[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"page_blog-slug_s7jokRspTPJsf1VPLCwjzAFTkrjShvM5li2cqpIvXc":3},{"__nuxt_island":4,"id":94,"head":9,"html":95},{"key":5,"params":6,"result":8},"page_blog-slug_s7jokRspTPJsf1VPLCwjzAFTkrjShvM5li2cqpIvXc",{"url":7,"props":-1},"/blog/understanding-email-authentication",{"head":9},{"script":10,"meta":27,"link":83,"title":69,"style":91},[11,17,21,22,23,24,25,26],{"id":12,"type":13,"processTemplateParams":14,"innerHTML":15,"tagPosition":16},"nuxt-og-image-options","application/json",true,"[{\"component\":1,\"props\":2},\"OgImageBlogPost\",{\"title\":3,\"description\":4},\"Understanding Email Authentication: SPF, DKIM, and DMARC\",\"A beginner-friendly guide to email authentication protocols. Learn what SPF, DKIM, and DMARC are, how they work together, and why they matter for email deliverability and security.\"]","bodyClose",{"key":18,"tagPosition":16,"tagPriority":19,"innerHTML":20},":NIiDfe5__B:","critical","document.querySelectorAll('[data-prehydrate-id*=\":NIiDfe5__B:\"]').forEach(e=>{let t=window._nuxtTimeNow||=Date.now(),n=(e,t)=>t>0?e[0].toUpperCase()+e.slice(1):e,r=e.getAttribute(`datetime`);if(!r)return;let i=new Date(r);if(Number.isNaN(i.getTime()))return;let a={};for(let t of e.getAttributeNames())if(t.startsWith(`data-`)){let r=t.slice(5).split(`-`).map(n).join(``);r===`relativeStyle`&&(r=`style`),a[r]=e.getAttribute(t)}if(a.relative){let n=(i.getTime()-t)/1e3,r=[{unit:`second`,seconds:1,threshold:60},{unit:`minute`,seconds:60,threshold:60},{unit:`hour`,seconds:3600,threshold:24},{unit:`day`,seconds:86400,threshold:30},{unit:`month`,seconds:2592e3,threshold:12},{unit:`year`,seconds:31536e3,threshold:1/0}],{unit:o,seconds:s}=r.find(({seconds:e,threshold:t})=>Math.abs(n/e)\u003Ct)||r[r.length-1],c=n/s;e.textContent=new Intl.RelativeTimeFormat(a.locale,a).format(Math.round(c),o)}else e.textContent=new 
Intl.DateTimeFormat(a.locale,a).format(i)})",{"key":18,"tagPosition":16,"tagPriority":19,"innerHTML":20},{"key":18,"tagPosition":16,"tagPriority":19,"innerHTML":20},{"key":18,"tagPosition":16,"tagPriority":19,"innerHTML":20},{"key":18,"tagPosition":16,"tagPriority":19,"innerHTML":20},{"key":18,"tagPosition":16,"tagPriority":19,"innerHTML":20},{"key":18,"tagPosition":16,"tagPriority":19,"innerHTML":20},[28,31,34,37,39,41,44,46,49,51,54,57,60,63,65,67,68,70,71,74,78,81],{"property":29,"content":30},"og:image","/__og-image__/image/blog/understanding-email-authentication/og.png",{"property":32,"content":33},"og:image:type","image/png",{"name":35,"content":36},"twitter:card","summary_large_image",{"name":38,"content":30},"twitter:image",{"name":40,"content":30},"twitter:image:src",{"property":42,"content":43},"og:image:width",1200,{"name":45,"content":43},"twitter:image:width",{"property":47,"content":48},"og:image:height",600,{"name":50,"content":48},"twitter:image:height",{"hid":52,"property":52,"content":53},"og:type","article",{"hid":55,"property":55,"content":56},"og:url","https://emailshot.io/blog/understanding-email-authentication/",{"property":58,"content":59},"og:title","Understanding Email Authentication: SPF, DKIM, and DMARC",{"name":61,"content":62},"description","A beginner-friendly guide to email authentication protocols. 
