Email Authentication — SPF, DKIM, and DMARC Explained
Email authentication is a set of DNS-based standards — SPF, DKIM, and DMARC — that verify an email was genuinely sent by the domain it claims to be from. Without authentication, anyone can forge the From: header and send email impersonating your domain. All three standards work together: SPF authorises sending servers, DKIM signs messages, and DMARC enforces policy and provides reporting.
The Three Standards
- SPF — lists authorised sending servers in DNS
- DKIM — adds cryptographic signatures to email
- DMARC — enforces policy and ties SPF/DKIM to the From: domain
Why All Three Matter
SPF alone can be bypassed. DKIM alone doesn't prevent From: forgery. DMARC requires both to align with your From: domain — closing the gap.
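The gap described above, as an added example (not code from this page or from any tool it mentions): a receiver-side DMARC alignment check run over a constructed message whose SPF and DKIM results both say "pass", but for a domain other than the one in From:. The domains, the sample message and the function names are assumptions, and the organizational-domain lookup is simplified to the last two labels where a real evaluator uses the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all domains are illustrative.
SAMPLE = "From: Billing <billing@example.com>\nSubject: Invoice\n\nHello\n"

def org_domain(domain):
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def evaluate_dmarc(raw_message, spf, dkim, strict=False):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, strict)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, strict) for r, d in dkim)
    # RFC 7489: one aligned pass (SPF or DKIM) is enough for DMARC to pass.
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    cases = {
        # SPF and DKIM both pass, but for the sender's own unrelated domain.
        "forged From:": (("pass", "mailer.example.net"), [("pass", "example.net")]),
        # Both mechanisms authenticate the From: domain's organizational domain.
        "legitimate": (("pass", "bounce.example.com"), [("pass", "example.com")]),
    }
    for name, (spf, dkim) in cases.items():
        print(name, evaluate_dmarc(SAMPLE, spf, dkim))
```

The forged case fails DMARC even though SPF and DKIM each report "pass", because neither authenticated domain matches the From: domain.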
FAQ
What is email authentication?
The set of DNS standards (SPF, DKIM, DMARC) that verify email was sent by an authorised server for the claimed domain.
Do I need all three — SPF, DKIM, and DMARC?
Yes, for full protection. SPF and DKIM alone have gaps. DMARC ties them together and provides reporting.
Is email authentication required?
Gmail and Yahoo now require DMARC for bulk senders (February 2024). It is effectively mandatory for anyone sending significant email volume.