Email Authentication: SPF, DKIM, DMARC, BIMI & MTA-STS Explained

Email authentication is how you prove to mailbox providers that a message claiming to come from your domain really did. It is built from a small stack of DNS-based standards — SPF, DKIM, DMARC, and increasingly BIMI, MTA-STS, ARC and TLS-RPT — and getting it right is no longer optional. Since February 2024, Google and Yahoo require bulk senders to authenticate, and Microsoft has followed. This hub is ToolTrusted’s complete, plain-English guide to each standard: what it does, how to set it up, how to troubleshoot it, and how to keep it healthy.

📊 New — original research: we measured live DNS for 10,000 top domains. SPF adoption is 84.5% and DMARC reaches 76.6%, but only 54% actually enforce it. Read the full 2026 email authentication statistics, or see how enforcement varies by DMARC adoption by TLD and country.

The authentication stack, in order

The standards build on each other. Set them up in this order and each one makes the next more effective.

  • SPF (Sender Policy Framework) — a DNS TXT record listing which servers are allowed to send mail for your domain. The first line of defense against spoofing.
  • DKIM (DomainKeys Identified Mail) — a cryptographic signature added to each message, letting receivers verify it was not altered and really came from your domain.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) — ties SPF and DKIM together with a published policy (none / quarantine / reject) and sends you reports on who is sending as your domain.
  • BIMI (Brand Indicators for Message Identification) — displays your verified logo next to authenticated mail; requires DMARC at enforcement.
  • MTA-STS & TLS-RPT — enforce and report on encrypted (TLS) delivery between mail servers.
  • ARC (Authenticated Received Chain) — preserves authentication results across forwarders and mailing lists.
  • Reverse DNS (PTR) & MX records — the supporting DNS that mailbox providers expect every legitimate sender to have configured.

Each standard gets the full treatment

For every standard above we publish a beginner guide (what it is and how to set it up), an advanced guide (alignment, edge cases, multi-vendor setups), a troubleshooting walkthrough (why it is failing and how to fix it), and a best-practices checklist. These live in the email authentication category and are written by ToolTrusted’s deliverability team.

Start with the core three

These are the three standards Google, Yahoo and Microsoft now require — set them up in this order:

Then go deeper

Once SPF, DKIM and DMARC are solid, these guides cover the rest of the authentication and infrastructure stack:

  • BIMI records — show your verified logo in the inbox (requires DMARC at enforcement).
  • MTA-STS — force encrypted, validated TLS delivery to your domain.
  • TLS-RPT — get daily reports on TLS delivery success and failure.
  • ARC — preserve authentication across forwarders and mailing lists.
  • Reverse DNS (PTR) — the sending-IP requirement Gmail and Yahoo enforce.
  • MX records — how inbound mail is routed to your servers.
  • DNSSEC — sign your DNS so the SPF, DKIM, DMARC and MX records above can’t be forged (and unlock DANE).

Score your email health in seconds

Run the free Email Health Check to score your domain out of 100 across authentication, infrastructure, security and reputation — it checks SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI in one pass and ranks the exact fixes. Prefer to inspect one record at a time? Our free email tools look up and generate each record individually, paired with the matching setup guide. When you are ready to monitor DMARC reports at scale and move safely to enforcement, compare the dedicated platforms in our best DMARC software guide.

Why it matters for deliverability

Authentication is the foundation everything else rests on. Without it, even a sender with a perfect list and great content gets filtered or rejected. With it, you unlock the reputation signals that decide inbox placement. Once your authentication is solid, move on to our email deliverability hub for reputation, warm-up and inbox-placement work.

Continue across the platform

ToolTrusted covers the whole email stack. Wherever you go next, it connects back here:

  • The ToolTrusted Platform — continuous monitoring, incidents, analytics, recommendations, benchmarking and automation.
  • How It Works — the whole Email Health journey — check, report, save, track and monitor.
  • Email Health Check — score your domain out of 100 across authentication, infrastructure, security and reputation.
  • Research & Benchmarks — original data on SPF, DKIM and DMARC across 10,000 domains.
  • Email Deliverability — reputation, warm-up, blacklists and inbox placement.
  • SMTP Services — SES, Mailgun, Postmark and more, ranked on deliverability.
  • Email Verification — list cleaning and inbox-placement testing tools.
  • Email Security — stop spoofing and phishing, and encrypt delivery.
  • Email APIs — transactional and marketing APIs for developers.
  • Email Marketing — hands-on platform reviews, comparisons and best-of roundups.

Frequently asked questions

What is the difference between SPF, DKIM and DMARC?

SPF says which servers may send for your domain. DKIM cryptographically signs each message so receivers can verify it was not altered. DMARC ties the two together: it tells receivers what to do when a message fails (nothing, quarantine, or reject) and sends you reports. You need all three — they solve different parts of the same problem.

Do I really need DMARC in 2026?

Yes. Google, Yahoo and Microsoft require a DMARC record for bulk senders, and DMARC is also what stops criminals from spoofing your domain in phishing attacks. Start at p=none to collect reports safely, fix any legitimate sources that fail, then move to p=quarantine and ultimately p=reject for full protection.

How long do authentication changes take to work?

DNS changes propagate within minutes to a few hours depending on your record’s TTL, but DMARC enforcement should be rolled out over weeks: publish p=none, review reports for one to two weeks to confirm all legitimate mail passes, then tighten the policy gradually so you never block your own mail.