Authentication · 15 min read

DKIM, SPF, and DMARC in plain English

These three records together prove to mailbox providers that an email is legitimately from you.

SPF (Sender Policy Framework). A DNS TXT record listing the IP addresses allowed to send mail for your domain. Mailbox providers check the sending IP against this list. If the IP is not authorized, SPF fails.

DKIM (DomainKeys Identified Mail). A cryptographic signature in the email headers proving the message was authorized by your domain. The signature is verified against a public key published in DNS. If the signature does not verify, DKIM fails.

DMARC (Domain-based Message Authentication, Reporting and Conformance). A policy record telling mailbox providers what to do with a message when neither SPF nor DKIM passes for your domain. Three policy options: p=none (monitor only), p=quarantine (route to spam), p=reject (refuse delivery).

Alignment. The key concept. DMARC requires that the domain authenticated by SPF or DKIM matches the domain in the From header. A passing DKIM signature for a domain other than the From domain is not aligned and counts as a DMARC failure.
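The alignment rule as a small evaluator, added here as an illustration and not part of Inbox OSS. It goes slightly beyond the text by modelling DMARC's relaxed and strict alignment modes; the function names, the two-label organizational-domain shortcut, and the sample messages are assumptions made for this example.

```python
from dataclasses import dataclass

DISPOSITION = {"none": "monitor only", "quarantine": "route to spam",
               "reject": "refuse delivery"}

def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # Real receivers use the Public Suffix List to handle cases like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict: exact match. Relaxed: same organizational domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class AuthResult:
    mechanism: str  # "spf" or "dkim"
    result: str     # "pass", "fail", ...
    domain: str     # SPF: envelope sender domain; DKIM: signing domain (d=)

def dmarc_evaluate(from_domain, results, policy="none", strict=False):
    """Return (dmarc_result, action) for one message."""
    # One aligned pass from either mechanism is enough for DMARC to pass.
    for r in results:
        if r.result == "pass" and aligned(r.domain, from_domain, strict):
            return "pass", "deliver"
    return "fail", DISPOSITION[policy]

# Constructed sample messages, all with From: someone@example.com
# Both checks pass, but for the sending service's domain, not the From domain.
THIRD_PARTY = [AuthResult("spf", "pass", "bounce.example.net"),
               AuthResult("dkim", "pass", "example.net")]
# SPF fails, DKIM passes for a subdomain of the From domain.
SUBDOMAIN = [AuthResult("spf", "fail", "bounce.example.net"),
             AuthResult("dkim", "pass", "mail.example.com")]

if __name__ == "__main__":
    print(dmarc_evaluate("example.com", THIRD_PARTY, "reject"))
    print(dmarc_evaluate("example.com", SUBDOMAIN, "reject"))
    print(dmarc_evaluate("example.com", SUBDOMAIN, "quarantine", strict=True))
```

The first sample is the case the paragraph warns about: SPF and DKIM both pass, yet DMARC fails because neither passing domain matches the From domain.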

The migration path. Start with p=none and watch the aggregate reports for 30 days. Once you have confirmed that all legitimate mail aligns, move to p=quarantine. After another 30 days, move to p=reject.

Inbox OSS handles all three automatically for sending domains you authenticate through us.
