Email Authentication: SPF, DKIM, and DMARC Explained

Did a friend tell you that email you sent them from your domain is getting flagged as spam? For example, they may have gotten a notice from Gmail that looks as follows:

Be Careful With This Message (Authentication Alert)

Gmail could not verify that it actually came from [domain redacted].com. Avoid clicking links, downloading attachments, or replying with personal information.

What your email provider may not have explained to you is the importance of email authentication (setting up your sending email server so it can prove that emails sent from your domain actually come from your domain).

What Are SPF, DKIM, And DMARC?

There are authentication protocols that can help verify the identity of the email sender. Which of these do you really need? As far as our experts are concerned:

  1. SPF is a must
  2. DKIM will fix the authentication alert above
  3. DMARC is only required sometimes


SPF, or Sender Policy Framework, is an email authentication method designed to detect forged sender addresses during the delivery of the email. We recommend combining SPF with DKIM and DMARC because SPF on its own is limited to detecting a forged sender claim in the envelope of the email (used when the mail gets bounced).


DKIM, or DomainKeys Identified Mail, is used to detect forged sender addresses in email (think phishing and email spam). DKIM allows the receiver to check that an email claimed to have come from a specific domain was authorized by the owner of that domain.


DMARC, or Domain-based Message Authentication, Reporting & Conformance, is used to give email domain owners the ability to protect their domain from unauthorized use (think spoofing – i.e. making it look like an email came from a particular domain when actually it was sent from elsewhere).

How To Set Up SPF

You’ll want to add the following TXT DNS record to your email hosting provider (the provider hosting the domain name you use to send email from):

  • Type: TXT
  • Hostname: @
  • Value: v=spf1 ~all (where is your email domain). You can change the ~all value as follows to enforce SPF failures:
    • ~all: results in a soft fail (Not authorized, but not explicitly unauthorized – the one used in our example)
    • -all: results in a hard fail (Unauthorized)
    • ?all: neutral (As if there is no policy at all)
  • If you have more than one domain you send mails from (, you can add them with the include statement in the TXT value field:
    • v=spf1 ~all

Save your record and verify with your mail provider that it has taken hold.
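To check what a published record actually enforces, the following added example (not part of the original article) reads a domain's TXT strings and reports the `all` result and the included domains. The domain names are placeholders, and the `+all`, multiple-record and `redirect=` checks go beyond the article and follow RFC 7208.

```python
# Added example: classify the policy an SPF TXT record publishes.
# mailhost.example is a placeholder domain; SAMPLE_TXT is constructed.

QUALIFIERS = {
    "+": "pass",      # RFC 7208 default when no qualifier is written
    "-": "fail",      # hard fail: unauthorized
    "~": "softfail",  # not authorized, but not explicitly unauthorized
    "?": "neutral",   # as if there is no policy at all
}

SAMPLE_TXT = [
    "google-site-verification=constructed-value",
    "v=spf1 include:mailhost.example ~all",
]

def audit_spf(txt_records):
    """Return (all_result, includes, problems) for a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return None, [], ["no SPF record published"]
    problems = []
    if len(spf) > 1:
        problems.append("multiple SPF records: receivers treat this as an error")
    terms = spf[0].split()[1:]
    includes, all_result = [], None
    for term in terms:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech.lower().startswith("include:"):
            includes.append(mech[len("include:"):])
        elif mech.lower() == "all":
            all_result = QUALIFIERS[qualifier]
            break  # mechanisms after 'all' are never tested
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_result is None and not has_redirect:
        problems.append("no 'all' mechanism: unmatched senders get neutral")
    elif all_result == "pass":
        problems.append("+all authorizes every sender")
    return all_result, includes, problems
```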

How To Set Up DKIM

Check with your mail hosting provider for a TXT DNS record to add (just like you did above) to enable DKIM. This will include a key for the hostname and a record for the value. For example:

  • Type: TXT
  • Hostname: 12345._domainkey
  • Value: v=DKIM1; k=rsa; p=1Cnao7#fn5WqGEUtSX (this will typically be a much longer string of randomly generated characters)

How To Set Up DMARC

First, you can check to see if your email domain has an existing DMARC record with this DMARC checker. You can start the setup of your DMARC records by registering on dmarcian.


Once your DMARC record is set up, you can handle suspicious emails with the following tag values (you’ll need to change these from the default ‘p’ value):

  • Tag: v
    • Value: DMARC1
    • Translation: The DMARC version should always be “DMARC1”. Note: A wrong, or absent DMARC version tag would cause the entire record to be ignored
  • Tag: p (default)
    • Value: none
    • Translation: Policy applied to emails that fail the DMARC check. Authorized values: “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows. “quarantine” allows Mail Receivers to treat email that fails the DMARC check as suspicious. Most of the time, they will end up in your SPAM folder. “reject” outright rejects all emails that fail the DMARC check.
  • Tag: rua
    • Value: mailto:[email protected]
    • Translation: The list of URIs for receivers to send XML feedback to. Note: This is not a list of email addresses, as DMARC requires a list of URIs of the form “mailto:[email protected]”.
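The tag rules above can be checked mechanically before a record is published. This is an added example, not code from the original article. The record strings and the reports@example.com address are constructed placeholders, and the requirement that `v` be the first tag comes from RFC 7489 rather than from the article.

```python
# Added example: validate a DMARC TXT record against the tag rules above.
# Record strings and reports@example.com are constructed placeholders.

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Return (tags, findings); tags is None when the record would be ignored."""
    tags, order, findings = {}, [], []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            findings.append(f"malformed tag: {part!r}")
            continue
        name = name.strip().lower()
        tags[name] = value.strip()
        order.append(name)
    # A wrong or absent version tag causes the entire record to be ignored.
    # RFC 7489 also requires v to be the first tag.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return None, ["v=DMARC1 missing or wrong: record ignored"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p must be none, quarantine or reject, got {policy!r}")
    # rua is a comma-separated list of URIs, not bare email addresses.
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            findings.append(f"rua entry is not a mailto: URI: {uri!r}")
    if policy == "none" and "rua" not in tags:
        findings.append("p=none without rua collects no feedback")
    return tags, findings
```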

Voila, there you have it! If you set up at least an SPF record on your email domain, you should now be well on your way to avoiding getting flagged as a spammer. Speaking of which, email authentication may help prevent others from using your email domain to send spam, but it will not prevent you from receiving spam. Don’t worry, we’ve got a solution for that as well.

Stop Spam For Good

Our experts review the best spam blockers with pros, cons, compatibilities, and more.
