Email Fast Get a sandbox key
Glossary

Email authentication

SPF, DKIM, and DMARC are one system with three parts. Here is how they fit, and why they stopped being optional.

Email authentication is the system of three DNS-based standards, SPF, DKIM, and DMARC, that lets a receiving server verify who sent a message. SPF authorizes sending servers, DKIM cryptographically signs the content, and DMARC ties both to the visible From address and declares what to do when they fail.

Why it matters

For most of email's history these were optional good citizenship. In February 2024, Gmail and Yahoo made them table stakes: senders of bulk mail (Gmail draws the line at 5,000 messages a day to Gmail addresses) must publish SPF and DKIM, carry a DMARC record, align the From domain, offer one-click unsubscribe, and keep spam complaints under 0.3%. Unauthenticated bulk mail is now rejected or junked outright, not merely scored down. Authentication is the entry ticket; deliverability work starts after it.

In practice

The three interlock rather than stack. Consider a subscriber whose employer auto-forwards their mail: forwarding changes the connecting IP, so SPF fails, but the DKIM signature travels inside the message and still verifies, so DMARC passes on the DKIM identity. That redundancy is the design. Each standard covers the others' blind spots, and DMARC needs only one aligned pass. The practical setup order is DKIM and SPF first, then DMARC at p=none to watch reports, then enforcement once every legitimate source authenticates.

How Email Fast handles it

Email Fast treats authentication as a gate, not a suggestion: domain verification checks your SPF, DKIM, and DMARC records before sending is enabled on the domain, and every message is DKIM-signed on the way out. For the transport-security layer on top of authentication, see MTA-STS and TLS-RPT.

See it for yourself

Sandbox keys run the real pipeline dry — real validation, real events, a hosted inbox, no email sent. Early access is onboarding now.