Email authentication isn't just about implementing SPF, DKIM, and DMARC: it's about implementing them correctly, maintaining them over time, and building robust processes that scale with your organization. These seven best practices represent the collective wisdom from years of email security deployments across thousands of organizations.
Whether you're just starting your email authentication journey or optimizing an existing deployment, these practices will help you achieve maximum email deliverability and security.
Best Practice #1: Start with SPF + DKIM + DMARC at p=none
The Foundation
Before enforcing anything, establish your baseline with full authentication and monitoring.
Implementation Checklist:
- SPF Record: List all sending IPs and includes (stay within the 10 DNS lookup limit)
- DKIM Signing: Enable 2048-bit signing on all email systems
- DMARC at p=none: Start monitoring without enforcement
- RUA Reporting: Configure aggregate report delivery
Why This Works
Starting at p=none gives you 4-6 weeks to identify all legitimate sending sources, fix authentication issues, and establish baseline metrics before enforcing policies that could block email.
Common Mistake
Jumping straight to p=quarantine or p=reject without a monitoring period. This causes legitimate email to be blocked because you haven't yet identified all sending sources.
Best Practice #2: Audit ALL Email Sending Sources
Most organizations dramatically underestimate how many systems send email on their behalf. A thorough audit prevents surprises during enforcement.
Common Email Sources (Often Forgotten)
Business Systems
- Office 365 / Google Workspace
- On-premise mail servers
- VPN/firewall alerts
- Network monitoring tools
- Backup system notifications
Marketing & CRM
- Email marketing (Mailchimp, Constant Contact)
- Transactional email (SendGrid, Mailgun)
- CRM systems (Salesforce, HubSpot)
- Survey tools (SurveyMonkey, Typeform)
- Event platforms (Eventbrite)
Applications
- Web application emails
- E-commerce notifications
- Help desk systems (Zendesk)
- HR systems (Workday, BambooHR)
- Accounting software (QuickBooks)
Audit Process:
- Interview stakeholders: Marketing, IT, Sales, HR, Finance
- Review DMARC reports: Identify IPs and services sending email
- Check DNS records: Look for existing SPF includes
- Search email: Look for system-generated emails in your inbox
- Document findings: Create inventory with business owner for each service
Best Practice #3: Progress to Enforcement Slowly
Rushing DMARC enforcement is the #1 cause of legitimate email being blocked. Use a gradual progression with the pct= tag.
Recommended Progression Timeline
Weeks 1-6: Monitoring
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Collect reports, identify sources, fix authentication issues. Wait at least 4 weeks.
Weeks 7-10: Gradual Quarantine
p=quarantine; pct=10 → 25 → 50 → 100
Increase percentage every 1-2 weeks. Monitor for complaints or issues.
Weeks 11-14: Full Quarantine Monitoring
p=quarantine; pct=100
Run at 100% quarantine for 2-4 weeks. Verify no business impact.
Weeks 15-18: Gradual Reject
p=reject; pct=10 → 25 → 50 → 100
Final enforcement phase. Monitor closely for any legitimate blocking.
Week 19+: Full Protection
p=reject
Ongoing monitoring and maintenance. Maximum security achieved.
Never Skip Stages
Organizations that jump from p=none directly to p=reject often experience significant business disruption. The gradual approach catches issues before they become critical.
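An added example, not from the original article: a small Python helper that validates a DMARC record and computes the next record on the ladder above, so each stage is a mechanical change instead of a hand edit. The record values in the code are constructed.

```python
# Added example (not from the original article): parse a DMARC TXT record, check
# the tags this rollout depends on, and compute the next record on the article's
# ladder: none -> quarantine (pct 10/25/50/100) -> reject (pct 10/25/50/100).
PCT_STEPS = (10, 25, 50, 100)
POLICY_ORDER = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Return the record's tags in order; raise ValueError on structural defects."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICY_ORDER:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    if "rua" in tags and not all(u.strip().startswith("mailto:") for u in tags["rua"].split(",")):
        raise ValueError("rua= entries must be mailto: URIs")
    tags["pct"] = str(pct)
    return tags

def is_valid_dmarc(record):
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False

def next_step(record):
    """Next rung of the rollout, or None once p=reject at 100% is reached.
    With pct<100 receivers apply the next less strict policy to the unsampled
    mail (RFC 7489 6.6.4), so p=reject; pct=10 still quarantines the other 90%."""
    tags = parse_dmarc(record)
    policy, pct = tags["p"], int(tags["pct"])
    if policy == "reject" and pct == 100:
        return None
    if policy == "none" or pct == 100:  # advance the policy and restart the sampling ladder
        policy, pct = POLICY_ORDER[POLICY_ORDER.index(policy) + 1], PCT_STEPS[0]
    else:                               # same policy, next sampling percentage
        pct = next(s for s in PCT_STEPS if s > pct)
    tags["p"], tags["pct"] = policy, str(pct)
    if policy == "reject" and pct == 100:
        del tags["pct"]                 # pct=100 is the default: publish a plain p=reject
    return "; ".join(f"{k}={v}" for k, v in tags.items())
```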
Best Practice #4: Enable DKIM Everywhere
DKIM is your safety net when SPF fails. Always enable DKIM signing on every service that sends email.
Why DKIM is Critical
DMARC passes if either SPF or DKIM passes (and aligns). Having both provides redundancy:
- SPF breaks: Email forwarding, mailing lists, some third-party services
- DKIM survives: Forwarding, content modification (to a degree), route changes
- Result: DMARC still passes even when SPF fails
DKIM Configuration Checklist
- Key Length: 2048-bit minimum (never 1024-bit)
- Sign the From: header: Required for DMARC alignment
- Sign Key Headers: From, To, Subject, Date, Message-ID
- Domain Alignment: d= domain matches From: domain
- Key Rotation: Plan for annual rotation
- Test Signing: Verify with mail-tester.com after setup
Best Practice #5: Review DMARC Reports Weekly
DMARC reports are useless if nobody reads them. Establish a regular review cadence to catch issues early.
Weekly Review Process (30 minutes)
1. Check Overall Pass Rate
Target: 98%+ passing
- If pass rate drops suddenly → investigate immediately
- Gradual decline → authentication misconfiguration or new service
2. Identify New Sending Sources
Look for IPs you don't recognize with significant volume
- Reverse DNS lookup to identify
- Contact business owner to verify legitimacy
- Add to SPF or configure DKIM if legitimate
3. Review Authentication Failures
Categorize failures by type
- Both fail: Likely spoofing (good - policy working)
- SPF fail, DKIM pass: Forwarding or alignment issue (acceptable if DMARC passes)
- SPF pass, DKIM fail: DKIM configuration issue (fix this)
4. Monitor for Anomalies
Watch for unusual patterns
- Sudden volume spikes from unknown IPs
- High failure rates from specific regions
- Legitimate service suddenly failing authentication
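As an added example (not part of the original article), this Python script applies steps 1 to 3 of the review above to a constructed RUA aggregate report in the RFC 7489 Appendix C XML layout. The IP addresses and the KNOWN_SOURCES inventory are placeholders standing in for the audit results from Best Practice #2.

```python
import xml.etree.ElementTree as ET
# Added example (not from the original article): triage a DMARC aggregate (RUA)
# report following the weekly review steps. The XML is a constructed sample in
# the RFC 7489 Appendix C layout; the IPs and the source inventory are placeholders.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>25</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>60</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.44</source_ip><count>25</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.200</source_ip><count>15</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Constructed inventory from the source audit: source IP -> service name.
KNOWN_SOURCES = {"203.0.113.10": "Office 365", "198.51.100.7": "Help desk", "192.0.2.44": "SendGrid"}
PASS_RATE_TARGET = 98.0  # the review's 98%+ target

def classify(dkim, spf):
    """Map the aligned DKIM/SPF results in policy_evaluated to the review's buckets."""
    if dkim == "pass" and spf == "pass":
        return "pass"
    if dkim == "pass":
        return "spf_fail_dkim_pass"  # forwarding or alignment; DMARC still passes
    if spf == "pass":
        return "spf_pass_dkim_fail"  # DKIM configuration issue: fix this
    return "both_fail"               # likely spoofing; the policy is doing its job

def triage(xml_text, known=KNOWN_SOURCES):
    root = ET.fromstring(xml_text)
    buckets = {"pass": 0, "spf_fail_dkim_pass": 0, "spf_pass_dkim_fail": 0, "both_fail": 0}
    unknown, fix_dkim, total = {}, set(), 0
    for rec in root.iter("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        bucket = classify(ev.findtext("dkim"), ev.findtext("spf"))
        buckets[bucket] += n
        total += n
        if ip not in known:
            unknown[ip] = unknown.get(ip, 0) + n  # step 2: unrecognised source to identify
        elif bucket == "spf_pass_dkim_fail":
            fix_dkim.add(known[ip])               # step 3: DKIM broken on a known service
    dmarc_pass = buckets["pass"] + buckets["spf_fail_dkim_pass"]  # either aligned result passes DMARC
    rate = round(100.0 * dmarc_pass / total, 1) if total else 0.0
    return {"total": total, "dmarc_pass_rate": rate, "below_target": rate < PASS_RATE_TARGET,
            "buckets": buckets, "unknown_sources": unknown, "fix_dkim_on": sorted(fix_dkim)}
```

Real reports arrive as gzip or zip attachments to the rua= address; the same triage applies once the XML is extracted.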
Best Practice #6: Test Before Major Changes
Email authentication breaks easily during infrastructure changes. Always test authentication after modifications.
Testing Triggers
Test Email Authentication After:
- Mail server upgrades or migrations
- DNS provider changes
- Adding new email sending service
- Changing email marketing platform
- Office 365/Google Workspace configuration changes
- SPF record modifications
- DKIM key rotation
- Domain transfers
Quick Testing Process
- Send a test email to mail-tester.com and verify that SPF, DKIM, and DMARC all show green (pass)
- Check alignment (SPF aligned AND/OR DKIM aligned)
- Send test to Gmail, check headers for Authentication-Results
- Wait 24 hours, review DMARC reports for issues
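An added example (not from the original article) for the Gmail header check above: a Python parser for the Authentication-Results header that reports strict and relaxed SPF/DKIM alignment against header.from. The header is constructed, and org_domain() is a two-label simplification of the organizational-domain rule.

```python
import re
# Added example (not from the original article): parse an Authentication-Results
# header like the one Gmail adds and check SPF and DKIM alignment against
# header.from. The header is constructed; org_domain() is a two-label
# simplification of the RFC 7489 organizational-domain rule (receivers use the
# Public Suffix List).
SAMPLE_HEADER = (
    "Authentication-Results: mx.google.com; "
    "dkim=pass header.i=@example.com header.s=s1 header.b=AbCdEf12; "
    "spf=pass (google.com: domain of bounce@mail.example.com designates "
    "203.0.113.10 as permitted sender) smtp.mailfrom=bounce@mail.example.com; "
    "dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com"
)

def parse_auth_results(header):
    """Return {'authserv': ..., '<method>': {'result': ..., '<prop>': ...}} per RFC 8601."""
    body = header.split(":", 1)[1]
    body = re.sub(r"\([^)]*\)", "", body)  # strip (comments): free text, not machine-readable
    parts = [p.strip() for p in body.split(";") if p.strip()]
    out = {"authserv": parts[0]}
    for part in parts[1:]:
        tokens = part.split()
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method] = {"result": result, **props}
    return out

def org_domain(name):
    """Two-label approximation of the organizational domain (simplification)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def alignment(parsed):
    """Strict and relaxed alignment of SPF (smtp.mailfrom) and DKIM (header.i) with header.from."""
    hdr_from = parsed.get("dmarc", {}).get("header.from", "").lower()
    checks = {
        "spf": (parsed.get("spf", {}).get("result"), parsed.get("spf", {}).get("smtp.mailfrom", "")),
        "dkim": (parsed.get("dkim", {}).get("result"), parsed.get("dkim", {}).get("header.i", "")),
    }
    report = {}
    for name, (result, ident) in checks.items():
        dom = ident.rsplit("@", 1)[-1].lower()  # identifier domain (after the @)
        passed = result == "pass" and bool(dom)
        report[name] = {"strict": passed and dom == hdr_from,
                        "relaxed": passed and org_domain(dom) == org_domain(hdr_from)}
    report["dmarc_pass_strict"] = report["spf"]["strict"] or report["dkim"]["strict"]
    report["dmarc_pass_relaxed"] = report["spf"]["relaxed"] or report["dkim"]["relaxed"]
    return report
```

In the sample, SPF passes but only aligns in relaxed mode because the bounce domain is a subdomain, while DKIM aligns strictly; this is the "SPF aligned AND/OR DKIM aligned" distinction the checklist asks you to confirm.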
Best Practice #7: Document Everything
Six months from now, you won't remember why you made specific configuration decisions. Documentation prevents future confusion and helps new team members.
Essential Documentation
Email Source Inventory
For each sending source, document:
- Service name and purpose
- Business owner/department
- Sending IPs or SPF include
- DKIM selector and configuration
- Last tested date
Configuration Details
Maintain records of:
- Current SPF record
- DKIM selector(s) and key rotation dates
- DMARC policy progression timeline
- DNS hosting provider
- DMARC report destination(s)
Historical Metrics
Track over time:
- DMARC pass rate trends
- Authentication failure volume
- New source discovery dates
- Policy change dates and reasons
- Issues encountered and resolutions
Incident Response
Document procedures for:
- Legitimate email being blocked
- Authentication suddenly failing
- Suspicious sending activity detected
- DKIM key compromise
- Emergency policy rollback
Putting It All Together
These seven best practices form a complete email authentication strategy:
- Foundation: SPF + DKIM + DMARC p=none
- Discovery: Complete audit of all email sources
- Progression: Gradual enforcement with monitoring
- Redundancy: DKIM on all services as backup to SPF
- Vigilance: Weekly DMARC report reviews
- Testing: Verify authentication after every change
- Knowledge: Document everything for future reference
Following these practices ensures you achieve maximum email deliverability and security without business disruption. The investment in doing email authentication right pays dividends in reduced phishing risk, improved email reputation, and confidence that your domain is protected.
Implement Best Practices Automatically
DMARC Busta automates report analysis, guides you through safe progression, and ensures you follow email authentication best practices.