DKIM, SPF, and DMARC are the three DNS-based authentication standards that prove your emails are legitimate — to Gmail, Outlook, Yahoo, and every other major mailbox provider. Migomail generates, validates, and monitors all three automatically from a single setup wizard.
Email authentication is not optional — Gmail, Outlook, and Yahoo require DKIM and SPF for inbox delivery, and Google mandates DMARC for bulk senders above 5,000 emails per day. Migomail's setup wizard configures all three and monitors them continuously.
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every email you send — a digital proof that the email was sent by your domain and was not modified in transit. Migomail generates a 2048-bit RSA key pair, provides the exact TXT record value to add to your DNS, and signs every outgoing email automatically. Keys can be rotated on a schedule to maintain security best practice.
Sender Policy Framework (SPF) is a DNS record that lists the mail servers authorised to send email from your domain. Migomail generates the exact SPF TXT record value, including Migomail's sending infrastructure, validates it after you add it to your DNS, and monitors it continuously for changes that would invalidate the record or push you over SPF's limit of 10 DNS lookups.
DMARC (Domain-based Message Authentication, Reporting & Conformance) uses DKIM and SPF results to tell receiving mail servers what to do with emails that fail authentication — monitor only (p=none), quarantine to spam (p=quarantine), or reject outright (p=reject). Migomail's DMARC setup wizard walks you through choosing the right policy for your programme and generating the exact TXT record value.
After you add each DNS record, Migomail validates it automatically — checking that the record is correctly formatted, accessible from the public DNS, returning the expected value, and aligning with your sending domain. Ongoing monitoring checks all three records daily and alerts you immediately if any record changes, expires, or becomes invalid.
DMARC generates XML aggregate reports (RUA reports) from every major mailbox provider — daily reports showing which emails passed or failed authentication, from which IP addresses, and what action was taken under your DMARC policy. Migomail receives these reports on your behalf, processes them from raw XML into human-readable dashboards, and highlights any sources of authentication failure that need investigation.
DMARC requires that either DKIM or SPF is "aligned" — meaning the authenticated domain matches the From address domain. Migomail automatically configures DKIM signing to use your From address domain as the signing domain (d= parameter), ensuring DKIM alignment passes for every email you send. This is required for DMARC to generate a PASS result rather than a failure.
If you send from multiple sending domains (yourbrand.com, news.yourbrand.com, promotions.yourbrand.com, youranotherbrand.com), Migomail manages a separate authentication configuration for each domain — separate DKIM keys, separate SPF records, and a separate DMARC policy per root domain. Each domain's authentication is validated and monitored independently.
Brand Indicators for Message Identification (BIMI) is an emerging standard that displays your brand logo in the inbox sender avatar — in Gmail, Yahoo, Apple Mail, and Fastmail — when your DMARC policy is set to p=reject with 100% coverage. Migomail supports the BIMI TXT record configuration and VMC (Verified Mark Certificate) setup guidance needed to enable the logo display.
Email authentication is configured entirely through DNS TXT records on your sending domain. Migomail's wizard generates the exact record values — you copy them into your DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53) and Migomail validates them automatically.
The p= value is your 2048-bit public key. Receiving servers use it to verify the DKIM signature in every email header — proving the email was signed by your domain's private key and was not modified in transit. Migomail generates the key pair and signs all emails automatically.
The include: values list the infrastructure authorised to send from your domain. -all means any server not on the list is rejected. Migomail monitors the DNS lookup count to stay within SPF's 10-lookup limit.
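How the 10-lookup limit adds up across nested include: records, as an added example that is not Migomail's code. The `ZONE` table, its domain names and the helper names are constructed for illustration; a real check would resolve the TXT records over DNS.

```python
# Added example: count the SPF terms that trigger DNS lookups, following
# include: and redirect= recursively. ZONE is a constructed stand-in for DNS.
ZONE = {
    "yourbrand.com": "v=spf1 mx include:_spf.esp.example include:_spf.crm.example -all",
    "_spf.esp.example": "v=spf1 ip4:192.0.2.0/24 include:_a.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 a exists:%{i}.bl.crm.example ip6:2001:db8::/32 ~all",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208, 4.6.4
LIMIT = 10


def count_lookups(domain, zone=ZONE, seen=None):
    """Return how many DNS-querying terms evaluating `domain` can reach."""
    seen = set() if seen is None else seen
    if domain in seen:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, seen | {domain})
            continue
        # Drop the qualifier (+ - ~ ?), then split "mech:arg" and "mech/cidr".
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, seen | {domain})
    return total


def within_limit(domain, zone=ZONE):
    """True when the record stays at or under the 10-lookup ceiling."""
    return count_lookups(domain, zone) <= LIMIT
```

The ip4: and ip6: mechanisms and all cost nothing, so replacing an include: with the provider's published address ranges is the usual way to bring a record back under the limit.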
The DMARC record tells receiving servers what to do when DKIM and SPF both fail: p=quarantine sends failing mail to spam. The rua= address receives daily XML reports of all authentication results from every major provider.
The receiving mail server runs three parallel authentication checks before deciding what to do with your email. Understanding these checks explains why all three records are required — they verify different things and DMARC coordinates the results.
DMARC is configured progressively. Most senders start at p=none to learn who is sending as their domain without affecting delivery, then escalate to p=quarantine and finally p=reject as confidence grows. Each level provides different protection.
Migomail's authentication setup wizard walks you through every step — from generating keys to validating DNS records. Most senders complete full authentication setup in under 30 minutes.
Each authentication protocol addresses a different attack vector and provides a different piece of the deliverability puzzle. DMARC is meaningless without DKIM and SPF. DKIM and SPF provide no policy enforcement without DMARC. All three together is the only complete solution.
Feedback from email managers, technical founders, and deliverability engineers who configured DKIM, SPF, and DMARC on Migomail.
We were sending from a domain with no DMARC record for 18 months. I knew we needed it but kept putting it off because it seemed complex. After Google announced their February 2024 requirement, I finally set up the Migomail wizard. From starting the wizard to all three records validated in DNS: 22 minutes. The wizard generates the exact record values — you do not need to understand the underlying cryptography or RFC specifications. Copy, paste, validate. That is it. Within 48 hours of completing setup, our Gmail Postmaster Tools domain reputation went from "Medium" to "High" — the single biggest reputation improvement we had seen in two years of sending.
The DMARC report processing feature changed how I manage our email programme's security. Before Migomail, I had DMARC set to p=none with a rua= address going to a mailbox I never checked — we were generating reports but never reading them. When I connected Migomail's DMARC dashboard and it processed six months of historical reports, I discovered that three different marketing platforms our business uses had been sending email on behalf of our domain without DKIM configured — they were using our domain in the From: header but sending from their own IPs, which were failing SPF. These were legitimate sends from our own tools that were failing authentication. Without the DMARC reports, I would never have found them. After adding each platform to our SPF record and configuring DKIM on each, our DMARC pass rate went from 78% to 99.7% and we escalated safely to p=reject within 6 weeks.
We are a fintech company and our customers receive OTP emails and transaction notifications from us. When one of our customer service managers received a phishing email that looked exactly like one of our own transaction notifications — same From address, same subject line, professional layout — it became an immediate executive priority. We escalated our DMARC from p=quarantine to p=reject using Migomail's wizard. The wizard walked us through the process — check your DMARC pass rate first, identify any failing legitimate senders, fix them, then increase pct from 10% to 25% to 50% to 100% over three weeks to catch any remaining issues. Since reaching p=reject, our security team has confirmed through DMARC reports that over 4,000 spoofed email attempts per month using our domain are being blocked. Our customers are no longer reachable via domain spoofing.
“Rackwave Technologies has significantly improved our marketing performance while providing reliable cloud services. We’ve been using their solutions for a while now, and the experience has been seamless, scalable, and results-driven.”
David Larry
Founder & CEO
Common questions about DKIM, SPF, and DMARC email authentication.
DKIM (DomainKeys Identified Mail) is a cryptographic email signing protocol. When you configure DKIM, Migomail signs every email you send with a private key — adding a DKIM-Signature header to the email. The receiving mail server retrieves your public key from your DNS and uses it to verify that the signature is valid, proving two things: the email was sent by a server with access to your DKIM private key, and the email was not modified in transit between sending and receiving. Without DKIM, receiving servers have no cryptographic proof that the email content is as sent.
SPF (Sender Policy Framework) validates the server that sent the email — it checks whether the IP address of the server that delivered the email is listed in your domain's SPF DNS record as an authorised sender. DKIM validates the content of the email. The two checks are complementary: DKIM says "this email was signed by domain X" (content proof); SPF says "this IP is authorised to send for domain X" (server proof). Both are needed because they protect against different attack vectors — DKIM can survive email forwarding (which changes the server but not the signature), while SPF provides a simpler server-level check.
DMARC (Domain-based Message Authentication Reporting and Conformance) is a policy layer that sits on top of DKIM and SPF. It does two things: (1) It requires that the authenticated domain (from DKIM's d= or SPF's MAIL FROM) is aligned with the From: address — preventing attacks where the authenticated domain differs from the displayed From address; (2) It tells receiving servers what to do when an email fails both DKIM and SPF: deliver normally (p=none), quarantine to spam (p=quarantine), or reject completely (p=reject). DMARC needs both DKIM and SPF because its pass/fail logic depends on at least one of them passing AND being aligned.
You can start with DKIM and SPF only — they improve deliverability independently. However, as of February 2024, Google requires DMARC (minimum p=none) for senders above 5,000 emails per day to Gmail. Yahoo also requires DMARC for bulk senders. Additionally, DKIM and SPF alone provide no policy enforcement against spoofing — without DMARC, a spoofed email can pass individual authentication checks and still reach subscribers. DMARC is what closes the enforcement gap. Most senders who configure DKIM and SPF find DMARC setup adds only 5 additional minutes.
Start at p=none. Run it for 30 days and review DMARC reports to understand which emails are failing authentication and which sources are sending on behalf of your domain. Fix any legitimate senders that are failing. Then escalate to p=quarantine with pct=25 (affects only 25% of failing emails) and increase gradually over 2–3 weeks. Once your DMARC pass rate is consistently above 99%, escalate to p=reject. This progressive approach ensures you never accidentally block legitimate email from a platform you forgot to authenticate.
DMARC alignment means the domain in the DKIM signature (d= parameter) or the SPF-authenticated domain must match the domain in the From: header, the address your subscribers see. This prevents a specific attack where a bad actor signs their email with a valid DKIM signature for a domain they control but uses a completely different domain in the From: header. Without alignment, DKIM would "pass" while the displayed From address is fraudulent. Migomail configures DKIM signing to use your From address domain automatically, ensuring DKIM alignment is satisfied for every email you send.
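The alignment rule and policy decision described above, worked through as a receiver would evaluate them. This is an added example, not Migomail's code: the `Message` fields, function names and sample domains are constructed, and the organizational-domain lookup uses a tiny built-in suffix set where real receivers use the Public Suffix List.

```python
# Added example: DMARC pass/fail from SPF and DKIM results plus alignment.
# Simplification (assumption): the organizational domain is found with a tiny
# built-in suffix set; real receivers use the full Public Suffix List.
from dataclasses import dataclass

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # constructed subset


def org_domain(domain: str) -> str:
    """Return the registrable domain, e.g. news.yourbrand.com -> yourbrand.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Strict alignment needs an exact match; relaxed compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class Message:
    from_domain: str       # domain in the visible From: header
    spf_result: str        # "pass" / "fail" for the MAIL FROM domain
    mail_from_domain: str  # domain SPF authenticated
    dkim_result: str       # "pass" / "fail" for the signature
    dkim_d: str            # d= domain of the DKIM signature


def dmarc_disposition(msg: Message, policy: str) -> str:
    """Return "pass", or the action the p= policy asks for on failure."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_d, msg.from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed messages. The second authenticates fully, but only for the
# sender's own domain, so neither result aligns with the From: domain.
legit = Message("yourbrand.com", "fail", "bounce.esp.example", "pass", "yourbrand.com")
spoof = Message("yourbrand.com", "pass", "attacker.example", "pass", "attacker.example")
```

The `legit` message passes on aligned DKIM alone even though SPF fails, while `spoof` passes both raw checks and still fails DMARC.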
Migomail validates all three records automatically when you add them and monitors them daily thereafter. You can also check the DMARC reports dashboard — once DMARC is configured with a rua= email address, every major mailbox provider (Gmail, Outlook, Yahoo) sends daily XML aggregate reports showing how many emails passed authentication, how many failed, and which IP addresses were sending on behalf of your domain. Migomail processes these XML reports and presents them as readable charts and tables, making it straightforward to identify any authentication problems without reading raw XML.
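What processing an aggregate report involves, as an added example that is not Migomail's code. The report below is a constructed sample in the RFC 7489 aggregate layout, and the `summarise` function and its output keys are names chosen for this illustration.

```python
# Added example: summarise a DMARC aggregate (RUA) report by source IP.
# The XML below is a constructed sample using the RFC 7489 report layout.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourbrand.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>780</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>200</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>20</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
  </record>
</feedback>"""


def summarise(report_xml: str) -> dict:
    """Return total volume, DMARC pass rate and per-IP failing volume."""
    # Reports come from third parties: in production use a hardened parser
    # (for example the defusedxml package) instead of plain ElementTree.
    root = ET.fromstring(report_xml)
    total, passed, failing = 0, 0, defaultdict(int)
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim", "fail")
        spf = rec.findtext("row/policy_evaluated/spf", "fail")
        total += count
        # policy_evaluated holds the aligned results; one pass is enough.
        if "pass" in (dkim, spf):
            passed += count
        else:
            failing[rec.findtext("row/source_ip", "unknown")] += count
    rate = round(100 * passed / total, 1) if total else 0.0
    return {"total": total, "pass_rate": rate, "failing_sources": dict(failing)}
```

Each IP in `failing_sources` is either a legitimate platform that still needs SPF or DKIM set up, or a source spoofing the domain; telling the two apart is the review to finish before raising the policy.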
BIMI (Brand Indicators for Message Identification) is an emerging standard that displays your brand logo in the inbox sender avatar — in Gmail, Yahoo, Apple Mail, and Fastmail. For Gmail specifically, BIMI requires: DMARC p=reject with pct=100, a Verified Mark Certificate (VMC) issued by a Certificate Authority like DigiCert or Entrust, and a BIMI TXT record pointing to an SVG version of your logo hosted at a specific URL. Yahoo supports BIMI without a VMC requirement. Migomail provides BIMI TXT record configuration guidance and logo preview generation — the VMC is obtained from your certificate authority of choice.