DKIM, DMARC, and SPF Explained: Email Authentication Guide
Email authentication is not optional in 2026. Google and Yahoo now require SPF, DKIM, and DMARC for bulk senders. Without them, your emails go to spam — or get rejected entirely.
This guide explains each protocol clearly, shows you what the DNS records look like, and tells you exactly how to set them up.
Why Email Authentication Exists
Email was designed in the 1970s with no verification. Anyone can send an email claiming to be anyone — a problem that enabled decades of phishing and spam.
The three authentication protocols — SPF, DKIM, and DMARC — were created to fix this at the DNS level. Together they form a chain of trust that lets receiving servers verify your email is genuine.
SPF: Sender Policy Framework
What it does: SPF publishes a list of IP addresses and services authorized to send email for your domain. When a receiving server gets an email from your domain, it checks your SPF record to see if the sending IP is on the list.
How to set it up: Add a TXT record to your domain's DNS:
v=spf1 include:spf.misarmail.io ~all
Key parts:
- v=spf1 — declares this is an SPF record
- include:spf.misarmail.io — authorizes MisarMail's sending IPs
- ~all — soft fail for any IP not listed (use -all for hard fail once you are confident)
SPF limitations: SPF only checks the "envelope from" address (the technical return-path), not the "From:" address visible to recipients. This is why DKIM and DMARC are also needed.
DKIM: DomainKeys Identified Mail
What it does: DKIM adds a cryptographic signature to every email you send. The signature is generated using a private key that only you hold. The corresponding public key is published in your DNS. Receiving servers verify the signature to confirm the email was sent by you and was not modified in transit.
How to set it up: MisarMail generates your DKIM key pair and tells you exactly what DNS record to add:
mail._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."
Why it matters: DKIM survives email forwarding (unlike SPF, which fails when email is forwarded). It is the most reliable authentication signal for inbox placement.
DMARC: Domain-based Message Authentication
What it does: DMARC ties SPF and DKIM together. It tells receiving servers what to do when an email fails SPF or DKIM checks — and sends you reports about who is sending email using your domain.
How to set it up: Add a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; fo=1
Policy levels:
- p=none — monitor only, do not block anything (start here)
- p=quarantine — send failing emails to spam
- p=reject — block failing emails entirely (gold standard for anti-phishing)
Migration path: Start with p=none and monitor reports for 2–4 weeks. Fix any legitimate sending sources that are failing. Then advance to p=quarantine, monitor again, then move to p=reject.
DMARC Alignment
For DMARC to pass, either SPF or DKIM must align — meaning the authenticated domain must match the "From:" domain visible to recipients.
- SPF alignment: the Return-Path domain matches the From domain
- DKIM alignment: the d= value in the DKIM signature matches the From domain
This is what prevents phishers from passing SPF checks on their own domain while using your domain in the visible From address.
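To make the alignment rule concrete, here is an added Python example (not MisarMail's code) that evaluates DMARC the way a receiving server would from its SPF and DKIM results. It goes slightly beyond the text by honoring the optional aspf/adkim tags, which select relaxed (organizational-domain) or strict (exact) matching; the organizational-domain helper is a simplification that ignores the Public Suffix List, and the scenarios are constructed.

```python
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; rua=...' into tag=value pairs."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption: a real
    validator consults the Public Suffix List so that e.g. example.co.uk is handled)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed mode ('r', the default) accepts an organizational-domain match;
    strict mode ('s') requires the authenticated domain to equal the From domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record: str, from_domain: str, spf_result: str, mailfrom_domain: str,
                   dkim_result: str, dkim_d: str) -> dict:
    """Decide DMARC for one message. DMARC passes when at least one of SPF or DKIM
    both passed AND is aligned with the visible From domain; otherwise the
    record's p= policy is the action the receiver should take."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "action": "deliver" if passed else tags.get("p", "none")}


if __name__ == "__main__":
    # Constructed scenario: the guide's record, advanced to p=reject.
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; fo=1"
    # Spoofed From: SPF passes for the sender's own envelope domain, but nothing
    # aligns with the visible yourdomain.com, so the receiver rejects.
    print(dmarc_evaluate(policy, "yourdomain.com", "pass", "phisher.example", "none", ""))
    # Forwarded legitimate mail: SPF breaks at the forwarder, DKIM d=yourdomain.com survives.
    print(dmarc_evaluate(policy, "yourdomain.com", "fail", "yourdomain.com", "pass", "yourdomain.com"))
```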
BIMI: The Next Step
Brand Indicators for Message Identification (BIMI) is an emerging standard that displays your brand logo in the inbox when DMARC is at p=quarantine or p=reject. Supported by Gmail, Outlook, Yahoo, and Apple Mail.
BIMI requires a verified mark certificate (VMC) from a commercial authority (DigiCert, Entrust). It is optional but provides strong brand recognition and trust signals in the inbox.
Checklist: Email Authentication Setup
- SPF record published for your sending domain
- DKIM keys generated and DNS record added
- DMARC at p=none monitoring
- DMARC reports being received and reviewed
- DMARC advanced to p=quarantine after 30 days clean
- DMARC advanced to p=reject after 30 days at quarantine
- (Optional) BIMI record with VMC for logo display
MisarMail's authentication setup wizard walks you through every step with one-click DNS record generation.