Email authentication is non-negotiable in 2026. Gmail, Outlook, and Yahoo now require SPF, DKIM, and DMARC before they'll reliably deliver your email. Here's how to set all three up correctly.
SPF — Sender Policy Framework
SPF defines which servers can send email from your domain. Add one TXT record to DNS:
v=spf1 ip4:YOUR_IP include:your-esp.com ~all
Rules: SPF evaluation allows a maximum of 10 DNS lookups in total. Use ~all (softfail) until your senders are verified, then switch to -all (hardfail).
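The 10-lookup rule is easiest to check by walking the include chain. The sketch below is an added example, not part of the original article: it counts the terms that trigger DNS queries (include, a, mx, ptr, exists, redirect, per RFC 7208 section 4.6.4) across nested records. The domain names and TXT records in SAMPLE_ZONE are constructed, and the count is the worst case in which every term is evaluated.

```python
import re

# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
# ip4, ip6 and all do not count toward the limit.
QUERYING_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Constructed TXT records standing in for live DNS answers (hypothetical names).
SAMPLE_ZONE = {
    "ok.example": "v=spf1 ip4:203.0.113.10 include:esp.example mx ~all",
    "esp.example": "v=spf1 include:pool-a.esp.example include:pool-b.esp.example ~all",
    "pool-a.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "pool-b.esp.example": "v=spf1 a:out.esp.example ip4:192.0.2.0/24 ~all",
    "crowded.example": "v=spf1 a mx include:esp.example include:crm.example "
                       "include:desk.example include:survey.example ~all",
    "crm.example": "v=spf1 include:pool-a.esp.example exists:%{i}.rbl.crm.example ~all",
    "desk.example": "v=spf1 mx a:mail.desk.example ~all",
    "survey.example": "v=spf1 redirect=pool-a.esp.example",
}


def count_spf_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms when evaluating domain's SPF record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    terms = zone.get(domain, "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return 0  # no SPF record here; the include that led here is already counted
    total = 0
    for term in terms[1:]:
        # Optional qualifier, then the term name, then an optional :target or =target.
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if not m or m.group(1) not in QUERYING_TERMS:
            continue
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_spf_lookups(m.group(2), zone, path + (domain,))
    return total


def check(domain, zone):
    """Return (lookup count, True if the count is within the SPF limit)."""
    n = count_spf_lookups(domain, zone)
    return n, n <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("ok.example", "crowded.example"):
        n, ok = check(d, SAMPLE_ZONE)
        print(f"{d}: {n} lookups, {'within' if ok else 'over'} the limit of {SPF_LOOKUP_LIMIT}")
```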
DKIM — DomainKeys Identified Mail
DKIM signs every outgoing email with a private key. Receivers verify with the public key in your DNS:
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
Always use 2048-bit keys. Rotate annually. Confirm your ESP is signing with the correct selector.
DMARC — Policy + Reporting
DMARC ties SPF and DKIM together and tells receivers what to do on failure:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
Progression: p=none (monitor, 4 weeks) → p=quarantine → p=reject (full protection).
Testing
- MXToolbox.com — verify all three records
- mail-tester.com — full deliverability score
- Google Admin Toolbox — DNS propagation check
Common Mistakes
- Exceeding SPF 10-lookup limit
- Using 1024-bit DKIM keys
- Jumping to p=reject without monitoring first
- Forgetting third-party senders (CRMs, ESPs)
After authentication is set up, warm up your domain to build sending reputation.