SPF, DKIM, DMARC: the only guide you'll actually need in 2026
In February 2024, Gmail and Yahoo started enforcing bulk-sender authentication requirements. Sending more than 5,000 emails a day? Your messages now require valid SPF, DKIM, and DMARC, plus a list-unsubscribe header. This guide covers everything from DNS record setup to reading DMARC XML reports.
What each record actually does
Think of these three records as a layered security system. SPF answers "is this server allowed to send for this domain?" DKIM answers "was this message tampered with in transit?" DMARC answers "what should you do if either of the above fails?" All three work together — passing two out of three is not enough for full DMARC compliance.
SPF — who's allowed to send for your domain
A Sender Policy Framework record is a DNS TXT record that lists the IP addresses and services authorized to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from @yourdomain.com, it checks the domain's SPF record against the sending IP.
# If you use AWS SES + Google Workspace together: TXT @ "v=spf1 include:amazonses.com include:_spf.google.com ~all" # AWS SES only: TXT @ "v=spf1 include:amazonses.com ~all"
What happens when SPF fails
When SPF fails, what happens next depends on your DMARC policy. With p=none, nothing — the email is delivered and you get a report. With p=quarantine, the message goes to spam. With p=reject, it is bounced entirely. SPF alone (without DMARC) does very little to protect your domain.
DKIM — cryptographic signature
DomainKeys Identified Mail adds a digital signature to every outgoing email. The signature is generated using a private key held by your sending server. The receiving server fetches your public key from a DNS CNAME record and verifies the signature. If the email was altered in transit — even a single character — the signature verification fails.
AWS SES provides Easy DKIM, which automatically signs every message. You add three CNAME records to your DNS:
CNAME abc123._domainkey.yourdomain.com abc123.dkim.amazonses.com CNAME def456._domainkey.yourdomain.com def456.dkim.amazonses.com CNAME ghi789._domainkey.yourdomain.com ghi789.dkim.amazonses.com
DMARC — what to do when SPF/DKIM fails
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy layer on top of SPF and DKIM. It does two things: tells receivers what to do with unauthenticated messages, and requests aggregate reports so you can see what's happening.
# Start here — monitor mode, get reports, nothing rejected: TXT _dmarc.yourdomain.com "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100" # After 30 days of clean reports — quarantine mode: TXT _dmarc.yourdomain.com "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100" # After another 30 days — full enforcement: TXT _dmarc.yourdomain.com "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"
DMARC policy impact comparison
| Policy | What happens to failing messages | Gmail requirement | Use when |
|---|---|---|---|
p=none | Delivered normally, you get reports | ✓ Acceptable | Starting out, auditing |
p=quarantine | Sent to spam/junk folder | ✓ Recommended | After 30 days clean |
p=reject | Bounced, not delivered at all | ✓ Best | After 60 days, full protection |
DMARC alignment explained
Alignment is the concept that trips up most people. For DMARC to pass, either SPF or DKIM must be aligned with the domain in the From: header. Aligned means the domains match (exact match for strict alignment, subdomain match for relaxed).
AWS SES Easy DKIM handles alignment automatically when you verify your root domain. If you verify yourdomain.com in SES, DKIM alignment will pass for all mail sent from any address at yourdomain.com.
How to test with MXToolbox
- Go to mxtoolbox.com/SuperTool
- Select "SPF Record Lookup" and enter your domain — verify no syntax errors and that
include:amazonses.comis present - Select "DKIM Lookup", enter your DKIM selector (e.g.
abc123) and domain — verify the CNAME resolves - Select "DMARC Lookup" and enter your domain — verify the policy level and rua address
Reading DMARC XML reports
DMARC reports are delivered as gzipped XML files to the address in your rua tag. They arrive within 24 hours and contain aggregate data on every message received claiming to be from your domain. Key fields to look for:
- source_ip: which IP sent the mail — tells you if a rogue service is spoofing your domain
- spf/dkim pass/fail: shows which authentication method passed or failed
- disposition: what the receiver did — none, quarantine, or reject
- count: how many messages in the reporting period matched this row
Tools like DMARC Analyzer, Postmark's DMARC digests, or dmarcian parse these XML files into human-readable dashboards for free on low volumes.
BIMI: making your logo appear in the inbox
BIMI (Brand Indicators for Message Identification) is an emerging standard that displays your brand's logo next to your email in the inbox. Gmail, Apple Mail, and Yahoo all support it. Requirements:
- DMARC policy must be
p=quarantineorp=reject(p=none does not qualify) - A square SVG Tiny PS logo file hosted at an HTTPS URL
- A Verified Mark Certificate (VMC) from DigiCert or Entrust (~$1,500/year) for Gmail support
- A BIMI DNS record:
TXT default._bimi "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem"
The hard truth: if you're sending more than 5,000 emails/day without all three records aligned, your deliverability is already worse than it should be — Gmail and Yahoo are quietly demoting you.
Frequently asked questions
Do I need SPF, DKIM, and DMARC if I only send transactional emails? +
Yes. Gmail and Yahoo enforce authentication requirements for all bulk senders sending more than 5,000 emails per day, regardless of whether the email is transactional or marketing. Even below that threshold, missing records hurt deliverability because receiving servers use them as reputation signals.
What is the difference between SPF softfail (~all) and hardfail (-all)? +
A softfail (~all) tells receiving servers that messages failing SPF are suspicious but should still be accepted and possibly marked. A hardfail (-all) instructs receivers to reject failing messages outright. Start with ~all so you can catch misconfigurations via DMARC reports before enforcing hard rejection.
Can I have multiple SPF records on the same domain? +
No. Having two TXT records both starting with "v=spf1" causes an SPF PermError, which is treated as a failure. If you use multiple sending services, combine them into a single record: "v=spf1 include:amazonses.com include:_spf.google.com ~all".
How long does it take DMARC to work? +
DMARC takes effect as soon as the DNS record propagates, which is typically 15–60 minutes but can take up to 48 hours. You will start receiving aggregate reports within 24 hours of setting p=none with a rua address. Wait at least 30 days of clean reports before moving to p=quarantine.
What is DMARC alignment and why does it matter? +
Alignment means the domain in the From: header must match the domain used for SPF or DKIM authentication. If you send from noreply@yourdomain.com but your SPF record covers a subdomain like mail.yourdomain.com, alignment will fail even if SPF passes. AWS SES Easy DKIM handles alignment automatically when you verify your root domain.
What tool should I use to test my SPF, DKIM, and DMARC records? +
MXToolbox (mxtoolbox.com/SuperTool) is the most comprehensive free option. For DMARC specifically, use mail-tester.com to send a test message and get a full report. Google Postmaster Tools is essential for monitoring your domain reputation with Gmail specifically.
What is BIMI and do I need it? +
BIMI (Brand Indicators for Message Identification) displays your brand logo next to your emails in supported inboxes like Gmail and Apple Mail. It requires a DMARC policy of p=quarantine or p=reject, a Verified Mark Certificate (VMC), and a DNS record pointing to an SVG logo file. It is optional but adds trust signals in the inbox.
