Skip to content
PowerMTA Experts

Deliverability service

Email authentication, taken all the way to enforcement.

Email authentication is the set of DNS-published standards — SPF, DKIM and DMARC, with MTA-STS and BIMI alongside — that let a mailbox provider verify a message genuinely comes from the domain it claims. In 2026 it is the price of entry: Gmail, Yahoo and Microsoft bounce bulk mail that fails it, and a record left half-configured protects nothing.

Free 25-point audit Talk to an expert

Email authentication is the set of DNS-published standards — SPF, DKIM and DMARC, with MTA-STS and BIMI alongside — that let a mailbox provider verify a message genuinely comes from the domain it claims. Getting it right is a sequence, not a single record: publish SPF inside its ten-lookup limit, sign with a 2048-bit DKIM key, publish DMARC at p=none to gather reports, read those reports to find every legitimate sender, align each one on the visible From domain, and only then tighten DMARC to quarantine and reject. In 2026 it is the price of entry: Gmail, Yahoo and Microsoft reject bulk mail that fails authentication at the SMTP level, so the goal is enforcement reached without a single legitimate message lost.

In short

  • SPF, DKIM and DMARC do different jobs and only work together; the piece most setups miss is alignment, where the From domain must match the SPF or DKIM domain for DMARC to pass.
  • A DMARC record at p=none meets the letter of the requirement and protects nothing — real protection begins only at quarantine and reject.
  • The order is the method: reach enforcement only after every legitimate sender is aligned, or tightening the policy bounces your own invoices and receipts.
  • SPF is capped at ten DNS lookups; exceed it and SPF returns a permerror that can fail DMARC, so a managed include that stays inside the limit beats brittle flattening.
  • Since February 2024 (Gmail, Yahoo) and May 2025 (Microsoft), bulk mail that fails authentication is rejected at the SMTP level, not slipped into spam — broken records now bounce real mail.

Authentication is the part of deliverability with the clearest right answer and the most ways to get it subtly wrong. The standards themselves are settled and well documented. What trips senders up is that each one has a failure mode that still returns mail to the inbox for a while, so a broken setup can look healthy right up until a provider tightens and the bounces start. Getting authentication right is less about knowing what SPF, DKIM and DMARC are, and more about proving that all three line up on the domain a recipient actually sees.

The stakes changed when the largest providers stopped treating authentication as advice. A domain sending 5,000 or more messages a day to Gmail, Yahoo or Microsoft now needs SPF, DKIM and DMARC, and mail that fails is rejected at the SMTP level rather than slipped into spam. Broken authentication no longer means a quiet dip in placement; it means invoices, receipts and password resets disappearing with a bounce code attached. That is the difference between a best practice and a dependency.

What does each authentication record prove?

Four pieces carry the weight, with a fifth — TLS policy — increasingly expected on top. Each proves something different, and each fails in its own way.

Standard What it proves How it quietly fails
SPF Which servers are allowed to send for your domain — a DNS list of IPs and includes. Breaks past ten DNS lookups, or when a real sending source was never added to the record.
DKIM A cryptographic signature tying the message to your domain, verified against a public key in DNS. A 1024-bit key where 2048 is now expected, or a selector pointing at a key that was rotated away.
DMARC What a receiver should do when neither SPF nor DKIM aligns with the visible From domain, plus a request to report. Left on p=none, so it watches but never protects — or set to reject before the real senders are aligned.
Alignment The From-header domain has to match the SPF or DKIM domain for DMARC to pass. Where most “we have all three” setups fail in silence: the checks pass on the wrong domain.
MTA-STS / TLS-RPT A policy forcing TLS on inbound mail to your domain, with a reporting channel for failures. Absent on most domains, leaving delivery open to downgrade and giving you no visibility when TLS breaks.

SPF, DKIM and DMARC are the mandatory three for bulk senders; MTA-STS and TLS-RPT harden the transport layer and are checked as part of a full setup.

