Do I need all five of SPF, DKIM, DMARC, BIMI, and ARC?

SPF, DKIM, and DMARC are the required baseline; Google and Yahoo's 2024 rules require DMARC at p=none or stricter for bulk senders. BIMI is optional and only pays off if you have a recognized brand and are willing to buy a VMC certificate. ARC is configured by forwarders, not by original senders.

What is DMARC alignment?

Alignment means the domain that authenticated via SPF or DKIM matches the domain in the visible From header. A message can pass SPF or DKIM but still fail DMARC if the authenticating domain (SPF Return-Path or DKIM d=) is a different organizational domain than the From header. Strict alignment requires an exact match; relaxed allows the organizational domain.

How long before I can move DMARC from p=none to p=reject?

Plan on 4 to 8 weeks. Start at p=none with a monitored rua address, parse the aggregate reports daily, identify every legitimate sender using your domain, get each one DKIM-signing correctly, then move to p=quarantine. After another week or two of clean reports at quarantine, move to p=reject.

Guide

The Complete Email Authentication Guide (2026)

An RFC-grounded technical reference for the five email authentication standards, with DNS examples, troubleshooting, and a scenario-based implementation checklist.

Why Authentication Exists

SMTP, the protocol that moves email across the internet, has no built-in way to verify who actually sent a message. Anyone can claim to be anyone. Email authentication is the layered system mailbox providers now use to answer three questions: was the message authorized by the sending domain, was the content unaltered in transit, and what should happen if either check fails.

Five standards cover those answers today. SPF (RFC 7208) authorizes sending IPs. DKIM (RFC 6376) cryptographically signs headers and body. DMARC (RFC 7489) tells receivers what to do when SPF or DKIM fails and publishes alignment requirements. BIMI (IETF draft) lets authenticated senders display a logo in the inbox. ARC (RFC 8617) preserves authentication results across legitimate forwarders.

SPF (Sender Policy Framework)

SPF is a TXT record at the root of your sending domain that lists the IPs or hostnames authorized to send mail using that domain in the Return-Path (bounce) address. Receivers look up the record during SMTP negotiation and compare the actual sending IP to the published list.

DNS record (TXT at the apex):

v=spf1 include:_spf.google.com include:amazonses.com ~all

The qualifier at the end tells receivers what to do with mail from non-listed IPs: ~all means soft-fail (deliver to spam), -all means hard-fail (reject), ?all is neutral, and +all authorizes everyone (never use this).

The most common SPF failure is the ten-DNS-lookup limit defined by RFC 7208 §4.6.4. Each include:, a, mx, exists, redirect, and ptr mechanism counts, and they stack recursively through every included record. Records exceeding the limit return PermError, which most receivers treat as a fail. Validate your record with the SPF checker before going live.

Want every check on this page run automatically?

EmailQo runs SPF, DKIM, DMARC, blacklist, and content checks before every campaign — on your own Gmail, Outlook, or AWS SES sending account. Start the 7-day free trial, no card.

Start free trial →

DKIM (DomainKeys Identified Mail)

DKIM attaches a cryptographic signature to every outgoing message. The sending server signs a canonicalized subset of headers plus the body using a private key, and publishes the matching public key in DNS under a selector name. Receivers fetch the public key, verify the signature, and reject or flag mismatches.

DNS record (TXT at <selector>._domainkey.example.com):

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

The signature itself lives in a DKIM-Signature header on every message and identifies which selector to look up. RFC 6376 recommends 2048-bit RSA keys; 1024-bit keys still work but Google now marks them as weak. Rotate selectors every 6 to 12 months to limit exposure if a private key leaks.

Verify your active selector with the DKIM checker. The most common failure is forgetting to publish the key before the sending service starts signing.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

SPF and DKIM tell receivers whether a message authenticated. DMARC tells them what to do about failures, requires header-from alignment, and collects reports so you can see who is sending under your domain.

DNS record (TXT at _dmarc.example.com):

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100

Policies escalate: p=none only reports (monitoring mode), p=quarantine sends failures to spam, and p=reject tells receivers to bounce them. Google and Yahoo's 2024 bulk-sender rules require at least p=none with a valid rua address; most teams progress to quarantine or reject within 4 to 8 weeks of reviewing aggregate reports.

Alignment is what makes DMARC stricter than SPF or DKIM alone. A message passes DMARC only if the domain that authenticated (via SPF Return-Path or DKIM d=) aligns with the visible From header domain. Strict mode (adkim=s, aspf=s) requires an exact match; relaxed mode allows the organizational domain.

