Email · June 10, 2026 · 9 min read

SPF, DKIM & DMARC Explained: The Email Authentication Setup Guide

Google and Yahoo now reject bulk email that fails authentication — SPF, DKIM, and DMARC stopped being optional in 2024. All three are DNS records you can configure in under an hour. This guide covers what each one does, the exact records to publish, and the rollout order that will not break your mail.

Why authentication is non-negotiable now

Since 2024, Google and Yahoo require SPF, DKIM, and DMARC for anyone sending bulk email — unauthenticated mail is rejected or spam-foldered outright. Authentication is no longer an optimization; it is the entry ticket. The good news: all three are DNS records you can set up in under an hour.

SPF — who is allowed to send for your domain

SPF (Sender Policy Framework) is a TXT record listing the servers authorized to send email for your domain. When a mailbox provider receives your mail, it checks whether the sending server is on the list.

  • Record lives at your root domain as TXT: v=spf1 include:_spf.google.com ~all (example for Google Workspace)
  • Each email service you use (ESP, CRM, support tool) adds its own include:
  • Hard limit of 10 DNS lookups — exceeding it silently breaks SPF; flatten includes if you hit it
  • End with ~all (softfail) or -all (hardfail); never +all
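
The 10-lookup limit counts every lookup-causing term across nested includes, not just the terms in your own record. The checker below is an added example, not Sendburg's code: it walks a constructed set of TXT records (all `.test` names are hypothetical) and flags a blown lookup budget or a `+all`.

```python
ZONE = {  # constructed TXT records standing in for live DNS (added example)
    "example.test": "v=spf1 include:_spf.mail.test include:esp.test include:crm.test mx a ~all",
    "_spf.mail.test": "v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all",
    "_nb1.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "esp.test": "v=spf1 a mx exists:%{i}.bl.esp.test -all",
    "crm.test": "v=spf1 a mx -all",
    "open.test": "v=spf1 ip4:192.0.2.1 all",  # bare "all" means "+all"
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4
LIMIT = 10

def parse_term(term):
    """Split one SPF term into (qualifier, name, value)."""
    qualifier = "+"  # the default when no qualifier is written
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    sep = "=" if term.lower().startswith("redirect=") else ":"
    name, _, value = term.partition(sep)
    return qualifier, name.split("/")[0].lower(), value

def count_lookups(domain, zone, path=()):
    """Count lookup-causing terms for `domain`, following include/redirect."""
    if domain in path or domain not in zone:  # include loop or missing record
        return 0
    total = 0
    for term in zone[domain].split()[1:]:
        _, name, value = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(value, zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return findings for the SPF record at `domain`; an empty list is clean."""
    terms = zone[domain].split()
    if terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    parsed = [parse_term(t) for t in terms[1:]]
    if any(q == "+" and name == "all" for q, name, _ in parsed):
        findings.append("+all authorizes every server")
    elif not parsed or parsed[-1][1] not in ("all", "redirect"):
        findings.append("record does not end with an all mechanism")
    lookups = count_lookups(domain, zone)
    if lookups > LIMIT:
        findings.append(f"{lookups} DNS lookups, limit is {LIMIT}")
    return findings
```

Here `example.test` has only five lookup terms of its own but reaches 12 once its three includes are expanded. The sketch does not model the separate limits on void lookups or on the number of hosts behind one `mx` term.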

DKIM — proving the message was not tampered with

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the header of every message. The public key sits in your DNS; receiving servers use it to verify that the signature matches the message. Your email provider generates the key pair — you publish the public half as a TXT record at selector._domainkey.yourdomain.com. Use 2048-bit keys, and rotate them annually.

DMARC — the policy that ties it together

DMARC tells receivers what to do when a message passes neither SPF nor DKIM in alignment with your From domain (one aligned pass is enough), and sends you reports about who is sending as your domain. It is a TXT record at _dmarc.yourdomain.com:

  • Start monitoring: v=DMARC1; p=none; rua=mailto:[email protected]
  • After 2–4 weeks of clean reports: move to p=quarantine
  • Mature state: p=reject — spoofed mail is refused outright
  • Aggregate reports (rua) reveal shadow senders — tools and vendors emailing as your domain that you forgot about

Testing your setup

Send a message to a Gmail address and use "Show original" — it displays SPF, DKIM, and DMARC pass/fail directly. Free checkers like MXToolbox validate the records themselves. Authentication passes but mail still bouncing? The problem is usually list quality, not DNS — run your list through our free email verifier before blaming your records.
