Email authentication is three DNS records that together prove you are allowed to send email from your domain: SPF, DKIM, and DMARC. Without them, mailbox providers cannot tell you apart from someone spoofing your domain, so they treat you as suspicious by default.
In 2026 this is not optional. Google and Microsoft effectively require authentication for anyone sending at volume. If you take one thing from this guide: set up all three before you send a single cold email.
Why authentication matters
Email was designed without identity verification. Anyone can put your domain in the From field. Authentication is the layer that was bolted on to fix that, and it answers one question for the receiving server: is this sender actually allowed to send for this domain?
If the answer is yes, you clear the first trust hurdle. If the answer is no or unknown, you are filtered before your content is even read. Authentication does not get you to the inbox by itself, but the lack of it keeps you out.
SPF: who is allowed to send
SPF, or Sender Policy Framework, is a DNS record that lists which servers are authorized to send email for your domain. When a server receives your mail, it checks the sending server against your SPF record.
SPF is a single TXT record on your domain. The most common mistake is having more than one SPF record, or exceeding the lookup limit by stacking too many sending services into it. You get one SPF record, and every sending tool you use has to be included in that one record.
DKIM: proof the message was not tampered with
DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to every email you send. The receiving server checks that signature against a public key published in your DNS. If they match, the message is verified as genuinely from you and unaltered in transit.
DKIM is published as a DNS record at a selector subdomain, and the value is usually provided by your email service. Each sending platform typically has its own DKIM key, so if you send through more than one tool, each one needs its own DKIM record published.
DMARC: what to do when checks fail
DMARC, or Domain-based Message Authentication, Reporting and Conformance, ties SPF and DKIM together. It is a DNS record that tells receiving servers what to do when a message fails authentication: do nothing, quarantine it, or reject it outright.
DMARC also enables reporting, so you get data on who is sending mail using your domain. For cold email, start with a monitoring policy so you can see what is happening, confirm your legitimate mail passes, then tighten the policy. Publishing an aggressive reject policy before your own mail passes will block your own campaigns.
How to set each one up
All three are DNS records you add through your domain registrar or DNS host. The exact values come from your email provider, but the order matters.
- SPF first. Create one TXT record that includes every service you send through. Confirm it is a single record.
- DKIM second. Get the DKIM record from each sending platform and publish each at its selector. Verify each one resolves.
- DMARC last. Add the DMARC record only after SPF and DKIM pass, starting with a monitoring policy. Tighten it once you confirm your legitimate mail is passing.
When all three are live, verify them with the free SPF, DKIM and DMARC checker. It tests across common DKIM selectors and shows you exactly which records pass.
Reading the results
A clean setup shows SPF pass, DKIM pass, and a DMARC record present and aligned. You can also confirm this on real mail by opening the raw headers of a test email and looking at the authentication results line. The free email header analyzer parses that for you.
The word to watch for is alignment. SPF and DKIM can technically pass while still failing DMARC if the domains do not align. If DMARC shows a fail despite SPF and DKIM passing, alignment is almost always the reason.
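The alignment check described above, as an added Python example (not part of the original guide or any tool it mentions). It reads an Authentication-Results header value and reports whether a passing SPF or DKIM result also aligns with the From domain. The sample headers and domains are constructed, and the organizational-domain helper is a simplification labelled in the code.

```python
import re

# Constructed sample headers (placeholder domains, not from real mail).
UNALIGNED = ("mx.receiver.example; spf=pass (sender ok) smtp.mailfrom=bounce@mailer.example.net; "
             "dkim=pass header.d=mailer.example.net header.s=s1")
ALIGNED = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mailer.example.net; "
           "dkim=pass header.d=mail.example.com header.s=s1")

def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational domain.
    # Real receivers use the Public Suffix List; this is wrong for e.g. co.uk.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return [(method, result, domain)] for each spf/dkim clause."""
    value = re.sub(r"\([^)]*\)", "", value)      # drop parenthesised comments
    checks = []
    for clause in value.split(";")[1:]:          # [0] is the reporting server's id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause, re.I)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        # SPF authenticates the envelope sender; DKIM authenticates the signing domain.
        prop = r"smtp\.mailfrom" if method == "spf" else r"header\.[di]"
        d = re.search(prop + r"=(\S+)", clause, re.I)
        domain = d.group(1).split("@")[-1].lower() if d else ""
        checks.append((method, result, domain))
    return checks

def dmarc_verdict(from_domain, auth_results, strict=False):
    """Pass only if SPF or DKIM both passes AND its domain aligns with From."""
    # strict=True models strict alignment (exact match); default is relaxed.
    norm = (lambda d: d.lower().strip(".")) if strict else org_domain
    passed, reasons = False, []
    for method, result, domain in parse_auth_results(auth_results):
        aligned = bool(domain) and norm(domain) == norm(from_domain)
        reasons.append(f"{method}={result} domain={domain or '?'} aligned={aligned}")
        passed = passed or (result == "pass" and aligned)
    return ("pass" if passed else "fail"), reasons

if __name__ == "__main__":
    for name, hdr in (("unaligned", UNALIGNED), ("aligned", ALIGNED)):
        verdict, reasons = dmarc_verdict("example.com", hdr)
        print(name, verdict, reasons)
```

In the first sample both checks pass for the sending platform's own domain, so DMARC for example.com still fails; in the second, the DKIM signing domain is a subdomain of the From domain, which aligns in relaxed mode only.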
Common failures and how to spot them
- Two SPF records. Only one is allowed. A second one, often left over from an old tool, invalidates both.
- SPF lookup limit exceeded. Too many included services push you past the limit and SPF fails silently.
- Missing DKIM for a new tool. You added a sending platform but never published its DKIM record, so its mail is unsigned.
- DMARC too aggressive too early. A reject policy published before your own mail passes blocks your own campaigns.
- A record that broke and nobody noticed. DNS changes silently. Re-check authentication periodically, not just once at setup.
Authentication is the cheapest, fastest deliverability win there is, and the easiest to overlook. Once it is solid, move on to the rest of the system in the deliverability guide and warm your accounts properly with the warmup guide.