10 Email Authentication Mistakes That Kill Deliverability

Common email authentication mistakes that damage deliverability. Learn how to avoid SPF, DKIM, and DMARC configuration errors that send your emails to spam.

Email Authentication

Email authentication is straightforward in concept — SPF, DKIM, and DMARC tell receiving servers your emails are legitimate. But the implementation is where things go wrong. Small misconfigurations cause silent failures that erode deliverability over weeks or months.

Here are the 10 most common authentication mistakes and how to avoid them.

1. Multiple SPF Records

A domain can have only one SPF TXT record. Adding a second one (instead of merging) causes unpredictable failures — some servers pick one record, some pick the other, and some return a permanent error.

How it happens: Someone adds a new email service and creates a new SPF record instead of updating the existing one.

Fix: Merge all includes into a single record:

v=spf1 include:_spf.google.com include:sendgrid.net include:spf.brevo.com ~all

Check your domain — our checker flags multiple SPF records.

2. Exceeding the 10-Lookup Limit

SPF allows a maximum of 10 DNS lookups. Each include:, a:, mx:, and redirect= mechanism counts — and nested includes add up fast. Exceeding the limit causes SPF to return permerror, which most servers treat as a fail.

How it happens: You add service after service without tracking lookup counts.

Fix: Remove unused includes, use ip4: for static senders, or split email across subdomains.

3. Missing DKIM After ESP Changes

When you switch ESPs or when your ESP rotates DKIM keys, the old DKIM DNS record becomes invalid. New emails are signed with a key that receivers can't verify because the DNS record points to the old key.

How it happens: ESP rotates keys but you don't update DNS. Or you migrate ESPs but keep old DKIM records.

Fix: After any ESP change, verify DKIM by sending a test email and checking headers. Update DNS records to match your current ESP's requirements.

4. DMARC Without Alignment

Having a DMARC record doesn't help if neither SPF nor DKIM aligns with your From domain. DMARC requires alignment — the domain authenticated by SPF or DKIM must match the domain in the From header.

How it happens: Your ESP uses its own envelope sender domain (breaking SPF alignment) and you haven't set up DKIM for your domain (so DKIM alignment also fails).

Fix: Ensure at least one of SPF or DKIM aligns. DKIM alignment is usually more reliable because it's explicit — configure DKIM signing for your exact From domain.

Check your authentication

Run a free deliverability check to verify SPF, DKIM, and DMARC are all passing and properly aligned.

5. Setting DMARC to p=reject Too Early

Moving to p=reject before confirming all legitimate senders pass authentication means you're rejecting your own email. Sales emails, support tool notifications, CRM messages — anything not properly authenticated gets blocked.

How it happens: You want strong protection and skip the monitoring phase.

Fix: Start at p=none to collect DMARC reports. Verify every sending source passes authentication. Move to p=quarantine with pct=10 and increase gradually. Only move to p=reject when you're confident all legitimate email is authenticated.

6. Forgetting Third-Party Senders

Your marketing platform might be authenticated, but what about your CRM? Support ticketing system? Accounting software that sends invoices? Event platform that sends confirmations?

How it happens: Someone on a different team starts using a new tool that sends email from your domain. Nobody tells IT to update SPF.

Fix: Audit all email senders periodically. Check DMARC aggregate reports for unknown sources. Maintain a list of every service authorized to send email from your domain.

7. Using the Wrong SPF Mechanism

Using ~all (softfail) when you mean -all (hardfail) — or vice versa — affects how unauthenticated email is treated.

MechanismMeaningWhen to Use
~allSoftfail — accept but mark suspiciousWhile setting up and testing. Safer default
-allHardfail — reject unauthorized emailWhen you're confident all senders are listed
?allNeutral — no opinionAlmost never — provides no protection
+allPass everything — anyone can send as youNever — this disables SPF entirely

Fix: Use ~all while you're still adding senders. Move to -all once your SPF record is complete and stable.

8. Not Monitoring After Setup

Authentication is not set-and-forget. DNS records change during migrations. ESPs update their infrastructure. Team members add new sending services. Any of these can break authentication silently.

How it happens: You set up SPF, DKIM, and DMARC, confirm they work, and never check again.

Fix: Check authentication regularly — at minimum monthly, ideally with automated monitoring that alerts you when records change or checks fail.

9. DKIM Key Too Short

DKIM keys shorter than 1,024 bits are considered weak. Google recommends 2,048-bit keys. Some older ESP configurations still use 512-bit or 768-bit keys.

How it happens: Your DKIM setup is from years ago when shorter keys were acceptable.

Fix: Check your DKIM key length — our free checker shows this. If it's under 2,048 bits, generate a new key pair through your ESP and update the DNS record.

10. DNS Record Formatting Errors

DNS TXT records have specific formatting requirements. Common errors:

  • Extra spaces in SPF records that break parsing
  • Missing quotes around TXT record values (depends on DNS provider)
  • Truncated DKIM keys where the full value wasn't pasted
  • Line breaks in DKIM records where the provider doesn't support them
  • Wrong record type — adding SPF as a CNAME instead of TXT

Fix: After any DNS change, verify the record resolves correctly using a DNS lookup tool and then test with a real email send.

How to Verify Your Authentication

Run these checks regularly:

  1. Automated check — Use our free deliverability checker to verify SPF, DKIM, and DMARC in one scan
  2. Send a test email — Send to a Gmail account and check "Show original" for pass/fail results
  3. Review DMARC reports — If you have rua configured, check reports for authentication failures from any source
  4. Test after changes — Every time you change DNS, switch ESPs, or add a new sending service, re-verify everything