Authentication 101: SPF, DKIM, DMARC explained simply

Email authentication is how mailbox providers confirm that the messages you send are really from you and not forged by someone else. Without it, your emails are far more likely to be filtered as spam or rejected altogether.

The three core standards you need to know are SPF, DKIM, and DMARC.

SPF (Sender Policy Framework)
SPF lets you specify which mail servers are allowed to send email on behalf of your domain. When a receiving server gets your email, it checks your SPF record against the sending server’s IP. If the IP is not listed, the message may be flagged or blocked.

DKIM (DomainKeys Identified Mail)
DKIM attaches a digital signature to your email that proves it has not been altered in transit and that it really comes from your domain. The receiving server uses your public key (published in DNS) to verify the signature. This builds trust and protects against spoofing.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together. It tells mailbox providers what to do if an email fails those checks, and it gives you reports so you can see who is sending on behalf of your domain and whether they are passing authentication.

Getting started with authentication
Usually when you first set up on an ESP, they will walk you through adding these DNS records and then confirm that they are configured correctly. For example, if you were using Klaviyo, you would log into your DNS provider (like GoDaddy or AWS Route 53), copy the SPF, DKIM, and DMARC records Klaviyo provides, and paste them into your DNS settings. Once the records propagate, Klaviyo will show that authentication has been verified.

Why you should check regularly
While it is not a one-time task setting up these records, over time, sometimes someone managing DNS might clean up records and accidentally remove an authentication entry. If that happens, your deliverability can suffer without you realizing it. It is worth checking your records from time to time.

One simple way to check is in Gmail. Open any email from your company, presumably the ones from your marketing ESP, click the three dots menu, and choose “Show original.” Gmail will show you if the message passed SPF, DKIM, and DMARC. This is often the first place we look when troubleshooting deliverability issues.

Why this matters
When SPF, DKIM, and DMARC are set up correctly, they act as a foundation of trust for your email program. They reduce the risk of phishing, protect your brand, and improve your chances of reaching the inbox.

In the next article, we will look at how internet service providers use reputation and engagement data to judge your emails, the third article

1. Intro to email deliverability

2. Authentication 101: SPF, DKIM, DMARC explained simply

3. How ISPs judge your emails: reputation, engagement, spam traps, complaints

4. List hygiene and data quality: why clean lists matter more than big lists

5. Content and design factors: subject lines, html, images, links, spam triggers

6. Infrastructure and sending practices: shared vs dedicated IP, warming, throttling

7. Monitoring and troubleshooting: how to use seed tests, blocklist checks, analytics

8. Future of deliverability: AI filters, gmail and yahoo changes, privacy trends

Next article →

This post is part of our deliverability series. Check out the full guide here.