How Email Deliverability Works: SPF, DKIM, and DMARC Explained

Why Email Authentication Exists

Every email actually carries two "from" addresses. There is the envelope sender (also called the Return-Path or MAIL FROM), which the receiving server uses during the SMTP conversation, and there is the header From: address that you see in your mail client. Spammers and phishers exploit the gap between them by putting a trusted brand in the visible From: line while sending from infrastructure that has nothing to do with that brand.

Authentication standards give a domain owner a way to publish, in public DNS, the rules for who may send mail on their behalf and how that mail should be cryptographically marked. Receiving servers read those published rules and decide whether to trust the message. The payoff is twofold: less spoofing of your domain and better inbox placement for the mail you genuinely send, because mailbox providers reward authenticated, consistent senders.

SPF: Which Servers Are Allowed to Send

SPF stands for Sender Policy Framework. It is a single DNS TXT record that lists the IP addresses and hostnames authorized to send mail for a domain. When a receiving server gets a message, it looks at the envelope sender's domain, fetches that domain's SPF record, and checks whether the connecting server's IP address is on the approved list.

A typical SPF record looks like this, published as a TXT record on the root of the domain:

example.com.  IN  TXT  "v=spf1 ip4:203.0.113.10 include:_spf.google.com -all"

Reading the mechanisms left to right:

• v=spf1 declares the record version. Every SPF record starts this way.
• ip4:203.0.113.10 authorizes that specific IPv4 address.
• include:_spf.google.com delegates to Google's SPF record, a common pattern when you send through a third-party provider.
• -all is the qualifier for everything else. The hyphen means "hard fail"—any server not listed is not authorized. A tilde (~all) means "soft fail," a weaker stance that receivers usually treat as suspicious but not disqualifying.

Two practical limits are worth remembering. First, SPF evaluation is capped at 10 DNS lookups; chaining too many include: statements causes a permerror and breaks authentication. Second, SPF validates the envelope sender, not the visible From: address, and it breaks when mail is forwarded, because the forwarding server's IP is rarely in your record. That gap is exactly why DKIM and DMARC are needed alongside it.

DKIM: A Cryptographic Signature on the Message

DKIM, or DomainKeys Identified Mail, takes a different approach. Instead of checking the connecting IP, it attaches a digital signature to the message itself. The sending server hashes selected headers and the body, signs that hash with a private key, and adds the result as a DKIM-Signature header. The matching public key lives in DNS, so any receiver can verify the signature.

The public key is published under a selector. If the signature header says s=mail2026; d=example.com, the receiver fetches the key from this hostname:

mail2026._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Here v=DKIM1 is the version, k=rsa is the key type, and p= holds the base64-encoded public key (truncated above; real keys are 1024 or 2048 bits). Using a selector lets a domain rotate keys or run several providers at once, each with its own selector.

When the receiver recomputes the hash over the same headers and body and it matches the decrypted signature, two things are proven: the message was authorized by whoever holds the private key for d=example.com, and the signed parts of the message were not altered in transit. Because the signature travels with the message, DKIM usually survives forwarding, which is its key advantage over SPF.

DMARC: Policy, Alignment, and Reporting

SPF and DKIM each authenticate a domain, but neither one is tied to the From: address the recipient actually sees. DMARC—Domain- based Message Authentication, Reporting, and Conformance—fixes that. It does three jobs: it requires alignment with the visible From: domain, it tells receivers what to do when authentication fails, and it asks them to send reports.

A DMARC record is a TXT record published at the _dmarc subdomain:

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:[email protected]; adkim=s; aspf=r; pct=100"

The important tags:

• p= is the policy for messages that fail DMARC: none (take no action), quarantine (treat as suspicious, usually route to spam), or reject (refuse the message outright).
• rua= is the address that receives aggregate reports—daily XML summaries of how much mail passed or failed, and from which sources.
• adkim and aspf set alignment mode to strict (s) or relaxed (r). Relaxed allows subdomains to align with the organizational domain; strict requires an exact match.
• pct= applies the policy to a percentage of failing mail, useful for a gradual rollout.

Alignment is the heart of DMARC

DMARC does not just ask "did SPF or DKIM pass?" It asks "did they pass for a domain that matches the visible From: address?" That match is called alignment, and a message passes DMARC if it satisfies at least one of these:

• SPF alignment: SPF passes and the envelope sender domain aligns with the From: domain.
• DKIM alignment: a valid DKIM signature exists and its d= domain aligns with the From: domain.

This is why a raw SPF or DKIM pass is not enough on its own. A message can pass SPF for bounces.mailer.example.net while the From: header reads [email protected]. Raw SPF passes, but SPF alignment fails because the two organizational domains differ. If DKIM is also unaligned, the message fails DMARC and the published policy kicks in.

How a Receiving Server Decides: A Walkthrough

Picture a message arriving at a large mailbox provider. Roughly, here is the sequence it runs through:

A crucial nuance: DMARC needs only one aligned pass. A forwarded message often fails SPF because the forwarder's IP is not in your record, but if the DKIM signature survives forwarding and stays aligned, the message still passes DMARC. This redundancy is the main reason all three mechanisms are deployed together rather than picking one.

Practical Setup Notes

Getting authentication right is mostly about a careful, staged rollout rather than flipping every switch at once:

1. Inventory your senders first. List every service that sends mail as your domain—your mail provider, marketing platform, support desk, billing system. Each one needs to appear in SPF and ideally sign with DKIM.
2. Publish SPF and DKIM, then verify. Add the SPF record and the DKIM keys each provider gives you. Send test messages and confirm both pass before touching DMARC.
3. Start DMARC at p=none. A monitoring-only policy with an rua address changes nothing about delivery but turns on reporting, so you can discover sources you forgot.
4. Read the aggregate reports. When every legitimate source shows aligned passes, you are ready to tighten. Many teams use a report-parsing tool, since the raw XML is hard to read by hand.
5. Move to quarantine, then reject. Step up to p=quarantine (optionally with pct= for a partial rollout), watch for fallout, then finish at p=reject for full protection.

Keep in mind that authentication is necessary but not sufficient for inbox placement. SPF, DKIM, and DMARC prove identity; reputation, recipient engagement, complaint rates, and list hygiene decide whether wanted mail actually lands in the inbox. A perfectly authenticated message to an unengaged list can still end up filtered.

Frequently Asked Questions