Authentication explained (SPF, DKIM, DMARC)

Email authentication is how mailbox providers verify that a message really came from who it claims to come from. There are three pieces — SPF, DKIM, and DMARC — and MailMonk sets them up correctly for your sending domain.

The three checks

• SPF (Sender Policy Framework) confirms the message was sent from a server authorized to send for your domain.
• DKIM (DomainKeys Identified Mail) adds a cryptographic signature proving the message wasn’t tampered with and is genuinely from your domain.
• DMARC tells providers what to do if SPF/DKIM fail, and lets you monitor who’s sending as your domain.

When all three pass and align to your domain, you’ve cleared the technical bar every major provider checks. MailMonk also includes a one-click List-Unsubscribe header, which meets Google and Yahoo’s bulk-sender requirements.

Authentication is necessary, not sufficient

Passing SPF/DKIM/DMARC gets you eligible for the inbox — it doesn’t guarantee it. Placement still depends on domain reputation, list quality, and content. That’s why a correctly-authenticated new domain can still land in Promotions while it warms up. See Why new sending domains warm up.

How to read Gmail’s “Show original”

You can verify authentication yourself on any email you received:

1. Open the email in Gmail.
2. Click the ⋮ (three dots) at the top-right of the message.
3. Choose Show original.
4. Look at the summary at the top — you want to see:
   • SPF: PASS
   • DKIM: PASS (signed by your domain)
   • DMARC: PASS

If you see three PASS lines, authentication is working correctly and any Promotions/Spam placement is a reputation/content matter, not an auth problem.