Email Authentication Monitoring (SPF, DKIM, DMARC)
Last updated: 2026-04-14
Email authentication helps prevent spam and phishing by proving your emails are really from you. Our monitoring tool checks that your SPF, DKIM, and DMARC records are set up correctly.
What Are SPF, DKIM, and DMARC?
These are email security standards that work together:
| Standard | Purpose |
|---|---|
| SPF | Lists which servers can send email for your domain |
| DKIM | Adds a digital signature to prove emails aren’t altered |
| DMARC | Tells receivers what to do with failed SPF/DKIM checks |
Together, they protect your domain from being used to send spam.
Why Monitor Email Authentication?
| Problem | Impact |
|---|---|
| Missing records | Emails may be marked as spam |
| Incorrect configuration | Legitimate emails get rejected |
| Changes break things | DNS updates can cause issues |
| Security gaps | Attackers can spoof your domain |
Monitoring catches problems before they affect your email delivery.
Setting Up Email Auth Monitoring
- Go to Tools in the left menu
- Click Email Auth (or DKIM/SPF)
- Click Add Domain
- Enter your domain name
- Click Save
We’ll check your DNS records and verify configuration.
What We Check
SPF Check
- Is there an SPF record?
- Is it syntactically correct?
- Does it include all your mail servers?
- Are there any errors or warnings?
DKIM Check
- Is DKIM properly configured?
- Is the public key valid?
- Are the selectors correct?
DMARC Check
- Is there a DMARC policy?
- What’s the policy (none, quarantine, reject)?
- Is reporting configured?
Understanding Results
| Status | Meaning | Action |
|---|---|---|
| Pass | Records are correct | No action needed |
| Warning | Minor issues | Review and fix when possible |
| Fail | Serious problems | Fix immediately |
| Missing | No record found | Add the required record |
Retry Behaviour
DNS propagation and resolver hiccups can cause transient lookup failures that are not real problems with your configuration. To avoid false-positive alerts, email auth monitors use an automatic retry mechanism:
- When a check detects an issue (error or warning), the result is recorded but no alert is sent yet.
- The monitor is re-checked after 5 minutes (rather than the normal schedule).
- This retries up to 3 times in a row.
- Only if the issue is still present after all retries does an alert go out and the monitor return to its normal check interval.
If the issue clears on any retry, no alert is ever sent and the monitor resumes its normal schedule.
This means an alert for an email auth monitor represents a persistent, confirmed problem — not a one-off DNS hiccup.
For where those confirmed alerts are sent, see Notification Channels.
Common Issues and Fixes
No SPF Record
Add a TXT record to your DNS:
v=spf1 include:_spf.yourprovider.com ~all
Replace with your email provider’s SPF include.
SPF Too Long
If you have too many DNS lookups (max 10):
- Consolidate includes
- Use IP addresses directly
- Consider SPF flattening
No DMARC Record
Add a TXT record named _dmarc:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Start with p=none to monitor, then move to quarantine or reject.
DKIM Not Signing
- Check your email provider’s DKIM setup
- Verify the CNAME or TXT records are correct
- Make sure DKIM is enabled in your email settings
Best Practices
| Recommendation | Why |
|---|---|
Start with DMARC p=none | Monitor before enforcing |
| Enable DMARC reporting | See who’s sending as your domain |
| Review regularly | Email infrastructure changes |
| Test after DNS changes | Verify nothing broke |