
SPF, DKIM, DMARC: email authentication explained simply

The three protocols that prove your legitimacy to providers. What they do, how they fit together and why they shape your deliverability.

SPF, DKIM and DMARC are three authentication protocols that let providers verify that an email really comes from who it claims. Misconfigured or missing, they are enough to send your messages to spam, or even have them rejected. Properly configured, they form the indispensable technical foundation of any good deliverability. Here is what they do, explained without needless jargon.

Why authentication is indispensable

Email was designed without a native mechanism to verify the sender's identity. Anyone can technically claim to write from your domain, which opens the door to spoofing and phishing. SPF, DKIM and DMARC fill this gap. They form the first pillar of deliverability described in our complete guide, and it is the very first thing to fix if your emails land in spam.

SPF: who is allowed to send

SPF (Sender Policy Framework) is a DNS record that lists the servers authorized to send emails for your domain. On receipt, the provider compares the originating server to this list. If the server isn't on it, the message is considered suspicious. SPF therefore answers a simple question: does this sender have the right to use this domain?

SPF has a limitation, however: it relies on the envelope address, not the address visible to the recipient, and it doesn't always survive email forwarding. This is one of the reasons it isn't enough on its own and must be complemented by DKIM.

DKIM: a tamper-proof signature

DKIM (DomainKeys Identified Mail) adds a cryptographic signature tied to your domain to every email. The provider verifies this signature using a public key published in your DNS. If it is valid, it proves two things: the email really comes from your domain, and its content was not altered along the way. DKIM thus provides the integrity that SPF alone does not guarantee.

Because DKIM verification doesn't depend on the path the message took, it remains valid even after forwarding. By signing the key headers and the message body, DKIM guarantees that nothing was modified between sending and receipt, which makes it a particularly solid trust signal.

DMARC: the policy that ties it together

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to define a rule: what to do with an email that fails authentication? Let it through, quarantine it, or reject it? DMARC also provides reports that reveal who is sending in your name, legitimately or not. It is the piece that turns two isolated checks into a real security policy.

DMARC aligns on the domain visible to the recipient, the one shown in the sender field. For an email to be compliant, SPF or DKIM must pass and the verified domain must match that visible domain: this is the notion of alignment. It is this alignment that prevents a fraudster from spoofing your brand, even if they manage to authenticate their own domain.

How the three protocols work together

The three protocols are complementary and reinforce one another:

  • SPF declares which servers are authorized to send for your domain.
  • DKIM signs every message and guarantees its integrity.
  • DMARC sets what to do on failure and provides reports.

The most common configuration mistakes

Authentication often fails because of avoidable errors:

  • Multiple SPF records on the same domain, when only one is allowed.
  • An SPF that exceeds the DNS lookup limit and becomes invalid.
  • A DKIM forgotten when changing sending provider.
  • A DMARC left in monitoring-only policy indefinitely, never hardening the rule.
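The first two mistakes above can be caught before a receiver does. This added checker (example code, not from the article or from BraiseInbox) counts the DNS-querying terms of an SPF record, expanding its include: and redirect= targets, and flags a domain that publishes more than one record. It runs against constructed zone data under documentation domains instead of live DNS.

```python
import re
# Constructed zone data standing in for DNS TXT lookups (documentation domains, not real).
ZONE = {
    "example.com": [  # two v=spf1 records: the duplicate-record mistake
        "v=spf1 include:_spf.mailer.example include:_spf.crm.example mx -all",
        "v=spf1 ip4:192.0.2.10 -all",
    ],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example ~all"],
    "a.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "b.mailer.example": ["v=spf1 a mx ptr exists:%{i}.chk.mailer.example -all"],
    "_spf.crm.example": ["v=spf1 ip4:203.0.113.0/24 redirect=_spf2.crm.example"],
    "_spf2.crm.example": ["v=spf1 a -all"],
}
# Terms that cost a DNS query under RFC 7208's limit of 10 per check (ip4/ip6/all do not).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=]([^/]+))?(?:/.*)?$", re.I)

def spf_records(domain, zone=ZONE):
    # All TXT records at the domain that start with v=spf1; a valid setup has exactly one.
    return [r for r in zone.get(domain.lower(), []) if r.lower().startswith("v=spf1")]

def count_lookups(record, zone=ZONE, seen=None):
    """Count DNS-querying terms in one record, expanding include: and redirect= targets."""
    seen = set() if seen is None else seen
    total = 0
    for term in record.split()[1:]:             # skip the v=spf1 version tag
        m = TERM_RE.match(term.lstrip("+-~?"))  # drop the qualifier (e.g. -all -> all)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        total += 1
        if name in ("include", "redirect") and arg and arg.lower() not in seen:
            seen.add(arg.lower())               # never re-expand a target: guards against loops
            target = spf_records(arg, zone)
            if len(target) == 1:                # a broken target is still one lookup, not more
                total += count_lookups(target[0], zone, seen)
    return total

def lint_spf(domain, zone=ZONE):
    # Human-readable findings for the two SPF mistakes listed above.
    recs = spf_records(domain, zone)
    if not recs:
        return ["no SPF record published"]
    findings = []
    if len(recs) > 1:
        findings.append(f"{len(recs)} SPF records published; receivers treat this as permerror")
    for rec in recs:
        n = count_lookups(rec, zone)
        if n > MAX_LOOKUPS:
            findings.append(f"{n} DNS lookups exceed the limit of {MAX_LOOKUPS}: {rec!r}")
    return findings
```

Running `lint_spf("example.com")` on the constructed zone reports both the duplicate record and a first record that needs 11 lookups, one more than receivers allow.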

How to check your configuration

Before any campaign, check your configuration. The simplest method is to send yourself an email to another mailbox, then inspect the header of the received message: it indicates whether SPF, DKIM and DMARC passed or failed. Many free tools also let you analyze a domain's DNS records and flag anomalies. Start with a DMARC policy in monitoring mode, analyze the reports, then gradually harden toward quarantine or reject once all your legitimate sends are correctly authenticated.
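The header check described here and the alignment rule from the DMARC section can be exercised together. As an added example (not part of the article or of BraiseInbox), this script pulls the SPF and DKIM verdicts out of a constructed Authentication-Results header, then applies DMARC alignment against the visible From domain in both relaxed and strict mode. The organizational-domain logic is a stated simplification (last two labels); a real receiver consults the Public Suffix List.

```python
import re

# Constructed Authentication-Results header as a receiving server might add it (not a real capture).
AUTH_RESULTS = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=bounce.mailer.example;\n"
    " dkim=pass header.d=news.example.com header.s=sel1"
)

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the Public Suffix List,
    # so that e.g. brand.co.uk is handled correctly; this toy version would get it wrong.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' requires an exact match, 'r' only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Return ([(spf_result, mailfrom_domain)], [(dkim_result, d_domain)]) from the header."""
    body = re.sub(r"\s+", " ", header.split(";", 1)[1])  # drop the authserv-id, unfold lines
    spf, dkim = [], []
    for clause in body.split(";"):
        m = re.search(r"\bspf=(\w+).*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
        if m:
            spf.append((m.group(1).lower(), m.group(2)))
        m = re.search(r"\bdkim=(\w+).*?header\.d=([\w.-]+)", clause)
        if m:
            dkim.append((m.group(1).lower(), m.group(2)))
    return spf, dkim

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    return dict(tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag)

def dmarc_evaluate(header, from_domain, dmarc):
    """Return (result, disposition): pass needs SPF or DKIM to pass AND align with the From domain."""
    spf, dkim = parse_auth_results(header)
    spf_ok = any(r == "pass" and aligned(d, from_domain, dmarc.get("aspf", "r")) for r, d in spf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, dmarc.get("adkim", "r")) for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", dmarc.get("p", "none")   # none = monitor only, quarantine, or reject
```

In the constructed header SPF passes only for the mailer's own bounce domain, so it never aligns with example.com; the message passes DMARC solely through the DKIM signature from news.example.com under relaxed alignment, and is rejected under adkim=s with p=reject.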

BIMI: the logical next step after a solid DMARC

Once SPF, DKIM and a strict DMARC are in place, you can go further with BIMI (Brand Indicators for Message Identification). This standard lets your brand logo appear next to your emails in compatible mailboxes. Beyond the visual aspect, BIMI rewards senders who have made the effort of rigorous authentication and strengthens recognition and trust. It doesn't directly improve placement, but it consolidates the sender identity your whole deliverability strategy seeks to establish.

Authentication is not enough

Correctly configuring SPF, DKIM and DMARC is necessary but not sufficient. These protocols prove your technical legitimacy, not the quality of your engagement. Once authentication is in place, the work continues on reputation, through warm-up and real engagement signals. To see how BraiseInbox takes over on that front, read how BraiseInbox works.

In short, authentication is the entry ticket: without it, nothing works, but it doesn't do everything. Pair it with a solid reputation and real engagement to turn a technical foundation into durable deliverability, as detailed in our complete guide.
