Mailsflux
Deliverability · March 14, 2026 · 11 min read

SPF, DKIM, and DMARC: The Complete Guide for 2026

Email authentication is no longer optional. Since Google and Yahoo's 2024 sender requirements, SPF, DKIM, and DMARC are mandatory for bulk senders — and getting them wrong is the most common reason legitimate email ends up in spam. This guide explains what each protocol actually does and how to configure all three correctly.

Why Authentication Matters

Email was designed in an era with no built-in sender verification. Anyone can send an email claiming to be from any address. SPF, DKIM, and DMARC are the three-layer system that ISPs use to verify that email claiming to come from your domain was actually authorized by you.

Without proper authentication, your email looks suspicious to filtering algorithms — even if your content is legitimate. With it, you establish a track record of authenticated sends that ISPs can use to build trust in your domain.

SPF — Sender Policy Framework

SPF is a DNS TXT record that lists the IP addresses and services authorized to send email on behalf of your domain. When a receiving mail server gets a message from you, it checks whether the sending IP is in your SPF record.

A basic SPF record looks like:

v=spf1 include:mailsflux.net ~all

The ~all (soft fail) vs -all (hard fail) distinction matters. Use -all for maximum strictness once you're confident you've listed all legitimate senders. Use ~all while you're still auditing your email sources.

Common SPF mistake: exceeding 10 DNS lookups. Each include: directive triggers a DNS lookup, and the SPF spec allows a maximum of 10. Chains of include: statements from multiple email services can silently exceed this limit, causing SPF to fail.
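
The lookup limit can be checked before a record is published. The following is an added example, not code from the original post or from Mailsflux: it counts the DNS-querying terms across an SPF record tree, and goes beyond include: to the other terms RFC 7208 counts toward the limit (a, mx, ptr, exists, redirect=). The zone data and the get_txt resolver callback are constructed for illustration.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed sample zone (not real DNS answers): domain -> SPF TXT record.
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.esp.example "
                   "include:_spf.crm.example include:_spf.desk.example ~all",
    "_spf.esp.example": "v=spf1 include:_n1.esp.example "
                        "include:_n2.esp.example include:_n3.esp.example ~all",
    "_spf.crm.example": "v=spf1 a:mail.crm.example include:_n1.crm.example ~all",
    "_spf.desk.example": "v=spf1 include:_n1.desk.example "
                         "exists:%{i}.rbl.desk.example ~all",
}
# Leaf records contain only ip4 ranges, which cost no lookups.
SAMPLE_ZONE.update({leaf: "v=spf1 ip4:192.0.2.0/24 ~all" for leaf in (
    "_n1.esp.example", "_n2.esp.example", "_n3.esp.example",
    "_n1.crm.example", "_n1.desk.example")})

def count_spf_lookups(domain, get_txt, path=()):
    """Worst-case count of DNS-querying SPF terms for `domain`.

    get_txt(domain) returns the SPF TXT string or None (assumed interface).
    Every term is counted, as if no earlier mechanism had matched.
    """
    if domain in path:          # include loop: stop instead of recursing forever
        return 0
    record = get_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_spf_lookups(target, get_txt, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()           # "a/24", "mx/24" still count
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include" and target:
                total += count_spf_lookups(target, get_txt, path + (domain,))
    return total

if __name__ == "__main__":
    n = count_spf_lookups("example.com", SAMPLE_ZONE.get)
    print(f"example.com needs {n} lookups (limit {LOOKUP_LIMIT}):",
          "OVER LIMIT" if n > LOOKUP_LIMIT else "ok")
```

To run it against live records, pass a get_txt function backed by your DNS resolver in place of SAMPLE_ZONE.get.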

DKIM — DomainKeys Identified Mail

DKIM works differently from SPF. Rather than validating the sending IP, it attaches a cryptographic signature to the email header, signed with a private key that only you control. The corresponding public key is published in your DNS as a TXT record. Receiving mail servers verify the signature using your public key.

The key advantage of DKIM over SPF: the signature travels with the email. This means DKIM survives email forwarding, where SPF frequently breaks (because the forwarding server's IP isn't in your SPF record).

Key size matters: Use 2048-bit DKIM keys. Google deprecated 1024-bit keys in 2024. If you set up DKIM before 2023, check your key size — many older setups still use 1024-bit and are silently failing quality checks.

DMARC — Domain-based Message Authentication

DMARC builds on top of SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication — and critically, it asks them to report back to you about what they're seeing.

A DMARC record looks like:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

The p= tag sets the policy: none (monitor only), quarantine (send failures to spam), or reject (block failures entirely). The rua= tag specifies where aggregate reports are sent.

The DMARC Rollout Strategy

Don't jump straight to p=reject. A staged approach prevents accidental blocking of legitimate mail:

  • Week 1–2: p=none. Monitor only. Review aggregate reports to identify all sources sending email as your domain.
  • Week 3–4: p=quarantine, pct=10. Apply quarantine to 10% of failing mail. Monitor for false positives.
  • Week 5–6: p=quarantine, pct=100. Full quarantine on failures. Fix any remaining SPF/DKIM gaps.
  • Week 7+: p=reject. Maximum protection. Unauthenticated mail claiming to be from your domain is rejected outright.

Reading DMARC Reports

DMARC aggregate reports (RUA) arrive as XML files, which are readable but not human-friendly in raw form. Use a DMARC report analyzer to make sense of them. Key things to look for:

  • Unknown sources sending as your domain (potential phishing or misconfigured services)
  • SPF pass rate by source — low rates indicate missing include: statements
  • DKIM pass rate — failures usually indicate key misconfiguration or email modification in transit

The Mailsflux Setup Flow

Mailsflux's dashboard includes a step-by-step DNS configuration wizard that generates the exact records you need for your domain, validates them in real time, and surfaces a compliance score. Most customers complete SPF, DKIM, and DMARC setup in under 10 minutes.

We also run a continuous authentication health check on all sending domains — if something changes in your DNS that breaks authentication, you'll receive an alert before it impacts your deliverability.


© 2026 BLOOMBERG INTELLIGENT TECHNOLOGY. All rights reserved.

Operated by BLOOMBERG INTELLIGENT TECHNOLOGY · mailsflux.net