Why Email Authentication Is No Longer Optional
SPF, DKIM, and DMARC are the three DNS-based standards that let a receiving mail server verify that an email claiming to be from your domain was actually sent by you. SPF checks which servers are allowed to send mail for your domain, DKIM cryptographically signs each message so it cannot be altered in transit, and DMARC tells receiving servers what to do when a message fails those checks — and where to send reports about it. Without all three configured correctly, a growing share of your outbound mail lands in spam or gets rejected outright.
This is not a theoretical concern. Since February 2024, Gmail and Yahoo have required SPF, DKIM, and a published DMARC record for any domain sending bulk mail to their users — and both providers have shown they will enforce it by silently dropping or spam-foldering non-compliant mail. If you run your own mail server, this guide covers exactly how each standard works and how to configure them correctly. If your DNS is hosted on Cloudflare and you want a click-by-click walkthrough instead, see Cloudflare Email DNS Setup: SPF, DKIM, and DMARC Made Simple.
Who This Guide Is For
This is written for anyone running a self-hosted mail server — Postfix, Exim, or a managed panel stack — who wants to understand what these DNS records actually do rather than copy-pasting a value they don't fully trust. We cover the mechanics of each standard, the DNS records themselves, alignment rules, and the mistakes that quietly break deliverability.
SPF (Sender Policy Framework) Explained
SPF is a DNS TXT record published on your domain that lists which mail servers are authorized to send email on its behalf. When a receiving server gets a message claiming to be from yourdomain.com, it looks up the SPF record for that domain and checks whether the connecting IP address is in the authorized list.
SPF Record Syntax
yourdomain.com. TXT "v=spf1 mx a ip4:203.0.113.10 include:_spf.google.com ~all"
| Mechanism | Meaning |
|---|---|
v=spf1 | Version tag — always the first term, required |
mx | Authorize the domain's own MX record IPs |
a | Authorize the domain's own A record IP |
ip4:203.0.113.10 | Authorize a specific IPv4 address |
ip6:2001:db8::1 | Authorize a specific IPv6 address |
include:_spf.google.com | Authorize another domain's SPF record (third-party senders) |
~all | Soft fail — mark unauthorized senders as suspicious, do not reject |
-all | Hard fail — reject unauthorized senders outright |
Use -all once you're confident every legitimate sending source is listed. Starting with ~all during setup is safer — it lets you monitor DMARC reports before committing to a hard reject policy.
The 10-Lookup Limit
SPF evaluation is capped at 10 DNS lookups (each include, a, mx, ptr, or exists mechanism counts). Exceed it and the entire SPF check permanently fails — not just for the mechanism that pushed you over the limit. This is the single most common SPF misconfiguration: domains that stack includes for every marketing tool, CRM, and helpdesk they've ever used until the record silently stops validating.
# Check your lookup count with dig, then count manually:
dig TXT yourdomain.com +short
If you're close to the limit, flatten nested includes or remove services you no longer use.
Why SPF Alone Is Not Enough
SPF validates the envelope sender (the SMTP MAIL FROM address), not the visible "From" header the recipient sees. It also breaks completely when mail is forwarded, because the forwarding server's IP is what gets checked, not your original sending IP. This is exactly why DKIM and DMARC exist — SPF alone was never sufficient.
DKIM (DomainKeys Identified Mail) Explained
DKIM adds a cryptographic signature to every outgoing message. The sending server generates a public/private key pair, signs each email with the private key, and publishes the public key in DNS. The receiving server fetches the public key and verifies the signature — proving the message was sent by a server with access to the private key and that its content was not altered in transit.
How DKIM Signing Works
- A private/public key pair is generated (2048-bit RSA is the current standard)
- The public key is published as a DNS TXT record at
selector._domainkey.yourdomain.com - The sending mail server signs specific headers and the message body with the private key
- A
DKIM-Signatureheader is added to the outgoing message - The receiving server extracts the selector and domain from that header, fetches the public key, and verifies the signature
DKIM DNS Record
default._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq...(public key)...IDAQAB"
The selector (default in this example) lets you run multiple DKIM keys simultaneously — useful for key rotation without downtime, or when different sending services (your mail server, a marketing platform, a transactional email provider) each sign with their own key.