Learn what SPF, DKIM, and DMARC are, how they work together, and why they matter for email deliverability and security.",{"property":64,"content":62},"og:description",{"property":29,"content":66},"/img/emailshot-screenshot.png",{"name":61,"content":62},{"property":58,"content":69},"Understanding Email Authentication: SPF, DKIM, and DMARC - EmailShot Blog",{"property":64,"content":62},{"property":72,"content":73},"article:published_time","2026-02-10",{"property":75,"content":76,"key":77},"article:modified_time","2026-03-16","0",{"property":79,"content":80,"key":80},"article:tag","email-security",{"property":79,"content":82,"key":82},"technical",[84,86],{"rel":85,"href":56},"canonical",{"rel":87,"type":88,"title":89,"href":90},"alternate","application/rss+xml","EmailShot Blog RSS Feed","https://emailshot.io/blog/rss.xml",[92],{"innerHTML":93},"pre code .line{display:block;min-height:1rem}","s7jokRspTPJsf1VPLCwjzAFTkrjShvM5li2cqpIvXc","\u003Cdiv class=\"blog-view\" data-island-uid>\u003Cmain>\u003C!--[-->\u003C!--[-->\u003C!---->\u003C!---->\u003C!---->\u003C!---->\u003C!---->\u003C!---->\u003C!--[-->\u003C!---->\u003C!---->\u003C!--]-->\u003C!--]-->\u003Carticle>\u003Cdiv class=\"container\">\u003Cheader class=\"mb-4\">\u003Cdiv class=\"section-heading\">\u003Ch1 class=\"blog-article-title mb-1 fw-bolder\">Understanding Email Authentication: SPF, DKIM, and DMARC\u003C/h1>\u003Cdiv class=\"line\">\u003C/div>\u003C/div>\u003Cdiv class=\"d-flex flex-wrap align-items-center gap-3 text-muted mb-3\">\u003Cdiv class=\"fst-italic\"> Published on \u003Ctime data-year=\"numeric\" data-month=\"long\" data-day=\"numeric\" datetime=\"2026-02-10T00:00:00.000Z\" data-prehydrate-id=\":NIiDfe5__B:\">February 10, 2026\u003C/time>\u003C/div>\u003Cdiv class=\"fst-italic\"> · Updated on \u003Ctime data-year=\"numeric\" data-month=\"long\" data-day=\"numeric\" datetime=\"2026-03-16T00:00:00.000Z\" data-prehydrate-id=\":NIiDfe5__B:\">March 16, 
2026\u003C/time>\u003C/div>\u003C/div>\u003Cdiv class=\"mb-3\">\u003C!--[-->\u003Cspan class=\"badge bg-secondary me-1\">email-security\u003C/span>\u003Cspan class=\"badge bg-secondary me-1\">technical\u003C/span>\u003C!--]-->\u003C/div>\u003C/header>\u003Cdiv class=\"row\">\u003Cdiv class=\"col-lg-8\">\u003Cdiv class=\"blog-content\">\u003Cdiv>\u003Cp>\u003C!--[-->Email authentication might sound complex, but understanding the basics is essential for anyone who sends emails professionally. Whether you&#39;re running email marketing campaigns, managing a business domain, or simply want to understand why some emails land in spam, knowing how SPF, DKIM, and DMARC work will make you a more effective communicator.\u003C!--]-->\u003C/p>\u003Cp>\u003C!--[-->In this guide, we&#39;ll break down the three main protocols that protect your emails — and explain how they work together to keep your domain safe from spoofing and phishing.\u003C!--]-->\u003C/p>\u003Ch2 id=\"why-email-authentication-matters\">\u003Ca href=\"#why-email-authentication-matters\">\u003C!--[-->Why Email Authentication Matters\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->Before we dive into the protocols, it&#39;s important to understand the problem they solve.\u003C!--]-->\u003C/p>\u003Cp>\u003C!--[-->Email was invented in the early days of the internet, when trust between systems was assumed. The original email protocol (SMTP) has no built-in way to verify that the sender is who they claim to be. 
