SPF, DKIM & DMARC: The Complete Guide for 2025

Why Email Authentication Matters

In February 2024, Google and Yahoo began enforcing strict authentication requirements for anyone sending more than 5,000 emails per day. If your domain isn't properly configured with SPF, DKIM, and DMARC, your emails will be rejected outright — not even filtered to spam, but bounced.

SPF (Sender Policy Framework)

SPF lets you declare which mail servers are authorized to send email on behalf of your domain. It works through a DNS TXT record that receiving servers check during the SMTP transaction.

Setting Up SPF

Add a TXT record to your domain's DNS with the following format:

v=spf1 include:_spf.google.com include:sendgrid.net -all

The include: mechanism delegates authorization to another domain's SPF record. The -all at the end means "reject everything not explicitly allowed."

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. The receiving server verifies this signature against a public key published in your DNS, proving the message wasn't tampered with in transit.

How DKIM Works

Your email service generates a public/private key pair. The private key signs a hash of selected headers and the body. The public key is published as a DNS TXT record under a selector subdomain.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also enables reporting so you can monitor authentication results across all your sending sources.

DMARC Policy Levels

Start with p=none to monitor, then progress to p=quarantine, and finally p=reject once you're confident all legitimate sources are authenticated.

Putting It All Together

Authentication is a prerequisite, not a guarantee of inbox placement. But without it, you're fighting with one hand tied behind your back. Set up all three protocols, monitor your DMARC reports, and iterate.