SPF, DKIM, DMARC & BIMI: The Developer's Email Authentication Guide
Four protocols that determine whether your email lands in the inbox or the spam folder. Here's what each one does, how to configure the DNS records, and the mistakes that break them.
Why email authentication matters
Gmail and Microsoft now require SPF and DKIM for bulk senders, and strongly recommend DMARC. Without proper authentication, your emails are more likely to be flagged as spam or rejected outright. Google's February 2024 enforcement means senders of 5,000+ daily emails must have all three configured.
Authentication also protects your domain from spoofing — preventing others from sending email that appears to come from your organization.
The implementation order
Set these up in order. Each protocol builds on the previous one:
- SPF — authorize your sending servers
- DKIM — sign your emails cryptographically
- DMARC — set policy for authentication failures (start with p=none to monitor)
- BIMI — add your brand logo (optional, requires DMARC enforcement)
SPF — Sender Policy Framework
Defines which mail servers are authorized to send email on behalf of your domain. Receiving servers check the SPF record to verify the sending server's IP is listed.
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Common failures
- Too many DNS lookups (max 10 allowed — each 'include' counts as one)
- Missing your email service provider's servers in the SPF record
- Using '-all' (hard fail) before you've verified all senders, causing legitimate email to be rejected
- Forgetting to include servers for transactional email (e.g., Resend, Postmark) alongside marketing email (e.g., Mailchimp)
DKIM — DomainKeys Identified Mail
Adds a cryptographic signature to every outgoing email. The receiving server verifies the signature against a public key published in your DNS records. This proves the email hasn't been tampered with in transit.
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...
Common failures
- Wrong selector name (must match what your email provider generated)
- Truncated public key (some DNS providers have a 255-character limit per TXT record — use multiple strings)
- Key rotation: forgetting to publish the new key before your provider switches to it
- Multiple DKIM records from different providers conflicting
DMARC — Domain-based Message Authentication, Reporting, and Conformance
Tells receiving servers what to do when SPF and DKIM fail: none (monitor only), quarantine (send to spam), or reject (bounce). Also enables aggregate reporting so you can see who's sending email as your domain.
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
Common failures
- Starting with p=reject before monitoring — causes legitimate email to bounce
- Not setting up a reporting address (rua=) — you'll never know about failures
- Third-party senders (CRM, marketing tools) that don't align with your SPF/DKIM
- Subdomain policy not set (sp=) — attackers may spoof subdomains instead
BIMI — Brand Indicators for Message Identification
Displays your brand logo next to your email in the inbox. Requires DMARC enforcement (p=quarantine or p=reject) and a Verified Mark Certificate (VMC) from a certificate authority. The newest of the four protocols.
v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem
Common failures
- DMARC not at enforcement level (p=none won't work — need quarantine or reject)
- SVG logo not in the required Tiny PS format (specific profile required by BIMI)
- VMC certificate expired or from a non-recognized authority
- Logo not matching the trademarked logo exactly
Debugging authentication failures
When emails are rejected or land in spam, check the email headers for authentication results. Look for:
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected]) dkim=pass header.d=yourdomain.com dmarc=pass (p=QUARANTINE) header.from=yourdomain.com
If any result shows fail or softfail, trace the issue: verify the DNS record exists, check that the sending IP is authorized (SPF), confirm the DKIM selector matches, and ensure DMARC alignment between the From header and the authenticated domain.
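The alignment step above is the one people most often get wrong, so here is an added example (not part of the original guide) that parses an Authentication-Results header and applies DMARC's rule: the message passes only if SPF passes and aligns with the From domain, or DKIM passes and aligns. The sample header is constructed, the subdomain return-path and selector are assumptions, and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup real verifiers use.

```python
import re

# Constructed sample, modelled on the header shown in the guide. The
# subdomain return-path (mail.yourdomain.com) and selector are assumptions.
SAMPLE_AR = (
    "mx.google.com; "
    "spf=pass (google.com: domain of bounce@mail.yourdomain.com) "
    "smtp.mailfrom=mail.yourdomain.com; "
    "dkim=pass header.d=yourdomain.com header.s=sel1; "
    "dmarc=pass (p=QUARANTINE) header.from=yourdomain.com"
)

_COMMENT = re.compile(r"\([^)]*\)")            # CFWS comments like "(p=QUARANTINE)"
_PROP = re.compile(r"([a-z]+\.[a-z]+)=([^\s;]+)")  # ptype.property=value pairs


def parse_auth_results(header):
    """Return {method: (result, {ptype.property: value})} for one header line."""
    clauses = [c.strip() for c in header.split(";")][1:]  # drop the authserv-id
    parsed = {}
    for clause in clauses:
        clause = _COMMENT.sub("", clause)
        m = re.match(r"([a-z]+)=([a-z]+)", clause)
        if not m:
            continue
        parsed[m.group(1)] = (m.group(2), dict(_PROP.findall(clause)))
    return parsed


def org_domain(domain):
    """Assumption: last two labels. Real DMARC uses the Public Suffix List,
    so this breaks on suffixes like co.uk; good enough for a debugging aid."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') matches org domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(header, from_domain, aspf="r", adkim="r"):
    """DMARC passes if SPF passes *and* aligns, or DKIM passes *and* aligns."""
    r = parse_auth_results(header)
    spf_res, spf_props = r.get("spf", ("none", {}))
    dkim_res, dkim_props = r.get("dkim", ("none", {}))
    spf_ok = spf_res == "pass" and aligned(spf_props.get("smtp.mailfrom"), from_domain, aspf)
    dkim_ok = dkim_res == "pass" and aligned(dkim_props.get("header.d"), from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    print(evaluate_dmarc(SAMPLE_AR, "yourdomain.com"))             # relaxed: both align
    print(evaluate_dmarc(SAMPLE_AR, "yourdomain.com", aspf="s"))   # strict SPF: DKIM carries it
```

Feed it a header from a third-party sender whose SPF and DKIM domains are its own (the failure in the DMARC section above) and dmarc_pass comes back False even though both methods show pass.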
Checking your setup with Emailens
Emailens includes a deliverability checker that verifies all four protocols for your domain — SPF record validity, DKIM key publication, DMARC policy configuration, and BIMI record presence. It flags misconfigurations and suggests fixes.
You can try it from the deliverability tool page or run it as part of a full email preview from your dashboard.