MailOdds

Email Authentication Guide: SPF, DKIM, DMARC Setup

Protect your domain from spoofing, improve deliverability, and meet the latest sender requirements. A complete walkthrough of every authentication layer.

Contents

Why Authentication MattersSPF (RFC 7208)DKIM (RFC 6376)DMARC (RFC 7489)MTA-STS and DANESetup with MailOddsFAQ

Why Email Authentication Matters

Email authentication is the foundation of deliverability. Without it, mailbox providers have no way to verify that a message claiming to be from your domain was actually sent by you. Unauthenticated email is indistinguishable from phishing, and providers like Gmail, Outlook, and Yahoo treat it accordingly: straight to spam, or rejected outright.

According to Google and Yahoo's 2024 bulk sender requirements, all senders must authenticate with SPF, DKIM, and DMARC starting February 2024. Senders who deliver more than 5,000 messages per day must also publish a DMARC policy (at minimum p=none), provide one-click unsubscribe headers, and keep spam complaint rates below 0.3%. Non-compliant senders face throttling and outright rejection.

Authentication works alongside list hygiene to maximize inbox placement. Even perfectly authenticated emails will damage your sender reputation if you send to invalid or disengaged addresses. The MailOdds Email Validation API catches invalid, disposable, and risky addresses before they enter your pipeline, while authentication protocols prove your identity to receiving servers.

If you are sending transactional or marketing email through the MailOdds Email Sending API, authentication is handled automatically when you verify your sending domain. This guide explains each protocol in depth so you understand what is happening behind the scenes and can troubleshoot when things go wrong.

Three protocols, one goal

SPF authorizes which servers can send for your domain. DKIM cryptographically signs each message. DMARC ties them together and tells receivers what to do when checks fail. All three are required for modern email deliverability.

SPF: Sender Policy Framework

RFC 7208

SPF lets domain owners publish a DNS TXT record listing the IP addresses and third-party services authorized to send email on their behalf. When a receiving server gets a message, it checks the sending IP against the SPF record of the domain in the envelope MAIL FROM address. If the IP is not authorized, the check fails.

SPF Record Syntax

An SPF record is a TXT record at your domain root. Here is an example that authorizes MailOdds and Google Workspace:

DNS TXT Record
v=spf1 include:spf.mailodds.net include:_spf.google.com ~all

Key Mechanisms

  • include: delegates to another domain's SPF
  • ip4: / ip6: authorizes specific IPs
  • ~all soft-fail (recommended default)
  • -all hard-fail (strict, use with caution)

The 10-Lookup Limit

RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include:, a:, mx:, and redirect= mechanism counts as one lookup, and nested includes count recursively.

Exceeding this limit causes a permerror, which many receivers treat as a fail. SPF flattening (resolving includes to IP addresses) can help, but requires maintenance when provider IPs change.

Common SPF mistakes

  • Using +all which authorizes the entire internet to send as your domain
  • Publishing multiple SPF records (only one is allowed per domain; extras cause failures)
  • Exceeding 10 DNS lookups by chaining too many include: mechanisms
  • Forgetting to add a new provider's include when switching email services

DKIM: DomainKeys Identified Mail

RFC 6376

DKIM adds a cryptographic signature to every outgoing email. The sending server signs message headers and body using a private key. The receiving server retrieves the corresponding public key from DNS and verifies the signature. If the signature checks out, the receiver knows the message was not altered in transit and that it genuinely originated from the claimed domain.

How DKIM Signing Works

1

Sender signs

The sending MTA hashes selected headers and the message body, then encrypts the hash with the domain's private key. The result is added as a DKIM-Signature header.

2

Receiver fetches public key

The receiving server reads the s= (selector) and d= (domain) from the signature, then queries selector._domainkey.example.com for the public key.

3

Signature verified

The receiver decrypts the signature with the public key, recomputes the hash, and compares them. A match proves the message is authentic and unmodified.

RSA vs Ed25519: Dual Signing

MailOdds uses dual DKIM signing: Ed25519 as the primary algorithm for modern receivers that support it, with RSA 2048-bit as a fallback for older systems. Ed25519 signatures are smaller, faster to verify, and cryptographically stronger than equivalent RSA keys. However, some older mail servers do not yet support Ed25519 (defined in RFC 8463), so the RSA fallback ensures universal compatibility.

Ed25519 (Primary)

  • 32-byte keys (fits in a single DNS TXT record)
  • Faster signing and verification
  • No practical brute-force attack vector
  • Supported by Gmail, Outlook, Fastmail, Proton

RSA 2048 (Fallback)

  • Universal support across all mail servers
  • Larger key requires split DNS TXT records
  • 2048-bit minimum recommended (1024-bit is deprecated)
  • Required for compatibility with legacy systems

DNS Record Format

DKIM public keys are published at selector._domainkey.example.com. The selector is a label chosen by the sender that allows multiple keys per domain (useful for key rotation and multi-provider setups).

DNS TXT Record
;; DKIM public key record
mo2024._domainkey.example.com IN TXT
  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."

Key rotation best practice

Rotate DKIM keys quarterly. Publish the new key alongside the old one, switch signing to the new selector, then remove the old key after 48 hours (to let in-flight messages clear). MailOdds handles rotation automatically when you use managed DKIM via CNAME delegation.

DMARC: Domain-based Message Authentication

RFC 7489

DMARC builds on SPF and DKIM by adding a policy layer and a reporting mechanism. It tells receiving servers what to do when neither SPF nor DKIM passes with alignment, and it provides aggregate and forensic reports so domain owners can monitor authentication failures across all sending sources.