Why is one record never enough?

The most common authentication mistake is believing that a single passing check is the finish line. SPF on its own proves a server was allowed to send, but says nothing about whether the message was altered or whether the visible sender is real. DKIM on its own proves the message is intact and signed, but a spoofer can sign with their own domain and still pass DKIM. DMARC is what binds the two to the address your recipient reads, and it only passes when SPF or DKIM validates on a domain aligned with that From header.

Alignment is where setups that look complete come apart. A message can sail through SPF on the ESP’s domain and through DKIM on a signing subdomain, and still fail DMARC because neither matches the From address the recipient sees. The records are all green; the policy still fails. Reading that gap correctly is most of the skill, and it is invisible to anyone checking the three records in isolation.

The path to enforcement: six steps, in order, with no real mail lost
PUBLISH THE RECORDS 1 · SPF inside the 10-lookup limit 2 · DKIM 2048-bit key, live selector 3 · DMARC p=none monitor, gather reports THE WORK THAT MAKES IT SAFE 4 · Read reports inventory every sender 5 · Align From matches SPF/DKIM 6 · Quarantine → reject tighten in stages Enforcement spoofers walled out, real mail untouched Steps 1–3 publish; steps 4–6 are the work — tighten before alignment and you bounce your own invoices.
Almost anyone can publish the three records; that is steps one to three, and it is where most “we are authenticated” setups stop. The protection lives in steps four to six — reading the reports to find every legitimate sender, aligning each on the visible From domain, and only then tightening the policy. The order is the entire method: tighten to reject before a billing system or a forgotten ESP is aligned, and enforcement bounces your own mail instead of the spoofers it was meant to stop.

What does the receiving server actually check?

It helps to picture the moment a message arrives, because authentication is judged in a fraction of a second and the verdict is unforgiving. The receiver reads your SPF record against the connecting IP, verifies the DKIM signature against the public key in your DNS, and then asks the question that matters most: does either result align with the domain in the From header? If alignment holds, DMARC passes and the message is judged on reputation and engagement from there. If it fails, your published DMARC policy decides what happens next.

When that policy and the providers’ own floor refuse the message, the bounce is specific. Gmail returns 550 5.7.26 for unauthenticated bulk mail; Yahoo answers with 550 5.7.9; Microsoft, since its own enforcement, with 550 5.7.515. None of these lands in spam to be reviewed later — the message is refused at the door and returned to your server. Reading those codes in your logs is often the first hard evidence that authentication, rather than content, is the thing breaking your mail.

The traps that keep senders from passing

A handful of specific faults account for most authentication failures we are called in to fix. None is exotic; all are easy to ship and hard to notice.

  1. The ten-lookup limit. SPF stops evaluating after ten DNS lookups and returns an error. Every third-party include spends part of that budget, so senders with many services blow through it. Flattening the record into raw IPs is brittle and breaks when a provider rotates its IPs; a managed include that updates itself is the durable answer.
  2. Short DKIM keys. A 1024-bit key configured years ago validates but sits below what providers now expect; Yahoo treats 1024 as the floor. Rotating to 2048 is simple, and a frequent place to break signing if the selector and the stream are not updated together.
  3. Selector drift. A DKIM selector left pointing at a key removed during a DNS cleanup means a whole stream leaves unsigned without anyone noticing until DMARC reports show it.
  4. Two SPF records. Only one SPF TXT record is valid per domain. A second one, often added by a well-meaning hand, voids both.
  5. From misalignment. Authentication passing on a domain other than the visible From is the single most common reason a fully-recorded domain still fails DMARC.
  6. Unscoped subdomains. No subdomain policy means subdomains inherit no protection and become the easy door for a spoofer.
  7. Third-party sender sprawl. Every tool that sends as you — CRM, helpdesk, billing, marketing — needs its own signing and inclusion. The ones nobody remembers are exactly what break the move to enforcement.
Checking all three records the way a receiver reads them
authentication check — DNS, read-only 
# SPF: is it inside the 10-lookup limit?
$ dig +short TXT example.com | grep spf1
"v=spf1 include:_spf.google.com include:sendgrid.net include:mktomail.com ~all"
# 11 lookups across the includes — over the limit, SPF returns permerror

