Tutorial · Kien Phan, Founder

Email Deliverability: SPF, DKIM, and DMARC Explained

Why email authentication matters in 2026

Email authentication is no longer optional. In February 2024, Google and Yahoo began enforcing strict authentication requirements for bulk senders: SPF and DKIM are mandatory, DMARC policies must be published, and unsubscribe headers are required. These requirements apply to anyone sending more than 5,000 emails per day to Gmail or Yahoo addresses. Even if you're below that threshold, proper authentication dramatically improves your deliverability. Without SPF, DKIM, and DMARC, your emails are significantly more likely to land in spam or be rejected entirely. Setting up authentication correctly is the single most impactful thing you can do for email deliverability.

SPF: Authorizing your sending servers

SPF (Sender Policy Framework) is a DNS TXT record that tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain. When Gmail receives an email from your domain, it checks your SPF record to verify the sending server is listed. If it's not, the email fails SPF and is more likely to be marked as spam. Your SPF record should include all services that send email for your domain — your email API provider, your corporate email (Google Workspace, Microsoft 365), and any other services like CRM tools.

; SPF record — add as TXT record on your root domain
yourdomain.com.  TXT  "v=spf1 include:_spf.aisend.app include:_spf.google.com ~all"

; DKIM record — add as CNAME
aisend._domainkey.yourdomain.com.  CNAME  aisend._domainkey.aisend.app.

; DMARC record — start with monitoring
_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

DKIM: Cryptographic email signatures

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The sending server signs the email with a private key, and the receiving server verifies this signature using a public key published in your DNS as a CNAME or TXT record. This proves two things: the email actually came from your domain (not from a forger), and the content wasn't modified in transit. DKIM is critical for deliverability because ISPs use it as a strong signal of legitimacy. When you set up a custom domain with AISend, we generate DKIM keys for you and provide the DNS records to publish. Most email providers use 2048-bit RSA keys for DKIM, which provide strong security against forgery.

DMARC: The policy layer

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together by telling receiving servers what to do when authentication fails. It supports three policies: p=none (monitor only, don't take action), p=quarantine (send failing emails to spam), and p=reject (reject failing emails entirely). Start with p=none to monitor your email flows and identify any legitimate services that aren't authenticated. Once you've verified all your senders are properly configured, upgrade to p=quarantine and eventually p=reject. DMARC also specifies a reporting address where ISPs send daily aggregate reports about your domain's email authentication results. These reports help you identify unauthorized use of your domain.

Setting up authentication with AISend

AISend simplifies email authentication. When you add a domain in the dashboard, we automatically generate the required DNS records for SPF and DKIM. You just copy them to your DNS provider (Cloudflare, Route 53, Namecheap, etc.) and click Verify. AISend checks your DNS records and confirms everything is configured correctly. We also monitor your domain's authentication status continuously and alert you if records expire, change, or are misconfigured. For DMARC, we recommend starting with a monitoring policy and gradually tightening it as you confirm all your email flows are authenticated. The dashboard provides a step-by-step guide for your specific domain setup.
