Best vendors for DKIM and SPF management

Executive summary: This guide addresses the now-mandatory requirements for SPF and DKIM email authentication following enforcement actions by Google, Yahoo, and Microsoft in 2024-2025. It explains how these protocols work together with DMARC to protect domains from spoofing and ensure email deliverability, while highlighting common pitfalls like the SPF 10 DNS lookup limit and inadequate DKIM key rotation.

The guide positions Red Sift OnDMARC as a comprehensive solution that simplifies management through Dynamic SPF and integrated DKIM tracking, typically achieving full DMARC enforcement within 6-8 weeks.

Key takeaways:

• Email authentication is no longer optional: Google, Yahoo, and Microsoft now reject or quarantine emails from bulk senders that don't authenticate with SPF, DKIM, and DMARC. Non-compliance directly impacts deliverability and revenue.
• The SPF 10 lookup limit catches most organisations off guard: Using just 3-5 third-party email services can exceed this limit, causing random authentication failures. Dynamic SPF solutions eliminate this problem without the risks of manual flattening.
• DKIM keys need active management: 2048-bit keys are now the minimum standard, and M3AAWG recommends rotation every six months. Many organisations still run outdated 1024-bit keys from years ago, creating security vulnerabilities.
• Alignment is the missing piece: SPF and DKIM can both pass yet DMARC still fails if neither aligns with your visible "From" domain. This is why DKIM alignment matters most for bulk senders, as it survives forwarding better than SPF.

Getting SPF and DKIM right is no longer optional. With Google, Yahoo, and Microsoft now enforcing strict email authentication requirements for bulk senders, organizations that don't properly manage these protocols face deliverability failures, security vulnerabilities, and potential brand damage.

An estimated 3.4 billion phishing emails are sent every day [1]. Email remains the attack surface of choice for cybercriminals, with 94% of malware delivered through email attachments [2]. This is exactly why major inbox providers have drawn a line in the sand.

Since February 2024, Google and Yahoo have required bulk senders (those sending 5,000+ emails per day) to authenticate their emails with both SPF and DKIM, with at least one aligned for DMARC compliance [3]. Microsoft followed suit in May 2025, rejecting non-compliant emails outright [4]. These aren't suggestions. They're requirements.

This guide covers:

• How SPF and DKIM work together to authenticate your email
• The common pitfalls that break SPF and DKIM (and how to fix them)
• What to look for in an email authentication vendor
• Why DMARC ties everything together
• How Red Sift OnDMARC simplifies the entire process

Sender Policy Framework (SPF) is your domain's guest list for email sending. It's a DNS record that tells receiving servers which IP addresses are authorized to send email using your domain name [5].

When an email arrives, the receiving server checks the SPF record of the domain in the return-path address. If the sending IP matches one on the list, SPF passes. If not, it fails.

SPF has a critical limitation that trips up most organizations: the 10 DNS lookup limit [6]. Every include, a, mx, ptr, and redirect mechanism in your SPF record counts against this limit. When you exceed it, receiving servers return a "permerror" and your emails start failing authentication randomly.

Here's how quickly this adds up:

• Google Workspace: 4 DNS lookups
• Microsoft 365: 2-3 DNS lookups
• Marketing automation platforms: 3-7 DNS lookups each
• CRM email sending: 2-4 DNS lookups

Most mid-sized organizations use at least 3-5 tools sending email on their behalf. Add them all together, and you're well past 10 lookups before you know it.

• SPF flattening converts hostnames to IP addresses, which don't count against the lookup limit. The problem? Email service providers frequently update their IP addresses. When they do, your flattened record becomes outdated and authentication fails [7].
• SPF macros offer a more sophisticated solution by dynamically resolving lookups at query time. However, some legacy receiving infrastructure doesn't fully support macros, leading to inconsistent results [8].
• Subdomain delegation creates separate SPF records for different sending services by moving them to subdomains. This works, but it means your "From" address shows the subdomain rather than your primary domain.
• Dynamic SPF solutions like Red Sift's Dynamic SPF consolidate all authorized senders through a single include that resolves at query time. No manual DNS updates, no macro compatibility issues, and no subdomain complexity.

