Chapter 2
Email authentication in 2025
Email authentication is a powerful defense in the fight to save email from the bad guys. Do our survey results indicate enough senders use SPF, DKIM, and DMARC to keep inboxes safe from scammers?
Share to
State of email deliverability 2025
The year of Yahoogle
Email authentication in 2025
Key findings on email authentication practices
Email authentication basics
SPF and DKIM usage
DMARC adoption
BIMI implementation
Why email authentication is worth the effort
Understanding inbox placement
Email list building and hygiene
Email sender reputation
How to improve email deliverability
About this survey
PUBLISHED ON
While generative artificial intelligence (gen AI) offers plenty of promise for the future, it’s also making it hard to tell what’s real and what’s not – especially in the wrong hands. While email senders use AI to improve efficiency and brainstorm marketing ideas, scammers and spammers found their own nefarious uses for it.
Phishing has been a major concern for years. Now, with generative AI tools, bad actors can quickly create deceptive emails to look as if they came from any brand. They can also use large language models (LLMs) to personalize scams for more convincing social engineering.
Email authentication protocols help mailbox providers identify you as a legitimate sender. It proves you are who you say you are, that your messages can be trusted, and they should be delivered to the inbox. But are enough senders using email authentication?
Table of contents
DKIM key rotation
DMARC policies
DMARC requirements today and tomorrow
Why do senders pursue a BIMI logo?
Deliverability Services: Get expert guidance
Key findings on email authentication practices
%
of senders know they are using both SPF and DKIM for email authentication.
+%
increase in senders who know they are using DMARC compared to our 2023 survey.
%
of those sending 100k+ emails per month know they are using DMARC for email authentication (20% are unsure).
%
of senders who use DMARC know they are enforcing it with a policy of Reject or Quarantine.
Email authentication basics
Authentication is one of the more technical aspects of email deliverability. It involves DNS records that receiving mail servers are required to reference before messages get delivered.
As a quick review, these are the DNS TXT records connected to email authentication and the basics of what they do:
Sender Policy Framework: SPF specifies which IP addresses are authorized to send emails on behalf of a domain. It helps verify that a valid source sent the email. DomainKeys Identified Mail: DKIM uses a cryptographic digital signature, which allows receiving mail servers to verify the email came from the domain it claims to be from. Domain-based Message Authentication, Reporting and Conformance: DMARC builds on SPF and DKIM by providing a way for domain owners to specify how receiving mail servers should handle authentication failures. Brand Indicators for Message Identification: BIMI builds on DMARC and allows brands to display a verified logo next to emails in the recipient’s inbox when DMARC is enforced.
Bulk senders need to use SPF, DKIM, and DMARC if they want to achieve inbox placement with major mailbox providers. However, every sender can benefit from using all three of these methods – and BIMI is like the icing on the cake.
SPF and DKIM usage
The SPF and DKIM protocols are essential to email authentication. While low-volume senders may be able to reach the email inbox with just one of the two, using both is highly encouraged. Bulk senders must use SPF and DKIM to comply with Gmail and Yahoo’s 2024 requirements.
Nearly two-thirds of all senders (66.2%) say they do use both SPF and DKIM for email authentication. 25.7% of respondents were unsure about how their organizations used DKIM and SPF. Less than 9% said they were only using one or the other.
Does your organization use SPF and/or DKIM for email authentication?
When we filter these results based on send volumes, more than 75% of respondents sending over 50,000 emails per month are confident they use both protocols. The highest degree of uncertainty around SPF and DKIM came from the low-volume senders with fewer than 50,000 emails per month.
For those who are unsure about SPF and DKIM authentication, it’s likely they are using at least one of them. Most email service providers (ESPs) require that these protocols are configured before any emails are sent. In some cases, an ESP may use its own SPF and DKIM records on behalf of smaller senders on shared IPs.
DKIM key rotation
The DKIM protocol involves a pair of keys, one public and one private, which are used to authenticate a sending domain. The private key contains the encrypted digital signature and is sent along with email messages. The public key lives on the DNS and is matched with the private key to verify the message’s authenticity.
