Email Authentication Explained

SPF, DKIM, and DMARC are three DNS records that, together, decide whether mail claiming to come from your domain is allowed through. Here is what each one does and why none of them is enough on its own.

The Problem They Solve

SMTP, the protocol that carries email between servers, has no built-in concept of identity. Anyone with a mail server can send a message claiming to be from your domain. There is no password, no signature, no receipt at the protocol layer.

For decades, this asymmetry has powered phishing campaigns, business email compromise, and brand impersonation. SPF, DKIM, and DMARC are the layered DNS-based controls the industry has converged on to close the gap.

Each one is a TXT record you publish. Receivers fetch them during delivery, run the corresponding check, and decide whether to accept, quarantine, or reject.

SPF — Sender Policy Framework

What It Does

SPF is a public list of the IP addresses authorized to send mail for your domain. A receiver looks at the sender's IP, fetches your SPF record, and asks: "is this IP allowed to send for this domain?"

How To Read One

example.com.   IN  TXT  "v=spf1 include:_spf.google.com ip4:198.51.100.0/24 -all"
  • v=spf1 — version tag. Always present, always first.
  • include:_spf.google.com — delegate authorization to another domain's SPF record. Used for SaaS senders (Google Workspace, Microsoft 365, Mailchimp).
  • ip4:198.51.100.0/24 — explicit IP range that may send.
  • -all — the trailing mechanism. -all means "fail any other sender." ~all means softfail. ?all means neutral. +all means allow anything and provides no protection.

The 10-Lookup Limit

RFC 7208 §4.6.4 caps SPF evaluation at 10 DNS lookups across the entire chain. Each include, redirect, a, mx, exists, and ptr mechanism counts. Exceeding the limit returns permerror, and the receiver treats SPF as broken. The lookup tool tells you where you stand.
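To make the lookup count and the trailing qualifier concrete, here is an added example (not the page's lookup tool or any Auspex code) that audits a single SPF record offline. It counts only the terms in the record it is handed, so nested include chains would add to the total; the sample records are constructed.

```python
# Offline audit of one SPF TXT record (added example, not a DNS resolver).
# Counts the terms that each consume one of the 10 lookups RFC 7208 allows and
# classifies the trailing "all" qualifier. Nested includes are not followed,
# so the true lookup total can only be higher than what is reported here.

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # an unqualified term means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if not term:
            continue
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.net
            name, _, arg = term.partition("=")
        else:                                # mechanism, e.g. ip4:198.51.100.0/24
            name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # strip CIDR suffix on a/24 or mx/24
        terms.append((qualifier, name, arg))
    return terms


def audit_spf(record):
    """Return the lookup count, the 'all' qualifier and a list of warnings."""
    terms = parse_spf(record)
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    all_q = next((q for q, name, _ in terms if name == "all"), None)
    warnings = []
    if lookups > 10:
        warnings.append("more than 10 DNS lookups: receivers return permerror")
    if all_q is None:
        warnings.append("no 'all' term: unlisted senders evaluate as neutral")
    elif all_q in "+?":
        warnings.append(f"'{all_q}all' gives unlisted senders pass or neutral")
    elif all_q == "~":
        warnings.append("'~all' is softfail; move to '-all' once senders are known")
    return {"lookups": lookups, "all": all_q, "warnings": warnings}


# Constructed sample records.
GOOD = "v=spf1 include:_spf.google.com ip4:198.51.100.0/24 -all"
TOO_MANY = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " ~all"
```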

Alignment

SPF alone authenticates the SMTP envelope sender — not the From header users actually see. DMARC requires the envelope domain to align with the From header for SPF to count toward a DMARC pass.

DKIM — DomainKeys Identified Mail

What It Does

DKIM puts a cryptographic signature in the message header. The sending server signs the message with a private key; the receiver fetches the matching public key from DNS and verifies the signature.

How The Public Key Lives In DNS

s1._domainkey.example.com.   IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."
  • s1 — the selector. A sender chooses any label and publishes the public key at <selector>._domainkey.<domain>. The selector travels with each signed message in the DKIM-Signature header.
  • v=DKIM1 — version tag.
  • k=rsa — key algorithm. RSA is universal; Ed25519 is supported but rare.
  • p=... — the base64-encoded public key.

What DKIM Authenticates

A valid DKIM signature proves the message was signed by something holding the private key for that selector + domain, and that the signed headers and body have not been modified in transit. It does not by itself prove the message is from the domain in the From header — that is what DKIM alignment is for.

Alignment

The DKIM signature carries a d= tag naming the signing domain. DMARC requires d= to align with the From header. Aligned + valid DKIM contributes to a DMARC pass; an aligned-but-invalid signature does not.

DMARC — The Policy Layer

What It Does

DMARC is the record that ties SPF and DKIM together. It says: "if SPF and DKIM both fail alignment with the From header, here is what receivers should do, and here is where to send me the reports."

It lives at _dmarc.<domain> and is the only one of the three records that names a destination for telemetry.

How To Read One

_dmarc.example.com.   IN  TXT  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@auspex-labs.com; fo=1"
  • v=DMARC1 — version tag.
  • p — the policy. none means observe only. quarantine means deliver failing mail to the spam folder. reject means refuse the message at SMTP time. The whole point of reading reports is to earn the confidence to move from none to reject.
  • sp — the subdomain policy. If absent, subdomains inherit p. If present and weaker than p, subdomains are softer targets.
  • adkim / aspf — alignment mode. r (relaxed) allows subdomain matches; s (strict) requires exact-domain match.
  • pct — percentage of failing mail the policy is applied to. Values below 100 are intentional ramps; persistent low pct means the policy is not really enforced.
  • rua — where receivers send aggregate reports. The address Auspex DMARC processes.
  • fo — forensic-report options. 1 requests reports for any failure (SPF or DKIM); rarely supported by receivers.

The Policy Progression

Almost every domain starts at p=none. Reports come in. You identify the legitimate senders you forgot about (the SaaS that sends invoices, the marketing tool nobody documented). You add them to SPF or get them DKIM-signing. When the reports show only unauthorized senders failing, you move to p=quarantine. When that has been quiet for weeks, you move to p=reject. Without reading the reports, this progression never starts.

How The Three Work Together

For a message to pass DMARC:

  • SPF passes and the envelope sender domain aligns with the From header; or
  • DKIM verifies and the signing d= domain aligns with the From header.

Either path is enough. The two are complementary: DKIM survives forwarding (the signature travels with the message even though the sending IP changes); SPF survives content changes such as subject-line rewrites by mailing lists (those break the DKIM signature but are invisible to an IP-based check). A domain with both is robust against both common failure modes.
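Putting the two paths together, here is an added example (not Auspex code) that applies a parsed DMARC record to one message. It assumes the receiver has already produced the raw SPF and DKIM results, and its org_domain helper uses a last-two-labels simplification in place of the Public Suffix List; the record and identities are constructed.

```python
# Apply a DMARC record to one message (added example). The raw SPF and DKIM
# results are inputs here: a receiver computes them before DMARC is evaluated.

DMARC_DEFAULTS = {"adkim": "r", "aspf": "r"}     # RFC 7489 defaults: relaxed


def parse_dmarc(record):
    """Parse a 'v=DMARC1; p=...' TXT record into a tag dict with defaults filled."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("not a usable DMARC record")
    for key, default in DMARC_DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])              # subdomains inherit p when sp is absent
    return tags


def org_domain(domain):
    """Simplification: the last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, record_domain, from_domain,
                   spf_result, envelope_domain, dkim_result, dkim_d):
    """Return (passed, disposition). Either aligned path is enough to pass."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(envelope_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # Failing mail from a subdomain of the record's domain gets sp; the domain itself gets p.
    is_sub = from_domain.lower() != record_domain.lower()
    return False, (policy["sp"] if is_sub else policy["p"])


# Constructed record: strict alignment for both mechanisms, softer subdomain policy.
STRICT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
```

Note that a valid DKIM signature with an unaligned d= contributes nothing, which is the aligned-but-invalid and valid-but-unaligned distinction the alignment sections draw.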

DMARC's role is not to authenticate any one message. It is to publish your policy decision and to make the receiver's verdict observable through reports. The records authenticate; DMARC governs and reports.

Check Your Domain

Run the lookup against your domain. See the same findings receivers would see.