Reading a DKIM-Signature Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yourdomain.com; s=default; t=1718000000;
bh=base64hash...; h=From:To:Subject:Date;
b=base64signature...
| Tag | Meaning |
|---|---|
d= | Signing domain — must align with the From header for DMARC |
s= | Selector — points to the DNS record with the public key |
bh= | Hash of the message body |
h= | List of headers that were signed |
b= | The actual signature, base64-encoded |
Unlike SPF, DKIM survives most forwarding scenarios, because the signature travels with the message content rather than depending on the connecting IP address. This is why DKIM alignment matters so much more than SPF alignment for DMARC pass rates in practice.
DMARC Explained
DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails both. Without a DMARC record, a domain has no enforceable policy — SPF and DKIM can pass or fail, but nothing instructs the receiving server how to react, and no reports are generated so you have no visibility into who is sending mail as your domain.
DMARC Record Syntax
_dmarc.yourdomain.com. TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; aspf=r; adkim=r"
| Tag | Meaning |
|---|---|
v=DMARC1 | Version tag, required |
p= | Policy: none (monitor only), quarantine (send to spam), reject (bounce) |
rua= | Where to send aggregate (daily summary) reports |
ruf= | Where to send forensic (per-message failure) reports |
pct= | Percentage of failing mail the policy applies to — useful for gradual rollout |
aspf= | SPF alignment mode: r (relaxed) or s (strict) |
adkim= | DKIM alignment mode: r (relaxed) or s (strict) |
The Rollout Path Everyone Should Follow
- Start with
p=none— collects aggregate reports without affecting delivery. Run this for at least two weeks. - Review the rua reports — identify every legitimate source sending mail as your domain, including transactional email services and marketing platforms you may have forgotten about.
- Move to
p=quarantine; pct=25— start enforcing gradually. - Increase
pctin stages — 25 to 50 to 100 over several weeks, watching for legitimate mail getting caught. - Finish at
p=reject— the strongest policy, telling receivers to bounce anything that fails alignment.
Jumping straight to p=reject without reviewing reports first is the most common way legitimate mail — including your own — starts silently disappearing.
Alignment: Where Most DIY Setups Fail
DMARC does not just check whether SPF and DKIM pass in isolation — it checks whether the domain in the visible From header aligns with the domain that passed SPF or DKIM.
- SPF alignment — the domain in the SMTP envelope
MAIL FROMmust match (or be a subdomain of) the visible From header domain - DKIM alignment — the
d=value in the DKIM signature must match (or be a subdomain of) the visible From header domain
A message only needs one of the two to align and pass for DMARC to pass overall. This is exactly why DKIM matters so much for forwarded mail and third-party senders: SPF alignment breaks under forwarding, but a correctly configured DKIM signature travels with the message and still aligns at the destination.
Relaxed alignment (r) allows subdomain matches — mail.yourdomain.com aligns with yourdomain.com. Strict alignment (s) requires an exact match. Most domains should use relaxed alignment unless they have a specific reason for stricter enforcement.
Why Gmail and Yahoo Require All Three
Since February 2024, both Gmail and Yahoo enforce sender requirements for any domain sending bulk mail (roughly 5,000+ messages per day to their users, though the practical threshold for spam-folder treatment is lower):
- Valid SPF or DKIM authentication — but publishing both is strongly recommended
- A published DMARC record at
p=noneor stricter - SPF and DKIM alignment with the visible From domain
- A spam complaint rate kept under 0.3% and a clean record on major DNS blacklists (DNSBL)
- One-click unsubscribe support for marketing and bulk mail (List-Unsubscribe header)
Domains without a DMARC record are increasingly treated as higher-risk by spam filters, independent of whether they send bulk volume — the absence of a policy is itself a signal. Reverse DNS matters just as much here; see PTR Record and Reverse DNS for why mail servers need a matching PTR record. For any domain that sends transactional mail (password resets, invoices, notifications), configuring all three records correctly is no longer a best practice. It is the baseline for reliable inbox delivery.
Testing Your Configuration
Before trusting your setup, verify each record resolves correctly and that outgoing mail actually carries valid signatures.