Following M3AAWG's email authentication recommendations [9]:

• Publish SPF records for all sending domains, including parked domains
• Use ~all (softfail) rather than -all (hardfail) to allow DMARC evaluation
• Audit SPF records quarterly to remove unused include mechanisms
• Keep track of all third-party services sending on your behalf
• Test changes in monitoring mode before enforcement

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to your outgoing emails [10]. This signature proves two things: the email actually came from your domain, and the content hasn't been tampered with in transit.

When you send an email, your mail server creates a unique signature using a private key. This signature is added to the email header. The receiving server retrieves your public key from DNS and uses it to verify the signature matches.

Key strength matters. 1024-bit keys were the standard for years, but they're no longer considered secure. 2048-bit RSA keys are now the minimum recommended length [11]. Some organizations are already moving to 4096-bit keys for additional security.

Key rotation is essential. DKIM keys should be rotated at least every six months according to M3AAWG guidelines [12]. High-risk senders like financial institutions should rotate monthly. Yet many organizations set up DKIM once and never touch it again. Security researchers have found organizations still using 1024-bit keys from 2015 [13].

Selector naming conventions help track which key is active. Using descriptive selectors like "jan2026" makes it easier to audit key rotation and identify which services are signing with which keys [14].

• Use 2048-bit keys as the minimum (migrate from 1024-bit immediately)
• Rotate keys at least every six months
• Maintain two active keys during rotation to prevent authentication gaps
• Sign all outbound emails, including transactional messages
• Align the DKIM signing domain with your "From" domain for DMARC
• Use distinct selectors for different sending services
• Document your key rotation schedule and selector naming conventions

SPF and DKIM are essential protocols, but they weren't designed to work together. Enter DMARC (Domain-based Message Authentication, Reporting, and Conformance).

DMARC requires that at least one of SPF or DKIM must pass AND align with the domain in the "From" header [15]. This is the critical distinction. You can have SPF and DKIM passing separately, but if neither aligns with your visible "From" domain, DMARC fails.

SPF alignment means the domain in the return-path (envelope sender) matches the domain in the "From" header. Many third-party services use their own return-path domain for bounce handling, breaking SPF alignment.

DKIM alignment means the domain in the DKIM signature (d= value) matches the "From" domain. DKIM alignment tends to be more reliable because it survives email forwarding, which often breaks SPF.

This is why Google, Yahoo, and Microsoft specifically require DKIM for bulk senders. SPF alone isn't enough to meet the new authentication standards.

DMARC policies progress through three levels:

• p=none: Monitor only. Receive reports but don't affect email delivery.
• p=quarantine: Send failing emails to spam/junk folders.
• p=reject: Block failing emails entirely.

Moving from monitoring to enforcement typically takes 4-8 weeks [16]. Organizations need this time to identify all legitimate senders, configure their SPF and DKIM properly, and resolve alignment issues before turning on enforcement.

Your vendor should solve the 10 DNS lookup limit without creating new problems. Solutions that rely on manual flattening break when IP addresses change. Solutions using macros may not work with all receiving infrastructure.

Red Sift OnDMARC's Dynamic SPF uses a single dynamic include that authenticates all approved senders at query time. No manual DNS updates, no macro compatibility concerns, and no random authentication failures.

Look for vendors that:

• Support 2048-bit keys (and ideally 4096-bit)
• Automate key rotation on a defined schedule
• Maintain multiple active keys during transitions
• Track selector usage across all sending services
• Alert you to weak or expiring keys

SPF and DKIM exist to serve DMARC enforcement. Your vendor should provide:

• Aggregate reports showing authentication pass/fail rates
• Forensic reports with granular failure details
• Clear visibility into which services are (and aren't) authenticating properly
• Actionable guidance on how to fix issues

Managing SPF, DKIM, and DMARC records requires frequent DNS changes. Vendors that let you manage all records from within their platform eliminate the need for separate DNS access and reduce configuration errors.

