Phishing volume is rising, AI cuts attacker costs, and your brand is the target.
Boards want spoofing stopped, security wants fewer incidents, and marketing wants trusted logos in inboxes.
Getting started with email authentication doesn’t need to be complicated. Use Red Sift’s free tools and step-by-step guide to get started today.
Why this matters now
Attackers iterate faster than email programs, and now AI only widens the gap. With most domains still on p=none, spoofing stays easy and incident response stays noisy. Red Sift’s latest dataset shows only 5.6% of 73.9M tracked domains at p=reject, and 11% stuck at report-only. That gap is the attack surface.
What you’ll get from this guide
- A snapshot of your DMARC, SPF, DKIM, and BIMI posture
- A short, ordered to-do list to move toward p=reject
- A check on BIMI readiness (policy + assets), so you can unlock brand logos in supported inboxes
Tools you’ll use (free)
- Investigate: Enter your domain to see DMARC plus key controls (SPF, DKIM, BIMI). You’ll get what’s present, what’s missing, and the priority fixes. Use it on your primary domain and any sending subdomains.
- SPF Checker: Visualizes includes, mechanisms, and DNS lookup counts (note that Red Sift OnDMARC overcomes the traditional 10-lookup limit). It flags risky patterns tied to SubdoMailing and poisoned includes so you can remove legacy services and keep lookups within limits.
- BIMI Checker: Confirms whether your public DMARC posture and BIMI record meet BIMI requirements. You’ll get guidance on policy, SVG, and certificate (VMC) needs for logo display in supporting inboxes (e.g., Apple Mail via supporting providers, Google, Yahoo, Fastmail, Zoho, web.de, and more).
Step-by-step: From snapshot to action plan
1) Run Investigate on all sending domains
- What to record: Current DMARC policy (none / quarantine / reject), alignment status, and any syntax or record errors.
- Action: List issues in order of impact, starting with missing/invalid records and alignment failures.
2) Map your SPF with SPF Checker
What to record:
- DNS lookups: Keep total ≤ 10
- Poisoned or risky includes: Remove or replace
- Legacy vendors/services: Prune anything not sending
- Action: Collapse redundant mechanisms, migrate to safer includes, and clean dead entries.
3) Validate BIMI readiness with BIMI Checker
- Policy requirement: Brand Indicators for Message Identification (BIMI) needs DMARC at p=quarantine or p=reject (enforcement recommended).
- Assets: Confirm SVG format and Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) where required. Read our guide to BIMI to learn more.
- Action: Fix policy first, then resolve SVG/VMC gaps.
4) Lock in your path to enforcement
- Target state: Move from p=none → p=quarantine → p=reject once legitimate senders align.
- Action: Set milestones (e.g., align top 5 senders this week, cut lookups to ≤10, enable DKIM everywhere).
- Optional: Book a Red Sift demo to pressure-test your plan and automate the last mile, with free guidance from our team.
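The four steps above, carried out as one offline audit. This is an added example, not Red Sift’s tooling: the DNS answers come from a constructed in-memory table (all domain names hypothetical, the dead vendor include deliberately left dangling), so it runs without network. It parses the DMARC p= tag, walks the SPF include/redirect tree counting the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect) against the limit of 10, checks BIMI readiness against the policy requirement, and turns the findings into an ordered action list that ends with the next policy step.

```python
"""Offline audit of DMARC, SPF and BIMI records (added example, not Red Sift's code)."""

# Constructed TXT records standing in for live DNS. None = no record (NXDOMAIN).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 include:_spf.mailer-a.example include:legacy-vendor.example mx ~all",
    "_spf.mailer-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer-a.example -all",
    "_spf2.mailer-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "legacy-vendor.example": None,  # dead vendor: a dangling include someone else could claim
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}


def txt(name):
    """Stand-in for a TXT lookup against the constructed table."""
    return FAKE_DNS.get(name)


def parse_tags(record):
    """Parse 'k=v; k=v' tag-value records (DMARC, BIMI) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain, resolver=txt):
    """Return the p= tag of the domain's DMARC record, or None if absent or invalid."""
    rec = resolver(f"_dmarc.{domain}")
    if not rec or not rec.lower().startswith("v=dmarc1"):
        return None
    return parse_tags(rec).get("p", "").lower() or None


# Mechanisms that each cost one DNS lookup under the RFC 7208 limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def spf_audit(domain, resolver=txt):
    """Walk the SPF include/redirect tree; return (lookup_count, problems)."""
    lookups, problems = 0, []

    def walk(name, path):
        nonlocal lookups
        if name in path:  # the same include reached from within itself
            problems.append(f"include loop at {name}")
            return
        rec = resolver(name)
        if not rec or not rec.lower().startswith("v=spf1"):
            problems.append(f"no SPF record at {name} (dangling include)")
            return
        for term in rec.split()[1:]:
            term = term.lstrip("+-~?")                 # drop the qualifier
            if "=" in term.partition(":")[0]:          # modifier: redirect=, exp=
                mod, _, arg = term.partition("=")
                if mod.lower() == "redirect":          # redirect costs a lookup too
                    lookups += 1
                    walk(arg, path + (name,))
                continue
            mech, _, arg = term.partition(":")
            mech = mech.split("/")[0].lower()          # 'a/24' and 'mx/24' still count
            if mech in LOOKUP_MECHANISMS:
                lookups += 1
                if mech == "include":
                    walk(arg, path + (name,))

    walk(domain, ())
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return lookups, problems


def bimi_ready(domain, resolver=txt):
    """BIMI needs DMARC at quarantine/reject plus a BIMI record pointing at an SVG logo."""
    issues = []
    policy = dmarc_policy(domain, resolver)
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC policy is {policy or 'missing'}; BIMI needs quarantine or reject")
    rec = resolver(f"default._bimi.{domain}")
    if not rec or not rec.lower().startswith("v=bimi1"):
        issues.append("no BIMI record at default._bimi")
    else:
        tags = parse_tags(rec)
        logo = tags.get("l", "").lower()
        if not (logo.startswith("https://") and logo.endswith(".svg")):
            issues.append("l= must be an https URL to an SVG logo")
        if not tags.get("a"):
            issues.append("no a= certificate URL (VMC/CMC) for providers that require one")
    return not issues, issues


POLICY_LADDER = ["none", "quarantine", "reject"]


def next_policy(current):
    """Step 4 of the guide: none -> quarantine -> reject; no record means start at none."""
    if current not in POLICY_LADDER:
        return "none"
    return POLICY_LADDER[min(POLICY_LADDER.index(current) + 1, 2)]


def action_plan(domain, resolver=txt):
    """Ordered to-do list: SPF and record fixes first, then policy, then BIMI."""
    policy = dmarc_policy(domain, resolver)
    lookups, spf_problems = spf_audit(domain, resolver)
    actions = [f"SPF: {p}" for p in spf_problems]
    if policy != "reject":
        actions.append(f"DMARC: step from p={policy or 'missing'} to p={next_policy(policy)} once senders align")
    ok, bimi_issues = bimi_ready(domain, resolver)
    actions += [f"BIMI: {i}" for i in bimi_issues]
    return {"policy": policy, "spf_lookups": lookups, "bimi_ready": ok, "actions": actions}


if __name__ == "__main__":
    for line in action_plan("example.com")["actions"]:
        print(line)
```

The resolver is a parameter so the same functions can be pointed at a real TXT lookup (for instance via dnspython) once the logic has been exercised against constructed records; the include walk tracks the current path rather than a global visited set, so a vendor included twice from different branches is counted twice, as the limit treats it, while a true cycle is reported once.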
What “good” looks like
- DMARC: p=reject (or p=quarantine on the way there) with alignment across your real senders.
- SPF: ≤ 10 DNS lookups, no poisoned includes, no dead vendors. (Dynamic SPF in Red Sift OnDMARC helps you stay under the limit automatically.)
- DKIM: Enabled for all active sources; signatures survive forwarding so alignment holds.
- BIMI: Valid record, correct SVG, and VMC/CMC (when required) so your logo displays in supported inboxes.
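Why the DKIM point in that list matters: DMARC passes only when SPF or DKIM passes and its identifier aligns with the visible From: domain, and forwarding rewrites the envelope sender, so SPF alignment is normally lost while a DKIM signature survives. The following added example (not Red Sift’s code) evaluates alignment the way a receiver does. The authentication results are constructed dicts with hypothetical domains, and the two-label suffix set is a deliberately tiny stand-in for the Public Suffix List that relaxed alignment really needs.

```python
"""DMARC identifier alignment for direct, forwarded and SPF-only mail (added example)."""

# Constructed stand-in for the Public Suffix List; a real check loads the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def org_domain(fqdn):
    """Organizational domain, the unit relaxed alignment compares on."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(msg, adkim="r", aspf="r"):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with the From: domain."""
    hdr_from = msg["rfc5322_from"]
    spf_ok = msg["spf_result"] == "pass" and aligned(hdr_from, msg["mail_from"], aspf)
    dkim_ok = any(res == "pass" and aligned(hdr_from, d, adkim) for d, res in msg["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios (all domains hypothetical).
DIRECT = {  # sent straight from the brand's own platform
    "rfc5322_from": "example.com",
    "mail_from": "bounce.example.com",          # subdomain envelope: relaxed-aligns
    "spf_result": "pass",
    "dkim": [("example.com", "pass")],
}
FORWARDED = {  # a mailing list or forwarder re-sent it with its own envelope
    "rfc5322_from": "example.com",
    "mail_from": "lists.forwarder.example",
    "spf_result": "pass",                       # passes for the forwarder, not the brand
    "dkim": [("example.com", "pass")],          # the signature survives forwarding
}
SPF_ONLY_SAAS = {  # vendor never signs with the brand's DKIM key
    "rfc5322_from": "example.com",
    "mail_from": "bounces.saas-vendor.example",
    "spf_result": "pass",
    "dkim": [("saas-vendor.example", "pass")],  # signed, but with the vendor's own domain
}


def summarize(scenarios):
    """Map scenario name -> DMARC verdict."""
    return {name: dmarc_evaluate(m)["dmarc"] for name, m in scenarios.items()}


if __name__ == "__main__":
    cases = {"direct": DIRECT, "forwarded": FORWARDED, "spf_only_saas": SPF_ONLY_SAAS}
    for name, verdict in summarize(cases).items():
        print(f"{name:14s} DMARC {verdict}")
```

The SPF-only SaaS case is the "Missing DKIM" pitfall from later in the page: SPF passes and the vendor’s own DKIM signature validates, yet neither identifier belongs to the brand, so the message fails DMARC and will be quarantined or rejected once the policy is stepped up.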
Common pitfalls (and quick fixes)
- Endless “report-only”: p=none forever = permanent risk. Set dates to step up policy.
- SubdoMailing exposure: Unknown subdomain senders or risky includes. Remove or lock down.
- SPF lookup explosions: Vendor chains push you over 10. Use Dynamic SPF through Red Sift OnDMARC to overcome the limit.
- Missing DKIM: Some SaaS senders default to SPF only; enable DKIM so alignment survives forwarding.
- BIMI blocked by policy: BIMI won’t work without p=quarantine or p=reject. Fix your policy before you move on to implementing BIMI.
Your prioritized checklist
- Inventory senders: Use Red Sift Investigate (root + sending subdomains).
- Fix record errors: Resolve DMARC/SPF errors and missing DKIM before changing policy.
- Keep SPF lookups to ≤10: Remove poisoned or legacy includes.
- Enable DKIM: Everywhere; re-test alignment.
- Step policy up: none → quarantine → reject (with dates).
- Validate BIMI: Confirm policy, SVG, and VMC/CMC; retest.
Next steps
- Run the 3 checks now: Investigate, SPF Checker, BIMI Checker.
- Turn results into milestones: Assign owners and dates for each fix.
- Want help? Book a demo with Red Sift to accelerate enforcement and keep SPF within limits automatically.
Every week without enforcement is another week of spoofable mail and noisy incidents. Run the checks, set the dates, and move to p=reject with confidence.