Email β’ Deliverability
Email Authentication Explained: SPF, DKIM, DMARC β Why They Matter
Email authentication protects domains from impersonation and improves deliverability. The three pillars β SPF, DKIM, and DMARC β work together to help receivers decide whether a message is legitimate.
SPF β who can send email for your domain?
SPF is a DNS TXT record that lists authorized sending IPs or include mechanisms for third-party senders. Example:
v=spf1 include:sendgrid.net include:mailgun.org ~allUse ~all (softfail) when testing, then move to -all (hard fail) once youβre confident.
DKIM β sign messages cryptographically
DKIM signs emails with a private key; the public key goes in DNS. If a message is altered in transit, DKIM signatures fail and receivers can mark the message as suspicious.
DMARC β policy and reporting
DMARC tells receivers what to do when SPF and DKIM donβt align. Start with p=none to collect reports, then move to quarantine or reject as you gain confidence.
Quick deployment checklist
- Publish an SPF TXT record with all senders.
- Enable DKIM signing on your SMTP provider and publish the public key.
- Deploy DMARC with
p=none; rua=mailto:dmarc-reports@yourdomain.comand monitor reports. - Gradually increase DMARC enforcement after fixing issues.
