SenderKit

Email authentication: SPF, DKIM, DMARC, and BIMI

SPF, DKIM, and DMARC are the three DNS records that prove your mail is really yours. Get them right and your email reaches the inbox; get them wrong (or skip them) and it lands in spam — or anyone can spoof your domain. Here’s what each one does and how to set it up.

What email authentication is

Email authentication is a set of DNS-based standards that let a receiving server answer one question: did this message really come from the domain it claims to? Without it, anyone can put your domain in the From address. With it, receivers can verify the sender and detect tampering — which is why it’s the foundation of both deliverability and anti-spoofing.

There are three core pieces — SPF, DKIM, and DMARC — plus BIMI, which builds on top to show your logo. You want all three core records in place.

SPF — who is allowed to send

SPF (Sender Policy Framework) is a DNS TXT record listing the servers allowed to send mail for your domain. A receiver looks it up and checks whether the connecting server is on the list.

TXT @ (domain root)
v=spf1 include:amazonses.com include:_spf.google.com -all

The catch: SPF allows a maximum of 10 DNS lookups, and it doesn’t survive forwarding — which is exactly why DKIM and DMARC exist alongside it. Build a valid record with the SPF record generator.
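The 10-lookup limit applies to the whole evaluation, so lookups inside every record you include count against it too. The following added example (not SenderKit's code) totals the worst-case lookups for a record using a constructed in-memory zone in place of live DNS; the `.example` names, the `over.example` record and the function names are assumptions made for illustration.

```python
import re

# Constructed sample zone: TXT records keyed by name (illustrative, not real DNS data).
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example include:_spf.crm.example mx -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mailer.example": "v=spf1 ip4:198.51.100.0/24 a:out.mailer.example ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.allow.crm.example ~all",
    "over.example": "v=spf1 include:example.com a mx include:_spf.crm.example ptr -all",
}

# Terms that each cost one DNS query under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)


def count_lookups(domain, zone, path=()):
    """Worst-case DNS lookups needed to evaluate the SPF record at `domain`."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # nothing published; the include that led here was already counted
    total = 0
    for term in record.split()[1:]:
        match = TERM_RE.match(term)
        if not match or match.group(1).lower() not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all need no DNS query
        name, target = match.group(1).lower(), match.group(2)
        total += 1
        if name in ("include", "redirect") and target:
            # The referenced record's own lookups count against the same limit.
            total += count_lookups(target.lower(), zone, path + (domain,))
    return total


def check_spf(domain, zone=SAMPLE_ZONE):
    """Return (lookups, within_limit) for the record published at `domain`."""
    lookups = count_lookups(domain, zone)
    return lookups, lookups <= LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("example.com", "over.example"):
        print(name, check_spf(name))
```

The first record looks short but already costs 7 lookups once its includes are expanded; the second reaches 13 and would fail evaluation at receivers that enforce the limit.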

DKIM — proof the message wasn't altered

DKIM (DomainKeys Identified Mail) signs each outgoing message with a private key. The matching public key is published in DNS, so receivers can verify the signature — proving the message genuinely came from your domain and wasn’t changed in transit.

TXT s1._domainkey
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

Generate a keypair and the matching record with the DKIM record generator — the private key is created in your browser and never sent anywhere.

DMARC — the policy that ties it together

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer. It requires SPF or DKIM to not only pass but align with your From domain, tells receivers what to do when a message fails (none, quarantine, or reject), and sends you reports about who’s sending as you.

TXT _dmarc
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

Always start at p=none with a reporting address, watch the reports, then escalate to quarantine and reject. Build it with the DMARC record generator.
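The pass-and-align rule is easiest to see by running it. The following added example (not SenderKit's code, and not any receiver's actual implementation) evaluates DMARC for messages whose SPF and DKIM results are already known; the `ENFORCE` record, the sample results, the function names and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
# Record from the guide, plus a constructed enforcing record with strict alignment.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCE = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of tags; the v=DMARC1 tag is mandatory."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    tags = {key.strip().lower(): value.strip() for key, _, value in parts}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers derive it from the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' is strict (exact match); 'r' is relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf, dkim):
    """spf is (result, MAIL FROM domain), dkim is (result, d= domain), as the receiver
    computed them. Returns (dmarc_result, requested_action)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough
    return "fail", tags.get("p", "none")


# Constructed cases: (spf, dkim) results for mail with From: example.com.
DIRECT = (("pass", "bounce.example.com"), ("pass", "example.com"))
FORWARDED = (("fail", "example.com"), ("pass", "example.com"))  # SPF broke in forwarding
UNALIGNED = (("pass", "other.example"), ("none", ""))  # SPF passes for another domain

if __name__ == "__main__":
    for label, (spf, dkim) in [("direct", DIRECT), ("forwarded", FORWARDED), ("unaligned", UNALIGNED)]:
        print(label, evaluate(MONITOR, "example.com", spf, dkim), evaluate(ENFORCE, "example.com", spf, dkim))
```

The unaligned case is the one to watch for in reports: SPF passes, but for a domain unrelated to the From address, so DMARC fails and only the published policy decides what happens to the message.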

BIMI — your logo in the inbox

BIMI (Brand Indicators for Message Identification) is the optional fourth piece: once you’re at DMARC enforcement, it lets your brand logo appear next to your messages. It needs an SVG logo over HTTPS and, for Gmail and Apple Mail, a paid Verified Mark Certificate. Build the record with the BIMI record generator.

The Gmail & Yahoo sender requirements

Since February 2024, Gmail and Yahoo require anyone sending in volume to authenticate with all three — SPF, DKIM, and DMARC — and bulk senders must also keep spam complaints low and support one-click unsubscribe. Below those thresholds the rules are softer, but the same authentication is still what keeps you out of spam.

In short: SPF, DKIM, and DMARC aren’t optional any more. They’re the price of entry.

How to set it up, in order

  1. Publish an SPF record listing every service that sends for you, ending in ~all while you confirm it, then -all.
  2. Add DKIM signing and publish the public key, so messages are signed and verifiable.
  3. Publish a DMARC record at p=none with a rua address and read the reports.
  4. Once your legitimate mail passes and aligns, move DMARC to quarantine, then reject. Add BIMI last if you want your logo shown.

Frequently asked questions

What is email authentication?

Email authentication is a set of DNS-based standards — SPF, DKIM, and DMARC — that let receiving mail servers verify a message really came from your domain and wasn't spoofed or altered. It's the foundation of deliverability and anti-spoofing.

Do I need SPF, DKIM, and DMARC?

Yes — all three. Since February 2024, Gmail and Yahoo require SPF, DKIM, and a DMARC record for anyone sending in volume. Even below those thresholds, having all three is what keeps legitimate mail out of spam and stops others spoofing your domain.

What is the difference between SPF, DKIM, and DMARC?

SPF lists which servers may send for your domain. DKIM cryptographically signs each message so receivers can verify it wasn't changed. DMARC ties the two together — it requires SPF or DKIM to pass and align with your From domain, and tells receivers what to do (and where to report) when they don't.

What is a DMARC record?

A DMARC record is a DNS TXT record at _dmarc.yourdomain.com that sets your enforcement policy (none, quarantine, or reject) and the address where pass/fail reports are sent. Start at p=none with reporting, then escalate once your legitimate mail passes.
