Email authentication is a set of technologies that verify whether an email actually comes from who it claims to be from. Without it, anyone can send an email pretending to be your bank, your boss, or your brand — and there’s nothing built into email to stop them.

📧 Email Was Built Without Security

SMTP (Simple Mail Transfer Protocol), the standard for sending email since 1982, has no built-in way to verify the sender. When you receive an email “from” your-bank@example.com, the receiving server has no native mechanism to confirm it was actually sent by example.com.

Think of it like postal mail — anyone can write any return address on an envelope. Email works the same way. The “From” address is just text that the sender fills in.

The Three Pillars of Email Authentication

To solve this problem, three complementary protocols were developed. Each addresses a different aspect of verification, and together they form a robust defense against email spoofing:

Email Security Foundation (the three layers at a glance)

SPF
“Who is allowed to send email for this domain?” Checks the sending server’s IP address.
DKIM
“Is this email authentic and unmodified?” Cryptographic signature verified via DNS.
DMARC
“What to do when authentication fails, and report back to me.” Policy, alignment and aggregate reporting.

SPF (Sender Policy Framework)
A DNS record listing the IP addresses and servers authorized to send email for your domain. Like a guest list — if the sender’s IP isn’t on it, something’s wrong.
DKIM (DomainKeys Identified Mail)
A cryptographic signature added to outgoing emails. The receiving server verifies it using a public key in your DNS. Like a wax seal — proves the message is genuine and hasn’t been tampered with.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
Ties SPF and DKIM together with a policy that tells receivers what to do with emails that fail: monitor, quarantine, or reject. It also sends you daily aggregate reports.

How They Work Together

Each protocol solves a different problem. SPF verifies the sending server, DKIM verifies the message integrity, and DMARC adds policy enforcement and alignment (making sure the verified domains actually match the “From” address the recipient sees).

Here’s what happens when an email arrives at the receiving server:

  1. SPF check: Is the sending server’s IP address listed in the domain’s SPF record?
  2. DKIM check: Does the email have a valid cryptographic signature that matches a public key in DNS?
  3. DMARC alignment: Do the SPF and/or DKIM results align with the domain in the visible “From” header? (This is the crucial step that prevents sophisticated spoofing.)
  4. DMARC policy: If alignment fails, apply the domain owner’s policy — none (monitor), quarantine (spam folder), or reject (bounce).

For a detailed comparison, see SPF vs DKIM vs DMARC.

Why It Matters Now

3.4B phishing emails are sent daily worldwide.
$17,700 is lost every minute to phishing attacks.
90% of data breaches start with a phishing email.
⚠️ Google & Yahoo Requirements (2024+)
As of February 2024, Google and Yahoo require bulk senders (5,000+ messages/day) to have SPF, DKIM, and DMARC properly configured. Emails that don’t comply may be rejected or sent to spam — even if the content is legitimate.

Beyond the Big Three

Several newer standards build on the SPF/DKIM/DMARC foundation:

ARC (Authenticated Received Chain)
Preserves authentication results through email forwarding and mailing lists, where SPF and DKIM often break.
BIMI (Brand Indicators for Message Identification)
Displays your brand logo next to emails in supported inboxes. Requires DMARC at p=quarantine or stricter.
MTA-STS (Mail Transfer Agent Strict Transport Security)
Enforces TLS encryption for email in transit, preventing downgrade attacks.
TLS-RPT (TLS Reporting)
Sends reports about TLS connection failures, helping you monitor encryption issues.

Getting Started

If you’re new to email authentication, here’s the recommended path:

  1. Learn the basics: Read What is SPF?, What is DKIM?, and What is DMARC?
  2. Check your current state: Use our Domain Checker to see what’s already in place
  3. Follow the implementation guide: How to Implement DMARC walks you through step by step
  4. Generate your DMARC record: Our DMARC Record Generator builds the DNS record for you