OnDMARC allows organizations to configure SPF, DKIM, DMARC, BIMI, and MTA-STS records from a single interface. One DNS change gets you started. Everything else happens in the platform.

Email authentication isn't just a technical checkbox. It directly impacts your organization's bottom line and security posture.

When SPF or DKIM fail, your emails may not reach their intended recipients. Marketing campaigns fall flat. Sales outreach goes unanswered. Customer communications end up in spam folders. The financial impact compounds quickly.

Consider the math: if your organization sends 50,000 emails per month and improper authentication causes a 10% deliverability drop, that's 5,000 emails not reaching inboxes. For sales or marketing teams, this translates directly to lost opportunities and revenue.

Wise, the international money transfer company, saw their email deliverability rate climb to 99% after implementing OnDMARC [20]. That improvement came from properly configuring SPF and DKIM across all their sending services.

Phishing attacks that spoof your domain damage more than your reputation. They erode customer trust, expose your organization to liability, and can facilitate business email compromise (BEC) attacks worth millions.

The FBI's Internet Crime Complaint Center recorded 21,442 BEC complaints in 2024, totaling $2.77 billion in losses [21]. Many of these attacks begin with domain spoofing that proper email authentication would prevent.

When your domain is protected with SPF, DKIM, and DMARC at enforcement, attackers can't send emails that appear to come from your organization. Their spoofed messages get rejected before they ever reach your customers, partners, or employees.

Government agencies and regulatory bodies increasingly mandate email authentication. NIST recommends DMARC implementation as part of federal cybersecurity guidelines. The UK's National Cyber Security Centre (NCSC) similarly advocates for DMARC adoption. The European Commission has published guidance on email authentication for member organizations.

For regulated industries like healthcare and finance, proper email authentication isn't optional. It's part of demonstrating due diligence in protecting sensitive communications.

OnDMARC takes a comprehensive approach to email authentication, handling SPF, DKIM, and DMARC as an integrated system rather than separate protocols.

• SPF management: Dynamic SPF eliminates the 10 lookup limit through a single dynamic include. All authorized senders authenticate through one mechanism that updates automatically. No macros means better compatibility with legacy receiving infrastructure [17].
• DKIM management: OnDMARC tracks DKIM keys across all sending services, alerts on weak or missing signatures, and provides guidance on proper key configuration. The platform integrates with major email service providers for streamlined DKIM setup.
• DMARC enforcement: Organizations using OnDMARC reach full DMARC enforcement (p=reject or p=quarantine) in an average of 6-8 weeks [18]. The platform continuously analyzes DMARC reports and surfaces prescriptive fixes.
• Beyond email authentication: OnDMARC includes DNS Guardian to monitor for subdomain takeovers and SubdoMailing attacks, plus integrated BIMI support with VMC provisioning for verified brand logos in inboxes.

Email service providers like SendGrid, and Amazon SES handle DKIM signing for the email they deliver. They don't manage your SPF records or provide DMARC reporting. You still need a way to manage authentication across all your sending services.

SPF flattening services like AutoSPF and SafeSPF solve the lookup limit but require you to outsource your SPF to a third-party's infrastructure. Service interruptions affect your email delivery directly.

DMARC-only platforms provide reporting but may not address the underlying SPF and DKIM configuration issues. You get visibility without the tools to fix problems.

Free tools from MxToolbox, URIports, and others help validate configurations but don't provide ongoing management, automation, or enforcement support.

Start by identifying every service that sends email using your domain. This includes:

• Corporate email (Microsoft 365, Google Workspace)
• Marketing automation platforms
• CRM systems with email capabilities
• Transactional email services
• HR and recruiting platforms
• Customer support systems
• Finance and accounting software

Audit your current SPF record for unused includes and DNS lookup count. Check whether DKIM is configured for each sending service.

