What are SPF, DKIM, and DMARC authentications?

From this article, you will learn about SPF, DKIM, and DMARC records, and their impact on the delivery of your e-mails.

Written by Martyna Woźniszczuk
Updated over a week ago

During the process of sending e-mail messages, mail agents (such as Gmail, Outlook, Yahoo) need to determine whether a message is legitimate (i.e., sent from the owner of the domain or e-mail address) or forged (sent by a spammer or phisher). This also applies to e-mails sent from the QuarticOn system.

Authentication, a type of security measure, is very helpful in making this decision and proving to mail agents that a message actually originates from you. In other words, it is the process of identifying the source or sending domain to eliminate the risk of spam and phishing.

There are three types of authentication: SPF, DKIM, and DMARC.

Why is it worth configuring e-mail authentication?

1. Removes the "via..." header in Gmail

Authentication strengthens brand credibility, resulting in the removal of the "via..." part in the message title header (DKIM authentication).

2. Builds sender reputation for e-mail messages under your own domain name

With authentication, you can avoid situations where your e-mails to customers end up in spam due to an untrusted domain (SPF authentication).

3. Enforces rigorous protections on your domain name

Authentication standards help protect your domain name from potential misuse (DMARC authentication).

Before proceeding to the descriptions of individual authentication methods, make sure you are using a valid (existing and established) sending domain that you own. Your domain should be older than 30 days and have a valid "A record".

It is also crucial for this domain to have an MX record that specifies the mail server responsible for receiving e-mail messages on behalf of the domain.

Does authentication solve all deliverability issues?

No, authentication alone does not solve all deliverability issues. Authentication helps with identifying the sender and establishing trustworthiness. However, to achieve a high deliverability rate for your e-mail messages, it is recommended to follow best practices such as sending high-quality personalized e-mails to a list of individuals who have given consent to receive them, and regularly maintaining an updated e-mail list.

Authentication allows legitimate senders to further strengthen their reputation and protect their domain from malicious senders who may try to impersonate them. Below, you will find information about each type of authentication that was mentioned earlier.


SPF (Sender Policy Framework) records are TXT records in your domain that authorize specific servers to send mail using your domain name.
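As an added illustration (not QuarticOn's code), the sketch below shows how a receiving server could evaluate an SPF TXT record against the IP address that delivered a message. The domains `shop.example` and `_spf.esp.example`, the IP addresses, and the function name `check_spf` are constructed for this example; only the `ip4`, `ip6`, `include`, and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (documentation-range IPs).
TXT = {
    "shop.example": "v=spf1 ip4:192.0.2.10 include:_spf.esp.example ~all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookups=None):
    """Return the SPF result for sender_ip under domain's record.

    Hypothetical helper: mechanisms that need live DNS (a, mx, ...) are skipped.
    """
    lookups = lookups if lookups is not None else [0]
    terms = TXT.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:  # RFC 7208 limits DNS-querying terms to 10
                return "permerror"
            # include matches only when the included record yields "pass"
            if check_spf(value, sender_ip, lookups) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```

A server listed directly or through `include:` yields `pass`; any other address falls through to the record's final `~all` and yields `softfail`.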


DKIM (DomainKeys Identified Mail) is a type of signature that a sender can apply to their e-mail messages. It allows the sender to confirm that the purported sender of the message is actually the sender. The signature can be for any domain. For example, a company named "QuarticOn" may sign its messages with the domain to confirm that the message was indeed sent by "QuarticOn".

Configuring DKIM records involves placing a hidden cryptographic signature in the header of the e-mail message, and then placing the public key on their website to verify the authenticity of the signature.


DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard based on SPF and DKIM. It allows the domain owner to create rules that inform e-mail providers (such as Google or Microsoft) what to do if an e-mail fails SPF and DKIM checks.

DMARC supports three main policy configurations:

  • "None" - indicates that e-mails should be treated normally if DMARC fails.

  • "Quarantine" - indicates that e-mails should be delivered to the spam folder if DMARC fails.

  • "Reject" - indicates that e-mails should be rejected (i.e., not delivered to the recipient) if DMARC fails.

Using "Quarantine" or "Reject" policies in DMARC will require proper configuration of DKIM records for the sending domain, otherwise all your e-mails may fail the DMARC test. This could result in e-mails being filtered to the spam folder ("Quarantine") or being completely blocked ("Reject"). Before configuring a strict DMARC record, make sure that DKIM configuration is correct for all your sending domains.
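The following added example (not part of the original article or of any QuarticOn tooling) models how a receiver turns SPF and DKIM results into a DMARC outcome, and why a strict policy without DKIM for your own domain blocks mail sent through a third-party platform. The domains `shop.example` and `esp.example` and all function names are constructed; the two-label organizational-domain rule is a simplification, as real receivers use the Public Suffix List.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not valid DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs produced by earlier checks."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough for DMARC to pass
        return "deliver"
    return {"none": "deliver", "quarantine": "spam-folder", "reject": "reject"}[policy["p"]]


# Constructed scenario: From: news@shop.example, sent through a platform at esp.example.
# SPF passes, but only for the platform's bounce domain, so it is not aligned.
SPF_VIA_ESP = ("pass", "bounces.esp.example")
DKIM_ESP_ONLY = ("pass", "esp.example")    # signed with the platform's domain only
DKIM_OWN = ("pass", "mail.shop.example")   # DKIM configured for your own domain

if __name__ == "__main__":
    for p in ("none", "quarantine", "reject"):
        print(p, dmarc_disposition(f"v=DMARC1; p={p}", "shop.example", SPF_VIA_ESP, DKIM_ESP_ONLY))
    print("own DKIM:", dmarc_disposition("v=DMARC1; p=reject", "shop.example", SPF_VIA_ESP, DKIM_OWN))
```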

DMARC is not a tool to increase deliverability, and its configuration is optional. However, it is worth configuring in the following cases:

  • Someone is consistently spoofing your domain, sending fraudulent e-mails, and damaging your reputation, DMARC will allow you to identify this activity and put an end to it.

  • Your organization has a strict e-mail security policy that requires DMARC authentication, such as a government institution or a financial organization.

  • You want to display your logo (BIMI) in your e-mails.

To start using DMARC, we recommend beginning with a "None" policy to avoid impacting deliverability in case of misconfiguration. In this case,
