Email Authentication: The Technical Foundation Your Deliverability Depends On
In February 2024, Google and Yahoo simultaneously implemented new requirements: bulk senders must authenticate their emails using SPF or DKIM and must have a DMARC policy in place, or their emails will be rejected. Email programs that properly implement SPF, DKIM, and DMARC enjoy dramatically better deliverability, better sender reputation scores, and stronger protection against domain spoofing and phishing attacks that use their brand.
SPF (Sender Policy Framework): The First Line of Authentication
SPF is a DNS TXT record that specifies which mail servers are authorized to send email from your domain. When a receiving mail server gets an email claiming to be from your domain, it checks your DNS for an SPF record and compares the sending server’s IP against the authorized list. For a business using Google Workspace and Mailchimp, the SPF record looks like: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all. Critical limitation: evaluating an SPF record may trigger at most 10 DNS lookups, and every include, a, mx, ptr, exists and redirect term counts toward that limit, including those nested inside an include. Businesses using many email services frequently exceed it, causing SPF evaluation to fail with a permanent error. Use SPF flattening tools to consolidate multiple includes into direct IP ranges.
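The following script is an added example, not code from the original article or from any SPF tool it mentions. It counts the DNS lookups a record would cost (following include: chains), checks a sending IP against the record, and flattens the includes into direct ip4/ip6 terms. DNS is replaced by a constructed in-memory table so it runs offline; the domain yourdomain.com and the IP ranges in that table are illustrative assumptions, not the providers' real ranges.

```python
"""Count the DNS lookups an SPF record triggers, evaluate a sending IP against it,
and flatten include: chains into direct ip4/ip6 terms. Standard library only."""
import ipaddress

# Constructed in-memory stand-in for DNS TXT answers so this runs offline;
# the ranges below are illustrative, not authoritative for these providers.
FAKE_DNS = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ~all",
    "servers.mcsv.net": "v=spf1 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ~all",
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (limit: 10 per check).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Fetch the SPF TXT record for domain from the constructed table."""
    rec = FAKE_DNS.get(domain.lower())
    if rec is None or not rec.startswith("v=spf1"):
        raise LookupError(f"no SPF record published for {domain}")
    return rec


def parse_term(term):
    """Split 'include:x', 'ip4:1.2.3.0/24', 'redirect=x', 'a/24', '~all'
    into (qualifier, mechanism name, argument)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    for sep in (":", "="):
        if sep in term:
            name, arg = term.split(sep, 1)
            break
    else:
        name, arg = term, ""
    name = name.split("/", 1)[0]  # drop a CIDR suffix on a bare 'a' or 'mx'
    return qualifier, name.lower(), arg


def count_lookups(domain, _seen=None):
    """Total DNS lookups needed to evaluate domain's record, following
    include: and redirect= recursively (nested terms count too)."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:
        raise ValueError(f"include loop through {domain}")
    _seen.add(domain)
    total = 0
    for term in spf_record(domain).split()[1:]:
        _, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, _seen)
    return total


def within_limit(domain):
    """True when the record stays inside the 10-lookup budget."""
    return count_lookups(domain) <= MAX_LOOKUPS


def check_ip(domain, ip):
    """Simplified SPF check returning pass/fail/softfail/neutral. Only ip4, ip6,
    include and all are evaluated; a/mx/ptr/exists need live DNS and are skipped."""
    addr = ipaddress.ip_address(ip)
    for term in spf_record(domain).split()[1:]:
        qualifier, name, arg = parse_term(term)
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":  # an include matches only if the inner check passes
            matched = check_ip(arg, ip) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def _ip_terms(domain, _seen):
    """Collect every ip4/ip6 term reachable through include: chains."""
    _seen.add(domain)
    terms = []
    for term in spf_record(domain).split()[1:]:
        _, name, arg = parse_term(term)
        if name in ("ip4", "ip6"):
            terms.append(f"{name}:{arg}")
        elif name == "include" and arg not in _seen:
            terms.extend(_ip_terms(arg, _seen))
    return terms


def flatten_record(domain):
    """Rewrite the record with all includes inlined, so it costs zero lookups.
    Caveat: a flattened record goes stale as soon as a provider changes its
    ranges, so it has to be regenerated on a schedule."""
    return "v=spf1 " + " ".join(_ip_terms(domain, set())) + " ~all"


if __name__ == "__main__":
    print(count_lookups("yourdomain.com"), "lookups; within limit:", within_limit("yourdomain.com"))
    print("64.233.160.5 ->", check_ip("yourdomain.com", "64.233.160.5"))
    print(flatten_record("yourdomain.com"))
```

The four-lookup total for the constructed table comes from the two includes in the top-level record plus the two nested inside _spf.google.com, which is the part most people miss when they count only their own record. The flattening caveat is the practical one: once includes are replaced by literal ranges, nothing updates them when a provider adds addresses, so the flattened record must be rebuilt regularly or legitimate mail starts failing.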
DKIM (DomainKeys Identified Mail): Cryptographic Email Signing
DKIM adds a cryptographic signature to every email you send. The signature is generated using a private key held by your mail server and verified by receiving servers using a public key published in your DNS. This confirms the email originated from your authorized infrastructure and that the content hasn’t been modified in transit. For setup, generate a DKIM key pair in your ESP’s settings, add the provided DNS TXT record (e.g., selector1._domainkey.yourdomain.com), and verify in your ESP that DKIM is passing. Use 2048-bit keys — Google retired 1024-bit DKIM keys in 2024.
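As an added example (not the article's code, nor any ESP's implementation), the script below shows the part of DKIM verification that catches in-transit modification: relaxed body canonicalization and the bh= body hash from RFC 6376, plus the selector DNS name and a usability check on the published TXT record. The RSA check of the b= tag is deliberately left out, so the constructed DKIM-Signature value carries a placeholder b=; the domain yourdomain.com and selector1 are assumptions taken from the article's own example.

```python
"""DKIM body-hash (bh=) verification with relaxed body canonicalization
(RFC 6376 section 3.4.4) and selector-record parsing. Standard library only;
the RSA check of the b= tag is out of scope here."""
import base64
import hashlib
import re


def parse_tags(value):
    """Parse the tag=value list used by DKIM-Signature headers and the
    selector._domainkey TXT record. Folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def relaxed_body(body):
    """Relaxed canonicalization: strip trailing whitespace on each line, collapse
    runs of spaces/tabs to one space, drop empty lines at the end, end with CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    canon = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while canon and canon[-1] == b"":
        canon.pop()
    return b"\r\n".join(canon) + b"\r\n" if canon else b""


def body_hash(body):
    """bh= value: base64 of SHA-256 over the canonicalized body (a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def verify_body_hash(dkim_signature, body):
    """True when the bh= tag in a DKIM-Signature header value matches the body
    as received; False means the body changed after signing."""
    tags = parse_tags(dkim_signature)
    if tags.get("a", "rsa-sha256") != "rsa-sha256":
        raise NotImplementedError("only rsa-sha256 is handled here")
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    if (body_canon or "simple") != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is handled here")
    return tags["bh"] == body_hash(body)


def selector_name(dkim_signature):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def selector_record_usable(txt):
    """Check the published TXT record: DKIM1, RSA, and a non-empty key.
    An empty p= means the key was revoked."""
    tags = parse_tags(txt)
    return (tags.get("v", "DKIM1") == "DKIM1"
            and tags.get("k", "rsa") == "rsa"
            and bool(tags.get("p")))


def demo_signature(body):
    """Constructed DKIM-Signature value with a real bh= for body and a placeholder
    b= (the RSA signature a real signer would add over the headers and bh=)."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector1; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=PLACEHOLDER")


if __name__ == "__main__":
    original = b"Hello  world \r\n\r\n\r\n"   # constructed message body
    sig = demo_signature(original)
    print("lookup:", selector_name(sig))
    print("whitespace-only change verifies:", verify_body_hash(sig, b"Hello world\n"))
    print("content change verifies:", verify_body_hash(sig, b"Hello world!\n"))
```

The relaxed mode exists because mail relays routinely rewrap or re-terminate lines; a body that differs only in trailing spaces or blank lines still verifies, while a single changed character does not. The same parse_tags routine reads the selector record, which is why an ESP can revoke a key simply by publishing an empty p= at selector1._domainkey.yourdomain.com.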
DMARC: The Policy Layer That Ties Everything Together
DMARC specifies what receiving servers should do with emails that fail SPF and/or DKIM checks (the policy), requires “alignment” between the domain authenticated by SPF or DKIM and the domain in the From: header, and enables reporting. A typical DMARC record: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100. The recommended phased rollout: start with p=none to collect data, then move to p=quarantine with pct=10, gradually increasing to pct=100, then finally p=reject once all legitimate mail is properly authenticated. The combination of SPF, DKIM, DMARC, and BIMI represents the complete technical foundation for a secure, high-deliverability email program.
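To make the alignment and pct mechanics concrete, here is an added example (not the article's code) of the DMARC evaluation a receiver performs per RFC 7489: parse the record, test whether the SPF or DKIM identifier aligns with the From: domain, and derive the disposition for a failing message, including the pct sampling that the phased rollout relies on. The organizational-domain helper is a simplification that keeps the last two labels (real verifiers use the Public Suffix List); yourdomain.com, bounce.yourdomain.com and mail.mcsv.net are constructed inputs.

```python
"""DMARC evaluation as a receiver does it (RFC 7489): parse the record, test
identifier alignment against the From: domain, and pick the disposition,
including pct sampling. Standard library only."""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a _dmarc TXT record into tags, filling in the RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")      # apply the policy to every failing message
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain. Real verifiers consult the Public Suffix List;
    this simplification (an assumption) keeps the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes when at least one authenticated identifier is aligned:
    the SPF MAIL FROM domain or the DKIM d= domain."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    return "pass" if spf_ok or dkim_ok else "fail"


def disposition(record, result, sample):
    """Action for one message. sample is the receiver's random draw in 0..99;
    messages not selected by pct= get the next less severe policy
    (reject -> quarantine, quarantine -> none), per RFC 7489 section 6.6.4."""
    if result == "pass":
        return "none"
    policy = record["p"]
    if sample < int(record["pct"]):
        return policy
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100")
    # Constructed cases: Workspace mail (SPF on a bounce subdomain) and ESP mail
    # (SPF domain belongs to the ESP, only DKIM d= is yours).
    print(dmarc_result(rec, "yourdomain.com", "pass", "bounce.yourdomain.com", "fail", ""))
    print(dmarc_result(rec, "yourdomain.com", "pass", "mail.mcsv.net", "pass", "yourdomain.com"))
    print(disposition(rec, "fail", 50))
```

Two points the code makes visible: mail sent through an ESP usually passes DMARC only via DKIM, because the SPF-authenticated MAIL FROM domain is the ESP's, so a DKIM outage for that stream turns into quarantined mail once p=quarantine is live; and during the pct=10 phase, a failing message that is not sampled is treated under the next weaker policy rather than being let through untouched, which is what makes the gradual ramp safe to observe in the rua reports.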