
SPF, DKIM, and DMARC: The Complete Email Authentication Guide (2026)

    SPF, DKIM, and DMARC are no longer optional in 2026. Google and Yahoo made them mandatory for bulk senders in February 2024. Microsoft followed in May 2025. As of June 2026, 69.2% of domains worldwide still have no effective DMARC protection (DmarcDkim.com, June 2026), and those domains are getting filtered, throttled, or rejected by the three largest email providers on the planet.

    If you have ever wondered why your emails land in spam despite having good content and a clean list, missing or misconfigured authentication records are the most likely cause. Authentication issues account for roughly 25% of total spam filter scoring weight and they are evaluated before your content is even read.

    This guide explains exactly what SPF, DKIM, and DMARC do, how to set each one up step by step, how to verify your records are working, and how to move from monitoring to full enforcement without breaking your email flow. Every example in this guide uses real DNS record syntax you can copy directly.

    • 69.2% of domains have no effective DMARC protection
    • 52.1%: DMARC adoption rate globally (up from 27.2% in 2023)
    • 11.2% of domains have full p=reject enforcement
    • $2.77B: BEC losses in 2024 that DMARC helps prevent (FBI IC3)

    What Are SPF, DKIM, and DMARC?

    SPF, DKIM, and DMARC are three DNS-based email authentication protocols that work together to verify that an email actually comes from the domain it claims to come from. They are not redundant: each one solves a different part of the authentication problem.

    The 3 email authentication protocols and what each one does

    • SPF (Sender Policy Framework): lists which IP addresses are authorised to send email for your domain. Think: the guest list.
    • DKIM (DomainKeys Identified Mail): cryptographic signature that proves the email was not tampered with in transit. Think: the wax seal.
    • DMARC (Domain-Based Auth + Reporting): policy layer that tells receivers what to do when SPF or DKIM fails. Sends you reports. Think: the bouncer.

    SPF authenticates the sending IP. DKIM authenticates the message content. DMARC enforces the policy and reports on failures.

    The three protocols are complementary, not interchangeable. SPF can be bypassed through email forwarding. DKIM survives forwarding but does not authenticate the sending server. DMARC ties them together with a policy and provides visibility into who is sending on your behalf. You need all three for complete protection.

    Why SPF, DKIM, and DMARC Are Mandatory in 2026

    For most of their existence, SPF, DKIM, and DMARC were best-practice recommendations. Between February 2024 and May 2025, that changed permanently.

    Provider | Enforcement date | Requirement | Consequence of non-compliance
    Gmail (Google) | Feb 2024, stricter Nov 2025 | SPF + DKIM + DMARC (p=none min) | Throttling then rejection for bulk senders
    Yahoo | Feb 2024 | SPF + DKIM + DMARC (p=none min) | Rejection for bulk senders
    Microsoft (Outlook) | May 2025 | SPF + DKIM + DMARC | Routed to junk, then rejected
    What "bulk sender" means: Google and Yahoo define it as 5,000 or more emails per day to their users. Microsoft has not published a specific threshold. In practice, any cold email or marketing operation sending regularly should treat these requirements as universal regardless of volume.

    The impact has been dramatic. The EasyDMARC 2026 DMARC Adoption Report recorded a 79% growth in valid DMARC records between 2023 and 2026. Proofpoint's telemetry, covering 2.8 trillion emails across 230,000 organizations, flagged 2024 to 2025 as the fastest improvement in email authentication adoption it has ever measured. Despite this, 69.2% of domains still lack effective DMARC protection as of June 2026 (DmarcDkim.com), meaning the gap between compliant and non-compliant senders has never been larger.

    SPF vs DKIM vs DMARC: Key Differences

    A common question before setup: do you need all three, or will one or two suffice? The short answer is that all three serve different purposes and none can fully replace the others.

    Feature | SPF | DKIM | DMARC
    What it authenticates | The sending IP address | The message content and sender domain | Policy + alignment of SPF and DKIM
    Survives forwarding | No | Yes | Depends on which passes
    Protects against spoofing | Partial | Partial | Yes (at p=reject)
    Provides reporting | No | No | Yes (rua= and ruf=)
    Required by Gmail/Yahoo | Yes | Yes | Yes (p=none min)
    DNS record location | yourdomain.com (TXT) | selector._domainkey.yourdomain.com (TXT) | _dmarc.yourdomain.com (TXT)
    Configured by | You (domain owner) | Your ESP or email provider | You (domain owner)
    The dependency chain: DMARC depends on SPF and DKIM. Without at least one of them passing and aligning, DMARC has nothing to enforce. Set up SPF and DKIM first, verify they pass, then add DMARC on top.

    SPF: Setup, Syntax, and Common Mistakes

    What SPF does

    SPF (Sender Policy Framework) is a DNS TXT record that lists every IP address and service authorised to send email on behalf of your domain. When an email arrives, the receiving server checks whether the sending IP is on your SPF list. If it is not, the email fails SPF.

    Example SPF record (DNS TXT record)

    ; Published at: yourdomain.com (DNS TXT record)
    v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ip4:203.0.113.10 ~all

    v=spf1 declares the SPF version. include: authorises third-party senders. ip4: authorises a specific IP. ~all is a soft fail for anything not listed (use -all for hard fail once fully configured).

    How to set up SPF step by step

    1. List every service that sends email for your domain
       Include your email provider (Google Workspace, Microsoft 365), your ESP (Mailchimp, SendGrid, HubSpot), any CRM that sends email, your transactional email service (Postmark, Mailgun), and any other tool. Every service you miss will cause SPF failures.
    2. Get the SPF include string for each service
       Every major sending service publishes its SPF include string in its documentation. Common examples: Google Workspace uses include:_spf.google.com, SendGrid uses include:sendgrid.net, Mailchimp uses include:servers.mcsv.net.
    3. Build your SPF record
       Combine all includes into a single TXT record starting with v=spf1. End with ~all (soft fail) while testing. Switch to -all (hard fail) once you are confident all sending sources are listed. Never create more than one SPF record for the same domain.
    4. Publish in your DNS
       Add the record as a TXT record at the root of your domain (@ or blank host field). DNS propagation takes up to 48 hours but is usually complete within a few hours.
    5. Verify with MXToolbox
       Go to mxtoolbox.com/spf.aspx, enter your domain, and confirm the record is found and passes validation. Check that all your sending services appear in the lookup results.
    The SPF 10-lookup limit: SPF records are limited to 10 DNS lookups during evaluation. Every include: tag counts as one lookup, and some includes trigger further lookups. Exceeding 10 causes SPF to return a PermError, which is treated as a fail. If you send from many services, use an SPF flattening tool to stay within the limit.
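
    The lookup limit and the one-record rule can be checked before publishing. The following is an added example, not code from this guide or from MXToolbox: it walks include: and redirect= chains and counts every lookup-costing term. The ZONE dictionary is constructed sample data standing in for live DNS, and all .test names are placeholders.

```python
import re

# Constructed sample data standing in for live DNS TXT answers (not real zones).
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:esp.test mx ip4:203.0.113.10 ~all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "esp.test": ["v=spf1 ip4:203.0.113.0/25 ~all"],
    # Two SPF records on one name: the "multiple SPF records" mistake.
    "dup.test": ["v=spf1 include:esp.test ~all", "v=spf1 ip4:203.0.113.9 -all"],
}
# A sender with eleven third-party includes, one over the limit.
ZONE.update({f"s{i}.test": [f"v=spf1 ip4:192.0.2.{i} ~all"] for i in range(11)})
ZONE["heavy.test"] = ["v=spf1 " + " ".join(f"include:s{i}.test" for i in range(11)) + " ~all"]

LOOKUP_LIMIT = 10
# Mechanisms that cost one DNS lookup each; the redirect= modifier also counts.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


class SpfPermError(Exception):
    """Raised for conditions a receiver reports as SPF PermError."""


def spf_records(domain, zone):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, chain=()):
    """Recursively count lookup-costing terms reachable from `domain`."""
    if domain in chain:
        raise SpfPermError(f"include loop at {domain}")
    records = spf_records(domain, zone)
    if len(records) > 1:
        raise SpfPermError(f"{len(records)} SPF records at {domain}")
    if not records:
        return 0  # nothing published here; this sketch counts it as zero
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, chain + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], zone, chain + (domain,))
    return total


def lint_spf(domain, zone=ZONE):
    """Return (status, detail) the way a pre-publication check would."""
    try:
        lookups = count_lookups(domain, zone)
    except SpfPermError as exc:
        return ("permerror", str(exc))
    if lookups > LOOKUP_LIMIT:
        return ("permerror", f"{lookups} lookups exceeds limit of {LOOKUP_LIMIT}")
    return ("ok", f"{lookups} lookups")


if __name__ == "__main__":
    for name in ("example.test", "dup.test", "heavy.test"):
        print(name, lint_spf(name))
```

    Note that the nested includes inside _spf.mail.test count toward the same budget as the top-level record, which is how a record with only a handful of visible includes can still exceed the limit.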

    DKIM: Setup, Key Generation, and Verification

    What DKIM does

    DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The signature is generated using a private key stored on your sending server. The corresponding public key is published in your DNS. When a receiving server gets your email, it retrieves the public key from your DNS and uses it to verify that the signature is valid and that the message body has not been modified in transit.

    Unlike SPF, DKIM survives email forwarding because it is tied to the message content rather than the sending IP. This makes it the more reliable of the two authentication methods and the one DMARC alignment depends on most heavily.

    Example DKIM DNS record (DNS TXT record)

    ; Published at: google._domainkey.yourdomain.com
    v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

    ; The selector "google" identifies which key to use.
    ; p= is your base64-encoded public key.

    The record is published at selector._domainkey.yourdomain.com. The selector is defined by your email provider and allows multiple DKIM keys to coexist on one domain (one per sending service).

    How to set up DKIM

    DKIM setup is done through your email provider or ESP, not manually. Most providers generate the key pair for you and give you the DNS record to publish.

    Provider | Where to find DKIM setup | Selector format
    Google Workspace | Admin Console › Apps › Google Workspace › Gmail › Authenticate email | google
    Microsoft 365 | Microsoft 365 Defender › Email policies › DKIM | selector1, selector2
    Mailchimp | Account › Domains › Authenticate | k1, k2
    SendGrid | Settings › Sender Authentication › Domain Authentication | s1, s2
    Postmark | Sender Signatures › DKIM | pm
    Key rotation best practice: DKIM keys should be rotated at least once per year. Microsoft 365 does this automatically with its two-selector system (selector1 and selector2). For other providers, check your documentation for key rotation procedures. A compromised DKIM key can be used to forge email signatures from your domain.

    DMARC: Policy Progression from p=none to p=reject

    What DMARC does

    DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that sits on top of SPF and DKIM. It tells receiving servers what to do when an email from your domain fails authentication: monitor only, quarantine it, or reject it. It also sends you aggregate and forensic reports so you can see exactly who is sending email using your domain.

    Example DMARC record (DNS TXT record)

    ; Published at: _dmarc.yourdomain.com
    v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1

    p= is the policy (none, quarantine, or reject). pct= is the percentage of failing messages the policy applies to. rua= receives aggregate reports. ruf= receives forensic reports. fo=1 generates reports when either SPF or DKIM fails.

    The 3 DMARC policies explained

    DMARC policy progression: safe deployment path

    • p=none (monitor only): emails delivered normally. Reports sent to rua address. Start here. Run 2-4 weeks.
    • p=quarantine (failing emails go to spam): failing messages routed to spam folder, not rejected. Move here after 4-6 weeks.
    • p=reject (full enforcement): failing messages rejected outright. Maximum protection. Target destination.

    Always start at p=none, move to p=quarantine after reviewing reports, then p=reject once all sending sources are aligned

    Never jump straight to p=reject: If you set p=reject without first reviewing your DMARC reports at p=none, you risk blocking legitimate email from sending services you forgot to authenticate. Start at p=none, monitor for 2 to 4 weeks, fix all misaligned sources, then move to p=quarantine, then p=reject.

    How to set up DMARC step by step

    1. Create a DMARC reporting inbox
       Create a dedicated email address for DMARC aggregate reports (e.g. dmarc@yourdomain.com). Reports arrive as XML files and can be difficult to read manually; use a free DMARC report analyzer like Dmarcian, Postmark's DMARC digests, or EasyDMARC.
    2. Publish your initial p=none record
       Add a TXT record at _dmarc.yourdomain.com with the value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1. This starts sending you reports without affecting email delivery.
    3. Review reports for 2 to 4 weeks
       Check your reports for any sending sources that are failing SPF or DKIM alignment. Common culprits: forgotten marketing tools, old SMTP servers, third-party applications. Fix each misaligned source before moving to the next policy level.
    4. Move to p=quarantine at pct=10
       Start with p=quarantine; pct=10 to apply the policy to only 10% of failing messages. Monitor for a week. If no legitimate email gets caught, increase pct gradually to 25, 50, then 100.
    5. Move to p=reject
       Once you are confident all legitimate sending sources are authenticated and aligned, change the policy to p=reject. This gives you maximum protection against domain spoofing and phishing. Only 11.2% of domains globally have reached this level as of June 2026.

    How to Read DMARC Reports

    DMARC aggregate reports (RUA) arrive as XML files sent to the address you specified in your rua= tag. They are sent by every inbox provider that processes email from your domain: Gmail, Yahoo, Outlook, and others. Each report covers a 24-hour period.

    Reading raw XML is impractical. Use a free DMARC report analyzer: Postmark's DMARC Digest (free, weekly summary by email), Dmarcian (free tier available, visual dashboard), or EasyDMARC (free tier, good for smaller volumes).

    What a DMARC aggregate report contains

    Field | What it tells you | What to look for
    source_ip | The IP address that sent email claiming to be from your domain | Unrecognised IPs could mean spoofing or a forgotten sending service
    count | Number of messages sent from this IP in the reporting period | High counts from unknown IPs are a red flag
    spf result | Pass or fail for SPF authentication | Any "fail" from a legitimate source means SPF record needs updating
    dkim result | Pass or fail for DKIM signature | Any "fail" means DKIM is not configured for that sending service
    disposition | What the receiver did with the message (none, quarantine, reject) | Should match your DMARC policy; surprises indicate misalignment
    header_from | The From domain in the email header | Should always be your domain; if not, you are being spoofed

    The 3 things to check in every DMARC report

    1. Are there any unrecognised source IPs? If you see IP addresses you do not recognise sending email from your domain, either you have a forgotten sending service or someone is attempting to spoof your domain. Investigate before advancing to p=reject.

    2. Are all your legitimate sending sources passing both SPF and DKIM? Each tool you use to send email (your ESP, CRM, helpdesk, transactional email) should appear in your reports with spf=pass or dkim=pass. Any legitimate source showing as fail needs to be fixed before you tighten your DMARC policy.

    3. Is the volume matching what you expect? If your reports show 10,000 emails sent from an IP you do not control, your domain is being actively spoofed. Set DMARC to p=reject immediately and notify your email provider.

    Report reading shortcut: Send a test email from every service that sends on your behalf (your ESP, your CRM, your transactional tool), then check the next day's DMARC report. You should see one row per service, all with spf=pass or dkim=pass. This is the fastest way to confirm your setup is complete before moving to enforcement.
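
    The three checks above can be run mechanically over a report. The following is an added example, not code from this guide or from any of the analyzers it names: it parses a constructed aggregate report and sorts each row into a triage bucket. The report contents, the KNOWN_SENDERS range, and the verdict names are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report (element names per RFC 7489, Appendix C).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.test</org_name></report_metadata>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>10000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>"""

# Assumed inventory of your own sending ranges (constructed for the example).
KNOWN_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]


def triage(report_xml, known_networks=KNOWN_SENDERS):
    """Classify every row of an aggregate report, largest volume first."""
    # Reports come from outside parties; in production use a hardened XML
    # parser (for example defusedxml) rather than the stdlib parser.
    root = ET.fromstring(report_xml)
    findings = []
    for record in root.iter("record"):
        ip = record.findtext("row/source_ip")
        # policy_evaluated holds the DMARC-aligned results, so one "pass"
        # in either field means the message passed DMARC.
        dkim = record.findtext("row/policy_evaluated/dkim")
        spf = record.findtext("row/policy_evaluated/spf")
        dmarc_pass = "pass" in (dkim, spf)
        known = any(ipaddress.ip_address(ip) in net for net in known_networks)
        if known and dmarc_pass:
            verdict = "ok"
        elif known:
            verdict = "fix-sender"            # your service, not aligned yet
        elif dmarc_pass:
            verdict = "review-forwarder-or-unlisted"  # DKIM survived a hop
        else:
            verdict = "investigate-unknown-source"    # spoofing or forgotten tool
        findings.append({
            "source_ip": ip,
            "count": int(record.findtext("row/count")),
            "header_from": record.findtext("identifiers/header_from"),
            "dkim": dkim, "spf": spf, "verdict": verdict,
        })
    return sorted(findings, key=lambda f: -f["count"])


def ready_to_tighten(findings):
    """True only when no known sender is still failing DMARC."""
    return all(f["verdict"] != "fix-sender" for f in findings)


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f'{row["count"]:>6}  {row["source_ip"]:<15} {row["verdict"]}')
```

    A row with dkim=pass and spf=fail from an IP outside your inventory is the typical signature of forwarding, which is why it lands in a review bucket rather than the investigate bucket.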

    DMARC Alignment Explained

    DMARC passes when either SPF or DKIM aligns with the domain in the "From" header of the email. Alignment is the most misunderstood concept in email authentication and the most common source of DMARC failures, even when SPF and DKIM individually pass.

    Alignment type | SPF requirement | DKIM requirement
    Relaxed (default) | The SPF domain must share the organizational domain with the From header domain (subdomains allowed) | The DKIM d= tag must share the organizational domain with the From header (subdomains allowed)
    Strict (aspf=s / adkim=s) | The SPF domain must exactly match the From header domain | The DKIM d= tag must exactly match the From header domain
    Common alignment failure scenario: You send email from mail.yourdomain.com (a subdomain) with SPF configured only for yourdomain.com. In strict mode, this fails alignment. In relaxed mode (the default), it passes because both share yourdomain.com as the organizational domain. Use relaxed alignment unless you have a specific security reason to require strict.
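
    The alignment rules in the table can be expressed as a small evaluator. The following is an added example, not code from this guide or from any mail receiver: it shows how SPF and DKIM can both pass while DMARC fails, and how relaxed and strict modes differ. PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List that real evaluators use, and all .test domains are placeholders.

```python
# Constructed stand-in for the Public Suffix List (real evaluators load the full list).
PUBLIC_SUFFIXES = {"com", "test", "co.uk"}


def organizational_domain(domain):
    """Return the public suffix plus one label, e.g. example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_verdict(header_from, spf, dkim, aspf="r", adkim="r"):
    """
    header_from: domain in the From header
    spf:  (result, return_path_domain)
    dkim: list of (result, d_tag_domain), one entry per signature
    DMARC passes if at least one mechanism both passes AND aligns.
    """
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(header_from, d, adkim) for r, d in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    # ESP left on its default domains: both checks pass, neither aligns.
    print(dmarc_verdict("example.test", ("pass", "bounce.esp-mail.test"),
                        [("pass", "esp-mail.test")]))
    # Subdomain in From, parent domain in SPF: relaxed passes, strict fails.
    print(dmarc_verdict("mail.example.test", ("pass", "example.test"), []))
    print(dmarc_verdict("mail.example.test", ("pass", "example.test"), [], aspf="s"))
    # Forwarded copy: SPF fails, the aligned DKIM signature carries DMARC.
    print(dmarc_verdict("example.test", ("fail", "example.test"),
                        [("pass", "example.test")]))
```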

    How to Verify Your SPF, DKIM, and DMARC Records

    Publishing the records is only half the job. You need to verify that they are syntactically correct, that they are actually resolving from your DNS, and that emails are passing authentication end to end.

    Check | Tool | What to confirm
    SPF record syntax | MXToolbox SPF Checker | Record found, no syntax errors, under 10 lookups
    DKIM record | MXToolbox DKIM Checker | Public key found at selector._domainkey.yourdomain.com
    DMARC record | MXToolbox DMARC Checker | Record found at _dmarc.yourdomain.com, policy visible
    End-to-end authentication | Mail-Tester.com or Google Admin Toolbox | SPF pass, DKIM pass, DMARC pass in email headers
    Gmail alignment | Google Postmaster Tools | Domain reputation High or Medium, DMARC passing
    Inbox placement | GlockApps | Above 80% inbox across major providers

    7 Common SPF, DKIM, and DMARC Mistakes

    7 common authentication mistakes in 2026

    1. Multiple SPF records on the same domain
       Only one SPF record is allowed per domain. Multiple records
       Fix: merge all includes into a single TXT record.
    2. Exceeding the SPF 10-lookup limit
       Too many includes cause a PermError, treated as a fail.
       Fix: use SPF flattening to reduce lookup count.
    3. Setting DMARC p=reject before reviewing reports
       Blocks legitimate email from unrecognised sending sources.
       Fix: always start at p=none, review reports for 4+ weeks.
    4. Not configuring DKIM for every sending service
       Each ESP needs its own DKIM key. Missing one causes failures.
       Fix: enable DKIM in every tool that sends from your domain.
    5. DMARC alignment failure despite SPF and DKIM passing
       SPF/DKIM can pass but fail DMARC if domains do not align.
       Fix: ensure the From domain matches SPF/DKIM domains.
    6. No DMARC rua reporting address
       Without rua=, you get no visibility into failures or spoofing.
       Fix: always include rua= pointing to a monitored inbox.

    The 7 most common authentication setup mistakes and how to fix each one

    Mistake 7: Forgetting subdomains. Your DMARC record at _dmarc.yourdomain.com covers your root domain and, by default in relaxed mode, your subdomains. But if you send from a completely separate subdomain like newsletter.yourdomain.com, check that SPF, DKIM, and DMARC are configured for that subdomain specifically. Use the sp= tag in your DMARC record to set a separate policy for subdomains.

    SPF, DKIM, and DMARC Setup Checklist

    SPF

    • Only one SPF TXT record published at the root domain
    • All sending services included (email provider, ESPs, CRMs, transactional email)
    • Lookup count verified below 10 (use MXToolbox SPF checker)
    • Record ends with ~all during testing, -all for full enforcement
    • SPF passes in end-to-end test (Mail-Tester.com or Google Admin Toolbox)

    DKIM

    • DKIM enabled in every service that sends email from your domain
    • Public key published in DNS at selector._domainkey.yourdomain.com for each selector
    • DKIM signature verified in email headers (check via Gmail "Show original")
    • Key rotation schedule in place (minimum once per year)
    • DKIM d= domain aligns with the From header domain

    DMARC

    • DMARC TXT record published at _dmarc.yourdomain.com
    • Started at p=none with rua= pointing to a monitored inbox
    • DMARC reports reviewed for at least 2 to 4 weeks before moving to quarantine
    • All legitimate sending sources showing as aligned in reports
    • Policy moved to p=quarantine then p=reject progressively
    • Subdomain policy considered (sp= tag if needed)

    2026 DMARC Adoption Benchmarks by Industry

    [Chart: DMARC adoption by industry, 2026, % of domains with a valid DMARC record. Financial 89%, Healthcare 82%, Tech / SaaS 76%, Global avg 52%, Retail 38%, SMB general 24%.]

    DMARC adoption rate by industry, 2026 (EasyDMARC Adoption Report 2026, AutoSPF Industry Analysis)

    Metric | Data | Source
    Global DMARC adoption | 52.1% of top 1.8M domains | EasyDMARC 2026 Adoption Report
    Domains at p=none only | 56% of those with DMARC | EasyDMARC 2026
    Full p=reject enforcement | 11.2% of all domains | DmarcDkim.com, June 2026
    Domains with no auth at all | 40.8% (no SPF, DKIM, DMARC) | DMARCguard Research, Feb 2026
    DMARC adoption growth 2023-2026 | +79% in valid records | EasyDMARC 2026
    BEC losses prevented by DMARC | $2.77B annual target (FBI IC3 2024) | FBI IC3 Annual Report

    Frequently Asked Questions

    Do I need both SPF and DKIM, or is one enough?
    You need both. Gmail and Yahoo require both SPF and DKIM for bulk senders since February 2024, not just one. DMARC requires at least one of the two to pass and align, but having both provides redundancy: DKIM survives email forwarding while SPF does not, and together they give DMARC more signals to work with.
    What happens if I set DMARC to p=reject too early?
    Legitimate email from sending services you forgot to authenticate will be rejected. This includes email from third-party marketing tools, CRMs, help desk software, or automated notification systems. Always start at p=none and review DMARC aggregate reports for at least 2 to 4 weeks before moving to quarantine or reject.
    Does SPF work with email forwarding?
    No. When an email is forwarded, the sending IP changes to the forwarding server's IP, which is not on your original SPF record. This causes SPF to fail on the forwarded copy. This is why DKIM is critical: DKIM is tied to the message content rather than the sending IP, so it survives forwarding. DMARC can pass on DKIM alignment alone, which is why having both is essential.
    How do I check if my SPF, DKIM, and DMARC are set up correctly?
    Use MXToolbox to check each record's syntax and publication. Then send a test email to a Gmail address and view the original headers (three dots in Gmail, "Show original") to see the authentication results. You should see "spf=pass", "dkim=pass", and "dmarc=pass". You can also use mail-tester.com for a complete end-to-end authentication check with a score and specific recommendations.
    How long does DMARC take to take effect?
    DNS changes propagate within 24 to 48 hours, but most providers pick them up within a few hours. Once published, DMARC reports start arriving within 24 to 72 hours. The policy takes effect immediately after propagation, which is why starting at p=none is so important before moving to enforcement levels.
    What is DMARC alignment and why does it matter?
    DMARC alignment means the domain in the From header must match the domain used in SPF authentication (the Return-Path domain) or the DKIM signature (the d= tag). You can pass both SPF and DKIM individually but still fail DMARC if these domains do not align. Relaxed alignment (the default) allows subdomain matches. Strict alignment requires an exact match.
    Does setting up SPF, DKIM, and DMARC improve my email deliverability?
    Yes, directly. Authenticated domains are significantly more likely to reach the inbox. Fully authenticated cold emails pull 15 to 20% higher response rates compared to unauthenticated ones, and unauthenticated bulk email now faces throttling or rejection from Gmail, Yahoo, and Outlook. Authentication does not override sender reputation, but it is the prerequisite for everything else to work. Read our guide on why emails go to spam for the complete picture.
    What is BIMI and do I need it?
    BIMI (Brand Indicators for Message Identification) displays your logo next to your emails in supported inboxes (Gmail, Yahoo, Apple Mail). It requires DMARC at p=quarantine or p=reject as a prerequisite. BIMI is optional but increases recipient trust and open rates, which generates positive engagement signals that improve deliverability over time. Only 0.04% of domains have the full authentication stack including BIMI as of February 2026 (DMARCguard).
    About the author
    Danila Kozlov, COO at MailTester.Ninja

    Danila has spent the last few years deep in email deliverability, helping SaaS companies and growth teams fix the infrastructure problems that silently kill their outbound results. As COO of MailTester.Ninja, he oversees product and operations with a single obsession: making email verification fast, accurate, and genuinely useful for the people who need it most.
