Email Authentication Explained: SPF, DKIM, and DMARC Setup Guide

November 10, 2025
By SPAMRUN Team

Email authentication is the technical foundation of deliverability. Without proper SPF, DKIM, and DMARC records, even legitimate emails can be flagged as spam. Here's everything you need to know to set them up correctly.

Why Email Authentication Matters

Email authentication proves you're actually who you claim to be. Without it, anyone could send emails pretending to be from your domain. ISPs block unauthenticated emails to protect their users from phishing and spam.

Impact on deliverability: Gmail and other major providers heavily penalize emails without proper authentication. You could see 50%+ of your emails go to spam simply due to missing authentication.

SPF (Sender Policy Framework)

What is SPF?

SPF is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. When an email arrives, the receiving server checks the SPF record to verify the sender is allowed.

How to Set Up SPF

Step 1: Identify all services that send email from your domain (your email provider, marketing tools, CRM, etc.)

Step 2: Get the SPF include mechanism from each service. They'll look like:

  • Google Workspace: include:_spf.google.com
  • Mailchimp: include:servers.mcsv.net
  • SendGrid: include:sendgrid.net

Step 3: Create one SPF record combining all includes:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Step 4: Add it as a TXT record in your DNS settings

SPF Record Limits

  • Maximum 10 DNS lookups
  • Only one SPF record per domain
  • Use "~all" (soft fail) or "-all" (hard fail)
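
A small offline linter for the three limits above, as an added example that is not part of the original article. It follows include and redirect terms through a constructed zone table (the .test names and the ZONE dictionary are assumptions standing in for real DNS answers) and counts every term that costs a lookup, including nested ones.

```python
import re

# Terms that cost one DNS lookup each (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

# Constructed TXT data standing in for DNS; every name here is illustrative.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:esp.test mx ~all"],
    "_spf.mail.test": ["v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all"],
    "_nb1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "esp.test": ["v=spf1 ip4:203.0.113.0/24 a ~all"],
    "heavy.test": ["v=spf1 include:example.test a mx ptr exists:%{i}.bl.test -all"],
    "dup.test": ["v=spf1 mx ~all", "v=spf1 include:esp.test -all"],
    "open.test": ["google-site-verification=constructed", "v=spf1 mx +all"],
}

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms, following include/redirect into other records."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:  # include loop, or nothing usable to follow
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        m = TERM.match(term)
        name = m.group(1).lower() if m else ""
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2).lower(), zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Check one record per domain, the 10-lookup cap, and the closing all term."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return [f"{len(recs)} SPF records found; exactly one is allowed"]
    findings, n = [], count_lookups(domain, zone)
    if n > MAX_LOOKUPS:
        findings.append(f"{n} DNS lookups; the limit is {MAX_LOOKUPS}")
    terms = recs[0].lower().split()
    if terms[-1] not in ("~all", "-all") and not any(t.startswith("redirect=") for t in terms):
        findings.append(f"record ends with '{terms[-1]}', not ~all or -all")
    return findings
```

Calling lint("heavy.test") shows how a record with only five visible lookup terms exceeds the cap once the nested includes are counted.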

DKIM (DomainKeys Identified Mail)

What is DKIM?

DKIM adds a digital signature to your emails. The receiving server uses your public key (published in DNS) to verify the signature. This proves the email wasn't tampered with in transit.

How to Set Up DKIM

Step 1: Generate DKIM keys through your email service provider

Step 2: They'll give you a DNS record to add. The record name usually looks like:

selector._domainkey.yourdomain.com

Step 3: Add the TXT record to your DNS

Step 4: Verify setup in your ESP dashboard

DKIM Best Practices

  • Use 2048-bit key length (most secure)
  • Rotate keys annually
  • Set up DKIM for all sending domains
  • Test signatures after setup

DMARC (Domain-based Message Authentication, Reporting and Conformance)

What is DMARC?

DMARC builds on SPF and DKIM. It tells receiving servers what to do if SPF or DKIM checks fail, and sends you reports about email authentication failures.

How to Set Up DMARC

Step 1: Ensure SPF and DKIM are working first

Step 2: Create a DMARC policy record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Policies:

  • p=none: Monitor only (start here)
  • p=quarantine: Send failures to spam
  • p=reject: Block failures entirely

Step 3: Add it as a TXT record for _dmarc.yourdomain.com

Step 4: Monitor reports and gradually move from none → quarantine → reject

Testing Your Authentication

Tools to verify setup:

  • MXToolbox SPF/DKIM/DMARC checker
  • Google Admin Toolbox
  • DMARC Analyzer
  • Send test email to accounts you control

Common Mistakes

  • Multiple SPF records (only one allowed)
  • Exceeding 10 DNS lookups in SPF
  • Forgetting to set up authentication for subdomains
  • Moving to DMARC p=reject too quickly
  • Not monitoring DMARC reports

Authentication Checklist

  • ✅ SPF record published and verified
  • ✅ DKIM keys generated and added to DNS
  • ✅ DMARC policy set (start with p=none)
  • ✅ All sending services included in SPF
  • ✅ Tested with verification tools
  • ✅ Monitoring DMARC reports