Email Authentication: SPF, DKIM, and DMARC Explained

When you purchase through links on our site, we may earn a commission. Here’s how it works.

Email authentication is used to not only ensure that you are able to send and receive messages without them ending up in your spam folder, but also to authenticate that the emails you are sending and receiving actually come from the specified sender or receiver. As spam and phishing attempts proliferate, the need for email authentication only grows stronger. The three main players in email authentication are the SPF, DKIM, and DMARC protocols. Sound like another language? Don’t worry, we break it all down into laymen’s terms for you.

Be Careful With This Message: Gmail Verification Alert

Did a friend tell you that email you sent them from your domain is getting flagged as spam? For example, they may have gotten a notice from Gmail that looks as follows:

Alert from Google that reads: Be careful with this message Gmail could not verify that it actually came Avoid clicking links, downloading attachments, or replying with personal information.
Does this alert look familiar? If so, you may need to setup email authentication. We’ll show you how.

Be Careful With This Message (Authentication Alert)

Gmail could not verify that it actually came from [domain redacted].com. Avoid clicking links, downloading attachments, or replying with personal information.

What your email provider may not have explained to you is the importance of email authentication (setting up your sending email server so it can prove that emails sent from your domain actually come from your domain).

What Are SPF, DKIM, And DMARC?

There are authentication protocols that can help verify the identity of the email sender. Which of these do you really need? As far as our experts are concerned:

  1. SPF is a must
  2. DKIM will fix the authentication alert above
  3. DMARC is only required sometimes


SPF, or Sender Policy Framework, is an email authentication method designed to detect forging sender addresses during the delivery of the email. The reason we recommend combining SPF with DKIM and DMARC is because SPF on its own is limited to detecting a forged sender claim in the envelope of the email (used when the mail gets bounced).


DKIM, or DomainKeys Identified Mail, is used to detect forged sender addresses in email (think phishing and email spam). DKIM allows the receiver to check that an email claimed to have come from a specific domain was authorized by the owner of that domain.


DMARC, or Domain-based Message Authentication, Reporting & Conformance, is used to give email domain owners the ability to protect their domain from unauthorized use (think spoofing – i.e. making it look like an email came from a particular domain when actually it was sent from elsewhere).

How To Setup SPF

You’ll want to add the following TXT DNS record to your email hosting provider (the provider hosting the domain name you use to send email from):

  • Type: TXT
  • Hostname: @
  • Value: v=spf1 ~all (where is your email domain). You can change the ~all value as follows to enforce SPF failures:
    • ~all: results in a soft fail (Not authorized, but not explicitly unauthorized – the one used in our example)
    • -all: results in a hard fail (Unauthorized)
    • ?all: neutral (As if there is no policy at all)
  • If you have more than one domain you send mails from (, you can add them with the include statement in the TXT value field:
    • v=spf1 ~all

Save your record and verify with your mail provider that it has taken hold.

How To Setup DKIM

Check with your mail hosting provider for a TXT DNS record to add (just like you did above) to enable DKIM. This will include a key for the hostname, and record for the value. For example:

  • Type: TXT
  • Hostname: 12345._domainkey
  • Value: v=DKIM1; k=rsa; p=1Cnao7#fn5WqGEUtSX (this will typically be a much longer string of randomly generated characters)

How To Setup DMARC

First, you can check to see if your email domain has an existing DMARC record with this DMARC checker. You can start the setup of your DMARC records by registering on dmarcian.


Once your DMARC record is setup, you can handle suspicious emails with the following tag values (you’ll need to change these from the default ‘p’ value):

  • Tag: v
    • Value: DMARC1
    • Translation: The DMARC version should always be “DMARC1”. Note: A wrong, or absent DMARC version tag would cause the entire record to be ignored
  • Tag: p (default)
    • Value: none
    • Translation: Policy applied to emails that fails the DMARC check. Authorized values: “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows. “quarantine” allows Mail Receivers to treat email that fails the DMARC check as suspicious. Most of the time, they will end up in your SPAM folder. “reject” outright rejects all emails that fail the DMARC check.
  • Tag: rua
    • Value:
    • Translation: The list of URIs for receivers to send XML feedback to. Note: This is not a list of email addresses, as DMARC requires a list of URIs of the form “”.

Voila there you have it! If you setup at least an SPF record on your email domain you should now be well on your way to avoiding getting flagged as a spammer. Speaking of which, email authentication may help others using your email domain to send spam, but it will not prevent you from receiving spam. Don’t worry, we’ve got a solution for that as well

Stop Spam For Good

Our experts review the best spam blockers with pros, cons, compatibilities, and more.

Were you able to solve your email woes? Let us know in the comments!

Tagged With:

The information provided through this website should not be used to diagnose or treat a health problem or disease; it is not intended to offer any legal opinion or advice or a substitute for professional safety advice or professional care. Please consult your health care provider, attorney, or product manual for professional advice. Products and services reviewed are provided by third parties; we are not responsible in any way for them, nor do we guarantee their functionality, utility, safety, or reliability. Our content is for educational purposes only.

Notify of
1 Comment
Oldest Most voted
Inline Feedbacks
View all comments