SPF, DKIM, and DMARC Explained: Email Authentication for Deliverability
Published 2026-07-05 · Zeluto
SPF, DKIM, and DMARC are the three email authentication standards that prove your mail is really from you. Without them, mailbox providers cannot trust your messages — and increasingly, they will not deliver them.
SPF (Sender Policy Framework)
SPF is a DNS record that lists which servers are allowed to send email for your domain. When a message arrives, the receiving server checks whether it came from an authorized source. It answers the question: "is this server allowed to send as this domain?"
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each message, tied to a public key in your DNS. The receiver verifies the signature to confirm the message was not altered in transit and genuinely came from your domain.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receivers what to do when a message fails — nothing, quarantine, or reject. Crucially, it checks alignment: that the domain SPF or DKIM authenticated matches the visible From address. That is what stops a spoofer from passing SPF on their own domain while forging yours. It also sends you reports on who is sending mail as your domain, so you can spot abuse.
Why you need all three
SPF alone breaks when mail is forwarded; DKIM alone does not say what to do on failure. Together they give receivers a clear, trustworthy signal, and since 2024, Gmail and Yahoo require bulk senders to have a DMARC record published. Start it at "p=none" to monitor, then tighten to "quarantine" or "reject" once you have confirmed your legitimate mail passes.
Getting it right
Publish all three for your sending domain, start DMARC in monitoring mode, review the reports, then tighten the policy. A platform that verifies these for you removes the guesswork.
Zeluto checks SPF, DKIM, and DMARC health on your dedicated sending domains — see email deliverability, or read how to improve email deliverability.