Understanding SPF, DKIM, and DMARC: A Complete Guide

A comprehensive guide to email authentication protocols and why they're essential for your sending reputation.

Marcus Johnson

Senior Engineer

January 10, 2026

Email authentication might sound complex, but it's essential for protecting your domain from spoofing and ensuring your emails reach the inbox. This guide breaks down the three key protocols: SPF, DKIM, and DMARC.

Why Email Authentication Matters

Without authentication, anyone can send emails claiming to be from your domain. This leads to:

  • **Phishing attacks** using your brand name
  • **Damaged reputation** when spoofed emails are marked as spam
  • **Poor deliverability** as ISPs can't verify your legitimacy

Email authentication proves you are who you say you are. Let's explore each protocol.

SPF: Sender Policy Framework

SPF is the simplest authentication method. It tells receiving mail servers which IP addresses are authorized to send email for your domain.

How SPF Works

  1. You publish an SPF record in your domain's DNS
  2. When a server receives an email from your domain, it checks your SPF record
  3. If the sending IP isn't in the record, the email may be rejected or marked as spam

Setting Up SPF

Add a TXT record to your DNS with this format:

v=spf1 include:spf.postalynk.io ~all

This record says:

  • `v=spf1` - This is an SPF record
  • `include:spf.postalynk.io` - Allow Postalynk's servers to send on your behalf
  • `~all` - Soft fail emails from unauthorized sources (consider using `-all` for hard fail once confident)

SPF Limitations

  • SPF only checks the envelope "from" address, not the header "from" that recipients see
  • SPF breaks when emails are forwarded
  • You're limited to 10 DNS lookups per SPF record
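The lookup limit is easy to exceed without noticing, because every nested `include:` counts as well. The following is an added example, not Postalynk's code: it counts the worst-case lookups for a record by following includes through a constructed, in-memory set of TXT records (all record contents and the `.example` names are made up for illustration).

```python
# Terms that cost one DNS query each during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed TXT records for illustration; not real DNS data.
SAMPLE_DNS = {
    "yourdomain.com": "v=spf1 mx include:spf.postalynk.io include:_spf.crm.example "
                      "include:_spf.helpdesk.example ~all",
    "spf.postalynk.io": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example "
                        "include:_c.crm.example -all",
    "_a.crm.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "_b.crm.example": "v=spf1 a mx -all",
    "_c.crm.example": "v=spf1 exists:%{i}.allow.crm.example -all",
    "_spf.helpdesk.example": "v=spf1 a:mail.helpdesk.example mx -all",
}
# Third-party includes replaced by IP ranges (constructed ranges).
CONSOLIDATED_DNS = {**SAMPLE_DNS,
                    "yourdomain.com": "v=spf1 mx include:spf.postalynk.io "
                                      "ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all"}

def count_spf_lookups(domain, dns, path=()):
    """Worst-case number of DNS-querying terms for `domain`, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    record = dns.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                      # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_spf_lookups(target, dns, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.partition("/")[0].lower()           # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_spf_lookups(arg, dns, path + (domain,))
    return total

def exceeds_limit(domain, dns):
    return count_spf_lookups(domain, dns) > LOOKUP_LIMIT

if __name__ == "__main__":
    for label, zone in (("original", SAMPLE_DNS), ("consolidated", CONSOLIDATED_DNS)):
        n = count_spf_lookups("yourdomain.com", zone)
        print(f"{label}: {n} lookups, over limit: {n > LOOKUP_LIMIT}")
```

The top-level record names only four lookup terms, yet the nested includes bring the total to 14, which a receiver reports as a PermError.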

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to your emails, proving they haven't been modified in transit.

How DKIM Works

  1. Your email server signs outgoing emails with a private key
  2. The signature is added to the email header
  3. Receiving servers use your public key (from DNS) to verify the signature
  4. If the signature is valid, the email passes DKIM

Setting Up DKIM

DKIM requires two components:

**1. Private Key (on your mail server)**

Postalynk handles this automatically when you add your domain.

**2. Public Key (in DNS)**

Add a TXT record to your DNS:

selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgk..."

The selector is typically a short string like "postalynk" or "default". Postalynk provides the exact record to add.

DKIM Benefits

  • Survives email forwarding (unlike SPF)
  • Verifies message integrity
  • Builds domain reputation over time
  • Required for DMARC alignment

DMARC: Domain-based Message Authentication

DMARC builds on SPF and DKIM, telling receivers what to do with emails that fail authentication.

How DMARC Works

  1. You publish a DMARC policy in DNS
  2. When an email arrives, the receiver checks SPF and DKIM
  3. DMARC also checks "alignment" - does the authenticated domain match the visible "From" domain?
  4. Based on your policy, failing emails are monitored, quarantined, or rejected
  5. You receive reports about authentication results

Setting Up DMARC

Add a TXT record to _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Key components:

  • `v=DMARC1` - DMARC version
  • `p=none` - Policy (none, quarantine, or reject)
  • `rua=mailto:` - Address for aggregate reports

DMARC Policies Explained

**p=none (Monitor)**

  • Emails are delivered normally
  • You receive reports to understand your email ecosystem
  • Start here to avoid blocking legitimate emails

**p=quarantine (Warning)**

  • Failing emails go to spam/junk folder
  • Use after you've fixed legitimate email sources

**p=reject (Strict)**

  • Failing emails are blocked entirely
  • Maximum protection, but only use when fully confident

DMARC Implementation Strategy

  1. **Week 1-2**: Deploy with `p=none` and monitor reports
  2. **Week 3-4**: Identify and fix any legitimate sources failing authentication
  3. **Week 5-8**: Move to `p=quarantine` with a small percentage
  4. **Week 9+**: Gradually increase to `p=reject` if reports are clean

Putting It All Together

Here's a complete authentication setup:

SPF Record (@ TXT)

v=spf1 include:spf.postalynk.io -all

DKIM Record (postalynk._domainkey TXT)

v=DKIM1; k=rsa; p=MIIBIjANBgk... (your public key)

DMARC Record (_dmarc TXT)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Troubleshooting Common Issues

**"SPF PermError: Too many DNS lookups"**

SPF has a 10 lookup limit. Consolidate your `include:` statements or use IP addresses directly.

**"DKIM signature invalid"**

Usually caused by email content being modified after signing. Check for mailing list modifications or email forwarding rules.

**"DMARC alignment fails"**

The domain in your "From" header must match the SPF or DKIM authenticated domain. Ensure you're sending from your verified domain.

Conclusion

Email authentication isn't optional anymore. SPF, DKIM, and DMARC work together to protect your domain and improve deliverability. Start with SPF and DKIM, then add DMARC monitoring before enforcing strict policies.

Postalynk automatically handles DKIM signing and provides clear instructions for DNS setup. Our dashboard shows your authentication status in real-time, making it easy to maintain a secure email configuration.
