SPF, DKIM, and DMARC basics for sender domains

A practical overview of authentication records and how misconfiguration affects inbox placement.

Updated Jan 15, 2026

Sender authentication helps mailbox providers verify that mail from your domain is authorized and unmodified in transit.

SPF

SPF publishes which IP addresses and services may send mail for your domain. A common failure mode is stale includes after you change ESPs or add a new sending path.

DKIM

DKIM adds a cryptographic signature to each message. If signing breaks, providers may treat mail as suspicious even when SPF passes.

DMARC

DMARC tells providers what to do when a message passes neither SPF nor DKIM in alignment with the From domain, and where to send aggregate reports. Start with p=none while you collect data, then tighten policy once alignment is stable.

Next steps

  1. Verify all active sending sources appear in SPF.
  2. Confirm DKIM selectors match your provider's documentation.
  3. Publish DMARC with reporting enabled before moving to quarantine or reject.
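
One way to run steps 1 and 3 as an offline check, written as an added example and not taken from any provider's tooling. The record strings, the source names and the function names are constructed for illustration; paste in the TXT values you actually publish and the sources you actually send from.

```python
# Added example: offline audit of SPF and DMARC TXT records.
# All record values and source names below are constructed sample data.

def parse_tags(txt):
    """Split a DMARC record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Flag enforcement without reporting (step 3 of the checklist)."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        if policy in ("quarantine", "reject"):
            findings.append(f"p={policy} enforced without rua= aggregate reports")
        else:
            findings.append("no rua= address, so no aggregate reports arrive")
    return findings

def audit_spf(txt, active_sources):
    """Compare SPF include/ip4/ip6 terms with the sources in use (step 1)."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    listed = set()
    for term in terms[1:]:
        term = term.lstrip("+")  # "+" is the default (pass) qualifier
        for prefix in ("include:", "ip4:", "ip6:"):
            if term.startswith(prefix):
                listed.add(term[len(prefix):])
    active = {s.lower() for s in active_sources}
    findings = [f"active source missing from SPF: {s}" for s in sorted(active - listed)]
    findings += [f"stale SPF entry: {s}" for s in sorted(listed - active)]
    return findings

SPF_RECORD = "v=spf1 ip4:192.0.2.10 include:spf.old-esp.example ~all"
ACTIVE_SOURCES = {"192.0.2.10", "spf.new-esp.example"}
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s"

if __name__ == "__main__":
    for finding in audit_spf(SPF_RECORD, ACTIVE_SOURCES) + audit_dmarc(DMARC_RECORD):
        print(finding)
```

The SPF comparison is by exact string, so list each active source in the same form it takes in the record (include domain or IP/CIDR).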