Email Deliverability: Authentication & Inbox Guide
Improve email deliverability with proper authentication. DKIM, SPF, DMARC setup, inbox placement strategies, and sender reputation management.
Key Takeaways
Email deliverability has become significantly more complex since 2024. Google and Yahoo's mandatory authentication requirements created a clear divide between senders who operate professional email infrastructure and those who do not. Getting authentication right is now a prerequisite for any commercial email program — not a nice-to-have.
This guide covers the full authentication stack — SPF, DKIM, and DMARC — with exact DNS record formats, plus the ongoing operational practices that determine whether authenticated emails land in the inbox or the spam folder.
Email Authentication Protocols
The three authentication protocols work in sequence. SPF verifies the sending server is authorized. DKIM verifies the email was not tampered with in transit. DMARC enforces what happens when these checks fail and provides visibility through reporting.
| Protocol | DNS Record Type | What It Verifies | Google/Yahoo Required? |
|---|---|---|---|
| SPF | TXT record on root domain | Sending server IP is authorized | Yes (mandatory since Feb 2024) |
| DKIM | TXT record at selector._domainkey | Email content was not modified | Yes (mandatory since Feb 2024) |
| DMARC | TXT record at _dmarc.domain | SPF/DKIM alignment + enforcement policy | Yes (p=none minimum required) |
| BIMI | TXT record at default._bimi | Brand logo display in inbox (Gmail, Yahoo) | No (but requires p=quarantine or p=reject DMARC) |
| MTA-STS | TXT + HTTPS policy file | TLS encryption required for email delivery | No (recommended for high-security domains) |
SPF Record Setup
SPF works by publishing a DNS TXT record that lists the mail servers authorized to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks if the sending server's IP address is in your SPF record.
SPF Record Syntax
// Basic SPF record — add your ESP's include statement
v=spf1 include:_spf.google.com include:sendgrid.net include:amazonses.com ~all

// Common ESP SPF includes:
// SendGrid: include:sendgrid.net
// Mailchimp: include:servers.mcsv.net
// HubSpot: include:_spf.hubspot.com
// Klaviyo: include:_spf.klaviyo.com
// Postmark: include:spf.mtasv.net
// Resend: include:_spf.resend.com

// Qualifier meanings:
// ~all = SoftFail (deliver but mark as suspicious) — use for initial setup
// -all = HardFail (reject) — use after confirming all senders are listed
- Maximum 10 DNS lookups (includes nested includes)
- Cannot exceed 512 bytes for UDP DNS responses
- Does not survive email forwarding (DKIM does)
- Only validates the envelope sender (MAIL FROM), not From header
- Flattening required for complex multi-sender setups
- Audit all services that send email from your domain
- Include only services you actively use (reduce DNS lookup count)
- Use SPF flattening tools if you exceed 10 lookups
- Set ~all initially, move to -all after DMARC monitoring
- Have only ONE SPF record per domain (multiple records cause failures)
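An added example, not part of the original guide: a check for the two SPF failure modes listed above, the 10-lookup limit (counted through nested includes) and duplicate SPF records. It reads from a constructed dictionary of TXT records instead of live DNS; every domain in it is a placeholder.

```python
import re

# Constructed TXT data standing in for live DNS; all names are placeholders.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example "
                    "include:_spf.esp-c.example mx ~all"],
    "_spf.esp-a.example": ["v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example ~all"],
    "_nb1.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.esp-b.example": ["v=spf1 a mx exists:%{i}.allow.esp-b.example -all"],
    "_spf.esp-c.example": ["v=spf1 a:mail.esp-c.example mx:esp-c.example ip6:2001:db8::/32 -all"],
    "dup.example": ["v=spf1 include:_spf.esp-b.example ~all", "v=spf1 -all"],
}

# Terms that cost a DNS query during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def count_lookups(domain, txt=SAMPLE_TXT, chain=()):
    """Return (dns_lookups, findings) for the SPF policy published at `domain`."""
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: found {len(records)} SPF records, exactly one is required"]
    if domain in chain:
        return 0, [f"{domain}: include loop via {' -> '.join(chain)}"]
    lookups, findings = 0, []
    for term in records[0].lower().split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/\s]*))?", term.lstrip("+-~?"))
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue                      # ip4, ip6 and all need no DNS query
        lookups += 1                      # the term itself costs one query
        if m.group(1) in ("include", "redirect") and m.group(2):
            nested, sub = count_lookups(m.group(2), txt, chain + (domain,))
            lookups += nested             # nested includes count toward the same limit
            findings += sub
    return lookups, findings

def audit(domain, txt=SAMPLE_TXT):
    """Count lookups for `domain` and flag a total above the limit."""
    lookups, findings = count_lookups(domain, txt)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return lookups, findings

if __name__ == "__main__":
    for d in ("example.com", "dup.example"):
        print(d, audit(d))
```

The top-level record for `example.com` shows only four lookup terms, but the nested includes bring the total to 11, which receivers treat as a permanent error.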
DKIM Configuration
DKIM uses public-key cryptography. Your ESP generates a private/public key pair. The private key signs each outgoing email; the public key is published in your DNS. Receiving servers verify the signature using the public key — if it matches, the email is authenticated.
// DKIM DNS record format (TXT record)
// Record name: [selector]._domainkey.[yourdomain.com]
// Example: s1._domainkey.digitalapplied.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

// Key parameters:
// v=DKIM1 : Version (always DKIM1)
// k=rsa : Key type (RSA 2048-bit minimum; 4096-bit recommended)
// p= : Base64-encoded public key (provided by your ESP)
// s=email : Service type (optional, limits to email use)

// If sending from multiple ESPs, create one DKIM record per sender:
// sendgrid._domainkey.yourdomain.com (SendGrid)
// k1._domainkey.yourdomain.com (Klaviyo)
// pm._domainkey.yourdomain.com (Postmark)
DMARC Policy
DMARC is where authentication enforcement happens. The policy determines what receiving servers do with emails that fail DMARC evaluation (neither SPF nor DKIM passes with a domain aligned to the From header), and where reports about authentication results are sent. Implement DMARC in phases over 60-90 days to avoid blocking legitimate email from sources you haven't yet configured.
// DMARC DNS record: _dmarc.yourdomain.com (TXT)

// Phase 1 — Monitor (weeks 1-4)
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1

// Phase 2 — Quarantine (weeks 5-8)
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com

// Phase 2b — Increase quarantine (weeks 9-10)
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com

// Phase 3 — Reject (week 11+)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; sp=reject

// Tag reference:
// p= : Policy for organizational domain (none/quarantine/reject)
// sp= : Policy for subdomains (if different from p=)
// pct= : Percentage of failing messages to apply policy to (1-100)
// rua= : Aggregate report destination (comma-separated URIs)
// ruf= : Forensic report destination
// fo=1 : Generate forensic report on any failure
Monitor
No enforcement. All emails delivered regardless of authentication result. Reports generated. Use to discover all email-sending services before enforcing.
Quarantine
Failing emails sent to spam folder. Start with pct=25 (25% of failing messages), gradually increase to pct=100 to catch any legitimate sources missed.
Reject
Failing emails blocked at the receiving server. Maximum protection. Google/Yahoo's preferred policy. Only implement after confirming all legitimate senders pass.
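An added example, not part of the original guide: one way to use the Monitor-phase aggregate (rua) reports to list the sources that would be quarantined or rejected once enforcement starts. The report excerpt, IP addresses, and domains are constructed placeholders, and the code assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate-report excerpt; IPs and domains are documentation placeholders.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>940</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>55</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>esp-b.example</domain><result>pass</result></dkim>
    <spf><domain>bounce.esp-b.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarize(report_xml):
    """Return (total_messages, failing) where failing lists sources that fail DMARC."""
    root = ET.fromstring(report_xml)
    total, by_ip = 0, defaultdict(lambda: {"count": 0, "passed_as": set()})
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        total += count
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned check passes, so failure needs both to fail.
        if ev is None or ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        entry = by_ip[rec.findtext("row/source_ip")]
        entry["count"] += count
        # A raw pass for some other domain points at a legitimate but unaligned service.
        for res in rec.findall("auth_results/*"):
            if res.findtext("result") == "pass":
                entry["passed_as"].add(res.findtext("domain"))
    failing = sorted(by_ip.items(), key=lambda kv: -kv[1]["count"])
    return total, [(ip, e["count"], sorted(e["passed_as"])) for ip, e in failing]

if __name__ == "__main__":
    total, failing = summarize(SAMPLE_REPORT)
    for ip, count, passed_as in failing:
        print(f"{ip}: {count}/{total} messages fail DMARC, authenticated as {passed_as or 'nothing'}")
```

A failing source that authenticates as another domain is usually a sending service that still needs an aligned DKIM selector or custom return-path; a failing source that authenticates as nothing is the traffic the reject policy is meant to block.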
Sender Reputation
Authentication proves you are who you claim to be. Sender reputation determines whether mailbox providers trust you enough to deliver to the inbox. Reputation is built over time through consistent sending behavior and lost rapidly through bad practices.
| Reputation Factor | Positive Signal | Negative Signal |
|---|---|---|
| Spam complaint rate | <0.05% complaint rate | >0.10% triggers filtering; >0.30% severe penalties |
| Open rate | >20% average open rate | <10% indicates unwanted email |
| Bounce rate | <2% hard bounce rate | >5% signals poor list hygiene |
| Sending consistency | Regular cadence, consistent volume | Sudden volume spikes (10x normal) |
| Spam trap hits | Zero trap hits | Even one hit can blacklist an IP |
| Engagement recency | Sending primarily to recent openers | Sending to inactive 1-2 year old lists |
Inbox Placement Strategies
Inbox placement rate (the percentage of sent emails that land in the inbox rather than spam or promotions) is the ultimate email performance metric. For our email marketing clients, we target 90%+ inbox placement rates across Gmail, Outlook, and Yahoo.
- Remove hard bounces immediately (zero tolerance policy)
- Suppress soft bounces after 3 consecutive failures
- Implement sunset policy: suppress no-openers at 90 days
- Run re-engagement campaign before suppressing at 60 days
- Never purchase email lists — spam traps and complaints guaranteed
- Use double opt-in for highest list quality
- Plain-text version must accompany every HTML email
- Image-to-text ratio: no more than 40% images
- Keep HTML email under 102KB (Gmail clips larger emails)
- Avoid spam trigger words: free, guarantee, winner, urgent
- Use a consistent From name subscribers recognize
- Test across email clients before sending (Litmus or Email on Acid)
- Send at consistent times and intervals
- Segment by engagement level before sending
- A/B test subject lines on 20% of list before full send
- Suppress unsubscribers within 48 hours (required by law)
- Use dedicated IPs for high-volume sending (>500K/month)
- Separate transactional and marketing email streams
- Use a reputable ESP with IP pools (SendGrid, Postmark, Resend)
- Enable dedicated sending domain (not shared subdomain)
- Configure bounce handling: automatic suppression via API
- Enable feedback loops (FBL) with major ISPs
- Monitor blacklist status weekly (MxToolbox Blacklist Check)
- Use a subdomain for marketing email (news.yourdomain.com)
Our CRM and automation service includes email deliverability audits and infrastructure setup — from authentication configuration through list hygiene and ongoing reputation monitoring. See also our email and CRM integration guide.
Monitoring Tools
Active monitoring is the difference between catching deliverability issues in hours versus discovering them weeks later when revenue is impacted. Build a monitoring stack that covers authentication status, reputation metrics, and inbox placement rates.
| Tool | What It Monitors | Cost |
|---|---|---|
| Google Postmaster Tools | Domain reputation, spam rate, DMARC, feedback loop (Gmail only) | Free |
| MxToolbox | DNS records, blacklist status, email headers | Free (basic) / $129+/mo (monitoring) |
| Glock Apps | Inbox/spam placement across 90+ email clients | $29–$199/mo |
| Dmarcian / EasyDMARC | DMARC aggregate report parsing and visualization | $14–$150/mo |
| Validity (formerly Return Path) | Enterprise sender score, inbox placement, B2B deliverability | $1,000+/mo (enterprise) |
| 250ok (Validity) | Seed list inbox placement, engagement data | $500+/mo |