Why email authentication matters
Email authentication is a set of DNS-based protocols that prove an email was actually sent by the domain it claims to come from. Without authentication, anyone can send email pretending to be your domain — and inbox providers have no way to tell the difference.
Three protocols work together to solve this:
| Protocol | What it does | DNS record type | Required? |
|---|---|---|---|
| SPF | Lists which servers can send for your domain | TXT | Yes |
| DKIM | Cryptographically signs each email | TXT (CNAME) | Yes |
| DMARC | Policy for handling authentication failures | TXT | Yes |
Since February 2024, Gmail and Yahoo require SPF and DKIM for all bulk senders. DMARC is required for senders exceeding 5,000 emails per day. These are no longer optional.
Step 1: Set up SPF
SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and servers are authorized to send email on behalf of your domain. It is a single TXT record on your root domain.
# Example SPF record for RelayPost
v=spf1 include:spf.relaypost.dev ~all
# If you also use Google Workspace:
v=spf1 include:spf.relaypost.dev include:_spf.google.com ~allKey rules:
- Only one SPF record per domain (multiple records cause failures)
- Maximum 10 DNS lookups — each
include:counts as one - Use
~all(softfail) during setup, switch to-all(hardfail) once verified - Add the record to your root domain, not a subdomain
Step 2: Set up DKIM
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server verifies the signature against a public key published in your DNS. This proves the email was not modified in transit and was sent by an authorized system.
# DKIM DNS record (CNAME or TXT, depends on provider)
# Name: relaypost._domainkey.yourapp.com
# Type: CNAME
# Value: relaypost._domainkey.relaypost.dev
# Or as a TXT record (provider gives you the public key):
# Name: relaypost._domainkey.yourapp.com
# Type: TXT
# Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...Key rules:
- Use 2048-bit RSA keys (1024-bit is deprecated)
- Each email service gets its own DKIM selector (e.g.,
relaypost._domainkey) - Rotate keys periodically (every 6-12 months)
- DKIM survives forwarding — unlike SPF, it stays valid when email is relayed
Step 3: Set up DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. It tells receiving servers what to do when an email fails authentication — and sends you reports about who is sending email using your domain.
# Start with monitoring mode (p=none)
# Name: _dmarc.yourapp.com
# Type: TXT
# Value:
v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
# After reviewing reports, move to quarantine:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
# Final enforcement:
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100Key rules:
- Always start with
p=none(monitoring only) — jumping torejectcan block legitimate email - Set up a mailbox or service to receive DMARC aggregate reports (
rua) - Review reports for 2-4 weeks before tightening the policy
- DMARC requires either SPF or DKIM to pass with domain alignment
Step 4: Verify your setup
After adding all three DNS records, verify they are working correctly.
# Check SPF record
dig TXT yourapp.com +short
# Check DKIM record
dig TXT relaypost._domainkey.yourapp.com +short
# Check DMARC record
dig TXT _dmarc.yourapp.com +shortThen send a test email and check the headers. Look for these results:
Authentication-Results:
spf=pass (sender IP is authorized)
dkim=pass (signature verified)
dmarc=pass (policy satisfied)Common mistakes
- Multiple SPF records on the same domain (only one is allowed — merge them)
- Exceeding the 10 DNS lookup limit in SPF (use
ip4:directives to reduce lookups) - Setting DMARC to
p=rejectbefore monitoring (blocks legitimate email) - Forgetting to add email services to SPF when adding new tools (marketing platforms, CRMs)
- Using 1024-bit DKIM keys (use 2048-bit)
- Not monitoring DMARC reports (you won't know about failures until users complain)
Authentication with RelayPost
When you add a domain in RelayPost, the dashboard shows you the exact DNS records to add — SPF include, DKIM CNAME, and a recommended DMARC record. The domain verification page checks all three and shows their status in real time.
→ DKIM documentation · SPF documentation · DMARC documentation
Related guides
Frequently asked questions
Do I need all three — SPF, DKIM, and DMARC?
Yes. SPF authorizes which servers can send for your domain. DKIM cryptographically signs each email. DMARC tells receivers what to do when SPF or DKIM fails. All three work together — missing any one weakens your authentication.
What order should I set up SPF, DKIM, and DMARC?
Set up SPF first (fastest, one DNS TXT record), then DKIM (requires generating keys and adding a DNS record), then DMARC last (it depends on SPF and DKIM being in place). Allow 24-48 hours for DNS propagation between each step.
Will email authentication fix my spam problem?
Authentication is necessary but not sufficient. It proves your emails are legitimate, which is a prerequisite for good deliverability. But content quality, sending reputation, list hygiene, and engagement also affect inbox placement.
How long does email authentication take to set up?
The DNS records take 10-15 minutes to create. DNS propagation takes 1-48 hours depending on your provider. Most setups are fully propagated within 4 hours. You can verify propagation using dig or online DNS lookup tools.
What happens if I don't set up email authentication?
Your emails are more likely to land in spam. Anyone can spoof your domain (send emails pretending to be you). Gmail and Yahoo now require SPF and DKIM for bulk senders — unauthenticated email may be rejected outright.
Authenticate your domain with RelayPost
Add your domain and get the exact DNS records to copy-paste. Verification takes minutes.
Create free account