Skip to content

Outreach · Guide

Email Authentication: SPF, DKIM, DMARC

Email authentication ties your domain to the messages you send so Gmail and Yahoo trust them. Set SPF, DKIM, and DMARC with this step-by-step guide.

June 11, 2026 13 min read Siddharth Gangal By Siddharth Gangal
Outreach

13 min read · June 11, 2026

Email authentication explained for sales teams

Email authentication is the set of DNS records that tie your sending domain to the messages you actually send. SPF, DKIM, and DMARC are the three load-bearing protocols. Together they answer one question every receiver asks before it routes a message to the inbox: did this mail really come from the domain in the From line, and was it altered in flight?

Direct answer. Email authentication uses three DNS records to prove your mail is legitimate. SPF lists allowed senders, DKIM signs every message with a 2048-bit key, and DMARC binds both to the From header and reports failures. Gmail and Yahoo require all three for any sender shipping more than 5,000 messages per day to consumer inboxes (Google sender requirements, 2024). Without them, bulk mail lands in spam by default.

Email authentication. The collection of DNS-based protocols (SPF, DKIM, DMARC, plus the newer BIMI and MTA-STS) that prove a sending server is authorized to use a domain and that the message body was not modified after signing. For a sales rep, authentication is the deliverability floor that every cold email, sequence, and reply must cross before any other deliverability lever matters.

This guide covers each protocol the way a rep or a founder running outbound actually needs them: the TXT record syntax, the policy ladder, the verification commands, and the eight mistakes that quietly cap your inbox rate. For a wider deliverability view, pair this with the cold email deliverability guide and the email deliverability glossary entry.

Why SPF, DKIM, and DMARC are mandatory in 2026

Authentication moved from best practice to gate in February 2024. Google and Yahoo jointly published bulk-sender requirements that block unauthenticated mail at the gateway. Microsoft followed in May 2025 with the same baseline. The result: a cold email program that ignores SPF, DKIM, or DMARC now starts with a spam-folder default and earns its way out, instead of starting inboxed and earning its way down.

95%

of inboxed B2B mail passes all three authentication checks

Google Postmaster Tools aggregate, 2025.

5×

higher spam rate for unauthenticated senders post-Feb 2024 rules

Google Workspace bulk-sender enforcement notes, 2024.

0.10%

Gmail spam-rate threshold before reputation collapses

Google sender requirements, 2024.

4min

median time to ship the three records on a fresh domain

Gangly customer benchmark, 2026 (n=212 domains).

Four numbers explain the new reality. Authenticated B2B mail clears the inbox gate at 95 percent. Unauthenticated mail draws a 5× higher spam rate post-rules. Gmail caps you at a 0.10 percent spam complaint rate before sender reputation collapses. And a sales team running Gangly ships the three records on a fresh domain in a median of 4 minutes (Gangly customer benchmark, 2026, n=212 domains).

Trap. Authentication is a delivery floor, not a delivery ceiling. Publishing all three records still leaves you exposed to high complaint rate, cold domain, and poor copy. Treat the three records as the entry ticket, then ship the rest of the deliverability stack.

The Authentication Trust Ladder (the Gangly framework)

The Authentication Trust Ladder is the five-layer model the Gangly deliverability team uses to set up new sending domains. Each layer compounds on the one below it. Skip a layer and the rest of the stack carries the load alone, which is what new senders consistently get wrong.

  1. 1

    Layer 1: SPF

    Publish a TXT record at the apex of the sending domain that lists every IP and platform allowed to send mail as you. SPF answers the receiver question, "Was this sender on the allow list at all?"

  2. 2

    Layer 2: DKIM

    Generate a 2048-bit asymmetric key pair, publish the public half as a TXT record at a named selector, and have the mail server sign every outgoing message with the private half. DKIM proves the message was not altered in flight.

  3. 3

    Layer 3: DMARC

    Publish a TXT record at _dmarc that tells receivers what to do when SPF or DKIM fail and where to send the daily report. DMARC binds the From header to the authenticated domain. Without it, SPF and DKIM are advisory.

  4. 4

    Layer 4: Alignment

    Force the From header domain to match the SPF Return-Path domain (relaxed or strict) and the DKIM d= tag. Misaligned auth passes SPF and DKIM individually but fails DMARC, which is the single biggest cause of new-domain spam-folder hits.