Create a sending service inventory document that tracks:

• Service name and vendor
• Email volume and type (marketing, transactional, internal)
• Current SPF include mechanism
• DKIM selector and key length
• Alignment status (aligned with your From domain or not)

This inventory becomes your source of truth for authentication configuration.

Add or update DKIM keys for each sending service. Prioritize 2048-bit keys and document your selector naming convention.

For DKIM configuration with major platforms:

• Microsoft 365: Use CNAME records pointing to Microsoft's DKIM infrastructure. Microsoft supports automatic key rotation between two selectors.
• Google Workspace: Generate keys through the Admin console and publish TXT records in DNS. Consider custom selectors for easier management.
• Marketing platforms: Most require you to add CNAME or TXT records. Verify each platform supports DKIM alignment with your From domain.

Optimize your SPF record or implement Dynamic SPF to stay under the lookup limit while authorizing all legitimate senders.

Publish a DMARC record at p=none to start receiving aggregate reports without affecting email delivery. Set the rua tag to an email address you control (or your DMARC vendor's reporting address) to receive aggregate reports.

Review DMARC reports to identify:

• Legitimate senders that aren't authenticating properly
• Alignment failures (SPF/DKIM passing but not aligned)
• Unknown or unauthorized sending sources
• Volume patterns that indicate potential spoofing

Fix authentication issues for each service. This may require working with third-party vendors to configure custom DKIM signing or adjust return-path domains.

Common issues you'll encounter:

• Third-party services using their own domain for DKIM signing instead of yours
• Marketing platforms with return-path domains that break SPF alignment
• Legacy systems that don't support DKIM at all
• Shadow IT services sending email without IT team knowledge

Move from p=none to p=quarantine to test enforcement without blocking all failing emails. Monitor spam folder delivery rates.

Start with a low percentage using the pct tag (e.g., pct=10) to apply the policy to only a portion of failing emails. Gradually increase as you gain confidence.

Once you're confident all legitimate email is authenticating properly, move to p=reject for full protection.

After reaching enforcement, continue monitoring. New sending services, configuration changes, and third-party platform updates can break authentication. Ongoing vigilance prevents deliverability issues from surprising you.

• Symptoms: SPF passes for some recipients but fails for others. DMARC reports show inconsistent SPF results.
• Likely cause: You've exceeded the 10 DNS lookup limit. Receiving servers that evaluate your full SPF record before hitting the limit see a pass. Servers that hit the limit first return permerror.
• Solution: Audit your SPF record for unnecessary includes. Remove mechanisms for services you no longer use. Implement Dynamic SPF or subdomain delegation to stay under the limit.

• Symptoms: After migrating email platforms (e.g., from one marketing automation tool to another), DKIM starts failing.
• Likely cause: The old DKIM keys are still in DNS but the new platform uses different selectors. Or the new platform isn't configured to sign with your domain at all.
• Solution: Generate new DKIM keys for the new platform. Publish them in DNS using the platform's specified selector. Verify the platform is signing with your domain's d= value, not theirs. Remove old keys after confirming the new configuration works.

• Symptoms: DMARC reports show SPF and DKIM both passing, but DMARC still fails.
• Likely cause: Neither SPF nor DKIM is aligned with your From domain. The service is authenticating, but not in a way that helps DMARC.
• Solution: Check the return-path domain (for SPF alignment) and the d= value in DKIM signatures (for DKIM alignment). Work with the sending service to configure custom domains that match your From address.

• Symptoms: DKIM verification fails with "invalid signature" errors. The key is published correctly in DNS.
• Likely cause: The email content was modified in transit. Mailing lists that add footers, email security gateways that rewrite URLs, or forwarding services can break DKIM signatures.
• Solution: This is often outside your control. Ensure you have SPF alignment as a fallback. Consider implementing ARC (Authenticated Received Chain) if you're the organization modifying emails in transit.

