Without SPF, DKIM, DMARC and BIMI, your emails never reach the inbox

You have written the perfect email. The subject line is brilliant, the offer is unbeatable, and the design is stylish enough to make a graphic designer cry with joy. And then the worst thing possible happens: the email lands in the spam folder. No one sees it. No one opens it. It just dies there in the digital no-man’s land called the spam filter. The reason? You haven’t fixed your technical authentication. It sounds boring, and it is a little bit, but it is the difference between reaching the inbox and disappearing forever. And from 2024 it is no longer optional.

Without authentication, this happens to your emails

Think of email authentication as a passport control system at an airport. The email is the traveler and each authentication protocol is a security check that verifies the sender is really who they claim to be. Without the right papers you won’t get through, plain and simple.

Since 2024, Gmail, Yahoo and Microsoft have made it mandatory for bulk senders to have these protocols in place. If you lack them, you risk three things, all equally unpleasant:

  • Your emails are sorted directly into spam without the recipient ever seeing them
  • Your domain can be permanently blacklisted and become virtually impossible to recover
  • Fraudsters can send emails in your brand’s name to your customers without you noticing

It involves four layers that build on each other: SPF, DKIM, DMARC and finally BIMI, which is the reward when everything else is in place.

Fact box: Around 40 percent of all email senders are either unsure about or lack correct SPF and DKIM configuration. It’s roughly like driving a car without a driver’s license and hoping no one notices. Sooner or later someone will notice.

SPF: your digital guest list no one can fake

SPF stands for Sender Policy Framework and is the oldest of the four protocols. It works like a guest list published in your domain’s DNS settings, a list that tells the recipient’s email server which IP addresses and servers are actually allowed to send emails on your behalf.

When someone receives an email from your domain, their server performs a quick DNS lookup and compares the sender’s IP address against your whitelist. If the IP address is on the list, the email is given the green light. If it is not, the server flags the email as suspicious or blocks it completely. Without SPF, anyone can send emails pretending to be you.

Common mistakes when setting up SPF

  • Having multiple SPF records on the same domain (this is not allowed; only one applies and the rest are ignored)
  • Forgetting to add third-party services like Mailchimp, HubSpot or similar
  • Using too many includes, causing you to exceed the DNS lookup limit of ten

What a correct SPF record looks like depends on the service you send through. Here are three common examples.

If you send through Mailchimp:

v=spf1 include:servers.mcsv.net ~all

If you send through SendGrid:

v=spf1 include:sendgrid.net ~all

If you send from your own dedicated server with a specific IP address:

v=spf1 ip4:192.0.2.1 ~all

You always have a single SPF record per domain, listing all your approved senders. If you use multiple services, combine them in the same record, but be careful not to exceed ten DNS lookups, otherwise delivery issues will start.

DKIM: the seal that proves no one has tampered with the email

While SPF checks who is sending, DKIM checks if the email’s content is intact. DKIM stands for DomainKeys Identified Mail and acts as a cryptographic seal on your message. Without DKIM, an email can be tampered with on its way from your server to the recipient’s inbox without either of you noticing.

When an email is sent, your mail server generates a unique digital signature based on the email’s content. The signature is created with a private key that only you have. The matching public key is published in your DNS. When the recipient’s server receives the email, it verifies the signature against the public key in your DNS. If they do not match, the email is flagged immediately.

| What DKIM protects against | How |
| --- | --- |
| Content manipulation during transport | Cryptographic signature on the entire email |
| Domain forgery | Verification against public key in DNS |
| Phishing attacks in your brand’s name | Invalid signature is flagged immediately |

The smart thing about DKIM is that it not only protects the recipient but also builds up your domain’s reputation with email providers over time. The more consistently you authenticate, the more trusted your domain becomes.

DMARC: the lifeguard who decides what happens when something goes wrong

SPF and DKIM are good individually but they have one problem: they do not tell the receiving server what to do when an email fails authentication. Without DMARC, a forged email from your domain can still get through even though the warning signs are there. It is DMARC that closes that door.

DMARC lets you as a domain owner decide three things:

  • What should happen to emails that fail authentication (do nothing, quarantine, or reject completely)
  • That SPF and DKIM must align with the sending domain
  • That you receive reports about all authentication attempts from around the world

DMARC has three policy levels that should be implemented gradually:

| Policy | What it does | When to use it |
| --- | --- | --- |
| p=none | Monitoring only, no actions | At the start when mapping the traffic |
| p=quarantine | Failed email goes to spam | When you are confident in your configuration |
| p=reject | Email is completely blocked | When everything is in place and stable |

The professional tip is to always start with p=none and collect reports for at least two weeks before tightening the policy. Otherwise, you risk blocking legitimate emails from third-party services you have accidentally forgotten in your SPF.

Fact box: In 2024, 53.8 percent of all email senders used DMARC, an increase of 11 percent from the previous year. That sounds good but it still means that almost half of all domains are unprotected and open to abuse right now.

BIMI: the reward when everything else is in place

Now comes the fun part. When SPF, DKIM, and DMARC are in place and you run a DMARC policy of at least quarantine or reject, the door to BIMI opens. BIMI stands for Brand Indicators for Message Identification and it is what makes your brand logo appear in the inbox next to your email.

It may sound like a small detail but the numbers speak for themselves. BIMI logos are reported to give up to 38 to 39 percent higher open rates. That is not a small improvement, it is the difference between a mediocre campaign and one that actually delivers.

BIMI is currently supported by Gmail, Yahoo Mail and Apple Mail. Microsoft Outlook does not yet fully support it but the direction is clear.

To implement BIMI you need:

  • DMARC at enforcement level (p=quarantine or p=reject)
  • An SVG logo file in square format with a solid background, max 32 kb
  • The logo published via HTTPS
  • A BIMI TXT record in your DNS
  • For Gmail and Apple, a VMC (Verified Mark Certificate) is also required to confirm that the logo is a registered trademark

A BIMI record in DNS looks like this:

v=BIMI1; l=https://dittforetag.se/logo.svg; a=https://dittforetag.se/vmc.pem

Only 5.7 percent of all domains use BIMI today even though adoption increased by 28 percent last year. It is still a clear competitive advantage to implement it now before everyone else catches up.

How to check that everything is actually in place

It is not enough to assume it is configured. It must be verified. There are several free tools that allow you to check exactly what your domain communicates to the outside world.

MXToolbox is the most used. You go to mxtoolbox.com, paste your domain and choose what you want to check: SPF Lookup, DKIM Lookup or DMARC Lookup. The tool immediately returns if the record exists, if it is correctly formatted and if there are any errors to fix. Google Admin Toolbox at toolbox.googleapps.com is another option that does the same directly within Google’s own infrastructure.

To quickly check that a specific email has passed all three checks, you can also open a received email in Gmail, click on the three dots at the top right and then select “Show original.” There you can directly see if SPF, DKIM and DMARC have been approved or not. This is the fastest way to confirm that the configuration actually works in practice and not only on paper.

How to use Google Postmaster Tools to monitor your domain

Google Postmaster Tools is a free tool from Google that provides you with real-time data on how Gmail perceives your email. It is the closest you get to an X-ray of your domain’s health and a tool far too few email marketers use proactively.

Here is how to get started:

  • Go to postmaster.google.com and log in with a Google account
  • Click the plus icon at the bottom right and enter the domain you want to monitor
  • Google gives you a TXT record that you add to your DNS with your domain provider to verify ownership
  • Once the domain is verified, data will start to populate; expect a couple of days before you see anything meaningful

Once you are inside the tool, you will find several dashboards worth knowing about:

| Dashboard | What it shows |
| --- | --- |
| Domain Reputation | How Google rates your domain from High to Bad |
| Authentication | The percentage of your emails that pass SPF, DKIM and DMARC |
| Spam Rate | The share of Gmail users who mark your emails as spam |
| Delivery Errors | Any errors preventing delivery and exactly what the error is |
| Compliance Status | Whether you meet Google’s requirements for bulk senders from 2024 |

The most important to keep track of is the Spam Rate dashboard. Google requires it to be kept below 0.3 percent. If you exceed that threshold, your emails will start landing in spam extensively and it can take a long time to recover. The Authentication dashboard shows the percentage of your emails that actually pass the authentication checks. Well-configured domains typically score 95 percent or higher for DKIM and DMARC.

An important thing to know is that the SPF score in Google Postmaster Tools sometimes shows zero percent even though everything technically works. This is because Google measures SPF alignment, that is, whether the Return-Path domain matches the From domain, and not just if SPF passes. Many third-party services like Mailchimp and HubSpot send through their own Return-Path domains which causes SPF alignment to fail in the reporting. There is nothing to worry about as long as DKIM and DMARC show green.
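The alignment behaviour described above, together with the three DMARC policy levels, as an added example that is not part of the original article. The headers are constructed in the RFC 8601 `Authentication-Results` style, all domains are hypothetical, and `org_domain` is a simplification (receivers use the Public Suffix List).

```python
import re

def org_domain(domain):
    # Simplification: keep the last two labels of the name.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def field(pattern, header):
    m = re.search(pattern, header)
    return m.group(1).lower() if m else None

def evaluate(auth_results, dmarc_record):
    """Apply the domain's DMARC record to one message's authentication results."""
    tags = {k.strip().lower(): v.strip().lower() for k, v in
            (t.split("=", 1) for t in dmarc_record.split(";") if "=" in t)}
    from_dom = field(r"header\.from=([\w.-]+)", auth_results)
    spf_ok = (field(r"\bspf=(\w+)", auth_results) == "pass" and
              aligned(field(r"smtp\.mailfrom=(?:\S*@)?([\w.-]+)", auth_results),
                      from_dom, tags.get("aspf", "r")))
    dkim_ok = (field(r"\bdkim=(\w+)", auth_results) == "pass" and
               aligned(field(r"header\.d=([\w.-]+)", auth_results),
                       from_dom, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:                      # one aligned pass is enough
        action = "deliver"
    else:
        action = {"none": "deliver, report only", "quarantine": "spam folder",
                  "reject": "reject"}[tags.get("p", "none")]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "action": action}

# Constructed headers: a newsletter sent via a third-party service, and a forgery.
VIA_ESP = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.esp.example; "
           "dkim=pass header.d=brand.example; dmarc=pass header.from=brand.example")
SPOOFED = ("mx.receiver.example; spf=pass smtp.mailfrom=bulk@unrelated.example; "
           "dkim=none; dmarc=fail header.from=brand.example")

if __name__ == "__main__":
    print(evaluate(VIA_ESP, "v=DMARC1; p=reject"))
    print(evaluate(SPOOFED, "v=DMARC1; p=none"))
    print(evaluate(SPOOFED, "v=DMARC1; p=reject"))
```

The forged message passes SPF for its own Return-Path domain, so only the alignment check against the From domain exposes it, and only a policy above `p=none` acts on that result.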

Use Postmaster Tools proactively and not only when something has gone wrong. Many marketers open the tool only after delivery problems have already occurred and then the damage is often already done.

Correct order to implement everything before it is too late

There is a logical sequence to follow:

  • Start by auditing your current configuration with MXToolbox or Google Admin Toolbox
  • Set up SPF and make sure all services sending email on your behalf are included
  • Enable DKIM signing through your email provider or DNS settings
  • Wait at least 48 hours before proceeding to DMARC so that the DNS changes have time to propagate
  • Publish a DMARC record with p=none and start collecting reports
  • Analyze the reports and address any issues before moving on
  • Connect Google Postmaster Tools and begin continuously monitoring your domain health
  • Sharpen DMARC to quarantine and then reject as you gain full control
  • Implement BIMI once DMARC is at enforcement level

Expect the entire process to take between six and eight weeks if done properly. It is not a project for an afternoon but every week you wait is a week where your emails risk never reaching their destination.

The technical foundation that determines if your email marketing survives 2026

Email marketing is on paper one of the most profitable channels available. But it requires that the emails actually get delivered. SPF, DKIM, DMARC, and BIMI are the foundation everything else rests on. Without them, it doesn’t matter how good the subject line is or how finely segmented the list is. The email never arrives.

It’s a bit like preparing a five-course dinner and then serving it in the trash bin. Technology is not the glamorous part of email marketing but it is what decides if the rest of the work has any effect at all. And in the worst case, if you don’t fix it, it’s not just your campaigns that suffer. It’s your entire brand’s credibility online.
