The State of Email Authentication Technologies
Email security is crucial in 2025, yet most domains lack protection. Florian Vierke of Mapp Digital explains why SPF, DKIM, and DMARC matter – and what needs to change to close the gap.

Why SPF, DKIM, and DMARC matter more than ever in 2025
Email authentication is no longer a niche concern. Today, it plays a critical role in ensuring the successful delivery of emails. Major mailbox providers such as Google, Microsoft, and Yahoo aim to verify that incoming messages truly originate from the sender they claim. To achieve this, several technical methods are available: SPF, DKIM, and DMARC.
SPF (Sender Policy Framework) allows a domain owner to define in the DNS which IP addresses are authorized to send email on behalf of their domain. DKIM (DomainKeys Identified Mail) adds a digital signature to each email, which the recipient can verify using a public key published in the domain’s DNS. Only the domain owner or an authorized provider can place this key in the DNS, ensuring that only trusted sources can send authenticated messages using the domain.
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties these mechanisms together. It requires that at least one of SPF or DKIM passes and that the domain authenticated by that mechanism aligns with the visible “From” address. Additionally, DMARC enables reporting, providing domain owners with insights into which messages were properly authenticated and where problems occurred.
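The alignment rule described above, as an added example that is not part of the original article: a sketch of how a receiver combines SPF and DKIM results into a DMARC verdict. The names `AuthResults`, `dmarc_evaluate` and the sample domains are hypothetical, one DKIM signature per message is assumed, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels. Real
    # receivers use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:              # what a receiver knows after SPF/DKIM checks
    header_from: str            # domain in the visible From header
    spf_result: str             # "pass", "fail", "none", ...
    spf_domain: str             # envelope sender (MAIL FROM) domain
    dkim_result: str
    dkim_domain: str            # d= domain of the DKIM signature

def dmarc_evaluate(m: AuthResults, policy: str = "none",
                   aspf: str = "r", adkim: str = "r") -> dict:
    # A mechanism only counts if it passed AND its domain aligns with From.
    spf_ok = m.spf_result == "pass" and aligned(m.spf_domain, m.header_from, aspf == "s")
    dkim_ok = m.dkim_result == "pass" and aligned(m.dkim_domain, m.header_from, adkim == "s")
    passed = spf_ok or dkim_ok
    # The published policy is a request to the receiver and only applies on failure.
    requested = "deliver" if passed else {"none": "deliver", "quarantine": "quarantine",
                                           "reject": "reject"}[policy]
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "requested_handling": requested}

# Constructed samples.
# Mail sent through a provider: SPF passes for the provider's bounce domain
# (not aligned), DKIM is signed with the owner's domain (aligned).
VIA_PROVIDER = AuthResults("shop.example.com", "pass", "bounce.esp.example",
                           "pass", "example.com")
# SPF passes, but for an unrelated domain; there is no DKIM signature.
UNALIGNED = AuthResults("example.com", "pass", "unrelated.example.net", "none", "")

if __name__ == "__main__":
    print(dmarc_evaluate(VIA_PROVIDER, policy="reject"))
    print(dmarc_evaluate(UNALIGNED, policy="none"))
    print(dmarc_evaluate(UNALIGNED, policy="reject"))
```

The second sample fails DMARC under every policy, but only “quarantine” or “reject” asks the receiver to act on that failure.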
Current landscape: Few domains, limited protection
How widespread are these technologies today? A recent study by sys4 AG analyzed domains in the .de zone. The result: only 13.8% of these domains have a valid DMARC record. Of these, only about 10% use a protective policy such as “quarantine” or “reject.” The vast majority remain vulnerable.
However, this number doesn’t tell the whole story. When looking at email volume, a significantly higher proportion of traffic is authenticated. This is because a large share of email is sent through a relatively small number of well-managed domains. Most of these belong to professional email service providers that have correctly implemented SPF, DKIM, and DMARC. For them, authentication has become standard. Google, Yahoo, and Microsoft require it for senders who send more than 5,000 emails per day.
The real challenge: Small, low-volume domains
The real challenge lies with the many domains that send emails only occasionally or in low volumes. These domains often lack proper authentication. Reasons include lack of awareness, limited resources, or simply the absence of a clear benefit. Many of these domains are hosted by low-cost providers that are neither financially equipped nor technically staffed to educate customers or offer comprehensive authentication support.
This results in a fundamental dilemma. Without real incentives or external pressure, there’s little motivation to change. Providers cannot simply block unauthenticated email across the board without impacting legitimate senders. As a result, the security gap remains.
What comes next?
Germany’s Federal Office for Information Security (BSI) has declared 2025 the “Year of Email Security.” Its goal is to encourage wider adoption of SPF, DKIM, and DMARC through education, cooperation, and industry-wide initiatives. Whether this effort alone will bring about meaningful change remains uncertain.
Real progress is likely only if concrete incentives or regulatory pressure are introduced. Possible approaches include improved deliverability for authenticated messages, financial support for hosting providers, or stricter filtering policies from major mailbox providers. As of now, Google, Yahoo, and Microsoft require only a DMARC record with a “none” policy. This does not provide any real security benefit.
As a result, many organizations set up DMARC but do not analyze the reports and don’t understand how to make use of the data. Genuine change will likely occur only once authentication becomes mandatory – either through market forces or regulatory requirements. A realistic timeframe for this shift could be within the next two to three years. Until then, progress is expected to remain slow.
What can organizations do today?
The key question is: how can domain owners or IT decision-makers take action now?
The first step is to determine whether SPF, DKIM, and DMARC are already implemented. There are free online tools that help with this. One of the most accessible options is the service aboutmy.email. You simply send a test email to the provided address, and you receive a structured report showing which authentication mechanisms are in place and which are missing.
Next, it’s important to contact your technical point of contact – whether that’s your hosting provider or your internal IT department. Ask them to check or implement SPF, DKIM, and a DMARC record. A simple way to start is by setting up a DMARC policy of “none.” This allows reporting without blocking any unauthenticated messages and gives you visibility into who is sending mail on behalf of your domain and whether it’s properly authenticated.
It’s important that someone takes responsibility for reviewing these DMARC reports – ideally once per week. This is the only way to identify weaknesses and resolve them sustainably. If this process cannot be handled in-house, it’s advisable to engage a specialized service provider. That way, even without deep technical knowledge, organizations can implement and maintain effective email authentication.
Florian has been working in the email deliverability space for the past 15 years. He is responsible for Mapp’s global deliverability services and is an active member of various related associations, including the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), the Certified Senders Alliance (CSA), the German Direct Marketing Association (DDV), The Competence Group (TCG), and Signal Spam, to name a few. With a background in computer science, Florian is currently focusing on evangelizing one of his favorite topics: data security and authentication.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.