Understanding Email Authentication
What is Email Authentication?
Email authentication is a collection of techniques and protocols designed to verify the legitimacy of email messages. The three core protocols - SPF, DKIM, and DMARC - work together to prevent email spoofing, reduce spam, and protect your domain reputation.
SPF (Sender Policy Framework)
SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. When a receiving server gets an email, it checks the SPF record in DNS to verify the sender is authorized. SPF records are TXT records in DNS that list allowed IP addresses and domains.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to every email sent from your domain. This signature is created using a private key held by the sending server and can be verified using a public key published in DNS. DKIM ensures the email has not been modified in transit and confirms it was authorized by the domain owner.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM by telling receiving servers what to do when an email fails authentication checks. It also provides a reporting mechanism so domain owners can monitor authentication failures and identify potential spoofing attempts. DMARC policies can be set to none (monitoring only), quarantine (mark as spam), or reject (block delivery).
Why Email Authentication Matters
Email authentication protects your brand and recipients from phishing attacks, prevents your domain from being used by spammers, improves email deliverability rates, and builds trust with email providers and recipients. Major email providers like Gmail and Yahoo now require DMARC for bulk senders.
Best Practices
Start by implementing SPF and DKIM for all sending sources. Add DMARC in monitoring mode (p=none) to collect data without affecting delivery. Review DMARC reports to identify legitimate senders and fix authentication issues. Gradually increase DMARC policy enforcement to quarantine and then reject. Keep your SPF record under the 10 DNS lookup limit. Use strong DKIM keys (2048-bit RSA). Rotate DKIM keys periodically for security.
What Is Email Authentication Validation
Email authentication validation checks whether a domain has properly configured the three core email security protocols: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Together, these DNS-based protocols prevent email spoofing, phishing, and unauthorized use of your domain in email headers.
Email remains the primary attack vector for phishing and business email compromise (BEC). Without authentication protocols, anyone can send email that appears to come from your domain. SPF, DKIM, and DMARC work together to verify sender identity and instruct receiving mail servers on how to handle unauthenticated messages—making them foundational to email security.
How Email Authentication Protocols Work
SPF (Sender Policy Framework) publishes a DNS TXT record listing IP addresses and servers authorized to send email on behalf of your domain. When a receiving server gets an email, it checks the sending server's IP against the SPF record. If the IP isn't listed, the message fails SPF.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails using a private key. The corresponding public key is published as a DNS TXT record. Receiving servers use the public key to verify the signature, confirming the message was not altered in transit and originated from an authorized sender.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails: none (monitor), quarantine (spam folder), or reject (block entirely). DMARC also enables aggregate and forensic reporting, giving domain owners visibility into authentication results.
| Protocol | DNS Record | Purpose | Authentication Method |
|---|---|---|---|
| SPF | TXT on domain | Authorize sending IPs | IP address matching |
| DKIM | TXT on selector._domainkey | Sign message content | Cryptographic signature |
| DMARC | TXT on _dmarc.domain | Set policy + reporting | Alignment of SPF/DKIM |
Common Use Cases
- Domain security auditing: Verify that SPF, DKIM, and DMARC are correctly configured and aligned
- Email deliverability troubleshooting: Diagnose why legitimate emails land in spam folders
- Vendor risk assessment: Check third-party domains for proper email authentication before trust decisions
- Compliance requirements: Many frameworks (NIST, FedRAMP, CMMC) require DMARC enforcement
- Brand protection: Prevent attackers from spoofing your domain in phishing campaigns targeting customers or employees
Best Practices
- Deploy DMARC progressively — Start with p=none to monitor, move to p=quarantine, then p=reject once you've identified all legitimate sending sources
- Include all third-party senders in SPF — Marketing platforms, CRMs, and ticketing systems all need to be in your SPF record
- Keep SPF under 10 DNS lookups — The SPF specification limits DNS lookups to 10; exceeding this causes authentication failures
- Rotate DKIM keys annually — Use 2048-bit keys and rotate them periodically to limit exposure from key compromise
- Monitor DMARC reports — Aggregate reports reveal unauthorized senders and configuration issues; review them weekly
Key Security Terms
Understand the essential concepts behind this tool
SPF (Sender Policy Framework)
Email authentication method that specifies which mail servers are authorized to send email on behalf of your domain.
DKIM (DomainKeys Identified Mail)
Email authentication method that uses cryptographic signatures to verify that email content has not been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Email validation system that builds on SPF and DKIM to prevent email spoofing and provide reporting on email authentication failures.
Phishing
A social engineering attack that uses fraudulent communications to trick recipients into revealing sensitive information or installing malware.
Frequently Asked Questions
Common questions about the Email Authentication Validator
Email authentication verifies sender identity using the SPF, DKIM, and DMARC protocols. SPF lists authorized mail servers, DKIM adds cryptographic signatures, and DMARC defines the policy for failures. Together they prevent spoofing, phishing, and domain impersonation. Authentication also improves deliverability, since unauthenticated emails are often marked as spam. Google and Yahoo require it for bulk senders (2024). Authenticate your domain to protect brand reputation and ensure inbox delivery.
Sender Policy Framework (SPF) is a DNS TXT record listing the authorized mail servers for your domain. Example: v=spf1 ip4:192.0.2.0 include:_spf.google.com ~all. The recipient checks whether the sending server's IP matches the SPF record: pass means authenticated, fail means a potential spoof. Mechanisms: ip4, ip6, include, a, mx. Qualifiers: + (pass), - (fail), ~ (softfail), ? (neutral). Limit: 10 DNS lookups maximum.
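The 10-lookup limit is spent across nested include and redirect targets, not only the top-level record, so a short-looking record can still exceed it. The following is an added example (not code from this page or its validator) that counts worst-case lookups over a constructed in-memory zone; the zone contents and the names count_lookups and audit are assumptions for illustration.

```python
import re

SPF_LOOKUP_LIMIT = 10
# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?", re.I)

# Constructed sample zone standing in for live DNS: name -> SPF TXT record.
SAMPLE_ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.test "
                   "include:_spf.crm.test ~all",
    "_spf.mailer.test": "v=spf1 include:a.mailer.test include:b.mailer.test "
                        "include:c.mailer.test ~all",
    "a.mailer.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.mailer.test": "v=spf1 a mx ~all",
    "c.mailer.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.crm.test": "v=spf1 a:mail.crm.test exists:%{i}.allow.crm.test "
                     "redirect=_spf2.crm.test",
    "_spf2.crm.test": "v=spf1 ip6:2001:db8::/32 -all",
}

def count_lookups(domain, zone, seen=frozenset()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in seen:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; the query that led here was already counted
    total = 0
    for term in record.split()[1:]:
        match = TERM_RE.match(term)
        if not match or match.group(1).lower() not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost no lookups
        total += 1
        if match.group(1).lower() in ("include", "redirect") and match.group(2):
            # Nested records draw on the same budget of 10.
            total += count_lookups(match.group(2).lower(), zone, seen | {domain})
    return total

def audit(domain, zone=SAMPLE_ZONE):
    """Return (lookups, within_limit) for the domain's published SPF policy."""
    lookups = count_lookups(domain, zone)
    return lookups, lookups <= SPF_LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("example.com", "_spf.mailer.test", "_spf.crm.test"):
        print(name, audit(name))
```

The count is a worst case: a real evaluation stops at the first matching mechanism, but a record has to stay within the limit for senders that match late or not at all.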
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to email headers. A private key signs the email, and the public key in DNS validates the signature. This proves that the email came from an authorized server and that its content was unmodified in transit. Example DNS record: selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS...". DKIM survives forwarding. It is required with SPF/DMARC. Multiple selectors are supported (rotate keys). Signature header: DKIM-Signature: v=1; a=rsa-sha256...
Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF/DKIM. It defines the policy for authentication failures: none (monitor), quarantine (spam folder), or reject (block). Example DNS record: _dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:reports@example.com". It provides aggregate reports (rua) and forensic reports (ruf). Start with p=none, monitor reports, and gradually enforce up to p=reject.
Common failures: SPF - sending from an unauthorized server, too many DNS lookups, a missing include. DKIM - invalid signature, key rotation without a DNS update, email modified in transit. DMARC - SPF/DKIM alignment failure, no policy defined. Forwarding breaks SPF (but DKIM survives). Check that DNS records are correct, selectors match, and domains are aligned (envelope vs header). Use email authentication validators to diagnose issues.
Implement all three: SPF (authorize servers), DKIM (sign emails), DMARC (enforce policy). Set the DMARC policy to p=reject for maximum protection. Enable DMARC reports to monitor. Add BIMI (Brand Indicators for Message Identification) for logo display. Monitor for spoofed domains using your brand and for authentication failures. Train employees to verify the sender and check for phishing. Use an email security gateway. Report spoofing to authorities (FBI IC3).
DMARC requires identifier alignment: the domain in the From: header must match the authenticated domain. SPF alignment: the From header domain aligns with the Return-Path domain (relaxed or strict mode). DKIM alignment: the From header domain aligns with the d= domain in the DKIM signature. Example: email from @example.com must pass SPF/DKIM with the @example.com domain. Alignment prevents display name spoofing. Check alignment in DMARC reports.
Authentication is the foundation. Configure SPF (authorize servers), DKIM (sign with a 2048-bit key), and DMARC (p=quarantine/reject). Best practices: warm up new IPs, maintain a clean email list, keep bounce and complaint rates low, authenticate subdomains, enable BIMI, monitor blacklists, use a dedicated IP for bulk sending, avoid spam trigger words, provide an unsubscribe option, and follow CAN-SPAM/GDPR. Monitor inbox placement with seed lists.