SPF, DKIM, DMARC: the only guide you'll actually need in 2026
In February 2024, Gmail and Yahoo started enforcing bulk-sender authentication requirements. Sending more than 5,000 emails a day? Your messages now require valid SPF, DKIM, and DMARC, plus a list-unsubscribe header.
SPF — who's allowed to send for your domain
A list of servers authorized to send email from your domain. When a receiving server gets mail claiming to be from @yourdomain.com, it checks SPF to confirm the sender is on the list.
TXT @ "v=spf1 include:amazonses.com include:_spf.google.com ~all"
DKIM — cryptographic signature
A cryptographic signature your sending server stamps on every outgoing email. The receiving server fetches your public key from DNS and verifies the signature.
CNAME abc123._domainkey "abc123.dkim.amazonses.com" CNAME def456._domainkey "def456.dkim.amazonses.com" CNAME ghi789._domainkey "ghi789.dkim.amazonses.com"
DMARC — what to do when SPF/DKIM fails
A policy that tells receivers what to do when an email claiming to be from your domain fails SPF or DKIM. Start with monitor mode:
TXT _dmarc "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"
After 30 days of clean reports, tighten to p=quarantine. After another 30 days, tighten to p=reject. This is the path Gmail wants you on.
The hard truth: if you're sending more than 5,000 emails/day without all three records aligned, your deliverability is already worse than it should be — Gmail and Yahoo are quietly demoting you.