10 Email Authentication Mistakes That Kill Deliverability
Common email authentication mistakes that damage deliverability. Learn how to avoid SPF, DKIM, and DMARC configuration errors that send your emails to spam.
Email authentication is straightforward in concept — SPF, DKIM, and DMARC tell receiving servers your emails are legitimate. But the implementation is where things go wrong. Small misconfigurations cause silent failures that erode deliverability over weeks or months.
Here are the 10 most common authentication mistakes and how to avoid them.
1. Multiple SPF Records
A domain can have only one SPF TXT record. Adding a second one (instead of merging) causes unpredictable failures — some servers pick one record, some pick the other, and some return a permanent error.
How it happens: Someone adds a new email service and creates a new SPF record instead of updating the existing one.
Fix: Merge all includes into a single record:
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.brevo.com ~all
Check your domain — our checker flags multiple SPF records.
2. Exceeding the 10-Lookup Limit
SPF allows a maximum of 10 DNS lookups. Each include:, a:, mx:, and redirect= mechanism counts — and nested includes add up fast. Exceeding the limit causes SPF to return permerror, which most servers treat as a fail.
How it happens: You add service after service without tracking lookup counts.
Fix: Remove unused includes, use ip4: for static senders, or split email across subdomains.
3. Missing DKIM After ESP Changes
When you switch ESPs or when your ESP rotates DKIM keys, the old DKIM DNS record becomes invalid. New emails are signed with a key that receivers can't verify because the DNS record points to the old key.
How it happens: ESP rotates keys but you don't update DNS. Or you migrate ESPs but keep old DKIM records.
Fix: After any ESP change, verify DKIM by sending a test email and checking headers. Update DNS records to match your current ESP's requirements.
4. DMARC Without Alignment
Having a DMARC record doesn't help if neither SPF nor DKIM aligns with your From domain. DMARC requires alignment — the domain authenticated by SPF or DKIM must match the domain in the From header.
How it happens: Your ESP uses its own envelope sender domain (breaking SPF alignment) and you haven't set up DKIM for your domain (so DKIM alignment also fails).
Fix: Ensure at least one of SPF or DKIM aligns. DKIM alignment is usually more reliable because it's explicit — configure DKIM signing for your exact From domain.
Check your authentication
Run a free deliverability check to verify SPF, DKIM, and DMARC are all passing and properly aligned.
5. Setting DMARC to p=reject Too Early
Moving to p=reject before confirming all legitimate senders pass authentication means you're rejecting your own email. Sales emails, support tool notifications, CRM messages — anything not properly authenticated gets blocked.
How it happens: You want strong protection and skip the monitoring phase.
Fix: Start at p=none to collect DMARC reports. Verify every sending source passes authentication. Move to p=quarantine with pct=10 and increase gradually. Only move to p=reject when you're confident all legitimate email is authenticated.
6. Forgetting Third-Party Senders
Your marketing platform might be authenticated, but what about your CRM? Support ticketing system? Accounting software that sends invoices? Event platform that sends confirmations?
How it happens: Someone on a different team starts using a new tool that sends email from your domain. Nobody tells IT to update SPF.
Fix: Audit all email senders periodically. Check DMARC aggregate reports for unknown sources. Maintain a list of every service authorized to send email from your domain.
7. Using the Wrong SPF Mechanism
Using ~all (softfail) when you mean -all (hardfail) — or vice versa — affects how unauthenticated email is treated.
| Mechanism | Meaning | When to Use |
|---|---|---|
| ~all | Softfail — accept but mark suspicious | While setting up and testing. Safer default |
| -all | Hardfail — reject unauthorized email | When you're confident all senders are listed |
| ?all | Neutral — no opinion | Almost never — provides no protection |
| +all | Pass everything — anyone can send as you | Never — this disables SPF entirely |
Fix: Use ~all while you're still adding senders. Move to -all once your SPF record is complete and stable.
8. Not Monitoring After Setup
Authentication is not set-and-forget. DNS records change during migrations. ESPs update their infrastructure. Team members add new sending services. Any of these can break authentication silently.
How it happens: You set up SPF, DKIM, and DMARC, confirm they work, and never check again.
Fix: Check authentication regularly — at minimum monthly, ideally with automated monitoring that alerts you when records change or checks fail.
9. DKIM Key Too Short
DKIM keys shorter than 1,024 bits are considered weak. Google recommends 2,048-bit keys. Some older ESP configurations still use 512-bit or 768-bit keys.
How it happens: Your DKIM setup is from years ago when shorter keys were acceptable.
Fix: Check your DKIM key length — our free checker shows this. If it's under 2,048 bits, generate a new key pair through your ESP and update the DNS record.
10. DNS Record Formatting Errors
DNS TXT records have specific formatting requirements. Common errors:
- Extra spaces in SPF records that break parsing
- Missing quotes around TXT record values (depends on DNS provider)
- Truncated DKIM keys where the full value wasn't pasted
- Line breaks in DKIM records where the provider doesn't support them
- Wrong record type — adding SPF as a CNAME instead of TXT
Fix: After any DNS change, verify the record resolves correctly using a DNS lookup tool and then test with a real email send.
How to Verify Your Authentication
Run these checks regularly:
- Automated check — Use our free deliverability checker to verify SPF, DKIM, and DMARC in one scan
- Send a test email — Send to a Gmail account and check "Show original" for pass/fail results
- Review DMARC reports — If you have
ruaconfigured, check reports for authentication failures from any source - Test after changes — Every time you change DNS, switch ESPs, or add a new sending service, re-verify everything