DMARC, SPF, DKIM (Email Authentication)

Also known as: email authentication, SPF DKIM DMARC

SPF, DKIM, and DMARC are the three standards inbox providers use to verify that an email actually comes from the domain it claims to be from. SPF (Sender Policy Framework) publishes which IPs are allowed to send on behalf of a domain. DKIM (DomainKeys Identified Mail) cryptographically signs outgoing email so the recipient can verify it was not modified in transit. DMARC ties the two together and tells inbox providers what to do when authentication fails.

All three matter, but DMARC is the one that determines whether failed-auth emails go to spam, are rejected outright, or are silently let through. A DMARC policy of 'reject' tells Gmail and Outlook to drop any email that fails SPF or DKIM — this protects your domain from impersonation but requires that SPF and DKIM are correctly set up everywhere you send from.

Misconfiguration is common and silent: an email tool you connected six months ago is no longer in your SPF record, its DKIM key has rotated, and your DMARC policy is now causing a fraction of your legitimate email to fail. Modern cold-email platforms monitor for this and alert before deliverability degrades.