This means anyone can send an email that appears to come from your domain — a technique known as \u003Cstrong>\u003C!--[-->email spoofing\u003C!--]-->\u003C/strong>.\u003C!--]-->\u003C/p>\u003Cp>\u003C!--[-->Spoofing enables:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Phishing attacks\u003C!--]-->\u003C/strong>: Attackers send emails that look like they come from your company, tricking recipients into revealing passwords, credit card numbers, or other sensitive information\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Business Email Compromise (BEC)\u003C!--]-->\u003C/strong>: Criminals impersonate executives to authorize fraudulent wire transfers or data sharing\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Brand damage\u003C!--]-->\u003C/strong>: Spam sent from spoofed versions of your domain hurts your reputation, even though you didn&#39;t send it\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Deliverability problems\u003C!--]-->\u003C/strong>: If your domain is being spoofed, email providers may start treating your legitimate emails as suspicious\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Cp>\u003C!--[-->Email authentication protocols — SPF, DKIM, and DMARC — were created to solve these problems. They give receiving email servers a way to verify that an incoming email actually came from an authorized sender.\u003C!--]-->\u003C/p>\u003Ch2 id=\"what-is-spf\">\u003Ca href=\"#what-is-spf\">\u003C!--[-->What is SPF?\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->\u003Cstrong>\u003C!--[-->Sender Policy Framework (SPF)\u003C!--]-->\u003C/strong> is a DNS record that specifies which mail servers are authorized to send emails on behalf of your domain. 
Think of it as a guest list for your email domain — if a server isn&#39;t on the list, it shouldn&#39;t be sending emails claiming to be from you.\u003C!--]-->\u003C/p>\u003Ch3 id=\"how-spf-works\">\u003Ca href=\"#how-spf-works\">\u003C!--[-->How SPF Works\u003C!--]-->\u003C/a>\u003C/h3>\u003Col>\u003C!--[-->\u003Cli>\u003C!--[-->You publish an SPF record in your domain&#39;s DNS settings. This record lists all the IP addresses and servers authorized to send email for your domain.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->When a receiving server gets an email from your domain, it looks up your SPF record.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->The receiving server checks whether the sending server&#39;s IP address matches one of the authorized entries.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->If it matches, the email passes SPF. If it doesn&#39;t, the email fails SPF.\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ol>\u003Ch3 id=\"example-spf-record\">\u003Ca href=\"#example-spf-record\">\u003C!--[-->Example SPF Record\u003C!--]-->\u003C/a>\u003C/h3>\u003Cp>\u003C!--[-->A typical SPF record looks like this:\u003C!--]-->\u003C/p>\u003C!--[-->\u003Cpre class=\"\" style=\"\">\u003C!--[-->\u003Ccode>v=spf1 include:_spf.google.com include:servers.mcsv.net -all\n\u003C/code>\u003C!--]-->\u003C/pre>\u003C!--]-->\u003Cp>\u003C!--[-->This record says:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->v=spf1\u003C!--]-->\u003C/code> — This is an SPF version 1 record\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->include:_spf.google.com\u003C!--]-->\u003C/code> — Google&#39;s mail servers are authorized (for Google Workspace users)\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->include:servers.mcsv.net\u003C!--]-->\u003C/code> — Mailchimp&#39;s servers are authorized (if you use Mailchimp for newsletters)\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Ccode 
class=\"\">\u003C!--[-->-all\u003C!--]-->\u003C/code> — Reject emails from any server not listed above (the \u003Ccode class=\"\">\u003C!--[-->-\u003C!--]-->\u003C/code> means hard fail; \u003Ccode class=\"\">\u003C!--[-->~\u003C!--]-->\u003C/code> would mean soft fail)\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch3 id=\"spf-limitations\">\u003Ca href=\"#spf-limitations\">\u003C!--[-->SPF Limitations\u003C!--]-->\u003C/a>\u003C/h3>\u003Cp>\u003C!--[-->SPF is a solid first layer of defense, but it has some limitations:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->It only checks the &quot;envelope from&quot; address\u003C!--]-->\u003C/strong>, not the &quot;From&quot; header that the recipient sees. An attacker can still forge the visible &quot;From&quot; address.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->SPF breaks when emails are forwarded\u003C!--]-->\u003C/strong>, because the forwarding server&#39;s IP address won&#39;t be in the original domain&#39;s SPF record.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->There&#39;s a 10 DNS lookup limit\u003C!--]-->\u003C/strong>. Complex SPF records with many \u003Ccode class=\"\">\u003C!--[-->include\u003C!--]-->\u003C/code> statements can hit this limit, causing failures.\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Cp>\u003C!--[-->That&#39;s where DKIM comes in.\u003C!--]-->\u003C/p>\u003Ch2 id=\"what-is-dkim\">\u003Ca href=\"#what-is-dkim\">\u003C!--[-->What is DKIM?\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->\u003Cstrong>\u003C!--[-->DomainKeys Identified Mail (DKIM)\u003C!--]-->\u003C/strong> adds a digital signature to your outgoing emails. 