DKIM keys need to be changed periodically. This is a practice known as DKIM key rotation. It's necessary because these keys can be compromised, which opens the door for bad actors to do some real damage.
DKIM key rotation is a lot like changing your personal account passwords to keep them secure. Unfortunately, senders don’t seem to be in the habit of rotating DKIM keys.
47.7% of senders who use DKIM admit they’ll only rotate keys after a security issue. By then, it may be too late. Another 40% of the senders in our survey say they are unsure about DKIM key rotation practices.
Approximately how often do you rotate DKIM keys?
Only a combined 12% of senders say they have an approximate timeframe for rotating DKIM keys. The other 88% could be putting their customers and subscribers as well as their brand’s reputation at risk.
If someone steals your DKIM keys, they don’t even need to use spoofing. They are literally able to sign emails as if they were sent from your domain.
It’s considered best practice to rotate DKIM keys every 6 to 12 months at minimum. If your DKIM keys are leaked or a bad actor manages to decipher them, change keys as soon as possible. Visit the Sinch Mailgun help center to learn how to update or rotate your DKIM keys.
Email security feature
Get automatic DKIM key rotation
Here’s one less thing to worry about. Sinch Mailgun users enjoy extra security and peace of mind with a new feature that automates DKIM key rotation. If you use Mailgun Send, you can choose to have 2048-bit DKIM keys updated every 120 days. Manually rotate your keys whenever it’s needed.
DMARC adoption
It’s fair to say the most important aspect of Google and Yahoo’s new rules for bulk senders is the DMARC requirement. DMARC offers a way to harness the power of both SPF and DKIM for strong email authentication.
Our survey results show an uptick in DMARC adoption compared to the results we published in State of email deliverability 2023. In 2024, 53.8% of senders told us they were using DMARC. That represents an 11% increase from the 42.6% who’d implemented DMARC in 2023.
Senders using DMARC for email authentication: 2023 vs 2024
As you might expect, due to the Google DMARC requirement, the increase appears even stronger among bulk senders. While around 56% of the highest volume senders had set up DMARC in 2023, approximately 70% or more of them had done so in 2024.
Senders using DMARC in 2024: Monthly volume comparison
DMARC policies
When setting up DMARC, senders must choose a specific policy that informs receiving mail servers how to handle messages that fail SPF or DKIM. Here’s how each of the three policies work:
None (
p=none
): This DMARC policy tells receiving mails servers not to do anything if a message fails authentication.Quarantine (
p=quarantine
): This DMARC policy tells receiving mails servers that authentication failures should be filtered into spam.Reject (
p=reject
): This DMARC policy is the strongest. It tells receiving mails servers that authentication failures should not be delivered at all.
The Yahoo and Google DMARC requirement only dictated that senders use a policy of p=none. That’s because, at this point, the mailbox providers are trying to get senders to take the first step towards enforcement.
The p=none policy was the most common policy senders used in 2023, and it remained that way in our latest survey. 31.8% of senders who use DMARC have their policy set to None, 19.3% are using Quarantine, and 17.7% have a policy set to Reject.
What is your current DMARC policy?
In 2023, around 23% of senders had DMARC policies set to None. But the most noticeable change was a decrease in senders who are uncertain about what policy is used. While 31.3% of senders in this year’s survey are unsure of their DMARC policy, that dropped from more than 40% in 2023.
DMARC policy implementation: 2023 vs 2024
This result suggests the new sender requirements not only encouraged DMARC adoption, but it also increased awareness around the standard and its specific policies.
DMARC requirements today and tomorrow
There’s a problem with using the p=none DMARC policy. It doesn’t exactly do much to improve your authentication. Messages that fail DKIM or SPF may still be delivered to email inboxes. Technically, you aren’t enforcing DMARC until you implement a policy of p=quarantine or p=reject.
The p=none policy is meant to be used to test DMARC during setup. Eventually, senders are supposed to change the policy. So, is that what senders in our survey plan to do?
