What’s Gmail’s position on authentication (SPF, DKIM, DMARC)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you send email to anyone with a Gmail address, you're sending to Gmail. And Gmail has made its position on authentication about as clear as it gets: SPF, DKIM, and DMARC are not optional.

Here's what each one actually does. SPF tells Gmail which IP addresses are allowed to send email on behalf of your domain. DKIM adds a cryptographic signature to your messages so Gmail can verify the content hasn't been tampered with in transit. DMARC ties both of them together and tells Gmail what to do when something fails.

As of February 2024, Gmail requires all senders hitting 5,000 or more messages per day to have all three in place. DMARC needs to be published at a minimum of p=none (monitoring mode). That's the floor, not the goal. (If you're under 5,000 daily messages, Gmail still strongly recommends authentication. It's just not formally enforced at that volume yet.)

Without proper authentication, Gmail can reject your mail outright, route it to spam, or slap a warning label on it before it ever reaches the inbox. Even if your content is good, missing authentication is a fast track to getting filtered. Gmail treats it as a basic trust signal, and without it you look like someone trying to hide.

If you're not sure your setup is correct, our free SPF checker and DKIM lookup can tell you what Gmail actually sees when it looks up your domain. For DMARC, the DMARC generator walks you through building a valid record from scratch.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my Gmail authentication gaps

My sending domain is your domain and I send roughly number emails per day. Based on Gmail's 2024 authentication requirements, can you help me figure out: (1) whether my SPF record covers all my sending sources, (2) whether my DKIM is properly signed and aligned, (3) what DMARC policy I currently have and whether it meets Gmail's minimum, and (4) what my biggest authentication gap is right now?

Edit the yellow boxes, then send to the AI of your choice.