SPF, DKIM, and DMARC Explained: Email Authentication for Developers
A developer-friendly guide to email authentication. Learn how SPF, DKIM, and DMARC work together to protect your domain and improve deliverability.
The Email Authentication Stack
Email was designed in the 1970s without built-in authentication. Anyone could send email claiming to be anyone. SPF, DKIM, and DMARC were created to fix this.
Together, they answer three questions:
- SPF: Is this server allowed to send email for this domain?
- DKIM: Was this email tampered with in transit?
- DMARC: What should I do if SPF or DKIM fails?
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists which servers can send email for your domain.
How It Works
- You send an email from you@yourdomain.com
- The receiving server checks the DNS for yourdomain.com
- It finds the SPF record listing authorized IPs
- If the sending IP matches → SPF passes
Setting Up SPF
Add a TXT record to your domain's DNS:
Name: @ (or yourdomain.com)
Type: TXT
Value: v=spf1 include:_spf.unosend.co ip4:217.217.250.114 ip6:2400:d321:2294:2881::1 ~all
Key parts:
- `v=spf1` — Version identifier
- `include:_spf.unosend.co` — Authorize Unosend mail servers
- `ip4:217.217.250.114` — IPv4 sending address
- `ip6:2400:d321:2294:2881::1` — IPv6 sending address
- `~all` — Soft fail for unauthorized servers (use `-all` for strict)
SPF Limitations
- Max 10 DNS lookups (nested includes count)
- Only checks the envelope "From" address, not the header "From"
- Breaks when emails are forwarded
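To make the lookup flow and the 10-lookup limit concrete, here is an added example (not Unosend's code) that evaluates the SPF record above against an in-memory zone. The contents of `_spf.unosend.co` and the helper names are assumptions made for illustration, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data: the page's record plus a made-up body for the include
# target (the real contents of _spf.unosend.co are not shown on the page).
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.unosend.co ip4:217.217.250.114 "
                      "ip6:2400:d321:2294:2881::1 ~all",
    "_spf.unosend.co": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: nested includes share one budget

class PermError(Exception):
    """The record cannot be evaluated (too many lookups, bad include, ...)."""

def check_host(ip, domain, zone, budget=None):
    """Evaluate mechanisms left to right; the first one that matches decides."""
    budget = budget if budget is not None else {"lookups": 0}
    terms = zone.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        q, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = body.partition(":")
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            budget["lookups"] += 1  # every include costs one DNS lookup
            if budget["lookups"] > LOOKUP_LIMIT:
                raise PermError("more than 10 DNS lookups")
            inner = check_host(ip, arg, zone, budget)
            if inner == "none":
                raise PermError("include target has no SPF record")
            matched = inner == "pass"  # an inner fail just means "no match"
        elif mech == "all":
            matched = True
        else:
            raise PermError(f"mechanism not handled in this sketch: {mech}")
        if matched:
            return QUALIFIERS[q]
    return "neutral"

def spf_result(ip, domain, zone=ZONE):
    try:
        return check_host(ip, domain, zone)
    except PermError:
        return "permerror"
```

An unlisted sender such as `203.0.113.5` gets `softfail` from the `~all` term, while a chain of more than ten nested includes returns `permerror` regardless of the sending IP.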
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to the header of every email, using public-key cryptography.
How It Works
- Your email service signs the email with a private key
- The signature is added to the email header
- The receiving server looks up the public key via DNS
- It verifies the signature matches the email content
Setting Up DKIM
When you verify a domain with Unosend, we generate a DKIM key pair. Add this DNS record:
Name: unosend._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...
What DKIM Protects
- Proves the email came from your domain
- Ensures content wasn't modified in transit
- Survives email forwarding (unlike SPF)
DMARC (Domain-based Message Authentication)
DMARC is the policy layer. It tells receiving servers what to do when SPF or DKIM fails.
How It Works
- Receiving server checks SPF and DKIM
- It then checks your DMARC policy
- Based on the policy, it accepts, quarantines, or rejects the email
- It sends you a report of the results
Setting Up DMARC
Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
DMARC Policies (Gradual Rollout)
| Policy | Action | When to Use |
|---|---|---|
| `p=none` | Monitor only, deliver all | Start here for 2-4 weeks |
| `p=quarantine` | Send failures to spam | After monitoring looks clean |
| `p=reject` | Block failures entirely | Maximum protection |
Putting It All Together
Here's what your DNS should look like:
yourdomain.com TXT "v=spf1 include:_spf.unosend.co ip4:217.217.250.114 ip6:2400:d321:2294:2881::1 ~all"
unosend._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
_dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
With Unosend, domain verification automatically sets up SPF and DKIM. We recommend adding DMARC yourself for full protection.
Verification Checklist
- SPF includes your email provider
- DKIM key published and verified
- DMARC policy set (start with `p=none`)
- Test with mail-tester.com or Google Postmaster Tools
- Monitor DMARC reports for 2-4 weeks
- Upgrade DMARC to `p=quarantine` then `p=reject`