This signature is created using a private key (held by your email server) and can be verified using a public key published in your DNS records.\u003C!--]-->\u003C/p>\u003Ch3 id=\"how-dkim-works\">\u003Ca href=\"#how-dkim-works\">\u003C!--[-->How DKIM Works\u003C!--]-->\u003C/a>\u003C/h3>\u003Col>\u003C!--[-->\u003Cli>\u003C!--[-->When your email server sends a message, it creates a cryptographic hash of certain email headers and the message body.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->This hash is signed with your domain&#39;s private key, creating a digital signature.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->The signature is added to the email as a special \u003Ccode class=\"\">\u003C!--[-->DKIM-Signature\u003C!--]-->\u003C/code> header.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->When the receiving server gets the email, it looks up your public key in DNS.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->The receiving server uses that public key to check the signature against its own hash of the signed headers and body.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->If they match, the email passes DKIM — confirming that it came from your domain and wasn&#39;t altered in transit.\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ol>\u003Ch3 id=\"what-dkim-proves\">\u003Ca href=\"#what-dkim-proves\">\u003C!--[-->What DKIM Proves\u003C!--]-->\u003C/a>\u003C/h3>\u003Cp>\u003C!--[-->DKIM ensures two important things:\u003C!--]-->\u003C/p>\u003Col>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Authenticity\u003C!--]-->\u003C/strong>: The email was actually sent by (or authorized by) the claimed domain\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Integrity\u003C!--]-->\u003C/strong>: The email content hasn&#39;t been tampered with during transit — no one has modified the body or the signed headers (such as the subject) since it was signed; headers not covered by the signature are not protected\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ol>\u003Ch3 id=\"dkim-vs-spf\">\u003Ca href=\"#dkim-vs-spf\">\u003C!--[-->DKIM vs. 
SPF\u003C!--]-->\u003C/a>\u003C/h3>\u003Cp>\u003C!--[-->While SPF checks whether the \u003Cem>\u003C!--[-->sending server\u003C!--]-->\u003C/em> is authorized, DKIM checks whether the \u003Cem>\u003C!--[-->email itself\u003C!--]-->\u003C/em> is legitimate and unmodified. They complement each other:\u003C!--]-->\u003C/p>\u003Ctable>\u003C!--[-->\u003Cthead>\u003C!--[-->\u003Ctr>\u003C!--[-->\u003Cth>\u003C!--[-->\u003C!--]-->\u003C/th>\u003Cth>\u003C!--[-->SPF\u003C!--]-->\u003C/th>\u003Cth>\u003C!--[-->DKIM\u003C!--]-->\u003C/th>\u003C!--]-->\u003C/tr>\u003C!--]-->\u003C/thead>\u003Ctbody>\u003C!--[-->\u003Ctr>\u003C!--[-->\u003Ctd>\u003C!--[-->\u003Cstrong>\u003C!--[-->What it checks\u003C!--]-->\u003C/strong>\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->Sending server IP\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->Email content signature\u003C!--]-->\u003C/td>\u003C!--]-->\u003C/tr>\u003Ctr>\u003C!--[-->\u003Ctd>\u003C!--[-->\u003Cstrong>\u003C!--[-->Survives forwarding\u003C!--]-->\u003C/strong>\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->No\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->Yes\u003C!--]-->\u003C/td>\u003C!--]-->\u003C/tr>\u003Ctr>\u003C!--[-->\u003Ctd>\u003C!--[-->\u003Cstrong>\u003C!--[-->Detects tampering\u003C!--]-->\u003C/strong>\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->No\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->Yes\u003C!--]-->\u003C/td>\u003C!--]-->\u003C/tr>\u003Ctr>\u003C!--[-->\u003Ctd>\u003C!--[-->\u003Cstrong>\u003C!--[-->DNS record type\u003C!--]-->\u003C/strong>\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->TXT\u003C!--]-->\u003C/td>\u003Ctd>\u003C!--[-->TXT (public key)\u003C!--]-->\u003C/td>\u003C!--]-->\u003C/tr>\u003C!--]-->\u003C/tbody>\u003C!--]-->\u003C/table>\u003Cp>\u003C!--[-->For the strongest protection, you need both SPF and DKIM — plus DMARC to tie them together.\u003C!--]-->\u003C/p>\u003Ch2 id=\"what-is-dmarc\">\u003Ca href=\"#what-is-dmarc\">\u003C!--[-->What is 