  5. 5

    Layer 5: BIMI + MTA-STS

    Once DMARC sits at p=reject, publish BIMI to show a verified brand logo in Gmail and MTA-STS to force inbound TLS. Both compound the trust signal that already exists.

The five-layer view explains why partial setups fail. A domain that publishes SPF and DKIM but no DMARC passes individual checks but offers no enforcement and no reporting — the receiver has no policy to apply and the sender has no visibility into forged mail. A domain that publishes DMARC but never escalates past p=none signals to receivers that the owner is not serious about enforcement, which dilutes the trust signal. Climb the full ladder.

RecordTypeHostPurposeExample value
SPFTXT@ (apex)Lists allowed senders for the domain.v=spf1 include:_spf.google.com include:sendgrid.net ~all
DKIMTXT<selector>._domainkeyPublic key receivers use to verify the DKIM signature.v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...
DMARCTXT_dmarcPolicy + reporting endpoint that ties SPF/DKIM to the From header.v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s
BIMITXTdefault._bimiPoints to the verified logo SVG and VMC certificate.v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
MTA-STSTXT + HTTPS_mta-sts + mta-sts.<domain>Forces inbound mail over TLS with a published policy.v=STSv1; id=20260601

SPF setup: publish the TXT record that authorizes your senders

SPF (Sender Policy Framework) is a single TXT record at the apex of your sending domain that lists every IP, hostname, and platform allowed to send mail as you. It answers the receiver's first question: was this sender on the allow list at all? Publish exactly one SPF record per domain. RFC 7208 makes a second record invalidate both.

SPF. A DNS TXT record beginning with v=spf1 that enumerates the IPs and platforms authorized to send mail for the domain, terminated by a default-action qualifier. SPF authenticates the Return-Path (envelope sender), not the visible From header — that is the job of DMARC.

A working SPF record for a sales team running Google Workspace plus SendGrid plus Outreach looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.outreach.com ~all

Three rules to remember. First, every platform you ship from needs an include or a4 entry — forgetting one sends mail through that platform straight to spam. Second, the chain cannot exceed ten DNS lookups; flatten the includes with a tool like dmarcian if the chain grows. Third, the closing qualifier should be ~all (softfail) during the first 30 days, then -all (fail) once the platform list is locked. Using +all or ?all tells the receiver to pass any sender — worse than publishing no record at all.

DKIM setup: sign every message with a 2048-bit key

DKIM (DomainKeys Identified Mail), defined in RFC 6376, signs every outgoing message with a private cryptographic key and publishes the matching public key in DNS. Receivers verify the signature on receipt. If the signature checks out, the receiver knows two facts: the sending server held the private key, and the message body was not altered between signing and delivery.

DKIM. An asymmetric-key authentication protocol that signs the headers and body of every outbound email with a 2048-bit private key. The matching public key lives at <selector>._domainkey.<domain> as a TXT record. DKIM proves message integrity in transit, which is what SPF cannot do.

The setup is platform-specific but follows the same four moves. Generate a 2048-bit RSA key pair on the sending platform (Google Workspace, SendGrid, Postmark, Outreach all expose a console button for this). Pick a unique selector per platform — gangly1, sendgrid1, outreach2026 — so two platforms never overwrite each other at the same DNS host. Publish the public key as a TXT record at <selector>._domainkey.<domain>. Activate signing on the platform.

Two failure modes account for almost every DKIM bug. The first is a 1024-bit key. Google began downgrading 1024-bit signatures in 2023 and now treats them as failed. Use 2048 bits and rotate the key annually. The second is selector collision — two platforms publishing google._domainkey overwrite each other in DNS, which silently breaks DKIM for both. Always pick a platform-specific selector before generating the key.

DMARC setup: enforce alignment from p=none to p=reject

DMARC (Domain-based Message Authentication, Reporting, and Conformance, RFC 7489) is the glue between SPF, DKIM, and the visible From header. It does two jobs: it tells receivers what to do when SPF or DKIM fail, and it requests aggregate reports of every message that claims to be from your domain. Without DMARC, SPF and DKIM are advisory. With DMARC at p=reject, they are policy.

DMARC. A DNS TXT record at _dmarc.<domain> that publishes a policy (p=none, p=quarantine, p=reject) plus aggregate (rua=) and forensic (ruf=) reporting endpoints. DMARC enforces alignment between the authenticated SPF and DKIM domains and the visible From header — the alignment check is where most new-domain mail fails.

