What’s Gmail’s position on authentication (SPF, DKIM, DMARC)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you send email to anyone with a Gmail address, you're sending to Gmail. And Gmail has made its position on authentication about as clear as it gets: SPF, DKIM, and DMARC are not optional.
Here's what each one actually does. SPF tells Gmail which IP addresses are allowed to send email on behalf of your domain. DKIM adds a cryptographic signature to your messages so Gmail can verify the content hasn't been tampered with in transit. DMARC ties both of them together and tells Gmail what to do when something fails.
As of February 2024, Gmail requires all senders hitting 5,000 or more messages per day to have all three in place. DMARC needs to be published at a minimum of p=none (monitoring mode). That's the floor, not the goal. (If you're under 5,000 daily messages, Gmail still strongly recommends authentication. It's just not formally enforced at that volume yet.)
Without proper authentication, Gmail can reject your mail outright, route it to spam, or slap a warning label on it before it ever reaches the inbox. Even if your content is good, missing authentication is a fast track to getting filtered. Gmail treats it as a basic trust signal, and without it you look like someone trying to hide.
If you're not sure your setup is correct, our free SPF checker and DKIM lookup can tell you what Gmail actually sees when it looks up your domain. For DMARC, the DMARC generator walks you through building a valid record from scratch.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.