DMARC?\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->\u003Cstrong>\u003C!--[-->Domain-based Message Authentication, Reporting, and Conformance (DMARC)\u003C!--]-->\u003C/strong> builds on SPF and DKIM. It serves two critical functions:\u003C!--]-->\u003C/p>\u003Col>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Policy\u003C!--]-->\u003C/strong>: It tells receiving servers what to do when an email fails both SPF and DKIM checks\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Reporting\u003C!--]-->\u003C/strong>: It sends you reports about authentication results, so you can monitor who is sending email using your domain\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ol>\u003Ch3 id=\"how-dmarc-works\">\u003Ca href=\"#how-dmarc-works\">\u003C!--[-->How DMARC Works\u003C!--]-->\u003C/a>\u003C/h3>\u003Col>\u003C!--[-->\u003Cli>\u003C!--[-->You publish a DMARC record in your DNS settings\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->When a receiving server gets an email from your domain, it checks SPF and DKIM results\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->DMARC adds an important additional check called \u003Cstrong>\u003C!--[-->alignment\u003C!--]-->\u003C/strong>: the domain in the &quot;From&quot; header must match the domain used in SPF and/or DKIM\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->If the email fails alignment, the receiving server follows your DMARC policy\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ol>\u003Ch3 id=\"dmarc-policies\">\u003Ca href=\"#dmarc-policies\">\u003C!--[-->DMARC Policies\u003C!--]-->\u003C/a>\u003C/h3>\u003Cp>\u003C!--[-->DMARC offers three policy levels, allowing you to gradually increase protection:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->p=none\u003C!--]-->\u003C/code>\u003C!--]-->\u003C/strong> (Monitor): Don&#39;t take any action on failed emails. 
This is the starting point — you&#39;ll receive reports about authentication failures without affecting email delivery. Use this phase to identify all legitimate email sources for your domain.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->p=quarantine\u003C!--]-->\u003C/code>\u003C!--]-->\u003C/strong> (Quarantine): Send failed emails to the spam folder. This is a middle ground that protects recipients while still delivering the email (in spam) in case of false positives.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->p=reject\u003C!--]-->\u003C/code>\u003C!--]-->\u003C/strong> (Reject): Block failed emails entirely. This is the strongest protection, telling receiving servers to reject any email that doesn&#39;t pass authentication. Only move to this level once you&#39;re confident that all your legitimate email sources are properly configured.\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch3 id=\"example-dmarc-record\">\u003Ca href=\"#example-dmarc-record\">\u003C!--[-->Example DMARC Record\u003C!--]-->\u003C/a>\u003C/h3>\u003C!--[-->\u003Cpre class=\"\" style=\"\">\u003C!--[-->\u003Ccode>v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100\n\u003C/code>\u003C!--]-->\u003C/pre>\u003C!--]-->\u003Cp>\u003C!--[-->This record says:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->v=DMARC1\u003C!--]-->\u003C/code> — This is a DMARC version 1 record\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->p=quarantine\u003C!--]-->\u003C/code> — Quarantine (send to spam) emails that fail authentication\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Ccode class=\"\">\u003C!--[-->rua=mailto:dmarc@example.com\u003C!--]-->\u003C/code> — Send aggregate reports to this email address\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Ccode 
class=\"\">\u003C!--[-->pct=100\u003C!--]-->\u003C/code> — Apply the policy to 100% of emails (you can start with a lower percentage during rollout)\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch3 id=\"dmarc-reporting\">\u003Ca href=\"#dmarc-reporting\">\u003C!--[-->DMARC Reporting\u003C!--]-->\u003C/a>\u003C/h3>\u003Cp>\u003C!--[-->One of DMARC&#39;s most valuable features is its reporting capability. Receiving servers send you XML reports containing:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->How many emails they received from your domain\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->How many passed or failed SPF, DKIM, and DMARC\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Which IP addresses sent the emails\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->What actions were taken (none, quarantine, reject)\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Cp>\u003C!--[-->These reports help you:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Discover unauthorized senders\u003C!--]-->\u003C/strong> using your domain\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Identify configuration issues\u003C!--]-->\u003C/strong> with your legitimate email services\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Track phishing attempts\u003C!--]-->\u003C/strong> targeting your domain\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Build confidence\u003C!--]-->\u003C/strong> before moving to a stricter DMARC policy\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch2 id=\"how-spf-dkim-and-dmarc-work-together\">\u003Ca href=\"#how-spf-dkim-and-dmarc-work-together\">\u003C!--[-->How SPF, DKIM, and DMARC Work Together\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->Think of these three protocols as layers of a security system:\u003C!--]-->\u003C/p>\u003Col>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->SPF\u003C!--]-->\u003C/strong> 
