
Email authentication records: SPF, DKIM, DMARC, and BIMI explained

Email authentication records are DNS entries that let receiving mail servers verify whether the sender is authorized to use a given domain. Four standards form the authentication stack: SPF, DKIM, DMARC, and BIMI. Together they establish a trust system without which messages risk landing in spam or being rejected outright.

SPF (Sender Policy Framework)

SPF answers the question: which servers are allowed to send mail for this domain? The domain owner publishes a TXT record in DNS listing authorized IP addresses and server names. When a receiving server gets a message, it extracts the domain from the envelope sender (MAIL FROM) and checks the SPF record. If the sending IP is listed, the check passes.

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 -all

The -all directive means all unlisted servers are unauthorized (hard fail). ~all (soft fail) is more lenient: the message is not rejected but flagged as suspicious. SPF has a 10-DNS-lookup limit; exceeding it causes a PermError, which counts as a failed check.

DKIM (DomainKeys Identified Mail)

DKIM attaches a cryptographic signature to each outgoing message. The sending server signs selected headers and the body with a private key. The corresponding public key is published in DNS as a TXT record. The receiving server retrieves the public key and verifies the signature. If valid, the message has not been altered in transit and originates from an authorized source.

selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC unifies SPF and DKIM under a single policy. It introduces alignment: the domain in the visible From header must match the domain authenticated by SPF or DKIM. DMARC also tells the receiving server what to do with messages that fail: p=none (monitor only), p=quarantine (send to spam), or p=reject (reject entirely). The rua tag specifies where aggregate reports should be sent.

_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
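
Added example, not part of the original page: a simplified DMARC evaluation showing how a message can pass both SPF and DKIM and still fail DMARC when neither authenticated domain aligns with the From domain. It goes slightly beyond the text by honoring the standard aspf/adkim alignment-mode tags (relaxed by default, strict with "s"). The function names, the sample domains, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List so that names like example.co.uk resolve correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); anything else = relaxed (same org domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(record, from_domain, spf, dkim_sigs):
    """spf = (result, MAIL FROM domain); dkim_sigs = [(result, d= domain), ...].
    Returns 'pass', or the policy (none/quarantine/reject) the receiver is asked
    to apply. pct sampling is not modelled."""
    tags = parse_dmarc(record)
    spf_result, mail_from = spf
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for result, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else tags["p"]

# Constructed sample messages; the record is the one shown on this page.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    # Sent through a third-party service that signs with its own domain:
    # SPF and DKIM both pass, but neither domain aligns with From.
    print(dmarc_result(RECORD, "example.com",
                       ("pass", "bounces.mailer.test"), [("pass", "mailer.test")]))
    # Same service, but DKIM now signs with d=example.com: DKIM aligns.
    print(dmarc_result(RECORD, "example.com",
                       ("pass", "bounces.mailer.test"), [("pass", "example.com")]))
    # Strict SPF alignment rejects a subdomain that relaxed mode would accept.
    print(dmarc_result("v=DMARC1; p=reject; aspf=s", "example.com",
                       ("pass", "mail.example.com"), []))
```

The first case is the one that most often surprises senders moving from p=none to an enforcing policy: authentication succeeds, alignment does not.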

BIMI (Brand Indicators for Message Identification)

BIMI displays a brand logo next to the message in the recipient's mailbox. Gmail, Yahoo, and Apple Mail support it. Prerequisites: DMARC with p=quarantine or p=reject, and a verified SVG logo. Gmail additionally requires a VMC (Verified Mark Certificate) from DigiCert or Entrust. BIMI does not affect deliverability directly but improves brand recognition and open rates.

2024 requirements

Since February 2024, Google and Yahoo require bulk senders (over 5,000 messages per day) to have SPF, DKIM, and a DMARC record (at minimum p=none), alignment between the From domain and SPF/DKIM, one-click unsubscribe (RFC 8058), and a spam rate below 0.1%. Senders that fall short face throttling and rejections. As of late 2025, Microsoft has joined Gmail, Yahoo, and Apple Mail with the same DMARC requirement for outlook.com, hotmail.com, and live.com.


uChecker complements authentication on the subscriber list side. Correct DNS records protect your domain from spoofing. List validation protects your reputation from invalid addresses and spam traps. Together, they give you stable deliverability.
