All senders | Required |
| DKIM with 1024+ bit key | All senders | Required |
DMARC at p=none or higher | Bulk senders (>5,000/day) | Required; non-compliant emails rejected |
| DMARC alignment (SPF or DKIM) | Bulk senders | Required |
| One-click unsubscribe (List-Unsubscribe header) | Bulk senders | Required |
| Spam rate below 0.10% | All senders | Monitored; above 0.30% triggers filtering |
Microsoft (Outlook/Hotmail) enforced equivalent requirements starting May 5, 2025.
For the full compliance checklist: Google & Yahoo Sender Requirements 2026
Authentication Setup Checklist
TL;DR: A complete authentication setup requires an SPF record listing all sending sources (under the 10 DNS lookup limit), DKIM configured with your own domain and a 2048-bit key, and a DMARC record at _dmarc.yourdomain.com with an active RUA address. Custom bounce domains and custom DKIM signing through your ESP are required for alignment — without them, SPF and DKIM can pass individually while DMARC still fails.
SPF:
- TXT record exists at your root domain
- All legitimate sending sources are included
- DNS lookup count is under 10
- Qualifier is
-allor~all(not+all) - Custom bounce domain configured in your ESP for SPF alignment
DKIM:
- DKIM signing is enabled in your ESP
- Custom DKIM signing configured with your own domain (not ESP’s generic domain)
- Key length is 1024 bits minimum (2048 recommended)
- Public key DNS record is correctly published and resolving
- Selector is not expired or rotated without updating DNS
DMARC:
- TXT record exists at
_dmarc.yourdomain.com - RUA address is active and monitored
- Policy is at least
p=none - Working toward
p=quarantine→p=reject - All legitimate sending sources show aligned in aggregate reports
Frequently Asked Questions
- TL;DR:
The most common questions about SPF, DKIM, and DMARC concern what happens without them, how alignment differs from simply passing, and how to safely progress from p=none to p=reject. Passing authentication does not guarantee inbox placement — spam filters evaluate reputation, engagement, and content separately from authentication.
- What happens if I don’t have SPF, DKIM, and DMARC?
As of 2026, emails to Gmail, Yahoo, Outlook, and Hotmail from non-compliant bulk senders are rejected at the SMTP level — not delivered to spam, but blocked outright. For lower-volume senders, non-compliant messages face higher spam classification rates.
- Can I pass authentication but still land in spam?
Yes. Authentication proves you are who you say you are. It does not guarantee inbox placement. Spam filters also evaluate sender reputation, engagement signals, content quality, and list hygiene. Authentication is the mandatory floor — not the ceiling. Read more: DMARC Passes But Still in Spam — Why This Happens
- What is the difference between SPF and DKIM alignment?
SPF alignment checks whether the
Return-Pathdomain matches theFromdomain. DKIM alignment checks whether thed=domain in the DKIM signature matches theFromdomain. Both can pass their individual checks while failing alignment — which is what DMARC detects.- Should I use
p=rejectorp=quarantine? p=rejectis the gold standard for full protection against spoofing. But moving fromp=nonedirectly top=rejectwithout validating all legitimate email sources can block your own mail. Follow a gradual rollout:p=none→p=quarantineat low percentage →p=reject.- Does DMARC protect against phishing from look-alike domains?
No. DMARC protects your exact domain (
yourcompany.com). It does not protect against spoofing from similar-looking domains (yourcompany-support.com,yourcompany.net). For that, domain monitoring and brand protection tools are needed separately.- What is
adkim=svsadkim=r? Strict alignment (
s) requires thed=DKIM domain to be an exact match to theFromdomain. Relaxed alignment (r) allows thed=domain to be a parent domain — somail.yourcompany.comwould align withyourcompany.com. Relaxed is the default and appropriate for most setups.
InboxStack monitors your SPF, DKIM, and DMARC health continuously — alerting you immediately when authentication misconfigurations occur before they damage your inbox placement. Start free → Just want to check your current setup once? Run the free DNS Checker → — instant grade, no signup.
Related reading:
- BIMI: What It Is and How to Set It Up
- Google & Yahoo Sender Requirements 2026: The Compliance Checklist
- DMARC Passes But Still in Spam — Why This Happens
- What Is Inbox Placement? Definition, Formula & Benchmarks
The InboxStack Brief
Stay ahead of every inbox change
Weekly digest — authentication shifts, blacklist actions, provider policy updates. Free.