Results show a combined 25.5% of senders using p=none plan to update the policy within the next year. However, 61% will only do so if they are required and 13% don’t plan to update because they meet the current DMARC requirements.
Will sender using p=none implement a stricter DMARC policy in the next year?
Senders who plan to wait until DMARC enforcement is required may not be waiting long. Representatives from Gmail and Yahoo told us they’ll eventually call for a stronger policy. Senders who’ve taken steps to enforce DMARC are ahead of the game – and they’re doing the right thing.
“The end goal is ideally a policy of p=reject. That's what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse.”
Marcel Becker
Sr. Director of Product Management at Yahoo
BIMI implementation
If you need another reason to choose a stronger DMARC policy, maybe BIMI will do the trick. This specification lets senders display a verified logo next to their emails. To be eligible for a BIMI logo, however, you need to be enforcing DMARC with a policy of Reject or Quarantine.
Gmail, Apple Mail, and Yahoo Maill all support BIMI, but Outlook currently does not. Here’s how a BIMI logo might look in the inbox:
So, how popular is BIMI? The website BIMI Radar tracks more than 72-million domains for what it calls “BIMI-readiness." As of this writing, the site indicates only 3.8% of those domains would be eligible for a BIMI logo. That means the vast majority aren’t using DMARC or don’t have a strong enough policy.
Our latest survey asked email senders if they’d already implemented BIMI. Results show 5.7% of respondents use BIMI while another 11.4% are working to implement the specification. Still, nearly 60% of senders are not using BIMI.
Have you set up BIMI for a verified inbox logo?
BIMI does not directly impact deliverability or do anything to authenticate your emails. Nonetheless, it gets associated with authentication because only senders who’ve put in the effort around DMARC can display a verified inbox logo. As you can imagine, this has advantages for many brands.
Why do senders pursue a BIMI logo?
We wanted to find out what prompted the senders who are using BIMI to pursue an inbox logo. What did they expect to gain from it? Here’s what those senders say was the primary driver of BIMI implementation:
.%
Customer/subscriber trust
.%
Protecting brand reputation
.%
Building brand awareness
.%
Email security
An inbox logo certainly provides some extra branding via your emails. While BIMI itself does not do anything to enhance email security, it’s proof that a sender has taken other steps to do so. Recipients may be more likely to open and engage with emails displaying an inbox logo because it appears more trustworthy.
7.4% of respondents told us they pursued BIMI to boost email engagement. And that could very well be true. A 2021 study on inbox logos suggests they positively impact engagement metrics such as open rates.
Why email authentication is worth the effort
Setting up email authentication can get complex, but all the work pays off. It’s a win for everyone involved... except spammers and scammers.
How email authentication benefits senders:
Keeps your brand from being spoofed.
Protects customers from security threats.
Supports a good sender reputation.
Leads to better inbox placement.
How email authentication helps mailbox providers:
Helps identify legitimate senders vs malicious messages.
Supports the integrity of their product.
Keeps people using email for brand communications.
Offers guidance on filtering authentication failures.
How email authentication supports recipients:
Stops phishing emails, spam, and malware from reaching their inboxes.
Creates trust for brands they want to hear from.
Improves the inbox experience by reducing unwanted emails
Our survey results show the email community is making progress with authentication and inbox security, but there’s still room for improvement.
Deliverability Services: Get expert guidance
With Sinch Mailgun’s Deliverability Services, you’ll get your own Technical Account Manager (TAM) to help you navigate the complexities of achieving inbox placement. Contact us to learn more.
Let's talk Mailgun!
Previous Chapter
Chapter 1: The year of Yahoogle
Chapter 1
Explore chapters
Research report
State of email deliverability 2025
Learn More
Chapter 1:
The year of Yahoogle
Learn More
Chapter 3:
Understanding inbox placement
Learn More
Chapter 4:
Email list building and hygiene
Learn More
Chapter 5:
Email sender reputation
Learn More
Chapter 6:
How to improve email deliverability
Learn More
Chapter 7:
About this survey
Learn More