# DKIM: is the selector live, and the key 2048-bit?
$ dig +short TXT sel1._domainkey.example.com
"v=DKIM1; k=rsa; p=MIIBIjANBgkq..."   # 2048-bit, resolves

# DMARC: is it enforcing, or parked at p=none?
$ dig +short TXT _dmarc.example.com
"v=DMARC1; p=none; rua=mailto:[email protected]"
# p=none: monitoring only — a spoofer still passes as your domain
Three read-only DNS queries tell most of the story. Here the SPF record crosses the ten-lookup limit and returns a permerror, which can fail DMARC alignment outright; the DKIM selector resolves to a healthy 2048-bit key; and the DMARC policy sits at p=none, watching but protecting nothing. Two of the three need work, and none of it shows up in an open-rate report — only in queries like these, read the way a receiving server reads them.

How does DMARC move from monitoring to enforcement?

DMARC has three policy levels, and the entire value of the standard sits in moving through them deliberately. At p=none the receiver monitors and reports but takes no action; this is the starting point, useful only for the report data it produces. At p=quarantine failing mail is sent to spam. At p=reject it is bounced outright, which is the only level that actually stops someone spoofing your domain.

Most domains never leave p=none. The reasons are always the same: nobody is reading the aggregate reports, the full list of legitimate senders was never established, and the team is — reasonably — afraid that tightening the policy will bounce real mail. The way through is methodical rather than brave. The monitoring phase exists to turn the report data into a complete inventory of every source that legitimately sends as your domain. Each is aligned. Only then does the policy tighten, often staged with a percentage tag so a fraction of mail is enforced first and watched before the rest follows. Approached this way, reaching p=reject costs you no legitimate mail and shuts the door on impersonation. The fear is real; the loss is avoidable.

Reading the aggregate reports

The monitoring phase produces a stream of DMARC aggregate reports — XML files the receivers send daily to the address in your record — and learning to read them is what turns p=none from a holding pattern into progress. Each report groups the mail a receiver saw by sending source, and for each source it shows the volume, whether SPF and DKIM passed, and whether either aligned with your domain. Read across a couple of weeks, they become a map of everything sending as you.

That map is the whole point. It surfaces the marketing platform signing correctly, the billing system that was never aligned, and the unfamiliar source that turns out to be either a forgotten internal tool or someone spoofing you. Tooling makes the XML legible; the judgement — which unknown source is friend and which is foe, and what to fix first — stays human. We work from the reports until every legitimate source is accounted for and aligned, which is the only safe basis for tightening the policy.

The wider stack

Three standards beyond the core round out a serious setup. MTA-STS tells sending servers to require TLS when they deliver to your domain, with TLS-RPT giving you a report when that encryption fails — together they close a downgrade gap most domains leave open. ARC preserves authentication results across intermediaries like mailing lists and forwarders, so legitimate forwarded mail is not punished for a break it did not cause. And BIMI, which places your verified logo beside authenticated mail in supporting clients, depends on reaching DMARC enforcement first — the reason it belongs to its own piece of work rather than this one.

Defensive authentication for the domains you do not send from

Spoofers prefer the domains you forget. A parked domain bought for brand protection, a subdomain that never sends mail, an old domain left over from a past campaign — each is a usable identity for impersonation if it carries no policy. DMARC handles this with a subdomain tag, sp=, that sets a separate policy for everything beneath the organisational domain, and with reject policies published on non-sending domains so anyone trying to send as them is refused outright. It costs nothing to send and closes a door most setups leave open. We map every domain and subdomain you own, not only the ones you actively mail, because the unguarded ones are precisely where impersonation starts.