Validate your policy with the DMARC checker, and pipe rua reports into a parser so you can see which third-party senders (calendar tools, CRM, ticketing) need their own DKIM setup before you can safely enforce.

BIMI (Brand Indicators for Message Identification)

BIMI lets authenticated senders display their logo next to messages in supporting inboxes (Gmail, Yahoo, Fastmail, Apple Mail on iOS 16+). Two hard requirements: DMARC must be enforced at p=quarantine or p=reject, and the logo must be an SVG Tiny 1.2 file hosted on HTTPS. Gmail and Apple additionally require a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) issued by a certificate authority (DigiCert or Entrust today).

DNS record (TXT at default._bimi.example.com):

v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem

ARC (Authenticated Received Chain)

Legitimate forwarding (mailing lists, catch-all aliases, automatic forwards) breaks SPF because the forwarder is not in your SPF record, and can break DKIM if the forwarder modifies the body (footer insertion, subject prefix). ARC, defined in RFC 8617, lets each intermediary add a signed chain of authentication results so the final receiver can trust the results from before the forwarding happened.

ARC is a receiver-and-forwarder standard, not something the original sender configures. You do not publish a DNS record. What matters is whether the forwarders in your path (Google Groups, corporate mail gateways) sign ARC headers correctly. Gmail does; most consumer forwarders do not.

Implementation Checklist by Scenario

New domain, cold outreach only:

Publish SPF with only the sending service's include (Google, AWS SES, etc.) and ~all.
Publish a 2048-bit DKIM key under a fresh selector.
Publish DMARC at p=none with rua= pointing to a monitored inbox.
Warm the domain for 2 to 4 weeks before scaling volume.
Advance to p=quarantine once reports show no legitimate sources failing.

Existing domain with mixed transactional, marketing, and outreach:

Send outbound cold email from a sending subdomain (for example go.example.com) so a warmup misstep cannot damage your main domain.
Give the subdomain its own SPF, DKIM, and DMARC record independent of the apex.
Leave the apex DMARC untouched until subdomain reports are clean.

Multiple sending services on one domain: add each service's SPF include and publish a separate DKIM selector per service. Use distinct selectors (like ses1, gsuite, hubspot) so rotating one key does not affect the others.

Troubleshooting

When a deliverability issue shows up, check the headers of a failing message first. Most mail clients let you view source. Look for the Authentication-Results header; it reports the pass/fail verdict for each standard.

SPF permerror: you exceeded ten DNS lookups. Flatten includes or move to ip4: / ip6: entries.
DKIM temperror: the selector DNS record is missing or the receiver could not fetch it. Re-check propagation.
DMARC fail with SPF pass and DKIM pass: alignment failure. The authenticated domain differs from the visible From header domain. Fix by sending from an aligned subdomain.
Messages fine on Gmail, spam on Outlook: Outlook weighs content and sending history more heavily than headers. The authentication is probably passing; run the infrastructure grader to see what else might be off.

References

Related Resources

Keep the guide close — get deliverability tips monthly

One short, useful email per month covering SPF/DKIM/DMARC pitfalls, warmup, and cold-email content. No spam. Unsubscribe anytime.

By subscribing you agree to receive occasional tips at this address. See our Privacy Policy. Unsubscribe anytime from any email or at /unsubscribe.

Your emails deserve the inbox.

7 days free. No card. Cancel anytime.

Start free trial

No card needed

7 days free

Cancel anytime

Keep reading

Related resources

Guide

SPF Setup Guide for Cold Email Senders

Step by step SPF record setup for cold email. Includes DNS examples, common mistakes, and how to validate your record is working.

Guide

DKIM Setup for Amazon SES | Step by Step

Complete DKIM setup guide for Amazon SES. Generate keys, add DNS records, verify in AWS console, and start sending authenticated email.

Guide

DMARC Setup Guide for Cold Email Senders

Step by step DMARC setup for cold email. Choose the right policy, set up reporting, and protect your domain from spoofing.

Alternative

Instantly Alternative With Your Own Sending Infrastructure

Instantly uses shared sending pools. EmailQo routes through your own AWS SES. Own your reputation instead of sharing it with thousands of senders.

Alternative

Smartlead Alternative With Dedicated Sending Infrastructure

Smartlead shares your sending reputation with other users. EmailQo gives you your own AWS SES infrastructure. Dedicated sending from $19/mo.