Policy Progression

DMARC policies should be deployed gradually. According to Valimail's 2024 Email Authentication Report, only 30% of domains have reached DMARC enforcement (quarantine or reject), leaving 70% vulnerable to spoofing. MailOdds recommends the following progression:

p=none (Monitor)

No enforcement. Receivers deliver the email normally but send DMARC reports to your rua address. Start here for at least 2 weeks to identify all legitimate sending sources.

p=quarantine (Spam Folder)

Failing messages are delivered to the spam folder instead of the inbox. Use pct=10 to start, gradually increasing to 100% as you gain confidence. Move to this stage once your aggregate reports show clean results.

p=reject (Block)

Failing messages are rejected outright. This is the strongest anti-spoofing protection. Only move here when you are fully confident that all legitimate email from your domain passes SPF or DKIM with alignment.

DMARC Record Example

DNS TXT Record at _dmarc.example.com
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; pct=100; adkim=r; aspf=r

Alignment Modes

ModeTagBehavior
Relaxedadkim=r / aspf=rOrganizational domain match (sub.example.com aligns with example.com)
Strictadkim=s / aspf=sExact domain match required (sub.example.com does NOT align with example.com)

Reporting

Aggregate Reports (rua)

Daily XML reports summarizing authentication results for all messages from your domain. Essential for identifying unauthorized senders and misconfigured services. Delivered to the email address specified in the rua tag.

Forensic Reports (ruf)

Per-message failure reports with details about individual authentication failures. Useful for debugging, but not all receivers send them due to privacy concerns. Delivered to the ruf address.

Advanced: MTA-STS and DANE/TLSA

SPF, DKIM, and DMARC authenticate the identity of the sender. The next layer protects the transport channel itself, ensuring that messages are encrypted in transit and delivered to the correct server. These protocols guard against man-in-the-middle attacks and DNS spoofing.

MTA-STS (RFC 8461)

SMTP MTA Strict Transport Security

MTA-STS tells sending servers that your domain requires TLS for mail delivery. Without it, SMTP connections fall back to plaintext if TLS negotiation fails, which an attacker can force via a downgrade attack. MTA-STS publishes a policy file at https://mta-sts.example.com/.well-known/mta-sts.txt that specifies which MX hosts accept mail and the minimum TLS version.

mta-sts.txt policy file
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

DANE/TLSA (RFC 6698)

DNS-Based Authentication of Named Entities

DANE uses DNSSEC-signed TLSA records to pin TLS certificates for your mail server. Unlike MTA-STS (which relies on HTTPS trust), DANE relies on DNSSEC, removing the dependency on certificate authorities. DANE provides stronger security but requires DNSSEC on your domain, which not all providers support.

DNS TLSA Record
_25._tcp.mail.example.com IN TLSA 3 1 1 a]b2c3d4e5f6...

TLS-RPT (RFC 8460)

SMTP TLS Reporting

TLS-RPT provides reporting for MTA-STS and DANE failures. Sending servers that encounter TLS negotiation problems deliver JSON reports to the address specified in your _smtp._tls.example.com TXT record. This gives you visibility into delivery failures caused by certificate mismatches, expired certificates, or MTA-STS policy violations.

MailOdds supports MTA-STS and DANE/TLSA

All MailOdds sending infrastructure publishes MTA-STS policies and DANE TLSA records. Outbound connections enforce opportunistic DANE when the recipient domain supports DNSSEC. No additional configuration is needed on your end. See the deliverability platform for details.

Step-by-Step Setup with MailOdds

Follow these five steps to fully authenticate your sending domain. The entire process takes about 15 minutes, plus DNS propagation time.

1

Add your sending domain

Log in to the MailOdds dashboard and navigate to Sending Domains. Click Add Domain and enter your root domain (e.g., example.com). MailOdds generates the required SPF, DKIM, and return-path DNS records for you.

2

Add SPF include record to DNS

Add or update your SPF TXT record at your domain root to include MailOdds:

v=spf1 include:spf.mailodds.net ~all
3

Add DKIM CNAME record to DNS

Create the CNAME record shown in your dashboard. Using a CNAME (instead of pasting the public key directly) lets MailOdds handle key rotation automatically.

mo._domainkey.example.com CNAME dkim.mailodds.net
4

Configure DMARC TXT record

Add a DMARC record at _dmarc.example.com. Start with p=none to collect reports before enforcing:

v=DMARC1; p=none; rua=mailto:dmarc@example.com
5

Verify setup via domain health check

Return to the MailOdds dashboard and click Verify DNS. MailOdds checks all records in real time and reports any misconfigurations. You can also verify programmatically via the API:

Verify Domain via API

Check the authentication status of your sending domain programmatically.

cURL
curl -X POST https://api.mailodds.com/v1/sending-domains/verify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '"domain": "example.com"'
Response (JSON)
{
  "domain": "example.com",
  "spf": { "status": "pass", "record": "v=spf1 include:spf.mailodds.net ~all" },
  "dkim": { "status": "pass", "selector": "mo", "algorithm": "ed25519-sha256" },
  "dmarc": { "status": "pass", "policy": "none" },
  "verified": true
}

Frequently Asked Questions

Authenticate your domain in minutes

MailOdds handles SPF, DKIM (Ed25519 + RSA), and return-path configuration automatically. Add your domain and start sending authenticated email today.

Start Free Explore the API