Four myths that keep domains exposed

A few durable misunderstandings keep otherwise careful teams from real protection. Each sounds reasonable, and each is wrong.

  1. “A strict SPF record stops spoofing.” SPF only governs the envelope path; a spoofer can pass SPF on their own domain while forging your From address. Closing that gap is DMARC alignment’s job, not SPF’s.
  2. “DKIM alone proves the sender.” DKIM proves a message was signed and left your domain intact; it says nothing on its own about whether the visible sender is real. A valid signature on the wrong domain still fails DMARC.
  3. “Publishing DMARC protects us.” At p=none it reports and does nothing else. Protection begins at quarantine and reject.
  4. “Authentication is a one-time setup.” Every new sending tool, DNS edit and key rotation can break it, which is why it needs watching rather than a single afternoon’s work.

What changes at high volume and across brands?

The mechanics are the same at any scale, but the cost of getting them wrong rises sharply with volume and with the number of brands under one roof. A high-volume sender past the per-provider bulk threshold has no soft landing: a misaligned stream bounces at the door rather than losing a little placement. A portfolio of brands multiplies the surface — each domain its own SPF budget, its own DKIM keys, its own DMARC policy and report stream — and a shortcut taken on one brand tends to surface as a problem on another. We treat each brand’s authentication as its own estate, with the isolation that keeps one brand’s misconfiguration from spending another brand’s reputation, and we keep the whole set documented so a change to one is never an accidental change to all.

Where do the tools stop, and where do we start?

The authentication market is full of capable platforms, and they earn their place. PowerDMARC, Valimail — now part of DigiCert — dmarcian, EasyDMARC and Red Sift’s OnDMARC all aggregate the DMARC reports into something readable, host records so you make fewer DNS edits, and automate the SPF include so it stays inside the lookup limit. If you run many domains, that automation is worth paying for, and we are glad to operate inside whichever one you already use.

What a dashboard cannot do is the judgement that gets a real domain to enforcement. The reports show you that mail is failing; they do not go and fix the misconfigured source, decide which unfamiliar sender is a forgotten legitimate tool versus an impersonator, or carry the responsibility for the moment the policy tightens. That work is hands-on, and it leans on the same infrastructure knowledge we use to run PowerMTA and KumoMTA — because aligning a sending stream is an operations problem before it is a DNS one. We bring it tool-agnostic and independent: we resell none of these platforms, so the advice is about your authentication rather than a subscription. Published pricing gives a sense of the market — automation tools start around 19 US dollars a month for basic alignment, while enforcement tiers are commonly quoted privately from roughly 2,000 a year — and we scope our work to the estate rather than a seat count.

How we run it

The method is the same whether you arrive with a tangle of half-configured records or a clean slate.

  1. Inventory the senders. Every service that sends as your domain is identified, from the report data and from a walk through your stack, until the list is genuinely complete.
  2. Fix the sources. SPF brought inside the lookup limit, DKIM rotated to 2048 with selectors and streams checked together, alignment corrected on each path.
  3. Monitor and read. Aggregate reports are read until the picture is stable and no legitimate source is still failing.
  4. Tighten in stages. The policy moves from none to quarantine to reject, staged where useful, each step watched before the next.
  5. Hand back a documented setup. Records, selectors and the sender inventory are written down, so the next DNS change does not quietly undo the work.

Authentication done to this standard pays off twice. It clears the bar the providers now enforce, so your mail stops bouncing on a technicality and competes for the inbox on its merits. And it takes your domain off the table for impersonation, which protects the recipients who would otherwise receive a convincing forgery in your name. The second payoff is the one your customers feel even on a day your own mail was never the problem.

The free 25-point audit is the place to start: it shows where your authentication stands today and how far it is from enforcement. From there the work is scoped to how many senders you have and how clean they are — and if your setup is already at reject and simply needs watching, we will tell you that rather than invent a project.