The minimum viable DMARC record on day one looks like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100; adkim=r; aspf=r

The policy starts at p=none so nothing breaks while you inventory legitimate senders. The rua mailbox receives daily XML reports — route it to a processor (dmarcian, Valimail, Postmark) that parses the XML, because raw reports are unreadable. The adkim and aspf tags control alignment strictness; start at relaxed (r) and tighten to strict (s) once alignment audits are clean.

Escalation follows the policy ladder over 8 to 12 weeks:

  1. P1

    p=none (Week 1–4)

    Monitor mode. Receivers report failures but deliver everything. Use rua= and ruf= aggregate reports to inventory every legitimate sender. Do not skip this stage on a real domain.

  2. P2

    p=quarantine pct=25 (Week 5–8)

    Quarter of failing mail lands in spam. Watch the daily DMARC reports. If a legitimate sender appears in the failure list, fix its SPF or DKIM record before raising the percentage.

  3. P3

    p=quarantine pct=100 (Week 9–10)

    All failing mail lands in spam. Reports should now show only forged or shadow-IT senders. Investigate every unknown source name in the rua reports.

  4. P4

    p=reject (Week 11+)

    Failing mail is dropped at the gateway. The domain now publishes the strongest signal a receiver can read. Only move here after two consecutive weeks of clean quarantine reports.

Fast tip. Never jump straight to p=reject on a real domain. The aggregate reports take two policy windows to surface every legitimate sender — the HR platform, the payroll vendor, the marketing form processor. Drop them before they appear in the report and you block your own mail for a week.

BIMI and MTA-STS: the two records that compound the trust signal

BIMI (Brand Indicators for Message Identification) and MTA-STS (Mail Transfer Agent Strict Transport Security) sit at the top of the Authentication Trust Ladder. They do not replace SPF, DKIM, or DMARC, and they do not improve raw deliverability for unauthenticated mail. They compound the trust signal that already exists for senders who finished the three-record stack.

BIMI publishes a verified brand logo in DNS, paired with a Verified Mark Certificate (VMC) issued by Entrust or DigiCert. Gmail and Yahoo render the logo next to the From line for authenticated senders at p=quarantine or p=reject. Valimail's 2024 State of Email Trust report measures a 3–10 percent open-rate lift on senders that ship BIMI on top of clean DMARC. The cost is a $1,500–$2,000 annual VMC and a registered trademark.

MTA-STS forces receivers to send inbound mail to your domain over TLS only, with the policy published at https://mta-sts.<domain>/.well-known/mta-sts.txt. It does nothing for outbound deliverability but closes a man-in-the-middle hole that opportunistic TLS leaves open. For a sales team that wins large enterprise deals, the procurement security review almost always asks for it. Ship both records after DMARC sits stable at p=reject for 30 days.

Pros of full authentication

  • Gmail and Yahoo deliver every authenticated bulk message past the bulk-sender gate (Google sender requirements, 2024).
  • Spam-folder hit rate drops 60–80 percent within two weeks of publishing the three records (Gangly customer benchmark, 2026; n=212 domains).
  • DMARC aggregate reports surface shadow-IT senders no security team had inventoried.
  • BIMI on top of p=reject shows a verified logo next to the From line in Gmail, lifting open rate 3–10 percent (Valimail State of Email Trust, 2024).

Cons / caveats

  • Authentication does not fix poor list hygiene, spammy copy, or a cold domain. Spam complaints above 0.30 percent still tank reputation.
  • DMARC at p=reject without alignment audits will block legitimate mail from forgotten senders (HR, payroll, marketing forms).
  • BIMI requires a paid Verified Mark Certificate ($1,500–$2,000/year) issued by Entrust or DigiCert.
  • Policy escalation from p=none to p=reject takes 8–12 weeks of report review. Shortcuts cost delivered mail.

Verify the records with a five-command audit

Five commands answer every authentication question a sales team has about a sending domain. Run them after every DNS change and before every campaign launch. Three are terminal commands; two are inbox-side checks. The full sweep takes under three minutes.

# 1. Confirm SPF is published and contains every sending platform
dig +short TXT example.com | grep spf1

# 2. Confirm DKIM is published at the active selector
dig +short TXT gangly1._domainkey.example.com

# 3. Confirm DMARC policy and report endpoint
dig +short TXT _dmarc.example.com

# 4. Send a synthetic message to a Gmail seed inbox and open "Show original"
#    Expect: SPF=PASS, DKIM=PASS, DMARC=PASS, Alignment=PASS

# 5. Check the DMARC aggregate report mailbox for new failing sources
#    Expect: only senders you recognize

The Show original view in Gmail is the receiver-truth check. If the four pass lines are present, the receiver accepted the authentication. If any line shows FAIL or NEUTRAL, fix the underlying record before the next send. Gangly customers run this sweep weekly as part of the deliverability cadence, which is why authentication regressions surface in days rather than after a campaign already damaged reputation.