is the bouncer at the door — it checks if the mail server is on the approved list\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->DKIM\u003C!--]-->\u003C/strong> is the ID verification — it confirms the email is genuine and hasn&#39;t been tampered with\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->DMARC\u003C!--]-->\u003C/strong> is the security manager — it decides what happens when something doesn&#39;t check out and generates incident reports\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ol>\u003Cp>\u003C!--[-->For maximum protection, you need all three working together:\u003C!--]-->\u003C/p>\u003C!--[-->\u003Cpre class=\"\" style=\"\">\u003C!--[-->\u003Ccode>Email sent from your domain\n  ↓\nReceiving server checks SPF → Is the server authorized?\n  ↓\nReceiving server checks DKIM → Is the signature valid?\n  ↓\nDMARC checks alignment → Does the &quot;From&quot; domain match?\n  ↓\nDMARC policy applied → none / quarantine / reject\n  ↓\nDMARC report generated → Sent to your reporting address\n\u003C/code>\u003C!--]-->\u003C/pre>\u003C!--]-->\u003Ch2 id=\"implementing-email-authentication-a-practical-roadmap\">\u003Ca href=\"#implementing-email-authentication-a-practical-roadmap\">\u003C!--[-->Implementing Email Authentication: A Practical Roadmap\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->If you&#39;re setting up email authentication for the first time, here&#39;s a step-by-step approach:\u003C!--]-->\u003C/p>\u003Ch3 id=\"phase-1-audit-week-1-2\">\u003Ca href=\"#phase-1-audit-week-1-2\">\u003C!--[-->Phase 1: Audit (Week 1-2)\u003C!--]-->\u003C/a>\u003C/h3>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->Inventory all services that send email on behalf of your domain (marketing platforms, CRM, transactional email services, etc.)\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Check your existing SPF and DKIM records using our free \u003Ca href=\"/tools/dns-checker/\" class=\"\">\u003C!--[-->DNS 
Checker\u003C!--]-->\u003C/a> tool\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch3 id=\"phase-2-configure-week-2-4\">\u003Ca href=\"#phase-2-configure-week-2-4\">\u003C!--[-->Phase 2: Configure (Week 2-4)\u003C!--]-->\u003C/a>\u003C/h3>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->Set up SPF records that include all legitimate sending services\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Enable DKIM signing for all email services (most providers like Google Workspace, Mailchimp, and SendGrid offer one-click DKIM setup)\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Publish a DMARC record with \u003Ccode class=\"\">\u003C!--[-->p=none\u003C!--]-->\u003C/code> to start collecting reports without affecting delivery\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch3 id=\"phase-3-monitor-week-4-12\">\u003Ca href=\"#phase-3-monitor-week-4-12\">\u003C!--[-->Phase 3: Monitor (Week 4-12)\u003C!--]-->\u003C/a>\u003C/h3>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->Review DMARC reports to identify any legitimate senders you missed\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Fix SPF and DKIM configurations for any services that are failing\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Use our \u003Ca href=\"/tools/dmarc-analyzer/\" class=\"\">\u003C!--[-->DMARC Analyzer\u003C!--]-->\u003C/a> to parse and understand your DMARC XML reports\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch3 id=\"phase-4-enforce-week-12\">\u003Ca href=\"#phase-4-enforce-week-12\">\u003C!--[-->Phase 4: Enforce (Week 12+)\u003C!--]-->\u003C/a>\u003C/h3>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->Move your DMARC policy from \u003Ccode class=\"\">\u003C!--[-->p=none\u003C!--]-->\u003C/code> to \u003Ccode class=\"\">\u003C!--[-->p=quarantine\u003C!--]-->\u003C/code>\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Monitor for any delivery issues\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Eventually move to \u003Ccode class=\"\">\u003C!--[-->p=reject\u003C!--]-->\u003C/code> for maximum 
