The Complete Guide to Email Authentication
How SPF, DKIM, DMARC, and the newer ARC and BIMI standards prove your mail is really yours, and why cold email fails without them.
Product & Engineering · July 17, 2026 · 2 min read
Before you start
Anyone can type any address into the From field of an email. Nothing in the mail protocol stops it. Receiving servers know this, so a message that arrives without proof of who sent it is treated as suspect by default, and cold email, which is a first contact from a stranger, is treated as more suspect than most. Email authentication is that proof. Get it right and receivers can trust your mail before reading a word of it. Get it wrong and no amount of good writing will save your placement.
The three that matter most
Three standards do the core work, and they build on each other.
SPF publishes, in your DNS, the list of mail servers allowed to send on your domain's behalf. When a message arrives claiming to be from you, the receiver checks whether it came from one of those approved servers.
DKIM goes further. Your sending server signs each message with a private key, and publishes the matching public key in DNS. The receiver verifies the signature, which proves two things at once: the message genuinely came from your domain, and nothing in it was changed in transit.
DMARC ties the two together and adds policy. It tells receiving servers what to do when a message fails SPF or DKIM, whether to let it through, send it to spam, or reject it outright, and it sends you reports on who is sending mail in your name, including impersonators.
ARC and BIMI, briefly
Two newer standards sit on top. ARC solves a specific problem: when your mail is forwarded through a mailing list or a security gateway, that hop can break SPF and DKIM. ARC records the original authentication result so the final receiver can still trust it. BIMI is the reward layer. Once your DMARC policy is set to enforce, BIMI lets your verified brand logo appear next to your messages in supporting inboxes. Neither replaces the core three; both assume they are already working.
Why cold email lives or dies here
For established newsletter senders, authentication is one factor among many. For cold email it is often the whole game in the first days of a new domain. Before you have sending history, before engagement data exists, authentication is the strongest signal a receiver has that you are legitimate. A missing SPF record, a DKIM signature that will not validate, or no DMARC policy at all is the most common reason a fresh sending domain struggles before volume or content ever enter the picture.
Where RepMail fits
RepMail's domain verification generates the exact SPF, DKIM, and return-path records for your domain and confirms each one is live before it lets you send, so the most common authentication mistakes never make it to a campaign. Because delivery runs natively on AWS SES rather than through a wrapper around a personal Gmail or Outlook account, DKIM signing and alignment are handled at the infrastructure level instead of depending on a fragile mailbox connection. Authentication stops being a checklist you hope you completed and becomes a verified precondition of sending.
Resources in this guide
| Standard | What it proves | Where it lives |
|---|---|---|
| SPF | Which servers are allowed to send as your domain | TXT record on your domain |
| DKIM | That the message is unaltered and really from you | Public key as a TXT/CNAME record |
| DMARC | What receivers should do when SPF or DKIM fails | TXT record at _dmarc.yourdomain.com |
| ARC | Authentication results survive forwarding | Added by intermediate servers, not you |
| BIMI | Displays your verified logo in the inbox | TXT record at default._bimi.yourdomain.com |
Common mistakes to avoid
- Publishing two SPF records on one domain. Only one is valid; a second silently breaks SPF entirely.
- Turning on a strict DMARC policy before SPF and DKIM reliably pass, which blocks your own legitimate mail.
- Assuming BIMI or ARC can compensate for missing SPF or DKIM. They cannot; they depend on them.
Frequently asked questions
Do I need all of SPF, DKIM, and DMARC for cold email?
Yes. Since 2024, Google and Yahoo require SPF, DKIM, and DMARC for anyone sending in volume, and cold email is exactly the case receivers scrutinize hardest. Missing any one gives a receiving server a documented reason to distrust you.
What are ARC and BIMI, and do I need them?
ARC keeps authentication results intact when mail is forwarded through mailing lists or gateways. BIMI shows your brand logo next to authenticated mail. Neither is required for deliverability, and both only work once SPF, DKIM, and an enforced DMARC policy are already in place.
Where do all these records live?
In your domain's DNS. SPF and DMARC are TXT records, DKIM is a public key published as a TXT or CNAME record, and BIMI is a TXT record pointing at your logo. Your sending platform generates the values; you publish them.
Continue learning
Start with SPF
SPF is the first record to publish and the simplest of the three to understand.