Email Authentication Helps Receiving Servers Make Decisions
SPF, DKIM, and DMARC are DNS-based technologies that help receiving mail systems evaluate whether a message is authorized and whether the visible sender matches the authenticated domain.
SPF
SPF lists servers allowed to send mail for a domain. The receiving server compares the sending IP address with the SPF policy.
A domain should normally publish one SPF record. Multiple separate SPF records can create a permanent error.
DKIM
DKIM adds a digital signature to outgoing messages. The receiving system uses a public key stored in DNS to verify that the signed parts of the message were not changed after signing.
DMARC
DMARC tells receiving servers what to do when SPF or DKIM checks fail and alignment requirements are not met. Policies can monitor, quarantine, or reject messages.
Start With Monitoring
Organizations often begin with a DMARC policy of none while collecting reports. This helps identify legitimate services before moving to stricter enforcement.
Common Problems
- Old services are missing from SPF.
- SPF exceeds lookup limits.
- DKIM signing is not enabled.
- The visible From domain does not align.
- DMARC is set to reject before legitimate senders are identified.
Authentication Does Not Guarantee Delivery
These records improve trust, but reputation, message content, sending patterns, complaints, and list quality still affect delivery.