Fast tip. Register the sending domain with Google Postmaster Tools and Microsoft SNDS on day one. Both surface spam rate, IP reputation, and authentication pass rate by receiver, which the synthetic test cannot do at scale.

Eight authentication mistakes that quietly send mail to spam

Eight failure modes account for the overwhelming majority of authentication regressions across the Gangly customer benchmark, 2026. Each one is one DNS edit away from a fix. Run this list before you debug anything else.

  1. 1

    Multiple SPF records on the same host

    RFC 7208 allows exactly one SPF TXT record per domain. A second record makes both invalid. Merge the include: list into one record.

  2. 2

    SPF +all or ?all

    Both qualifiers tell the receiver to pass mail regardless of source. Use ~all during testing and -all once the include list is locked. Anything looser is worse than no record.

  3. 3

    More than ten SPF DNS lookups

    RFC 7208 caps the include and redirect chain at ten lookups. Receivers return a permerror when you exceed the limit. Flatten the chain with a service like dmarcian or remove unused senders.

  4. 4

    DKIM key shorter than 2048 bits

    Google began downgrading 1024-bit keys in 2023 and now ignores them outright. Generate a fresh 2048-bit key on every platform and rotate annually.

  5. 5

    DKIM selector collision across platforms

    Two platforms publishing google._domainkey overwrite each other. Pick a unique selector per platform (gangly1, sendgrid1) so receivers can resolve the right public key.

  6. 6

    DMARC without aggregate reporting

    A DMARC record without rua= is a black box. You have no idea which senders are failing until reps complain. Always publish a rua mailbox or a third-party DMARC processor.

  7. 7

    Jumping straight to p=reject

    New domains that publish p=reject on day one block half their own mail. Climb the policy ladder over 8–12 weeks while the aggregate reports inventory every legitimate sender.

  8. 8

    Ignoring DMARC alignment

    Mail can pass SPF and DKIM but still fail DMARC when the From header domain does not match the authenticated domain. Set adkim=s and aspf=s only after both alignment paths are clean.

Five of the eight involve a partial setup that passes a casual inbox check but fails alignment under load. The other three are policy choices that look bold and end up self-inflicted (the SPF soft pass, the early p=reject, the absent rua). Treat the list as a pre-launch checklist on every new sending domain.

Verdict. Most teams that hit a spam-folder wall did not publish bad records. They published partial records, never escalated DMARC past p=none, and never reviewed an aggregate report. The fix is not more authentication — it is finishing the ladder.

How Gangly fits the email authentication workflow

Authentication is the deliverability floor. The work that earns the inbox sits above it: signal-led targeting, warm sequences, and the discipline to stop sending when reply rates drop. Gangly automates the parts of the rep workflow that quietly damage authentication when they go wrong — adding senders without updating SPF, rotating platforms without rotating DKIM keys, scaling sequences without watching the DMARC aggregate report.

  • Outreach Writer — ships every send through authenticated sender pools and rejects messages from unaligned domains before they leave the gateway.
  • Workflow Sequencer — caps sequence volume on any domain whose Postmaster Tools spam rate crosses the Gmail 0.10 percent threshold, which protects authentication ROI.
  • Signal Detection — ranks the inbox you should earn first, so the authenticated send goes to the prospect most likely to reply rather than a cold list that will drive a complaint rate.

Pair the three product surfaces with the wider deliverability stack documented in the cold email deliverability guide and the cold email warmup guide. For a glossary anchor on the next term, the domain reputation entry explains how authentication compounds with sender history. To see the full sales workflow that holds the cut, start a free trial or book a demo.

Frequently asked questions

What is email authentication? +

Email authentication is the set of DNS records that prove a message came from a sender authorized to use the From domain. The three load-bearing protocols are SPF (allowed senders), DKIM (cryptographic signature), and DMARC (policy plus reporting that ties the From header to the authenticated domain). Without all three, Gmail and Yahoo route bulk mail to spam by default under the February 2024 sender requirements. Authentication is necessary but not sufficient: spam complaint rate, list hygiene, and content still apply, but the three records are the gate every sender must clear before any other signal counts.

