Deliverability & Sender Reputation
Knowledge base2 min read

The Complete Guide to Email Authentication

How SPF, DKIM, DMARC, and the newer ARC and BIMI standards prove your mail is really yours, and why cold email fails without them.

RT
RepMail Team

Product & Engineering · July 17, 2026 · 2 min read

SPF, DKIM, and DMARC are three checks a receiving server runs before it trusts your mail. Pass all three and you reach the inbox.

Anyone can type any address into the From field of an email. Nothing in the mail protocol stops it. Receiving servers know this, so a message that arrives without proof of who sent it is treated as suspect by default, and cold email, which is a first contact from a stranger, is treated as more suspect than most. Email authentication is that proof. Get it right and receivers can trust your mail before reading a word of it. Get it wrong and no amount of good writing will save your placement.

The three that matter most

Three standards do the core work, and they build on each other.

SPF publishes, in your DNS, the list of mail servers allowed to send on your domain's behalf. When a message arrives claiming to be from you, the receiver checks whether it came from one of those approved servers.

DKIM goes further. Your sending server signs each message with a private key, and publishes the matching public key in DNS. The receiver verifies the signature, which proves two things at once: the message genuinely came from your domain, and nothing in it was changed in transit.

DMARC ties the two together and adds policy. It tells receiving servers what to do when a message fails SPF or DKIM, whether to let it through, send it to spam, or reject it outright, and it sends you reports on who is sending mail in your name, including impersonators.

ARC and BIMI, briefly

Two newer standards sit on top. ARC solves a specific problem: when your mail is forwarded through a mailing list or a security gateway, that hop can break SPF and DKIM. ARC records the original authentication result so the final receiver can still trust it. BIMI is the reward layer. Once your DMARC policy is set to enforce, BIMI lets your verified brand logo appear next to your messages in supporting inboxes. Neither replaces the core three; both assume they are already working.

Why cold email lives or dies here

For established newsletter senders, authentication is one factor among many. For cold email it is often the whole game in the first days of a new domain. Before you have sending history, before engagement data exists, authentication is the strongest signal a receiver has that you are legitimate. A missing SPF record, a DKIM signature that will not validate, or no DMARC policy at all is the most common reason a fresh sending domain struggles before volume or content ever enter the picture.

Where RepMail fits

RepMail's domain verification generates the exact SPF, DKIM, and return-path records for your domain and confirms each one is live before it lets you send, so the most common authentication mistakes never make it to a campaign. Because delivery runs natively on AWS SES rather than through a wrapper around a personal Gmail or Outlook account, DKIM signing and alignment are handled at the infrastructure level instead of depending on a fragile mailbox connection. Authentication stops being a checklist you hope you completed and becomes a verified precondition of sending.

Resources in this guide

The email authentication stack at a glance
Reference
StandardWhat it provesWhere it lives
SPFWhich servers are allowed to send as your domainTXT record on your domain
DKIMThat the message is unaltered and really from youPublic key as a TXT/CNAME record
DMARCWhat receivers should do when SPF or DKIM failsTXT record at _dmarc.yourdomain.com
ARCAuthentication results survive forwardingAdded by intermediate servers, not you
BIMIDisplays your verified logo in the inboxTXT record at default._bimi.yourdomain.com

Common mistakes to avoid

  • Publishing two SPF records on one domain. Only one is valid; a second silently breaks SPF entirely.
  • Turning on a strict DMARC policy before SPF and DKIM reliably pass, which blocks your own legitimate mail.
  • Assuming BIMI or ARC can compensate for missing SPF or DKIM. They cannot; they depend on them.
authentication
spf
dkim
dmarc
sender-reputation

Frequently asked questions

Do I need all of SPF, DKIM, and DMARC for cold email?

Yes. Since 2024, Google and Yahoo require SPF, DKIM, and DMARC for anyone sending in volume, and cold email is exactly the case receivers scrutinize hardest. Missing any one gives a receiving server a documented reason to distrust you.

What are ARC and BIMI, and do I need them?

ARC keeps authentication results intact when mail is forwarded through mailing lists or gateways. BIMI shows your brand logo next to authenticated mail. Neither is required for deliverability, and both only work once SPF, DKIM, and an enforced DMARC policy are already in place.

Where do all these records live?

In your domain's DNS. SPF and DMARC are TXT records, DKIM is a public key published as a TXT or CNAME record, and BIMI is a TXT record pointing at your logo. Your sending platform generates the values; you publish them.

Continue learning

Start with SPF

SPF is the first record to publish and the simplest of the three to understand.

More on this topic