# Check the SPF record
dig TXT yourdomain.com +short
# Check the DKIM record (replace 'default' with your actual selector)
dig TXT default._domainkey.yourdomain.com +short
# Check the DMARC record
dig TXT _dmarc.yourdomain.com +short
Send a test message to an address you control on a major provider (Gmail is convenient for this) and inspect the full headers. Look for spf=pass, dkim=pass, and dmarc=pass in the Authentication-Results header that the receiving server adds. If any of the three fail, the header will tell you exactly which check failed and why — mismatched domain, missing record, or an invalid signature.
Common Configuration Mistakes
| Mistake | Effect | Fix |
|---|---|---|
| Multiple SPF records for one domain | SPF becomes invalid — only one TXT record with v=spf1 is allowed per domain | Merge all sources into a single SPF record with multiple include mechanisms |
| Exceeding the 10-lookup SPF limit | SPF fails permanently for the entire record | Flatten nested includes, remove unused third-party senders |
| DKIM selector typo in DNS | Signature verification fails silently | Confirm the selector in the DKIM-Signature header matches the DNS record name exactly |
Jumping straight to p=reject | Legitimate mail from forgotten services gets bounced | Roll out gradually: none to quarantine to reject, reviewing reports at each stage |
| No DMARC record at all | No visibility into spoofing attempts, weaker sender reputation | Publish at minimum a p=none record with an rua address |
| Forwarding mail without DKIM | SPF breaks on forward, no DKIM means DMARC fails entirely | Ensure the original message keeps its DKIM signature intact through the forward |
How Panelica Automates Email Authentication
Panelica's built-in mail stack (Postfix and Dovecot) generates and manages all three records automatically for every domain you add. When a domain is created, Panelica generates a 2048-bit DKIM key pair, publishes the DKIM DNS record with a unique selector, builds an SPF record scoped to the server's actual sending IP, and can generate a DMARC record with a policy you choose from the panel.
- Automatic DKIM key generation — a unique key pair is created per domain, with the public key published to DNS without manual copy-pasting
- SPF record generation — scoped to the server's mail-sending IP, avoiding the "multiple SPF records" mistake from manually merging entries
- DMARC policy management — set the policy (none, quarantine, reject) and reporting address directly from the panel's email section
- DNS integration — records are published automatically through Panelica's built-in BIND DNS or synced through Cloudflare if that's your DNS provider
For anyone who has spent an afternoon debugging why a DKIM selector doesn't match or why SPF silently fails past 10 lookups, having these records generated and kept in sync automatically removes an entire category of deliverability incidents.
Frequently Asked Questions
Do I need SPF, DKIM, and DMARC, or is one enough?
Technically DMARC only requires one of SPF or DKIM to pass and align. In practice, publish all three. SPF alone breaks on forwarding, DKIM alone gives no enforcement policy or visibility, and DMARC without SPF or DKIM underneath has nothing to evaluate.
Will a wrong SPF or DKIM record get my email rejected immediately?
It depends on your DMARC policy. With p=none, failures are only reported, not acted on. With p=quarantine or p=reject, a misconfigured record can send legitimate mail to spam or cause outright rejection — which is exactly why the gradual rollout path matters.
Why does my email still land in spam even though SPF, DKIM, and DMARC all pass?
Authentication passing proves the message is legitimately from your domain — it does not guarantee inbox placement. Sender reputation, IP warm-up status, content patterns, and recipient engagement all factor into spam filtering independently of authentication results. For a complete troubleshooting walkthrough, see Why Are My Emails Going to Spam?
Can I use a subdomain for sending instead of my main domain?
Yes, and it's a common pattern for transactional or bulk mail (for example mail.yourdomain.com). Each subdomain needs its own DKIM selector and can have its own DMARC policy, which also isolates your main domain's reputation from bulk-sending activity.
Conclusion
SPF, DKIM, and DMARC each solve a different part of the same problem: proving a message actually came from your domain. SPF authorizes sending servers, DKIM cryptographically signs message content, and DMARC ties both together with an enforceable policy and reporting. None of the three is a substitute for the others.
Configure them in that order, verify with dig and real test messages before tightening policy, and roll out DMARC enforcement gradually. Get this right once and it keeps working — until you add a new sending service and forget to update the SPF record, which is exactly what the DMARC aggregate reports are there to catch.