
SPF, DKIM, DMARC: The Developer's No-Nonsense Setup Guide

PushMail Team · 4 min read

Google started rejecting unauthenticated bulk email in February 2024, with Yahoo enforcing the same rules alongside it. Microsoft followed in May 2025. If you send more than 5,000 messages a day to Gmail accounts and you haven't set up SPF, DKIM, and DMARC, your mail is already being rejected or filtered to spam.

This isn't optional anymore. Here's exactly what to set up and how.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. It's a single TXT record in the domain's DNS. Note which domain is checked: receivers evaluate SPF against the envelope sender (the SMTP MAIL FROM, visible afterwards as Return-Path), not the From header a user sees in their mail client.

Example record

v=spf1 include:sendgrid.net ~all

This says: "SendGrid's servers are authorized to send email for this domain. Soft-fail everything else."

If you use multiple services (e.g., SendGrid for transactional, Google Workspace for internal), list them all in the one record:

v=spf1 include:sendgrid.net include:_spf.google.com ~all

Common mistakes

Too many DNS lookups. SPF allows a maximum of 10 DNS lookups per check (RFC 7208). Every include:, a, mx, ptr, exists and redirect= term costs one lookup, and the terms inside an included record count as well; ip4: and ip6: are free. include:sendgrid.net alone resolves to 3 lookups. Add Google Workspace, Mailchimp, HubSpot, and Zendesk and you're over the limit. When a check exceeds 10 lookups the result is permerror rather than pass: SPF then contributes nothing to DMARC, and some receivers treat a permerror like a failure.

dig shows you the record, but the count is the sum over every nested include: and redirect=, so walk them with an SPF validator rather than by eye. If you're over 10, consolidate providers, replace includes with ip4:/ip6: ranges where a provider publishes stable ones, or use an SPF flattening service (which has to be re-run whenever a provider changes its ranges).

Using +all instead of ~all or -all. The +all mechanism authorizes every server on the internet to send as your domain. Never use it. Use ~all (soft-fail) during testing and -all (hard-fail) once you've confirmed everything works. DMARC only counts an SPF pass, so for DMARC purposes ~all and -all behave the same; the difference matters to receivers that evaluate SPF on its own.

Multiple SPF records. You can only have one SPF TXT record per name. If you add a second v=spf1 record, the check returns permerror and both are ignored. Merge them into a single record. Other TXT records on the same name (domain-verification tokens and the like) are fine; only a second v=spf1 record is the problem.
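The two mistakes above are mechanical enough to check in code. The following is an added example, not part of the original post: it walks a constructed zone (the hostnames and records are placeholders, not real DNS) the way a receiver's SPF evaluator would, counting every lookup-costing term including those inside nested includes, and refusing names that publish two SPF records. yourdomain.com stays within the limit; over.example illustrates a set of providers that blows through it.

```python
import re

# Constructed zone data for this example: TXT records keyed by owner name.
# These are placeholders, not real DNS. example-esp.net and _spf.crm.example
# deliberately expand to nested includes.
ZONE = {
    "yourdomain.com": [
        "v=spf1 include:example-esp.net include:_spf.example-mail.com ~all",
    ],
    "over.example": [
        "v=spf1 include:example-esp.net include:_spf.example-mail.com "
        "include:_spf.crm.example include:_spf.support.example ~all",
    ],
    "broken.example": [                      # two SPF records on one name
        "v=spf1 include:example-esp.net -all",
        "v=spf1 mx -all",
    ],
    "example-esp.net": ["v=spf1 include:a.example-esp.net include:b.example-esp.net ~all"],
    "a.example-esp.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.example-esp.net": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.example-mail.com": ["v=spf1 a mx ip6:2001:db8::/32 ~all"],
    "_spf.crm.example": ["v=spf1 include:example-esp.net mx -all"],
    "_spf.support.example": ["v=spf1 a mx ptr ~all"],
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4; ip4/ip6/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
SPF_VERSION_RE = re.compile(r"v=spf1(\s|$)", re.IGNORECASE)
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=]([^/]*))?(?:/.*)?$")


def spf_record(name, zone):
    """Return the single v=spf1 record for `name`, or None if there is none.

    Two or more SPF records on one name is a permerror (RFC 7208 section 4.5),
    so that case raises instead of silently picking one.
    """
    records = [r for r in zone.get(name, []) if SPF_VERSION_RE.match(r)]
    if len(records) > 1:
        raise ValueError(f"{name}: {len(records)} SPF records published (permerror)")
    return records[0] if records else None


def count_lookups(name, zone, path=()):
    """Count DNS-querying terms in `name`'s SPF record, recursing into
    include: and redirect= targets the way a receiver's evaluator would."""
    if name in path:
        raise ValueError(f"include loop: {' -> '.join(path + (name,))}")
    record = spf_record(name, zone)
    if record is None:
        return 0
    total = 0
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        term = term.lstrip("+-~?")             # the qualifier does not affect cost
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable term {term!r} in {name}")
        mech, arg = m.group(1), m.group(2)
        if mech in LOOKUP_TERMS:
            total += 1                          # the term itself is one query
            if mech in ("include", "redirect") and arg:
                total += count_lookups(arg, zone, path + (name,))  # plus the target's cost
    return total


def check_spf(name, zone=ZONE):
    """Lookup count for a domain and whether it is within the 10-lookup limit."""
    n = count_lookups(name, zone)
    return {"domain": name, "lookups": n, "within_limit": n <= MAX_LOOKUPS}


if __name__ == "__main__":
    for domain in ("yourdomain.com", "over.example"):
        print(check_spf(domain))
    try:
        check_spf("broken.example")
    except ValueError as err:
        print("error:", err)
```

To run it against real DNS, replace the ZONE dictionary with a resolver call that returns the TXT strings for a name; the counting logic does not change. The deprecated ptr mechanism still costs a lookup, which is one more reason to drop it.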

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. The receiving server fetches the public key published in the signing domain's DNS and uses it to verify that the signed parts of the message weren't modified in transit and that the domain in the signature's d= tag vouches for the message. It is the d= domain that gets authenticated, not the From header; DMARC is what ties the two together.

What gets signed

The DKIM signature covers the header fields listed in its h= tag (From is mandatory; Subject, Date, Message-ID and To are typical) plus a hash of the message body carried in the bh= tag. If anything covered is altered after signing, a mailing list adding a footer or rewriting Subject for example, the signature breaks. Don't work around this with the l= body-length tag: it leaves whatever follows the signed length unsigned, so anyone can append content to a signed message and it still verifies.
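To make the "what gets signed" point concrete, here is an added example (not code from the original post or from PushMail) that implements the body-hash half of DKIM verification: relaxed body canonicalization as RFC 6376 defines it, the bh= computation, and a check of a received body against the bh= carried in a DKIM-Signature header. The message body and the mailing-list footer are constructed sample data, and the b= tag is a placeholder because the RSA signature over the headers is not computed here; the point is to show exactly which body changes survive and which break the hash.

```python
import base64
import hashlib
import re

# Constructed message body for the example (CRLF line endings, as on the wire),
# and the kind of footer a mailing list appends after the sender has signed.
ORIGINAL_BODY = b"Hi Alice,\r\n\r\nYour invoice for March is attached.\r\n\r\n-- \r\nPushMail\r\n"
LIST_FOOTER = b"\r\n_______________________________________________\r\nSent via the dev-announce list\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    SP/TAB to one space, drop trailing whitespace on each line, and drop empty
    lines at the end of the body. Returns b"" for an empty body."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def make_dkim_signature(domain: str, selector: str, body: bytes) -> str:
    """Build the DKIM-Signature header value a signer would emit. The b= tag is a
    placeholder: RSA signing of the header hash is not performed in this example."""
    return (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; "
        f"d={domain}; s={selector}; "
        "h=from:to:subject:date:message-id; "
        f"bh={body_hash(body)}; b=RSA-SIGNATURE-PLACEHOLDER"
    )


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(header_value: str) -> list:
    """Header fields covered by the signature (the h= tag). From must be among them."""
    return parse_dkim_tags(header_value)["h"].lower().split(":")


def verify_body_hash(header_value: str, body: bytes) -> bool:
    """Recompute bh= over the body as received and compare with the signed value.
    Only relaxed body canonicalization is implemented; 'simple' is rejected."""
    tags = parse_dkim_tags(header_value)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "relaxed":
        raise NotImplementedError(f"body canonicalization {body_canon!r} not handled here")
    if "l" in tags:
        # l= limits the hash to the first N bytes and lets anyone append content;
        # treat its presence as a failure rather than honouring it.
        return False
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    sig = make_dkim_signature("yourdomain.com", "s1", ORIGINAL_BODY)
    print("signed headers:", signed_headers(sig))
    print("unchanged body verifies:", verify_body_hash(sig, ORIGINAL_BODY))
    print("after list footer:", verify_body_hash(sig, ORIGINAL_BODY + LIST_FOOTER))
```

Note what relaxed canonicalization forgives: extra trailing blank lines and whitespace changes inside a line still verify, because they are normalized away before hashing. A footer, or any new line of content, does not.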

Setup

Your ESP generates a DKIM key pair. You publish the public key as a DNS TXT record, typically at a selector subdomain:

s1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

The selector (s1 in this example) lets you rotate keys without downtime. Publish a new key under a new selector, switch your ESP to sign with the new key, and only then remove the old DNS record, after leaving it in place long enough for mail already signed with the old key to be delivered and verified (queued and delayed messages can arrive days later). On key size: Google's bulk-sender requirements set a 1024-bit minimum for RSA keys; generate 2048-bit keys, whose p= value is correspondingly longer than the one above.

Key rotation

DKIM keys should be rotated at least once a year. Most ESPs don't do this automatically, and because the ESP generated the key pair it also holds the private key: rotation is something you request from them and then mirror in DNS. If your key has been published since 2022, rotate it. A compromised DKIM private key lets an attacker send perfectly authenticated email as your domain, so also delete the selector records of providers you have stopped using; an orphaned key is a standing authorization.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also gives you reporting so you can see who's sending email as your domain.

The alignment requirement

DMARC doesn't just check that SPF or DKIM passed. It checks that whichever one passed is aligned with the domain in the From header. If your email's From address is you@yourdomain.com, then either:

  • SPF must pass, and the envelope-sender domain it was checked against must align with yourdomain.com, OR
  • a DKIM signature must verify, and its signing domain (the d= tag) must align with yourdomain.com

"Align" is relaxed by default: a subdomain such as mail.yourdomain.com counts as aligned with yourdomain.com. Add adkim=s or aspf=s to the DMARC record if you want an exact match (strict alignment).

Which of the two you rely on is a practical question. Many ESPs use their own bounce domain as the envelope sender unless you configure a custom return-path, so SPF often passes without aligning; a DKIM signature with d=yourdomain.com is what usually carries DMARC.

This is what catches spoofing. A spammer can set up SPF for their own domain and send email with your address in the From header, but the alignment check will fail because the authenticated domain doesn't match.

Policy progression

Start with monitoring, then tighten:

Week 1-4: Monitor only

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

p=none means take no action on failures but send aggregate reports to the rua address, typically one report per day from each reporting receiver. Use these reports to identify every legitimate service sending as your domain. Without an sp= tag the policy also applies to subdomains, so senders on those have to be accounted for too.

Week 5-8: Quarantine

_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com"

p=quarantine tells receivers to put failing messages in spam. pct=25 applies that to only 25% of failing messages; the other 75% get the next weaker policy (none, here), so nothing is silently lost. Ramp up to pct=100 over a few weeks as you confirm no legitimate email is being caught.

Week 9+: Reject

_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"

p=reject tells receivers to refuse failing messages outright at SMTP time. This is the strongest protection. Google's and Microsoft's bulk-sender requirements only mandate a published DMARC record (p=none is enough to comply), but reject is the policy that actually stops spoofing, so treat none and quarantine as stepping stones rather than destinations.
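The alignment rule and the policy progression above come together in the decision a receiver makes for each message. The following added example (not code from the original post or from PushMail) parses a _dmarc record, applies relaxed or strict alignment, picks p or sp depending on whether the From domain is the organizational domain, and honours pct by degrading to the next weaker policy. The public-suffix table is a toy stand-in for the real Public Suffix List, and sample_roll replaces the receiver's random sampling so the result is deterministic; the domains are placeholders.

```python
# Toy stand-in for the Public Suffix List, enough for the domains used here.
# A real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the label directly above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. mode 's' (strict) needs an exact match;
    'r' (relaxed, the default) accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record into its tags with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    return {
        "p": tags["p"],
        "sp": tags.get("sp", tags["p"]),      # subdomain policy defaults to p
        "pct": int(tags.get("pct", "100")),
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
        "rua": tags.get("rua"),
    }


def evaluate(record: str, from_domain: str, spf, dkim_sigs, sample_roll: int = 1):
    """Return (dmarc_result, disposition) for one message, assuming `record` was
    published at the organizational domain's _dmarc name.

    spf        : (result, envelope-from domain), e.g. ("pass", "bounces.example-esp.net")
    dkim_sigs  : list of (result, d= domain), one per DKIM-Signature on the message
    sample_roll: 1..100; stands in for the receiver's random pct sampling. Rolls
                 above pct get the next weaker policy (reject -> quarantine -> none).
    """
    pol = parse_dmarc(record)
    spf_aligned = spf[0] == "pass" and aligned(spf[1], from_domain, pol["aspf"])
    dkim_aligned = any(r == "pass" and aligned(d, from_domain, pol["adkim"]) for r, d in dkim_sigs)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    policy = pol["p"] if from_domain.lower() == org_domain(from_domain) else pol["sp"]
    if sample_roll > pol["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com"
    # ESP uses its own bounce domain as envelope sender but DKIM-signs as yourdomain.com
    print(evaluate(record, "yourdomain.com", ("pass", "bounces.example-esp.net"),
                   [("pass", "yourdomain.com")]))
    # Spoof: the attacker's own SPF and DKIM pass, but for the wrong domain
    print(evaluate(record, "yourdomain.com", ("pass", "spammer.example"),
                   [("pass", "spammer.example")], sample_roll=10))
```

The first case is the common ESP setup: SPF passes for the provider's bounce domain, which does not align, and the aligned DKIM signature is what makes DMARC pass. The second is the spoof from the alignment section; under pct=25 only some of those messages are quarantined, which is exactly why pct is a transition setting and not a resting place.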

Reading DMARC reports

The aggregate reports sent to your rua address are XML documents, usually delivered as gzip- or zip-compressed attachments, one per reporting receiver per day. They aren't meant to be read by hand. Use a reporting service (DMARC Analyzer, Postmark's DMARC tool and others) or a parser to aggregate them by source IP and authentication result.
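If you would rather see what is inside a report before handing it to a service, the following added example (not code from the original post or from PushMail) parses the aggregate-report XML format with the standard library and totals messages per source IP. The report embedded below is constructed sample data, already decompressed; it shows the two rows you will see most often: your ESP passing aligned DKIM while its SPF fails alignment, and a third party whose SPF and DKIM pass for their own domain but fail DMARC for yours.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, trimmed to the elements that matter. Real ones
# arrive as .xml.gz or .zip attachments and are decompressed first.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>1700000000.12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>25</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounces.example-esp.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>spammer.example</domain><selector>x</selector><result>pass</result></dkim>
      <spf><domain>spammer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> list:
    """Flatten each <record> into one dict. The policy_evaluated dkim/spf values
    are the DMARC-aligned results; the auth_results values are the raw SPF/DKIM
    outcomes, which can be 'pass' for a domain that is not yours."""
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name")
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "reporter": reporter,
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim") == "pass",
            "spf_aligned": rec.findtext("row/policy_evaluated/spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows


def summarize(rows: list) -> dict:
    """Message counts per source IP split into DMARC pass and fail, with the
    domains that authenticated, so forgotten services and spoofers stand out."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "dkim_domain": None, "spf_domain": None})
    for r in rows:
        bucket = "pass" if (r["dkim_aligned"] or r["spf_aligned"]) else "fail"
        entry = summary[r["source_ip"]]
        entry[bucket] += r["count"]
        entry["dkim_domain"] = r["dkim_domain"]
        entry["spf_domain"] = r["spf_domain"]
    return dict(summary)


if __name__ == "__main__":
    for ip, stats in summarize(parse_aggregate_report(SAMPLE_REPORT)).items():
        print(ip, stats)
```

When you read a real report, look at the failing bucket first and compare its auth_results domains against your From domain: a failing source whose DKIM d= is a provider you actually use means a provider you have not configured to sign as your domain yet, while unfamiliar domains and IPs are the spoofing the policy is there to stop.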

One-click unsubscribe (RFC 8058)

This isn't strictly authentication, but it's part of the same enforcement wave. Google and Yahoo now require bulk senders to support one-click unsubscribe as defined in RFC 8058, which means both headers: a List-Unsubscribe header carrying an https URL and a List-Unsubscribe-Post header:

List-Unsubscribe: <https://yourdomain.com/unsubscribe?id=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

The mail client sends a POST to that URL with the body List-Unsubscribe=One-Click, and the request has to be honoured without a login, a confirmation page or a redirect, within two days. Without these headers, Gmail can put your marketing email in spam regardless of your authentication setup. This only applies to marketing/bulk email; transactional messages (password resets, receipts) are exempt. Two things to get right on the endpoint: the id in the URL must be an unguessable per-recipient token, or anyone can unsubscribe anyone else, and a plain GET must never change state, because link scanners and preview fetchers follow GET links.
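Here is an added example (not code from the original post or from PushMail's product) of an endpoint that meets those requirements: it mints the two headers with an HMAC-protected per-recipient token, accepts the RFC 8058 POST without any session, treats GET as display-only, and stays idempotent. The secret, base URL and in-memory subscriber set are constructed placeholders; a real service would read the secret from a secret store and write to its subscriber database.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed values for the example. The secret would come from a secret store.
UNSUBSCRIBE_SECRET = b"example-secret-do-not-use-in-production"
BASE_URL = "https://yourdomain.com/unsubscribe"

# Stand-in for the subscriber database: ids that have opted out.
UNSUBSCRIBED = set()


def make_token(subscriber_id: str) -> str:
    """Opaque per-recipient token: the id plus a truncated HMAC-SHA256 (128 bits)
    so it can be neither guessed nor edited to target someone else."""
    mac = hmac.new(UNSUBSCRIBE_SECRET, subscriber_id.encode(), hashlib.sha256).hexdigest()
    return f"{subscriber_id}.{mac[:32]}"


def parse_token(token: str):
    """Return the subscriber id if the HMAC verifies, else None."""
    subscriber_id, _, mac = token.rpartition(".")
    if not subscriber_id:
        return None
    expected = hmac.new(UNSUBSCRIBE_SECRET, subscriber_id.encode(), hashlib.sha256).hexdigest()[:32]
    return subscriber_id if hmac.compare_digest(mac, expected) else None


def unsubscribe_headers(subscriber_id: str) -> dict:
    """The two headers RFC 8058 requires on every bulk message."""
    return {
        "List-Unsubscribe": f"<{BASE_URL}?token={make_token(subscriber_id)}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_unsubscribe(method: str, url: str, body: str = "") -> tuple:
    """Minimal request handler returning (status, message).

    POST with body List-Unsubscribe=One-Click (the mail client) or confirm=yes
    (the button on the page a human sees) unsubscribes immediately: no login,
    no redirect. GET renders the confirmation page and changes nothing, because
    link scanners and prefetchers issue GETs.
    """
    query = parse_qs(urlparse(url).query)
    subscriber_id = parse_token(query.get("token", [""])[0])
    if subscriber_id is None:
        return 404, "unknown token"            # no oracle on whether an id exists
    if method == "GET":
        return 200, "confirmation page (no state change)"
    if method == "POST":
        form = parse_qs(body)
        if form.get("List-Unsubscribe") != ["One-Click"] and form.get("confirm") != ["yes"]:
            return 400, "expected List-Unsubscribe=One-Click or the confirmation form"
        UNSUBSCRIBED.add(subscriber_id)       # idempotent: a repeat POST is still 200
        return 200, "unsubscribed"
    return 405, "method not allowed"


if __name__ == "__main__":
    headers = unsubscribe_headers("sub-42")
    url = headers["List-Unsubscribe"].strip("<>")
    print(headers)
    print("GET :", handle_unsubscribe("GET", url))
    print("POST:", handle_unsubscribe("POST", url, "List-Unsubscribe=One-Click"))
    print("unsubscribed:", sorted(UNSUBSCRIBED))
```

The handler returns 404 for a bad token rather than distinguishing "no such subscriber" from "bad signature", so the endpoint cannot be used to enumerate ids. Keep the two-day processing window in mind if unsubscribes are queued rather than applied synchronously.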

The checklist

Record   Type   Name                   Purpose
SPF      TXT    @                      Authorize sending IPs
DKIM     TXT    selector._domainkey    Cryptographic message signing
DMARC    TXT    _dmarc                 Policy enforcement + reporting

All three must be in place, and at least one of SPF or DKIM must both pass and align with your From domain for DMARC to pass.

How PushMail handles this

PushMail's managed sending configuration handles SPF, DKIM, and DMARC alignment automatically. When you set up a sending domain, we provision DKIM keys and guide you through the two DNS records you need to add. SPF alignment is handled through our SendGrid integration — no manual SPF changes required. DMARC is your responsibility to publish (since it's your domain policy), but our sending infrastructure is configured to pass alignment checks out of the box.

One-click unsubscribe headers are added automatically to all campaign and sequence emails.