SPF and DKIM management has shifted from a nice-to-have to a requirement. Google, Yahoo, and Microsoft now enforce strict authentication standards, and non-compliant emails face rejection rather than mere deliverability penalties.

The challenges are real: SPF's 10 lookup limit creates constant maintenance overhead, DKIM key rotation requires careful coordination, and aligning everything for DMARC adds another layer of complexity.

But the solution doesn't have to be complicated. Platforms like Red Sift OnDMARC consolidate SPF, DKIM, and DMARC management into a single interface, automate the tedious parts, and provide clear guidance on reaching full enforcement.

The organizations that get this right protect their domains from spoofing, improve their email deliverability, and stay ahead of increasingly strict inbox provider requirements. Those that don't will find their emails landing in spam folders, or not landing at all.

[1] SalesHive. "DKIM, DMARC, SPF: Best Practices for Email Security and Deliverability in 2025." https://saleshive.com/blog/dkim-dmarc-spf-best-practices-email-security-deliverability/ 

[2] Verizon. "2024 Data Breach Investigations Report." https://www.verizon.com/business/resources/reports/dbir/ 

[3] Yahoo. "Sender Best Practices." https://senders.yahooinc.com/best-practices/ 

[4] Microsoft. "Strengthening Email Ecosystem: Outlook's New Requirements for High-Volume Senders." https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/strengthening-email-ecosystem-outlook's-new-requirements-for-high‐volume-senders/4399730 

[5] IETF. "RFC 7208: Sender Policy Framework." https://datatracker.ietf.org/doc/html/rfc7208 

[6] Mailhardener. "The SPF Lookup Limit Explained." https://www.mailhardener.com/blog/spf-lookup-limit-explained 

[7] URIports. "SPF Macros: Overcoming the 10 DNS Lookup Limit." https://www.uriports.com/blog/spf-macros-max-10-dns-lookups/ 

[8] Mailhardener. "Do Not Flatten Your SPF Record." https://www.mailhardener.com/blog/do-not-flatten-spf 

[9] M3AAWG. "Email Authentication Recommended Best Practices." https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf 

[10] IETF. "RFC 6376: DomainKeys Identified Mail Signatures." https://datatracker.ietf.org/doc/html/rfc6376 

[11] Twilio SendGrid. "2048 Bit DKIM Keys: Length and Best Practices." https://www.twilio.com/en-us/blog/insights/2048-bit-dkim-keys 

[12] M3AAWG. "DKIM Key Rotation Best Common Practices." https://www.m3aawg.org/DKIMKeyRotation 

[13] Suped. "How Often Should You Rotate Your DKIM Keys and What Key Length is Best." https://www.suped.com/knowledge/email-authentication/dmarc/how-often-should-you-rotate-your-dkim-keys-and-what-key-length-is-best 

[14] Mailgun. "How Can I Rotate My DKIM Key?" https://help.mailgun.com/hc/en-us/articles/16956951504539-How-can-I-rotate-my-DKIM-key 

[15] IETF. "RFC 7489: Domain-based Message Authentication, Reporting, and Conformance." https://datatracker.ietf.org/doc/html/rfc7489 

[16] Red Sift. "OnDMARC." https://redsift.com/pulse-platform/ondmarc 

[17] Red Sift. "SPF, DKIM & DMARC: Essential Email Protocols Explained." https://redsift.com/guides/email-protocol-configuration-guide/all-you-need-to-know-about-spf-dkim-and-dmarc 

[18] Cisco. "Cisco Secure Email + Red Sift Domain Protection." https://docs.ces.cisco.com/docs/red-sift-cisco-secure-email 

[19] URIports. "SPF, DKIM, and DMARC Best Practices." https://www.uriports.com/blog/spf-dkim-dmarc-best-practices/ 

[20] Red Sift. "OnDMARC Customer Success." https://redsift.com/customers/customer-success 

[21] Bright Defense. "200+ Phishing Statistics for 2026." https://www.brightdefense.com/resources/phishing-statistics/