
SPF, DKIM, DMARC: The Authentication Setup You Can't Skip

Every record explained — what it does, exactly how to set it, and the most common misconfigurations that quietly destroy deliverability.

Ankit K
Founder · LeadFindy
Mar 28, 2026 13 min read

Why authentication matters more in 2026

Google and Yahoo's 2024 sender requirements raised the floor: anyone sending more than 5,000 messages a day to Gmail or Yahoo mailboxes must authenticate with both SPF and DKIM, publish a DMARC record (p=none is enough to satisfy the rule), and keep the From header aligned with at least one of them, or see mail rejected or routed to spam. Microsoft announced matching requirements for Outlook.com in 2025.

For cold email, the volumes are smaller — but the heuristics are stricter. A misconfigured SPF or missing DKIM signature is a fast track to the spam folder, and most senders never realize it.

SPF — Sender Policy Framework

SPF is a DNS TXT record on a domain that lists which IP addresses (directly, or via the hosts named by a, mx and include mechanisms) are allowed to send mail using that domain as the SMTP envelope sender (MAIL FROM, the Return-Path). When a receiver gets a message, it looks up the SPF record of the MAIL FROM domain and checks whether the connecting IP is authorized. Note what SPF does not check: the visible From header. Tying the SPF result to the From domain is DMARC's job, which is why SPF alone does not stop spoofing of your display address.

The record itself

Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com include:sendgrid.net -all

The 10-lookup rule

SPF allows a maximum of 10 DNS lookups per evaluation. Each include:, a, mx, ptr, exists and redirect= term costs one lookup (ip4:, ip6: and all cost nothing), and the includes nested inside your providers' records count too. Exceed 10 and the result is permerror, which most receivers treat as having no valid SPF at all. Nothing warns you: the record still looks fine in DNS, and many senders blow past the limit without realizing.

Use an SPF flattener. Tools like dmarcian or EasyDMARC resolve nested includes into IP ranges, cutting the lookup count. The trade-off is that flattened IPs go stale as providers change their ranges, so re-flatten quarterly, or sooner when a provider announces new netblocks.
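To see how the 10-lookup rule is actually counted, here is an added example (not code from the article) that walks an SPF record tree and counts the DNS-querying terms the way a receiver would. The ZONE table is a constructed, in-memory stand-in for DNS so it runs offline: the provider hostnames mirror the article's record, but the netblocks are documentation ranges, not the providers' real addresses. It also reports the two-records case as the permerror it is.

```python
"""Count the DNS-querying terms in an SPF record tree (RFC 7208, section 4.6.4).

Added example, not code from the article. ZONE is a constructed stand-in for DNS.
"""
import re

# Terms that cost one DNS query each; ip4:, ip6: and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)

ZONE = {
    # The article's record for the sending domain.
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],       # placeholder ranges
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.128/25 -all"],
    "servers.mcsv.net": ["v=spf1 ip4:198.51.100.128/25 ?all"],
    "mail.zendesk.com": ["v=spf1 ip4:203.0.113.128/25 ~all"],
    "_spf.salesforce.com": ["v=spf1 ip4:203.0.113.64/26 ~all"],
    # A domain that kept every tool it ever used, plus bare mx and a.
    "bloated.example": ["v=spf1 include:_spf.google.com include:sendgrid.net "
                        "include:spf.protection.outlook.com include:servers.mcsv.net "
                        "include:mail.zendesk.com include:_spf.salesforce.com mx a -all"],
    # Two SPF records on one name: RFC 7208 section 4.5 says permerror.
    "double.example": ["v=spf1 include:_spf.google.com -all",
                       "v=spf1 include:sendgrid.net -all"],
}


def get_spf(domain, zone):
    """Return the domain's single SPF record; zero or several is a permerror."""
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records, exactly one required")
    return records[0]


def count_lookups(domain, zone, path=()):
    """Count lookups across the whole include/redirect tree below domain.

    An evaluator stops early once a mechanism matches, but a non-matching IP
    can make it traverse the full tree, so the worst case is what the limit
    is measured against. Macros in include targets are not expanded here.
    """
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    path += (domain,)
    total = 0
    for term in get_spf(domain, zone).split()[1:]:          # skip v=spf1
        match = TERM_RE.match(term.lstrip("+-~?"))           # qualifier never affects counting
        if not match:
            raise ValueError(f"{domain}: unparseable term {term!r}")
        name, arg = match.group(1).lower(), match.group(2)
        if name in ("include", "redirect"):
            if not arg:
                raise ValueError(f"{domain}: {name} without a target")
            total += 1 + count_lookups(arg, zone, path)      # the term itself plus its subtree
        elif name in LOOKUP_TERMS:
            total += 1                                       # a, mx, ptr, exists
    return total


def check_spf(domain, zone=ZONE):
    """Return ('ok', lookups) or ('permerror', lookups-or-reason) as a receiver would see it."""
    try:
        lookups = count_lookups(domain, zone)
    except ValueError as err:
        return "permerror", str(err)
    if lookups > MAX_LOOKUPS:
        return "permerror", lookups
    return "ok", lookups


if __name__ == "__main__":
    for name in ("yourdomain.com", "bloated.example", "double.example"):
        print(name, check_spf(name))
```

Against the constructed zone the article's record costs 5 lookups (4 of them hidden inside _spf.google.com), while bloated.example reaches 11 and fails even though every individual include is valid. To run this against real DNS, replace the ZONE lookups in get_spf with a resolver query for TXT records.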

Hard fail (-all) vs soft fail (~all)

Use ~all while testing. Move to -all once you're confident every sending source is covered. Hard fail tells receivers "anything not in this list is not authorized to use my domain". In practice most receivers feed that result into DMARC and spam scoring rather than rejecting on SPF alone, but an unlisted legitimate source fails either way, so complete the inventory of sending services first.

DKIM — DomainKeys Identified Mail

DKIM cryptographically signs each outbound email: the sending server hashes selected headers and the body and signs the result with a private key. Receivers fetch the matching public key from DNS (the d= and s= tags in the DKIM-Signature header name the domain and selector) and verify the signature. A valid signature proves the signed headers and body were not altered after signing, and that whoever holds the private key for that domain vouches for the message.

Setup

  1. Generate a key pair in your mailbox provider (Google Workspace, M365, SendGrid, etc.)
  2. Publish the public key as a TXT record at selector._domainkey.yourdomain.com
  3. Wait for DNS propagation (up to 48 hours, depending on TTL), confirm the record resolves with dig, then enable signing

Key length

Use 2048-bit keys, not 1024. Some providers still default to 1024 for backwards compatibility, so check the key you actually published and upgrade it manually. RFC 8301 recommends 2048-bit RSA keys, and some receivers downgrade trust on 1024-bit keys.
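The key size is not visible in the TXT record itself; the p= value is a base64 DER public key. The following added example (not code from the article) decodes it with a minimal DER reader, using only the standard library, so you can paste the output of dig TXT selector._domainkey.yourdomain.com straight in. The sample records are constructed: their moduli are placeholders of the right size, not real keys (a real modulus is a product of two primes), and the rsa_spki_der helper exists only to build them.

```python
"""Check the RSA key size of a published DKIM record (v=DKIM1; k=rsa; p=...).

Added example, not code from the article; sample records are constructed placeholders.
"""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                       # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_spki_der(modulus, exponent=65537):
    """Encode an RSA public key as SubjectPublicKeyInfo, the format DKIM p= carries."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")            # rsaEncryption, NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos=0):
    """Read one DER tag/length/value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the modulus size in bits from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, algorithm, pos = _read_tlv(body)
    if tag != 0x30 or not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:])        # skip the unused-bits byte
    _, modulus, _ = _read_tlv(rsa_public_key)               # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Tag=value pairs; dig prints long records as quoted 255-byte chunks, joined here first."""
    if '"' in txt:
        txt = "".join(re.findall(r'"([^"]*)"', txt))
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())     # folding whitespace inside p= is legal
    return tags


def dkim_key_bits(txt):
    """Key size of a DKIM TXT record; raises on revoked (empty p=) or non-RSA keys."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa is handled here")
    if not tags.get("p"):
        raise ValueError("empty p=: key is revoked")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


def check_dkim_record(txt):
    bits = dkim_key_bits(txt)
    return {"bits": bits, "ok": bits >= 2048}


def _constructed_record(bits):
    """Placeholder modulus with top and bottom bit set: right size, not a real key."""
    spki = rsa_spki_der((1 << (bits - 1)) | 1)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


SAMPLE_2048 = _constructed_record(2048)
SAMPLE_1024 = _constructed_record(1024)
# The same 2048-bit record the way dig shows it: several quoted chunks.
SAMPLE_2048_CHUNKED = " ".join(f'"{SAMPLE_2048[i:i + 255]}"'
                               for i in range(0, len(SAMPLE_2048), 255))

if __name__ == "__main__":
    for label, rec in (("2048", SAMPLE_2048), ("1024", SAMPLE_1024), ("chunked", SAMPLE_2048_CHUNKED)):
        print(label, check_dkim_record(rec))
```

The chunked case matters in practice: a 2048-bit p= value exceeds the 255-byte limit of a single TXT string, so dig returns it as two quoted strings that must be concatenated before decoding.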

Rotation

Rotate DKIM keys every 6 months. Publish the new key under a new selector and switch signing to it, but keep the old selector's public key in DNS for a 14-day overlap so mail signed with the old key that is still in transit or queued for retry verifies. After the window, revoke the old selector explicitly by publishing it with an empty p= rather than just deleting it.

DMARC — the policy layer

DMARC tells receivers what to do with a message whose From-header domain is not backed by an aligned SPF or DKIM pass. A message passes DMARC if either SPF or DKIM passes and the domain it passed for aligns with the From domain; only when neither does is the policy applied. The record also says where to send aggregate reports about every message claiming to be from your domain.

The progression

Phase           Policy          Duration
1. Monitor      p=none          14 days
2. Quarantine   p=quarantine    30 days
3. Reject       p=reject        indefinite

The record

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s

adkim=s and aspf=s require strict alignment: the DKIM d= domain and the SPF MAIL FROM domain must match the From-header domain exactly. The default, relaxed (r), accepts any subdomain of the same organizational domain, so mail.yourdomain.com aligns with yourdomain.com. Use strict once you've verified all legitimate sources align exactly; if a tool sends from a subdomain or signs with the parent domain, strict breaks it.
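The pass/fail logic and the difference between strict and relaxed alignment are easy to get wrong, so here is an added example (not code from the article) that evaluates one message against the article's record. It implements the alignment rules of RFC 7489 section 3.1. Two assumptions are worth flagging: the organizational-domain helper just keeps the last two labels, whereas real evaluators use the Public Suffix List (example.co.uk would be handled wrongly here), and sampling for pct<100 is reported but not simulated.

```python
"""Evaluate DMARC alignment and disposition for one message.

Added example, not code from the article. org_domain() is a simplification
(last two labels) of the Public Suffix List lookup real evaluators perform.
"""

# The article's record, and a variant with the default relaxed alignment.
STRICT_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s"
RELAXED_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"


def parse_dmarc(txt):
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("v=DMARC1 and p= are mandatory")
    tags.setdefault("adkim", "r")        # relaxed is the default for both modes
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, see docstring)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict: identical domains. Relaxed: same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate_dmarc(record, from_domain, spf=None, dkim=()):
    """spf: (result, MAIL FROM domain) or None; dkim: iterable of (result, d= domain).

    DMARC passes when at least one identifier both passed and aligns. Only a
    failing message is subject to the policy; a passing one always gets 'none'.
    """
    tags = parse_dmarc(record)
    spf_aligned = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_aligned = any(result == "pass" and aligned(from_domain, d, tags["adkim"])
                       for result, d in dkim)
    passed = spf_aligned or dkim_aligned
    is_subdomain = org_domain(from_domain) != from_domain.lower().rstrip(".")
    policy = tags["sp"] if is_subdomain else tags["p"]
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "pct": int(tags["pct"]),         # share of failing mail the policy is applied to
    }


if __name__ == "__main__":
    cases = [
        # Mailbox provider: both identifiers match the From domain exactly.
        ("own mail", STRICT_RECORD, "yourdomain.com",
         ("pass", "yourdomain.com"), [("pass", "yourdomain.com")]),
        # Third-party tool authenticating on its own domains: SPF and DKIM both
        # pass, but neither aligns, so the article's record quarantines it.
        ("sendgrid, unaligned", STRICT_RECORD, "yourdomain.com",
         ("pass", "bounces.sendgrid.net"), [("pass", "sendgrid.net")]),
        # Subdomain From signed with the parent domain: strict fails, relaxed passes.
        ("subdomain strict", STRICT_RECORD, "mail.yourdomain.com", None, [("pass", "yourdomain.com")]),
        ("subdomain relaxed", RELAXED_RECORD, "mail.yourdomain.com", None, [("pass", "yourdomain.com")]),
        # Spoof: SPF passes for the attacker's own MAIL FROM, nothing aligns.
        ("spoof", STRICT_RECORD, "yourdomain.com", ("pass", "attacker.example"), []),
    ]
    for label, record, from_domain, spf, dkim in cases:
        print(f"{label:22} {evaluate_dmarc(record, from_domain, spf=spf, dkim=dkim)}")
```

The second case is the one that bites cold-email setups: the tool's SPF passes on its own bounce domain and its DKIM signature is valid, yet DMARC fails, because nothing it authenticated is your domain. Fixing it means configuring a custom return-path and a DKIM key on your domain at the tool, not loosening the policy.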

BIMI — the bonus layer

BIMI displays your verified logo next to email in supporting clients (Gmail, Apple Mail, Yahoo). It requires DMARC at p=quarantine (with pct=100) or p=reject, plus a Verified Mark Certificate (VMC, roughly $1,500/year) for Gmail and Apple Mail. Worth it for clients sending real volume; skip for cold-only.

Common misconfigurations we see weekly

  • Two SPF records on one domain. RFC 7208 allows exactly one; a receiver that finds two returns permerror, so neither is honored. Merge them into a single record.
  • DKIM key published under the wrong selector. The provider signs with s=google, you published the key under default._domainkey. Verify with dig TXT selector._domainkey.yourdomain.com, substituting the selector from the s= tag of a real DKIM-Signature header on a message you sent.
  • DMARC p=reject set immediately. Blocks legitimate mail from third-party tools that authenticate on their own domains. Always start at p=none and review the aggregate reports before tightening.
  • Forgetting subdomains. If you send from mail.yourdomain.com, SPF is evaluated on whatever domain is in MAIL FROM, so that subdomain needs its own SPF record, and DKIM needs a key under its own selector if the provider signs with d=mail.yourdomain.com. DMARC is the exception: a subdomain without its own _dmarc record inherits the organizational domain's policy (the sp= tag, which defaults to p=).
  • SPF over 10 lookups. Permerror, with no warning in DNS. Use a flattener.
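Reviewing reports is where most of these misconfigurations show up, so here is an added example (not code from the article) that summarizes a DMARC aggregate (rua) report by sending source. The XML is a constructed report in the RFC 7489 Appendix C schema with three sources: the mailbox provider, a third-party tool that authenticates on its own domains but does not align, and an unauthenticated spoof. Real reports arrive as gzip/zip attachments from any receiver on the internet, so the XML is untrusted input; parse it with defusedxml in production rather than the stdlib parser used here.

```python
"""Summarize a DMARC aggregate (rua) report by sending source.

Added example, not code from the article. SAMPLE_REPORT is constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1711584000</begin><end>1711670400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>s</adkim><aspf>s</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.23</source_ip><count>57</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>sendgrid.net</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounces.sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record):
    """aligned = DMARC pass; authenticated_unaligned = a real sender whose SPF/DKIM
    pass on its own domain (fix by aligning it); unauthenticated = nothing passed."""
    evaluated = record.find("row/policy_evaluated")
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "aligned"
    auth = record.find("auth_results")
    if auth is not None and any(r.findtext("result") == "pass" for r in auth):
        return "authenticated_unaligned"
    return "unauthenticated"


def summarize_report(xml_text):
    root = ET.fromstring(xml_text)           # use defusedxml.ElementTree for real reports
    published = root.find("policy_published")
    sources, total, passing = [], 0, 0
    for record in root.findall("record"):
        count = int(record.findtext("row/count"))
        status = classify(record)
        auth = record.find("auth_results")
        auth_domains = sorted({r.findtext("domain") for r in auth}) if auth is not None else []
        sources.append({
            "ip": record.findtext("row/source_ip"),
            "count": count,
            "header_from": record.findtext("identifiers/header_from"),
            "auth_domains": auth_domains,    # which domains authenticated: the clue to who is sending
            "status": status,
        })
        total += count
        passing += count if status == "aligned" else 0
    return {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "total": total,
        "passing": passing,
        "sources": sources,
    }


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f'{summary["domain"]} p={summary["policy"]}: {summary["passing"]}/{summary["total"]} aligned')
    for src in summary["sources"]:
        print(f'  {src["ip"]:16} {src["count"]:5}  {src["status"]:24} {src["auth_domains"]}')
```

The auth_domains column is what makes a report actionable: an authenticated_unaligned source whose SPF passed for bounces.sendgrid.net is your own tool that needs a custom return-path and DKIM key on your domain, whereas an unauthenticated source with a foreign SPF domain is traffic your eventual p=reject should stop.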

Final checklist

Before launching any cold campaign:
  • SPF record published, no more than 10 lookups, -all
  • DKIM 2048-bit key published, signing enabled, verified via dig
  • DMARC at p=none for first 14 days, then p=quarantine
  • Reports flowing to a monitored inbox
  • MXToolbox check: zero issues across all three

Ankit K

Founder · LeadFindy

Ankit founded LeadFindy after 7+ years running B2B outbound. He owns deliverability strategy and authentication standards across every active client campaign.

Want this set up for you?

Book a free 30-minute audit. We'll review your current authentication and flag misconfigurations.