The Complete Guide to Email Deliverability in 2024

Everything you need to know about SPF, DKIM, DMARC, and staying out of spam

60 min read
Updated June 2026

Introduction to Email Authentication

Email authentication is the foundation of modern email deliverability. Without proper authentication, your emails are more likely to be marked as spam or rejected entirely, and your domain is easier to impersonate in phishing attacks. Understanding SPF, DKIM, and DMARC isn't just technical—it's essential for any business that relies on email communication.

When you send an email, receiving mail servers need to verify that the email actually came from your domain and wasn't forged by a spammer. Authentication protocols provide this verification through DNS records that prove your legitimacy. Think of it as showing your ID at airport security—without it, you're not getting through.

Receivers like Gmail, Yahoo, and Microsoft use authentication checks as a primary factor in their spam filtering algorithms. Proper alignment between your sending infrastructure and DNS records can be the difference between inbox placement and the spam folder.

How Email Authentication Works

1. You send email
2. DNS lookup
3. Authentication checks

  • Authentication Pass: Email delivered to inbox
  • Authentication Fail: Email sent to spam or rejected

Email authentication flow: When you send an email, the receiving server performs a DNS lookup to verify your authentication records (SPF, DKIM, DMARC). If authentication passes, the email is delivered to the inbox. If it fails, the email may be sent to spam or rejected entirely.

Why Alignment Matters

Authentication isn't just about having SPF, DKIM, and DMARC records—it's about proper alignment. Alignment means your visible "From" domain matches the domains used in authentication. Without alignment, even perfectly configured records won't provide full protection or deliverability benefits.

  • SPF Alignment: Return-Path domain matches From domain
  • DKIM Alignment: DKIM signature domain matches From domain
  • DMARC Alignment: At least one of SPF or DKIM must pass and align

Understanding SPF Records

Sender Policy Framework (SPF) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. Think of it as a guest list for your domain—only servers on the list are allowed to send emails claiming to be from you.

When a receiving server gets an email from your domain, it checks your SPF record in DNS to see if the sending server is authorized. If the server isn't on your SPF record, the email may be rejected or marked as spam. SPF is critical for preventing spammers from forging your domain.

How SPF Validation Works

1. Email Sent: Your server sends email claiming to be from your domain
2. DNS Lookup: Receiver checks your SPF record in DNS
3. Validation: Server IP checked against authorized list

SPF validation process: When an email is sent from your domain, the receiving server performs a DNS lookup to retrieve your SPF record, then validates whether the sending server's IP address is authorized.

Interactive SPF Builder

Build your SPF record and see the lookup count in real-time. SPF has a hard limit of 10 DNS lookups—exceeding this will cause SPF validation to fail.

Current includes:

include:_spf.google.com include:sendgrid.net

DNS Lookups: 2/10

Your SPF record is within the lookup limit.

Generated SPF record:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

SPF Examples: Bad vs Good

Bad Example

Too many includes (>10 lookups)

v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:amazonses.com include:sparkpost.com include:mailjet.com include:sendpulse.com ~all

Good Example

Optimized with fewer includes

v=spf1 include:_spf.google.com include:sendgrid.net ~all
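
The 10-lookup limit counts lookups nested inside each include, so a record with only a few visible includes can still exceed it. The following is an added example, not part of the original guide: it counts worst-case lookups over a constructed in-memory zone instead of live DNS, and every `.example` name and record in it is hypothetical.

```python
# Constructed sample data standing in for live TXT lookups; these names and
# records are hypothetical and do not describe any real provider.
ZONE = {
    "yourdomain.example": "v=spf1 include:_spf.mail.example include:esp.example mx ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp.example": "v=spf1 a:out.esp.example exists:%{i}.allow.esp.example ~all",
    "crowded.example": "v=spf1 include:yourdomain.example include:esp.example "
                       "include:_nb1.mail.example ~all",
}

LOOKUP_LIMIT = 10
# Terms that each cost one DNS lookup (RFC 7208 section 4.6.4).
# ip4, ip6 and all cost none.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_term(term):
    """Split one SPF term into (name, target); target is None when omitted."""
    term = term.lstrip("+-~?")                    # drop the qualifier
    for sep in (":", "="):                        # mechanisms use ':', modifiers '='
        if sep in term:
            name, target = term.split(sep, 1)
            return name.lower(), target
    return term.split("/", 1)[0].lower(), None    # bare "mx" or "a/24"


def count_lookups(domain, zone, stack=()):
    """Worst-case lookup count: every term evaluated, no early match."""
    if domain in stack:                           # include loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip "v=spf1"
        name, target = parse_term(term)
        if name not in QUERYING:
            continue
        total += 1                                # the term itself
        if name in ("include", "redirect") and target:
            # The same include reached twice is queried twice, so only the
            # current path is tracked, not a global "seen" set.
            total += count_lookups(target, zone, stack + (domain,))
    return total


def within_limit(domain, zone):
    """Return (lookups, ok) for the SPF record published at domain."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT
```

Here `crowded.example` shows three includes at the top level but resolves to 12 lookups, which is why counting only the visible includes under-reports the total.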

DKIM Explained

DomainKeys Identified Mail (DKIM) adds a digital signature to your emails that proves they haven't been tampered with in transit. Unlike SPF which validates the sending server, DKIM validates the actual message content using cryptographic signing.

When you send an email, your mail server signs it with a private key. The receiving server then retrieves your public key from DNS and uses it to verify the signature. If the signature is valid, the email hasn't been modified since it was sent. This provides both authentication and message integrity.

DKIM uses selectors to allow multiple keys per domain—useful when you send from different providers or want to rotate keys without disrupting service. Each selector points to a different public key in DNS.

DKIM DNS Record Structure

Selector: google
Subdomain: _domainkey
Your Domain: yourdomain.com

Full DNS Record Name: google._domainkey.yourdomain.com

DNS Record Value (TXT): v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

The selector allows multiple DKIM keys per domain, enabling per-provider keys and key rotation.

DKIM DNS record structure consists of a selector (like 'google'), followed by '_domainkey', followed by your domain name. The TXT record contains the public key used to verify signatures.

DKIM Selector Helper

Choose your email provider to get the recommended DKIM selector and DNS configuration.

Recommended Selector: google

DNS Record Name: google._domainkey.yourdomain.com

Recommended TTL: 3600 seconds (60 minutes)

Next Steps: Your email provider will give you the public key (p= value) to add as a TXT record at the DNS record name shown above.

DKIM Best Practices

Use Separate Selectors Per Provider

If you send through multiple ESPs (e.g., Google Workspace + SendGrid), use different selectors for each. This allows independent key management and easier troubleshooting.

Rotate Keys Regularly

Security best practice is to rotate DKIM keys every 6-12 months. Use multiple selectors to rotate without downtime: publish the new key, update your sending config, then remove the old key.

Use 2048-bit Keys Minimum

While 1024-bit keys are technically supported, modern best practice requires 2048-bit RSA keys for adequate security. Many providers now reject 1024-bit keys.

Ensure DKIM Alignment

For DMARC to pass via DKIM, the domain in the DKIM signature (d= tag) must align with your From domain. Most providers handle this automatically, but verify your headers.

Monitor Signature Failures

Set up alerts for DKIM signature failures. Common causes include DNS propagation issues, expired keys, or message modification by email security gateways.

Why 2048-bit Keys Matter

1024-bit RSA keys can now be factored by determined attackers with sufficient computing resources. Gmail, Yahoo, and other major providers either require or strongly recommend 2048-bit keys:

  • Better protection against key compromise
  • Future-proofs your authentication setup
  • Required for compliance with modern security standards
  • Prevents deliverability issues with strict receivers

DMARC Policies

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together, tells receiving servers what to do with unauthenticated mail, and provides reporting on your email ecosystem.

Policy Enforcement

Define what happens to emails that fail SPF or DKIM checks: none, quarantine, or reject.

Alignment Verification

Ensures SPF/DKIM domains align with your From: header domain for brand consistency.

Visibility & Reporting

Receive aggregate and forensic reports showing who is sending mail on your behalf.

DMARC Record Generator

Configure your policy and get a ready-to-publish TXT record

v=DMARC1; p=none; aspf=r; adkim=r

Publish this as a TXT record at: _dmarc.yourdomain.com

DMARC Enforcement Timeline

Progressively enforce DMARC policies to avoid disrupting legitimate mail while building protection.

1. Start: Monitoring (2-4 weeks). Threshold: Collect baseline data
2. Phase 2: Quarantine (4-8 weeks). Threshold: 95%+ alignment rate
3. Final: Reject (Ongoing). Threshold: 98%+ alignment rate

Example DMARC Record

A production-ready DMARC record with strict alignment and reject policy:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100

v=DMARC1 → Protocol version
p=reject → Policy for failures
rua=mailto:... → Aggregate reports destination
adkim=s, aspf=s → Strict alignment mode
pct=100 → Percentage of failing mail the policy is applied to

Gmail & Yahoo Requirements (2024+)

Starting in February 2024, Gmail and Yahoo implemented strict sender requirements for bulk email. All senders must meet these standards or risk degraded deliverability.

Authentication Required

SPF, DKIM, and DMARC must all be configured and passing.

Mandatory for senders over 5,000 messages/day

One-Click List-Unsubscribe

Marketing emails must include RFC 8058 List-Unsubscribe headers.

Required as of February 2024

Low Spam Complaint Threshold

Keep spam complaint rate below 0.3%, ideally under 0.1%.

Enforced via feedback loops and internal metrics

Alignment & Domain Clarity

From: domain must align with SPF/DKIM and be consistent.

DMARC alignment in relaxed or strict mode

Key Implementation Points

  • Volume Thresholds: Requirements apply to senders of 5,000+ messages per day to Gmail or Yahoo users.
  • PTR Records: Sending IP addresses must have valid reverse DNS (PTR) records.
  • TLS Connections: All connections must support TLS 1.2 or higher for secure transmission.
  • Valid Reverse DNS: Ensure your sending servers have properly configured rDNS matching your domain.
  • Message Format: Follow RFC 5322 standards for email message formatting.

Common Issues & Solutions

Email authentication problems follow predictable patterns. Here are the most common issues and proven solutions to resolve them quickly.

Too Many SPF Lookups

Problem:

SPF record exceeds 10 DNS lookup limit, causing validation failures.

Solution:

Consolidate includes, flatten records where safe, or use SPF macros to reduce lookups.

Quick Tips:

  • Remove redundant includes
  • Use IP ranges instead of multiple IPs
  • Consider SPF flattening services cautiously

Missing DKIM for Some Sources

Problem:

Third-party services or additional mail servers lack DKIM signatures.

Solution:

Generate unique selectors for each source, publish public keys in DNS, configure services.

Quick Tips:

  • Use source-specific selectors (e.g., mailchimp._domainkey)
  • Test signatures before deployment
  • Document all active selectors

No DMARC Policy

Problem:

Domain lacks DMARC, leaving it vulnerable to spoofing and lacking visibility.

Solution:

Start with p=none to monitor, analyze reports, then escalate to quarantine and reject.

Quick Tips:

  • Begin with monitoring mode for 2-4 weeks
  • Review aggregate reports weekly
  • Gradually increase policy strictness

Broken Unsubscribe

Problem:

Missing or non-functional List-Unsubscribe headers in marketing emails.

Solution:

Add RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers to all marketing mail.

Quick Tips:

  • Test unsubscribe links regularly
  • Implement one-click unsubscribe
  • Process requests within 48 hours

Mixed Sending Sources

Problem:

Unauthorized servers or services sending on your behalf, breaking SPF/DKIM.

Solution:

Inventory all sending sources, authorize legitimate ones, block or remove unauthorized senders.

Quick Tips:

  • Audit DMARC reports for unknown sources
  • Maintain a sending source registry
  • Revoke access for decommissioned services

Alignment Failures

Problem:

SPF/DKIM domains don't align with From: header, causing DMARC failures.

Solution:

Ensure MAIL FROM and d= domains match or are subdomains of the From: header domain.

Quick Tips:

  • Use relaxed alignment mode initially
  • Coordinate with third-party services
  • Check alignment in test emails
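
One way to check alignment in a test email, as an added example that is not part of the original guide: it reads the From: and Authentication-Results headers of a constructed message and evaluates relaxed versus strict mode. It assumes the organizational domain is the last two labels (real receivers use the Public Suffix List) and that `mx.receiver.example` is the only authserv-id you trust.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message; all domains are placeholders.
RAW = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.esp.example;
 dkim=pass header.d=mail.yourdomain.example header.s=google
From: Billing <billing@yourdomain.example>
Subject: Invoice

body
"""


def org_domain(domain):
    """Assumption: last two labels. Wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(raw, aspf="r", adkim="r", authserv_id="mx.receiver.example"):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only headers stamped by your own receiver count; others may be forged.
    headers = [re.sub(r"\s+", " ", h)
               for h in msg.get_all("Authentication-Results", [])]
    ar = " ".join(h for h in headers
                  if (h.split(";")[0].split() or [""])[0] == authserv_id)
    spf = re.search(
        r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar)
    dkims = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", ar)
    spf_ok = (bool(spf) and spf.group(1) == "pass"
              and aligned(spf.group(2), from_domain, aspf))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkims)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}
```

With the sample message, SPF passes but does not align (the MAIL FROM belongs to the ESP), DKIM aligns in relaxed mode through the `mail.` subdomain, and switching to `adkim="s"` turns the same message into a DMARC failure.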


Best Practices

Follow these proven practices to maintain robust email authentication, minimize deliverability issues, and stay compliant with evolving standards.

SPF/DKIM Alignment

Do

  • Use relaxed alignment (aspf=r, adkim=r) initially for compatibility
  • Ensure all sending sources are documented and authorized
  • Test alignment with sample emails before production deployment

Don't

  • Don't enable strict alignment without testing all email flows
  • Don't forget to align third-party services like CRMs and marketing tools
  • Don't use different root domains in From: and envelope sender

Key Rotation & Management

Do

  • Rotate DKIM keys every 6-12 months as a security best practice
  • Keep multiple selectors active during rotation to prevent breakage
  • Store private keys securely with restricted access

Don't

  • Don't delete old selectors immediately after rotation
  • Don't use the same key across multiple domains or services
  • Don't expose private keys in version control or configuration files

Monitoring Cadence

Do

  • Review DMARC aggregate reports at least weekly
  • Set up alerts for sudden changes in failure rates or volumes
  • Track sender reputation metrics continuously

Don't

  • Don't ignore forensic reports - they indicate active issues
  • Don't wait for deliverability problems to review authentication
  • Don't rely solely on automated monitoring without manual reviews

Change Control

Do

  • Test DNS changes in staging before production when possible
  • Document all SPF includes, DKIM selectors, and DMARC policies
  • Notify stakeholders before changing DMARC enforcement levels

Don't

  • Don't make multiple DNS changes simultaneously
  • Don't skip the monitoring phase when implementing DMARC
  • Don't change policies during peak sending periods

Configuration Examples

Recommended TTL Values

Set appropriate Time-To-Live values for DNS records

# Initial deployment - short TTL for quick changes
SPF/DKIM/DMARC records: TTL 300 (5 minutes)

# After stabilization - longer TTL for efficiency
SPF/DKIM/DMARC records: TTL 3600 (1 hour)

# Production - balanced approach
SPF/DKIM/DMARC records: TTL 1800 (30 minutes)

DKIM Key Rotation Process

Safe key rotation without breaking email authentication

# Step 1: Generate new key pair with new selector
selector2024._domainkey.yourdomain.com

# Step 2: Publish new public key in DNS
# Keep old selector active

# Step 3: Update mail server to sign with new key
# Parallel signing: both old and new selectors

# Step 4: Monitor for 48-72 hours

# Step 5: Remove old selector from DNS after grace period

Weekly Monitoring Checklist

Essential metrics to review regularly

✓ DMARC pass rate: Target 95%+
✓ SPF alignment rate: Target 98%+
✓ DKIM alignment rate: Target 98%+
✓ Unknown sending sources: Should be 0
✓ Spam complaint rate: Keep below 0.1%
✓ Bounce rate: Keep below 5%
✓ DNS record TTL and propagation status
✓ Certificate/key expiration dates

Monitoring & Maintenance

Effective email authentication requires ongoing monitoring. Set up automated checks and regular reviews to catch issues before they impact deliverability.

What to Watch

Configuration Drift

Monitor DNS records for unauthorized changes or deletions.

Frequency: Daily automated checks
Action: Alert on any SPF/DKIM/DMARC modifications

Key Expiry Dates

Track DKIM key rotation schedules and certificate expirations.

Frequency: Monthly reviews with 30-day warnings
Action: Rotate keys before 12-month mark

Volume Anomalies

Detect unusual spikes or drops in email sending volumes.

Frequency: Real-time monitoring with thresholds
Action: Investigate 50%+ deviations from baseline

Sender Reputation

Track domain and IP reputation scores across major providers.

Frequency: Weekly reputation checks
Action: Address reputation dips immediately

Complaint Rate

Monitor spam complaint rates from feedback loops.

Frequency: Daily tracking with trend analysis
Action: Keep below 0.1%, investigate above 0.3%

Authentication Failures

Watch for increases in SPF, DKIM, or DMARC failures.

Frequency: Continuous monitoring via DMARC reports
Action: Review forensic reports for patterns

How to Automate Monitoring

1. Daily Automated Checks

  • DNS record integrity verification
  • DMARC report collection and parsing
  • Authentication pass/fail rate calculation
  • Unknown sender source identification

2. Alert Configuration

  • Set thresholds for acceptable failure rates
  • Configure multi-channel alerts (email, Slack, SMS)
  • Define escalation paths for critical issues
  • Assign team members to alert categories

3. Dashboard Setup

  • Real-time authentication metrics display
  • Trend charts for pass rates over time
  • Top failing sources visualization
  • Compliance status summary

4. Weekly Reporting

  • Aggregate DMARC data summary
  • Policy compliance status
  • Sender source inventory updates
  • Reputation score tracking
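
The daily checks listed above (report parsing, pass-rate calculation, unknown-source identification) can be sketched as follows. This is an added example, not part of the original guide or of any InboxGreen tooling: the report is a constructed fragment in the RFC 7489 aggregate format, `KNOWN_SOURCES` is a hypothetical sending-source registry, and the alert thresholds are the targets from the weekly checklist (DMARC pass rate 95%+, unknown sources 0).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report fragment; IPs are documentation ranges
# and the domain is a placeholder.
REPORT = """<feedback>
  <policy_published><domain>yourdomain.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>20</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical registry of IPs you have authorized to send for the domain.
KNOWN_SOURCES = {"192.0.2.10", "198.51.100.7"}


def summarize(xml_text, known_sources):
    # Reports come from third parties: in production use a hardened XML
    # parser and size limits. ElementTree keeps this example dependency-free.
    root = ET.fromstring(xml_text)
    per_ip = defaultdict(lambda: {"total": 0, "dmarc_pass": 0})
    for row in root.iter("row"):
        pe = row.find("policy_evaluated")
        if pe is None:
            continue
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results; either passing is enough.
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        per_ip[ip]["total"] += count
        per_ip[ip]["dmarc_pass"] += count if passed else 0
    total = sum(v["total"] for v in per_ip.values())
    passing = sum(v["dmarc_pass"] for v in per_ip.values())
    return {
        "pass_rate": round(100 * passing / total, 1) if total else 0.0,
        "unknown_sources": sorted(ip for ip in per_ip if ip not in known_sources),
        "failing_sources": sorted(ip for ip, v in per_ip.items()
                                  if v["dmarc_pass"] < v["total"]),
    }


def alerts(summary, min_pass_rate=95.0):
    """Apply the checklist targets: pass rate 95%+ and zero unknown sources."""
    out = []
    if summary["pass_rate"] < min_pass_rate:
        out.append(f"DMARC pass rate {summary['pass_rate']}% below target")
    out += [f"unknown source: {ip}" for ip in summary["unknown_sources"]]
    return out
```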

Recommended Monitoring Cadence

| Check Type | Frequency | Tool/Method |
|---|---|---|
| DNS Record Integrity | Every 6 hours | Automated DNS lookup |
| DMARC Report Processing | Daily | Report parser + aggregation |
| Sender Reputation | Weekly | Reputation monitoring APIs |
| Key Expiration Check | Monthly | Certificate/key inventory |
| Full Compliance Audit | Quarterly | Manual review + testing |


Ready to Secure Your Email?

You now understand the fundamentals of SPF, DKIM, and DMARC. Take action to protect your domain and improve deliverability.


Key Takeaways from This Guide

1. Start with Monitoring

Begin with DMARC p=none to gather data about your email ecosystem before enforcing policies. Monitor for 2-4 weeks minimum.

2. Align Your Domains

Ensure SPF and DKIM domains align with your From: header domain. This is critical for DMARC compliance and Gmail/Yahoo requirements.

3. Automate Monitoring

Set up continuous monitoring with automated alerts for DNS changes, authentication failures, and reputation issues.
