Every day, billions of emails are sent by businesses like yours. And every day, a significant chunk of them never reach the inbox — not because of bad content, but because of bad infrastructure.
One of the most important — and most ignored — pieces of that infrastructure is email authentication.
Let me break it down.
The Three Protocols Every Sender Needs to Know
SPF — Sender Policy Framework
SPF is a DNS record that tells inbox providers which mail servers are allowed to send email on behalf of your domain.
When Gmail receives an email claiming to be from @yourcompany.com, it checks your SPF record. If the sending server isn't on the approved list, the email fails SPF.
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to every email you send. The receiving mail server uses a public key published in your DNS to verify that the email actually came from you and wasn't tampered with in transit.
Think of it as a wax seal on a letter — if it's broken or missing, something went wrong.
DMARC — Domain-based Message Authentication, Reporting & Conformance
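DMARC sits on top of SPF and DKIM. A message passes DMARC when SPF or DKIM passes for a domain that matches the one in the visible From address. For everything else, DMARC answers a single question: "If an email fails these checks, what should happen to it?"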
You have three options:
- None — monitor only, take no action
- Quarantine — send suspicious emails to spam
- Reject — block them entirely
DMARC also enables aggregate reporting — inbox providers like Gmail and Outlook send you regular XML reports showing exactly which servers sent mail from your domain, and whether each message passed or failed authentication.
Why This Actually Matters for Your Business
1. Without it, anyone can impersonate you
Without proper DMARC, bad actors can send emails that look like they came from your domain — to your customers, your partners, your employees. This is email spoofing, and it's behind the majority of phishing attacks.
Your domain is your reputation. Authentication protects it.
2. Your emails are probably landing in spam
Gmail and Yahoo now require proper SPF, DKIM, and DMARC configuration for bulk senders. Without them, your campaigns hit spam folders — or get blocked entirely — before anyone has a chance to read them. This isn't a future concern. It's happening now.
3. The reports tell you things you won't find anywhere else
DMARC aggregate reports reveal every server sending email from your domain. That includes:
- Your ESP (email service provider)
- Your CRM, if it sends emails on your behalf
- Your support desk, your transactional email tool, your calendar invites
- Any bad actor trying to spoof you
Most businesses never look at these reports. They're dense XML files that require tooling or technical knowledge to interpret. So authentication failures go unnoticed, reputation quietly erodes, and deliverability suffers.
The Setup Problem Most Businesses Ignore
Setting up SPF, DKIM, and DMARC once is a start. But it's not the end of the job.
Here's what usually happens: you configure everything correctly. Six months later, a new tool your team onboarded — a CRM, a support platform, a new automation — starts sending emails from your domain. Those emails fail DMARC. Your domain reputation takes a hit. Your deliverability drops.
Nobody noticed. Nobody got an alert.
This is more common than you'd think, and the fix starts with actually understanding what's in those DMARC reports.
How to Get Started
Step 1: Check your SPF record
Search your DNS for a TXT record starting with v=spf1. If you don't have one, add it. Most ESPs give you the exact record to copy.
Step 2: Configure DKIM
Your email platform should give you CNAME or TXT records to add to your DNS. These enable DKIM signing for mail sent through their infrastructure.
Step 3: Add a DMARC record
Start with p=none — this monitors without affecting delivery. Add it as a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:[email protected]
The rua= tag is where aggregate reports get sent. Set it to an address you'll actually check.
Step 4: Read the reports
After a few weeks, you'll have data. Look for:
- Which servers are sending on your behalf
- Whether SPF and DKIM are passing for each
- Any unexpected senders you didn't authorise
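To make Step 4 concrete, here is an added example (not from the original article or from any vendor tool) that summarises one aggregate report per sending IP and lists the sources that would be affected once the policy is tightened. It assumes the report has already been decompressed to XML text and follows the RFC 7489 aggregate layout; the sample report, the IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row><identifiers>"
            f"<header_from>yourdomain.com</header_from></identifiers></record>")

SAMPLE_REPORT = ("<feedback><policy_published><domain>yourdomain.com</domain>"
                 "<p>none</p></policy_published>"
                 + _rec("192.0.2.10", 120, "pass", "pass")    # ESP, fully set up
                 + _rec("198.51.100.7", 14, "fail", "pass")   # DKIM not enabled yet
                 + _rec("203.0.113.99", 3, "fail", "fail")    # unknown sender
                 + _rec("203.0.113.99", 2, "fail", "fail")
                 + "</feedback>")

def summarize(report_xml):
    """Per source IP: message totals and how many failed SPF, DKIM and DMARC."""
    # Reports arrive from third parties, so refuse DTDs instead of expanding entities.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD not allowed in an aggregate report")
    root = ET.fromstring(report_xml)
    for el in root.iter():                 # some reporters add an XML namespace
        el.tag = el.tag.split("}")[-1]
    stats = {}
    for row in root.iter("row"):
        n = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results DMARC actually used
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        s = stats.setdefault(row.findtext("source_ip"),
                             {"total": 0, "spf_fail": 0, "dkim_fail": 0, "dmarc_fail": 0})
        s["total"] += n
        s["spf_fail"] += n * (spf != "pass")
        s["dkim_fail"] += n * (dkim != "pass")
        # DMARC fails only when neither aligned check passed
        s["dmarc_fail"] += n * (spf != "pass" and dkim != "pass")
    return stats

def blocked_if_enforced(stats):
    """Source IPs whose mail would be hit by p=quarantine or p=reject, busiest first."""
    hit = [(ip, s["dmarc_fail"]) for ip, s in stats.items() if s["dmarc_fail"]]
    return sorted(hit, key=lambda x: -x[1])

if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for ip, s in summary.items():
        print(ip, s)
    print("would be affected by enforcement:", blocked_if_enforced(summary))
```

In the sample, the second sender fails DKIM but still passes DMARC through SPF, so only the unknown sender appears in the enforcement list.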
Step 5: Tighten the policy
Once you've reviewed your legitimate senders and confirmed they're all passing, move from p=none to p=quarantine, then eventually p=reject. That's full protection against spoofing of your exact domain; lookalike domains are outside what DMARC covers.
The Bottom Line
Email authentication isn't optional anymore. SPF, DKIM, and DMARC are table stakes for anyone serious about inbox placement and domain security.
But setting them up is only step one. The real work is staying on top of what's happening — reading the reports, catching new senders, tightening your policy as you go.
If your emails matter to your business, your domain health should too.