protection\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch2 id=\"why-does-this-matter-for-everyday-email-users\">\u003Ca href=\"#why-does-this-matter-for-everyday-email-users\">\u003C!--[-->Why Does This Matter for Everyday Email Users?\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->Even if you&#39;re not a system administrator, understanding email authentication helps you:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Improve your email deliverability\u003C!--]-->\u003C/strong>: Properly authenticated emails are more likely to land in the inbox, not spam\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Protect your domain from spoofing\u003C!--]-->\u003C/strong>: Prevent attackers from sending phishing emails that appear to come from your domain. If you build apps with AI tools like Lovable, it&#39;s also worth running a \u003Ca href=\"https://vibe-eval.com/updates/lovable-security-scanner\" rel=\"external\">\u003C!--[-->Lovable security scanner\u003C!--]-->\u003C/a> to catch vulnerabilities before they reach production.\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Build trust with email providers\u003C!--]-->\u003C/strong>: Gmail, Outlook, and other providers favor authenticated emails in their ranking algorithms\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Reduce the chance of your emails landing in spam\u003C!--]-->\u003C/strong>: Authentication signals are a key factor in spam filtering decisions\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->Comply with sender requirements\u003C!--]-->\u003C/strong>: Google and Yahoo now require SPF, DKIM, and DMARC for bulk senders (5,000+ emails per day)\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Ch2 id=\"analyze-your-dmarc-reports\">\u003Ca href=\"#analyze-your-dmarc-reports\">\u003C!--[-->Analyze Your DMARC 
Reports\u003C!--]-->\u003C/a>\u003C/h2>\u003Cp>\u003C!--[-->Understanding your DMARC reports can be challenging. The raw XML format is dense and difficult to read manually — especially when you&#39;re receiving reports from dozens of email providers.\u003C!--]-->\u003C/p>\u003Cp>\u003C!--[-->That&#39;s why we built a free \u003Ca href=\"/tools/dmarc-analyzer/\" class=\"\">\u003C!--[-->DMARC Analyzer\u003C!--]-->\u003C/a> tool that helps you parse and understand your DMARC XML reports in seconds. Simply upload your report file, and the tool breaks down:\u003C!--]-->\u003C/p>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->Total email volume from your domain\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Pass/fail rates for SPF, DKIM, and DMARC\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Source IP addresses and their authentication results\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->Actionable recommendations for improving your email authentication\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003Cp>\u003C!--[-->You can also use our \u003Ca href=\"/tools/dns-checker/\" class=\"\">\u003C!--[-->DNS Checker\u003C!--]-->\u003C/a> to verify that your SPF, DKIM, and DMARC records are correctly published and properly formatted.\u003C!--]-->\u003C/p>\u003Ch2 id=\"further-reading\">\u003Ca href=\"#further-reading\">\u003C!--[-->Further Reading\u003C!--]-->\u003C/a>\u003C/h2>\u003Cul>\u003C!--[-->\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->\u003Ca href=\"/blog/what-are-eml-files/\" class=\"\">\u003C!--[-->What Are EML Files?\u003C!--]-->\u003C/a>\u003C!--]-->\u003C/strong>: Learn about the email file format and how to inspect email headers for authentication details\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->\u003Ca href=\"/blog/email-sharing-best-practices-for-teams/\" class=\"\">\u003C!--[-->Email Sharing Best Practices\u003C!--]-->\u003C/a>\u003C!--]-->\u003C/strong>: How to share emails securely within your 
team\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->\u003Ca href=\"/tools/dmarc-analyzer/\" class=\"\">\u003C!--[-->DMARC Analyzer Tool\u003C!--]-->\u003C/a>\u003C!--]-->\u003C/strong>: Parse your DMARC reports instantly\u003C!--]-->\u003C/li>\u003Cli>\u003C!--[-->\u003Cstrong>\u003C!--[-->\u003Ca href=\"/tools/dns-checker/\" class=\"\">\u003C!--[-->DNS Checker Tool\u003C!--]-->\u003C/a>\u003C!--]-->\u003C/strong>: Verify your DNS records including SPF, DKIM, and DMARC\u003C!--]-->\u003C/li>\u003C!--]-->\u003C/ul>\u003C/div>\u003C/div>\u003C/div>\u003C/div>\u003C/div>\u003C/article>\u003C!--]-->\u003C/main>\u003C/div>"]