SPF, DKIM, and DMARC Explained: The Authentication Trinity

A plain-English breakdown of the three email authentication standards every sender needs to understand.

InboxEagle Team · Updated Mar 21, 2026

SPF, DKIM, and DMARC are the three DNS-based standards that prove to receiving mail servers that your email is legitimate. Without all three configured correctly, your domain is vulnerable to spoofing and ISPs will treat your email with increased suspicion. As of February 2024, Gmail and Yahoo require DMARC authentication for all senders sending 5,000+ emails per day.

Over a decade of diagnosing deliverability failures across thousands of email programs, authentication misconfiguration is consistently the first thing we find — and the fastest thing to fix.

Authentication by the Numbers

  • 100%: SPF/DKIM pass rate you should target
  • 2024: Year Gmail & Yahoo mandated DMARC for bulk senders
  • 10: Maximum DNS lookups allowed in an SPF record
  • p=reject: DMARC policy for maximum protection

SPF: Sender Policy Framework

SPF is a DNS record that lists every IP address and domain service authorized to send mail on your behalf.

How It Works

  1. You publish a TXT record at your domain: v=spf1 include:bayengage.com ~all
  2. When Gmail receives an email claiming to be from you, it checks if the sending IP is in your SPF record
  3. If it matches, SPF passes. If not, the ~all (softfail) or -all (hardfail) policy kicks in

Common Mistakes

  • Exceeding 10 DNS lookups: SPF limits you to 10 lookups. Techniques such as SPF flattening help reduce this count.
  • Missing ESPs: Added a new email tool? Update your SPF record.
  • Wrong qualifier: Start with ~all (softfail) before switching to -all (hardfail)
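
The 10-lookup limit is easy to exceed without noticing, because lookups inside each include count too. The following is an added example, not InboxEagle's code: it counts the DNS-querying terms in an SPF record and follows includes through a constructed ZONE dictionary that stands in for DNS. All domain names and records in it are illustrative assumptions.

```python
# Terms that each cost one DNS lookup (the redirect= modifier also counts).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10

# Constructed TXT records standing in for live DNS; every name is illustrative.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.esp.example include:_spf.crm.example "
                   "include:_spf.ads.example ~all",
    "_spf.esp.example": "v=spf1 a:out1.esp.example a:out2.esp.example "
                        "mx:esp.example exists:%{i}.rbl.esp.example ~all",
    "_spf.crm.example": "v=spf1 a:mail.crm.example mx/24 ptr ~all",
    "_spf.ads.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # The same policy after flattening the includes into literal ranges.
    "flat.example.com": "v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "ip4:203.0.113.7 ~all",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms in a domain's SPF record, following includes."""
    record = zone.get(domain, "")
    if domain in path or not record.startswith("v=spf1"):
        return 0  # include loop or no SPF record: nothing further to count
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")             # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()      # "mx/24" -> "mx"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":              # nested records count as well
                total += count_lookups(target, zone, path + (domain,))
    return total

def within_limit(domain, zone):
    """True when the record stays at or below the 10-lookup limit."""
    return count_lookups(domain, zone) <= SPF_LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("example.com", "flat.example.com"):
        print(name, count_lookups(name, ZONE), within_limit(name, ZONE))
```

The record for example.com looks short, with only four lookup terms of its own, yet it costs 11 lookups once the nested records are counted. The flattened variant costs 1.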

DKIM: DomainKeys Identified Mail

DKIM adds a digital signature to every email you send, proving the content wasn’t modified in transit.

How It Works

  1. Your email provider generates a public/private key pair
  2. The private key signs every outgoing email’s headers
  3. You publish the public key as a DNS TXT record
  4. Receiving servers verify the signature using your public key

Why It Matters

DKIM is required for DMARC alignment. Without it, your DMARC policy is based only on SPF, which is weaker and doesn’t authenticate the visible From address.

DMARC: Domain-based Message Authentication, Reporting & Conformance

DMARC is the policy layer that ties SPF and DKIM together and provides reporting.

The Three Policies

Policy         Effect
p=none         Monitor only — no action taken on failures
p=quarantine   Failed messages go to spam
p=reject       Failed messages are blocked entirely

Start with Monitoring

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

This gives you visibility into all mail streams claiming to be from your domain before you enforce anything.

Reading DMARC Reports

DMARC reports (RUA = aggregate, RUF = forensic) are XML files that tell you:

  • Which IPs are sending mail as your domain
  • Whether SPF and DKIM are passing
  • How many messages are failing

InboxEagle parses and visualizes these reports so you don’t have to read raw XML.

The Correct Implementation Order

Follow the steps above in sequence — SPF first, then DKIM, then DMARC. This order protects you from accidentally blocking legitimate email during rollout.

Need to build your records? Try the free DMARC Record Generator or SPF Builder — no account required. Once your records are live, DMARC Monitoring from InboxEagle continuously tracks enforcement rates and alerts you to failures in under 2 minutes.

Frequently Asked Questions

What is the difference between SPF, DKIM, and DMARC?
SPF (Sender Policy Framework) lists which IP addresses are allowed to send email for your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to prove email content wasn't tampered with. DMARC ties them together — it tells receiving servers what to do when SPF or DKIM fails, and sends you reports on who's sending as your domain. You need all three for full email authentication.

Do I need all three — SPF, DKIM, and DMARC?
Yes. SPF alone is weak because it doesn't authenticate the visible From address. DKIM alone doesn't tell ISPs what to do with failures. DMARC ties them together and requires at least SPF or DKIM to align with your From domain. As of 2024, Gmail and Yahoo require DMARC for bulk senders.

What DMARC policy should I start with?
Start with p=none, which is monitoring-only mode — it doesn't affect email delivery but generates reports showing who is sending as your domain. After 2–4 weeks of reviewing reports to confirm all legitimate mail passes, move to p=quarantine, then eventually p=reject for maximum protection.

What is SPF flattening and why does it matter?
SPF is limited to 10 DNS lookups per record. Many senders exceed this limit by including multiple sending services (BayEngage, your CRM, ad platforms, etc.). When the limit is exceeded, SPF fails. SPF flattening resolves the included domains to their IP addresses and writes them directly into the record, reducing lookup count.

How do I know if DMARC is working?
Add an rua= tag to your DMARC record pointing to an email address you control (e.g., rua=mailto:dmarc@yourdomain.com). ISPs will send daily aggregate reports showing SPF/DKIM pass rates, sending IPs, and policy enforcement. Tools like InboxEagle parse these reports automatically so you don't have to read raw XML.
