Email authentication is a set of DNS-based standards that prove an email really came from the domain it claims. Three records do the work: SPF lists allowed sending servers, DKIM signs messages cryptographically, and DMARC tells receivers what to do when a check fails. Together they block spoofing and protect deliverability.
How does email authentication work?
Receiving mail servers run automatic checks the moment a message arrives. They look up your domain's DNS records and compare them against the incoming email. If the sending server, signature, and alignment match your published records, the message passes. If not, the receiver can quarantine or reject it based on your policy.
None of this changes the message body a human reads. The checks happen during the SMTP conversation and inside the email headers. A spoofed message can look perfect on screen and still fail authentication behind the scenes. Each of the three records verifies a different part of that handshake, and a receiver weighs all three before deciding where the message lands.
SPF: which servers may send for your domain
SPF, the Sender Policy Framework, is a DNS TXT record listing the IP addresses and services allowed to send email for your domain. When a message arrives, the receiver checks the sending server's IP against that list. A listed server passes. An unlisted one fails. Keep the record accurate as you add tools like a CRM or a newsletter platform.
SPF has a real limit. It checks the hidden envelope sender, not the From address your recipient actually reads. It also breaks on forwarding, because the forwarding server is not on your list. SPF alone cannot stop a spoofer who fakes your visible From address, which is exactly why DKIM and DMARC exist alongside it.
DKIM: a signature on every message
DKIM, DomainKeys Identified Mail, attaches a cryptographic signature to the header of each outgoing message. Your sending server signs with a private key. You publish the matching public key in DNS. The receiver fetches that public key and confirms the signature is valid and the signed parts were not altered on the way.
Because DKIM signs content rather than the connection, it survives forwarding far better than SPF. Change a signed field and the signature breaks. A passing DKIM result proves two things at once: the message came from a server holding your private key, and nobody tampered with the parts that were signed.
DMARC: the policy that ties it together
DMARC, Domain-based Message Authentication, Reporting and Conformance, is the record that issues instructions. It demands that SPF or DKIM not only pass but also align with the visible From domain. Then it tells receivers how to handle failures: take no action, quarantine to the spam folder, or reject the message before it is delivered.
DMARC also reports back. Aggregate reports name every source sending mail as your domain, including forgotten services and outright impersonators. Start at p=none to watch traffic without blocking anything. Once your legitimate senders pass and align, tighten the policy to quarantine, then to reject. That progression is how you shut the door on spoofing without dropping real mail.
How do SPF, DKIM, and DMARC work together?
Each record covers a gap the others leave open. SPF authorizes servers. DKIM verifies the message was not changed. DMARC enforces alignment with the From address and sets the failure policy. A message needs only one of SPF or DKIM to pass with alignment, but publishing all three gives receivers the strongest signal that you are legitimate.
| Record | What it checks | Published as | Main weakness |
|---|---|---|---|
| SPF | The sending server's IP address | DNS TXT record | Breaks on forwarding |
| DKIM | A cryptographic signature on the message | DNS TXT record with a public key | Needs careful key management |
| DMARC | Alignment plus a failure policy | DNS TXT record at _dmarc | Only works once SPF or DKIM is set up |
Think of it as three layers. SPF answers where a message may come from. DKIM answers whether it stayed intact. DMARC answers what to do when the first two disagree with the From address. Miss one layer and you leave a gap a determined spoofer can walk straight through.
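
How a receiver combines the three results, as an added example (not code from this page or from any mail server). It is simplified: `org_domain()` approximates the organizational domain with the last two labels where real receivers use the Public Suffix List, the `sp` and `pct` tags are ignored, and all domains and records are constructed.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict with RFC 7489 alignment defaults."""
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, v in (part.split("=", 1) for part in record.split(";") if "=" in part)
    )
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("aspf", "r")   # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict: the two domains must match exactly
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, header_from, spf, dkim):
    """spf: (result, envelope_domain); dkim: list of (result, d= domain).
    Returns 'pass', or the published policy when nothing passes with alignment."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], header_from, tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, header_from, tags["adkim"])
                  for r, d in dkim)
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"  # constructed

# SPF passes for the sender's own envelope domain, but the visible From is
# example.com and nothing aligns with it, so the policy applies.
spoofed = evaluate(RECORD, "example.com", ("pass", "mailer.example.net"), [])

# Forwarded mail: SPF fails at the forwarder, the aligned DKIM signature survives.
forwarded = evaluate(RECORD, "example.com", ("fail", "example.com"),
                     [("pass", "mail.example.com")])

# A platform signing with its own d= domain passes DKIM but is not aligned.
misaligned = evaluate("v=DMARC1; p=quarantine; adkim=s", "example.com",
                      ("fail", "bounce.esp.example"), [("pass", "esp.example")])
```
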
Authentication proves who is sending. It says nothing about whether the addresses on your list are real. Clean the list first. The free tool on this site, the Free Email Verifier, flags invalid, duplicate, and disposable addresses right in the browser before you hit send, and your CSV never leaves your machine. If you would rather hand off pipeline entirely, Synthisia runs done-for-you lead sourcing and outreach on top of that same hygiene.
Why email authentication affects deliverability
Mailbox providers treat authentication as a core trust signal. Gmail and Yahoo now require SPF, DKIM, and DMARC from bulk senders. Miss those checks and your mail slides into spam or gets rejected at the door. Pass them and you protect your domain reputation, your inbox placement, and your brand against anyone spoofing your name.
Records alone will not save a bad list. Authenticated mail sent to dead addresses and spam traps still wrecks your reputation, because providers watch bounce and complaint rates just as closely. Keep hard bounces under 2% and verify addresses before the first send. Authentication and list hygiene are two halves of the same deliverability job.
How do you set up email authentication?
Publish three DNS TXT records and monitor the results. Start with SPF listing your senders, add DKIM keys from each sending platform, then add a DMARC record set to p=none. Watch the reports for a few weeks, confirm your real mail passes and aligns, and only then raise the DMARC policy to quarantine or reject.
- Publish an SPF TXT record that lists every service allowed to send for your domain.
- Enable DKIM on each sending platform and add the public key each one gives you to DNS.
- Add a DMARC record at _dmarc.yourdomain.com starting with p=none and a reporting address.
- Read the aggregate reports and find every legitimate sender that is failing or misaligned.
- Fix those senders, then raise DMARC to p=quarantine, and finally to p=reject.
Once all three pass and align, run a quick verification pass on your list before each campaign. Authenticated mail sent to a clean list is the combination that reliably reaches the inbox.