FAQ

Authentication questions

Is SPF, DKIM or DMARC enough on its own?

No. The three do different jobs and only work together. SPF says which servers may send; DKIM signs the message so it cannot be altered in transit; DMARC ties them to the visible From address and tells receivers what to do on failure. The piece people miss is alignment: DMARC only passes when SPF or DKIM validates on a domain that matches the From header. A setup with all three records present can still fail DMARC if neither aligns, which is why mail keeps bouncing for senders who are sure they are authenticated.

We published a DMARC record. Are we compliant?

Publishing a record at p=none meets the letter of the requirement and protects nothing. It tells receivers to monitor and report, not to act, so a spoofer can still pass mail as your domain. Real protection begins when the policy moves to quarantine and then reject — and that move is the hard part, because doing it before every legitimate sender is aligned will bounce your own mail. Compliance in the sense the providers care about, and protection in the sense your brand cares about, both live at enforcement, not at p=none.

Do we need a DMARC SaaS tool, or can you handle this?

Both paths work, and we are agnostic about it. The DMARC platforms — PowerDMARC, Valimail, dmarcian, EasyDMARC, Red Sift and others — do a genuine job aggregating the XML reports and hosting records. What none of them does for you is the judgement: identifying every legitimate source from the report data, fixing the ones that are misconfigured at the source, and deciding when it is safe to tighten. We can run your authentication with the tool you already pay for, recommend one if you have none, or do it directly against your DNS. The tool is optional; the operator reading it is not.

Will moving to p=reject block our legitimate mail?

It will, if you move before the legitimate senders are aligned — which is exactly why we do not. The whole method is to reach reject without a single real message being lost. We spend the monitoring phase finding every service that sends as your domain, from the obvious ESP to the billing system nobody remembered, align each one, and only then tighten the policy in stages. Done in that order, enforcement is a non-event for your real mail and a wall for everyone spoofing you.

What is the SPF ten-lookup limit, and how do you fix it?

SPF evaluation is capped at ten DNS lookups; exceed it and SPF returns a permanent error, which can fail DMARC alignment and drop your mail. Each third-party include eats into that budget, so senders with many services hit the ceiling quickly. The brittle fix is SPF flattening — expanding includes into raw IPs — which breaks the moment a provider changes its sending IPs and can block legitimate mail without warning. The durable fix is a managed or hosted include that stays inside the limit and updates as providers change, which is the approach the better tools and our own setups use.

What DKIM key length do we need?

Use 2048-bit. A lot of estates still sign with 1024-bit keys configured years ago, which validate but no longer match what providers expect; Yahoo treats 1024 bits as the floor, below which it will not accept the signature. Rotating to 2048 is straightforward, but it is a place where careless rotation breaks signing — a new key published without updating the selector, or an old selector left in a stream that quietly leaves unsigned. We rotate keys with the selectors and streams checked together so nothing slips through unsigned.

We send through our own MTA and an ESP. How does authentication work across both?

Each path needs its own complete, aligned authentication, and the seam between them is a common point of failure. Your ESP signs with its DKIM and expects you to publish its SPF include; your own MTA signs and sends on its own. If the From domain, the SPF includes and the DKIM selectors are not lined up across both, one stream passes while the other fails, and a single DMARC policy has to cover them both. We audit the two together and make sure they are not competing for the same domain reputation while one of them quietly fails alignment.

How long does reaching enforcement take?

It depends almost entirely on how many services send as your domain and how clean their setup is. A simple estate with one or two senders can reach reject in a couple of weeks; a sprawling one with dozens of third-party tools takes longer, because each has to be found in the report data and aligned before the policy tightens. The monitoring phase is what sets the pace, and rushing it is how senders block their own invoices and receipts. We move as fast as the data safely allows and no faster.

Start with the audit.

Twenty-five points across authentication, reputation, infrastructure and compliance — a written assessment, no charge and no obligation. It tells both of us exactly what we are working with.

Request the free audit Talk to an expert