Do I need SPF, DKIM, and DMARC, or just one? +

You need all three. Gmail and Yahoo require both SPF and DKIM to pass for any sender shipping more than 5,000 messages per day to consumer inboxes, plus a DMARC record at minimum p=none. SPF alone passes the allowed-sender check but does nothing about content integrity. DKIM alone signs the message but does not constrain who can use the domain. DMARC binds the two together and tells receivers what to do when either fails. Receivers in 2026 treat partial authentication as a soft fail signal that compounds with any other negative metric. Publish all three records on every sending domain, including subdomains.

How long does it take SPF, DKIM, and DMARC to start working? +

The DNS records propagate within 5 minutes to 48 hours depending on your registrar and the TTL on the existing zone. Most major receivers re-resolve TXT records every few hours, so you usually see SPF and DKIM pass within 24 hours of publishing. DMARC reports begin arriving on the first day after the policy is active, with a 24-hour reporting window. The full benefit of authentication, including the spam-folder drop, lands within 2 weeks. The Gangly customer benchmark, 2026 records median 4 minutes from key generation to a signed test message landing in a Gmail inbox.

What is the difference between p=none, p=quarantine, and p=reject? +

These are the three policy modes on a DMARC record. p=none asks receivers to send aggregate reports but deliver every message regardless of pass or fail. p=quarantine asks receivers to route failing mail to spam. p=reject asks receivers to drop failing mail at the gateway. New domains start at p=none for 4 weeks to inventory legitimate senders through the aggregate reports, escalate to p=quarantine for 4 weeks with a rising pct= percentage, then move to p=reject once reports show only forged sources. Skipping the ladder is the most common cause of self-inflicted mail loss.

What is DMARC alignment and why does it break legitimate mail? +

DMARC alignment is the rule that the From header domain must match the SPF Return-Path domain or the DKIM d= tag for the message to pass DMARC, even when SPF and DKIM individually pass. Strict alignment (adkim=s, aspf=s) requires exact matches. Relaxed alignment (the default) allows subdomain matches. Misaligned mail commonly comes from third-party platforms that ship from their own bounce domain. The fix is custom Return-Path setup on the platform plus DKIM signing with a key published under the From domain. Alignment audit is the single highest-yield activity inside the Authentication Trust Ladder.

Does email authentication fix cold email deliverability by itself? +

No. Authentication is the floor, not the ceiling. The 2024 bulk-sender rules from Gmail and Yahoo require SPF, DKIM, DMARC, easy one-click unsubscribe, and a spam-complaint rate under 0.30 percent. Authentication satisfies the first three. List hygiene, warm-up, sending volume, and copy quality drive the spam-rate metric. A cold email program with perfect auth and a 0.5 percent complaint rate still lands in spam. Pair the three records with sender warm-up, suppression discipline, and the rest of the cold email deliverability stack. Authentication clears the gate; the other levers earn the inbox.

How do I monitor SPF, DKIM, and DMARC after they are live? +

Three monitoring layers are mandatory. First, route the DMARC aggregate report mailbox (rua=) to a processor (dmarcian, Valimail, Postmark) that parses the XML and surfaces failing senders. Second, register the sending domain with Google Postmaster Tools and Microsoft SNDS to track spam rate, IP reputation, and authentication pass rate by receiver. Third, run a weekly synthetic test: send to a Gmail and Yahoo seed inbox, open the Show original view, confirm SPF=pass, DKIM=pass, DMARC=pass, and alignment=pass. The Gangly customer benchmark, 2026 finds teams that skip the synthetic test miss authentication regressions 70 percent of the time.

Can BIMI work without DMARC at p=reject? +

No. The BIMI specification requires the sending domain to publish DMARC at p=quarantine or p=reject with pct=100 before any receiver will render the verified logo. Gmail and Yahoo also require a Verified Mark Certificate issued by Entrust or DigiCert, which costs $1,500–$2,000 per year and verifies the logo against a registered trademark. BIMI is the final layer of the Authentication Trust Ladder for that reason: there is no shortcut. Publish DMARC at p=reject for at least 30 days first, then submit the logo SVG and VMC for the BIMI record.

Keep reading

Related posts

Ready to ship the workflow?

Start free for 14 days.

First rep live in under 30 minutes. Signals → outreach → call prep → live coaching → notes — one connected workflow.