Email authentication is a set of technologies that verify whether an email actually comes from who it claims to be from. Without it, anyone can send an email pretending to be your bank, your boss, or your brand — and there’s nothing built into email to stop them.

📧 Email Has No Built-In Sender Verification

The technology behind email was created in the 1980s with no way to verify who really sent a message. When you receive an email “from” your-bank@example.com, the receiving server has no built-in mechanism to confirm it was actually sent by example.com.

Think of it like postal mail — anyone can write any return address on an envelope. Email works the same way. In fact a message carries two sender addresses, both of which are just text that the sender fills in: the envelope sender (the Return-Path, used for bounces and normally never shown to the recipient) and the “From” header that appears in the mail client. Nothing in the protocol itself checks either one.

The Three Systems That Protect Your Email

To solve this problem, three complementary systems were created. Each checks something different, and together they make it very hard for anyone to fake your emails:

Email Security Foundation

SPF: “Who is allowed to send email for this domain?” Checks the sending server’s IP address against a list published in DNS.
DKIM: “Is this email authentic and unmodified?” Checks a cryptographic signature whose public key is published in DNS.
DMARC: “What should happen when authentication fails, and who gets told?” Policy, alignment with the visible “From” address, and aggregate reporting.

Domain Protection

SPF — Authorised Sender List
A TXT record in your domain’s public directory (DNS) that lists which servers are allowed to send email for your business. Like a guest list — if a server isn’t on the list, its emails can be flagged or rejected. Note that SPF is checked against the envelope sender domain (the Return-Path), not the “From” address the recipient sees; closing that gap is DMARC’s job. (Full name: Sender Policy Framework.)
DKIM — Digital Signature
A digital seal added to every email you send, proving it genuinely came from your domain and hasn’t been tampered with along the way. The sending server signs selected headers and the body with a private key, and the matching public key is published in DNS under a selector name, so any receiver can check the seal without contacting you. Like a wax seal on a letter — it proves who sent it and that nobody changed it. (Full name: DomainKeys Identified Mail.)
DMARC — The Rulebook
Ties SPF and DKIM together with a policy that you control: what should email providers do with messages that aren’t genuinely from you? Let them through (and just report to you), send them to spam, or block them entirely. Plus you get aggregate reports (usually daily) showing who’s using your domain name and whether their mail passed. (Full name: Domain-based Message Authentication, Reporting & Conformance.)
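The guest-list check described under SPF, as an added Python example that is not part of the original page or of any tool it links to. The SPF records, domain names and IP addresses are constructed for the example; a real verifier would fetch the TXT records from DNS. Only the ip4, ip6, include and all mechanisms are implemented, which is enough to show how an include chain is followed and why the RFC 7208 limit of 10 DNS-querying mechanisms matters (a record that includes itself is caught as a permanent error rather than looping forever).

```python
import ipaddress

# Constructed SPF records standing in for live DNS lookups (assumption: no network).
FAKE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # deliberately self-referential
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, _lookups=None):
    """Evaluate the SPF record of `domain` against the connecting IP address.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, exists, ptr,
    redirect= and macros (which also count against the lookup limit) are
    reported as permerror so the example never silently guesses.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = FAKE_SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(client_ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"  # RFC 7208 section 5.2: included domain without a record
            continue  # fail/softfail/neutral inside an include simply does not match
        return "permerror"  # mechanism not supported by this example
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"),
                       ("2001:db8::1", "example.com"),
                       ("192.0.2.1", "example.com"),
                       ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} for {domain:<24} -> {check_spf(ip, domain)}")
```

The practitioner’s lesson is in the last case: a record that includes too many third-party senders, or one that includes itself, produces permerror, and most receivers treat permerror as “no SPF at all”. Audit your include chain whenever you add a new SaaS sender.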

How They Work Together

Each system checks something different. SPF verifies that the sending server is authorised, DKIM verifies that the message is genuine and unaltered, and DMARC ties it all together by checking that the verified identity actually matches the “From” address your recipients see — and tells email providers what to do when it doesn’t.

Here’s what happens when an email arrives at someone’s inbox:

  1. Server check (SPF): Is the connecting server’s IP address on the approved list published for the envelope sender domain (the Return-Path)?
  2. Signature check (DKIM): Does the email carry a valid digital signature, made with the private key of the domain named in its d= tag, that still matches the signed headers and body?
  3. Identity match (DMARC alignment): Does the domain that passed SPF or DKIM actually match the “From” address that the recipient sees? This is the crucial step that catches sophisticated impersonation, where an attacker passes SPF or DKIM for a domain they control while displaying yours.
  4. Apply the policy (DMARC): If neither identity aligns, follow the domain owner’s instructions: monitor only (p=none), send to spam (p=quarantine), or block entirely (p=reject).
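Steps 3 and 4 above, together with the DMARC record lookup they depend on, as an added Python example that is not part of the original page or of its DMARC tools. The DMARC record, the domains and the SPF/DKIM results fed in are constructed; the organizational-domain logic is a two-label approximation of what real verifiers do with the Public Suffix List, and the pct sampling tag is parsed but not applied so that results stay deterministic.

```python
# Constructed DNS data for the example (assumption, not real zones).
FAKE_DMARC_RECORDS = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Real verifiers consult the Public Suffix List so that e.g. co.uk is not
    mistaken for an organization; this shortcut is an assumption of the example.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags with RFC 7489 defaults applied."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    tags.setdefault("pct", "100")     # sampling rate; parsed here, not applied
    return tags


def find_dmarc_record(from_domain):
    """Look up the policy the way a receiver does: exact From domain first, then its organizational domain."""
    exact = FAKE_DMARC_RECORDS.get("_dmarc." + from_domain.lower())
    if exact is not None:
        return parse_dmarc(exact), False
    fallback = FAKE_DMARC_RECORDS.get("_dmarc." + organizational_domain(from_domain))
    if fallback is not None:
        return parse_dmarc(fallback), True
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope sender (Return-Path) domain SPF was evaluated
    for; dkim_domain is the d= tag of a signature that verified.
    """
    tags, used_org_fallback = find_dmarc_record(from_domain)
    if tags is None:
        return "none", "none"  # no policy published: receiver applies its own filtering only
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["sp"] if used_org_fallback else tags["p"]


if __name__ == "__main__":
    # Impersonation: SPF passes for the attacker's own Return-Path domain, DKIM
    # passes for an unaligned subdomain, the visible From is example.com.
    print(evaluate_dmarc("example.com", "pass", "attacker.example", "pass", "mail.example.com"))
    # Legitimate bounce domain under the same organization passes relaxed SPF alignment.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "none", ""))
```

The first printed case is the whole point of step 3: both SPF and DKIM say “pass”, yet the message is rejected because neither passing domain is the one the reader sees. The example also shows why adkim=s is a deliberate choice: a signature from mail.example.com no longer counts for example.com once strict alignment is on.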

Want a more detailed comparison? See SPF vs DKIM vs DMARC — How They Work Together.

Why It Matters Now

3.4B phishing emails sent daily worldwide
$17,700 lost every minute to phishing attacks
90% of data breaches start with a phishing email
⚠️ Google & Yahoo Now Require This (2024+)
Since February 2024, Google and Yahoo require businesses sending more than 5,000 emails per day to their users to have SPF and DKIM set up and a DMARC policy published (p=none is enough to start), with the visible “From” domain aligned to the SPF or DKIM domain. Emails from domains that don’t comply may be rejected or sent to spam — even if the content is perfectly legitimate.

Other Email Security Standards

Several newer technologies build on the SPF/DKIM/DMARC foundation. These are more advanced — most businesses should focus on SPF, DKIM, and DMARC first:

ARC (Authenticated Received Chain)
Preserves the authentication results a message had when it first arrived, so that mailing lists and auto-forwarders can pass them on in a signed chain. Forwarding changes the sending IP address (which breaks SPF) and lists often rewrite the subject or body (which breaks DKIM), so without ARC the final receiver would see a message that fails DMARC for a perfectly legitimate reason.
BIMI (Brand Indicators for Message Identification)
Displays your company logo next to your emails in supported inboxes (like Gmail). Requires a DMARC policy of quarantine or reject first; Gmail additionally requires a Verified Mark Certificate for the logo.
MTA-STS (Mail Transfer Agent Strict Transport Security)
Lets your domain publish a policy saying that its mail servers support TLS with valid certificates and that sending servers must not fall back to an unencrypted connection. This stops a network attacker from stripping the STARTTLS upgrade and reading or altering mail in transit.
TLS-RPT (TLS Reporting)
Sends you reports from sending servers that could not establish TLS with your servers or that found a problem with your MTA-STS policy or certificate, so encryption failures are visible instead of silent.

Getting Started

If you’re new to email authentication, here’s the recommended path:

  1. Learn the basics: Read What is SPF?, What is DKIM?, and What is DMARC?
  2. Check your current state: Use our Domain Checker to see what’s already in place
  3. Follow the implementation guide: How to Implement DMARC walks you through step by step
  4. Generate your DMARC record: Our DMARC Record Generator builds the DNS record for you