SPF, DKIM, DMARC: A No-BS Guide for 2026

SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorized to send email on behalf of your domain. Set it up by adding a TXT record to your DNS: `v=spf1 include:sendgrid.net ~all`. The `~all` is a soft fail — it flags unauthorized senders but doesn't reject them. Use `-all` once you're confident your SPF record is complete.

DKIM (DomainKeys Identified Mail) cryptographically signs each message using a private key you hold, and publishes the corresponding public key in your DNS. Receiving servers verify the signature to confirm the message wasn't tampered with in transit. Every reputable ESP gives you DKIM keys to add to your DNS — just follow their guide and verify with a tool like MXToolbox.

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when SPF or DKIM checks fail. The most common mistake? Setting DMARC to `p=none` and forgetting about it. That tells receiving servers to do nothing when authentication fails — effectively defeating the entire point.

The correct progression: start with `p=none; rua=mailto:dmarc@yourdomain.com` to collect reports without affecting deliverability. After two weeks of monitoring, move to `p=quarantine` (sends failures to spam). After another two weeks with clean reports, move to `p=reject` (blocks unauthenticated senders entirely). This is the gold standard.

Finally, set up BIMI (Brand Indicators for Message Identification) if you want your logo to appear next to your emails in Gmail and Apple Mail. It requires a verified Mark Certificate (VMC) and a published `p=reject` DMARC policy. It's the finishing touch that signals enterprise-grade seriousness to both ISPs and subscribers.