Back to main menu

Chapter 2

Email authentication in 2025

Email authentication is a powerful defense in the fight to save email from the bad guys. Do our survey results indicate enough senders use SPF, DKIM, and DMARC to keep inboxes safe from scammers?

Key and padlock icons with checkmarks for authenticated emails

Share to

PUBLISHED ON

While generative artificial intelligence (gen AI) offers plenty of promise for the future, it’s also making it hard to tell what’s real and what’s not – especially in the wrong hands. While email senders use AI to improve efficiency and brainstorm marketing ideas, scammers and spammers found their own nefarious uses for it.

Phishing has been a major concern for years. Now, with generative AI tools, bad actors can quickly create deceptive emails to look as if they came from any brand. They can also use large language models (LLMs) to personalize scams for more convincing social engineering.

Email authentication protocols help mailbox providers identify you as a legitimate sender. It proves you are who you say you are, that your messages can be trusted, and they should be delivered to the inbox. But are enough senders using email authentication?

Key findings on email authentication practices

%

of senders know they are using both SPF and DKIM for email authentication.

+%

increase in senders who know they are using DMARC compared to our 2023 survey.

%

of those sending 100k+ emails per month know they are using DMARC for email authentication (20% are unsure).

%

of senders who use DMARC know they are enforcing it with a policy of Reject or Quarantine.

Email authentication basics

Authentication is one of the more technical aspects of email deliverability. It involves DNS records that receiving mail servers are required to reference before messages get delivered.

As a quick review, these are the DNS TXT records connected to email authentication and the basics of what they do:

Sender Policy Framework: SPF specifies which IP addresses are authorized to send emails on behalf of a domain. It helps verify that a valid source sent the email. DomainKeys Identified Mail: DKIM uses a cryptographic digital signature, which allows receiving mail servers to verify the email came from the domain it claims to be from. Domain-based Message Authentication, Reporting and Conformance: DMARC builds on SPF and DKIM by providing a way for domain owners to specify how receiving mail servers should handle authentication failures. Brand Indicators for Message Identification: BIMI builds on DMARC and allows brands to display a verified logo next to emails in the recipient’s inbox when DMARC is enforced.

Bulk senders need to use SPF, DKIM, and DMARC if they want to achieve inbox placement with major mailbox providers. However, every sender can benefit from using all three of these methods – and BIMI is like the icing on the cake.

SPF and DKIM usage

The SPF and DKIM protocols are essential to email authentication. While low-volume senders may be able to reach the email inbox with just one of the two, using both is highly encouraged. Bulk senders must use SPF and DKIM to comply with Gmail and Yahoo’s 2024 requirements.

Nearly two-thirds of all senders (66.2%) say they do use both SPF and DKIM for email authentication. 25.7% of respondents were unsure about how their organizations used DKIM and SPF. Less than 9% said they were only using one or the other.

Does your organization use SPF and/or DKIM for email authentication?

Unsure (25.7%)
Only using DKIM (3.3%)
Only using SPF (4.8%)
Using SPF and DKIM (66.2%)

When we filter these results based on send volumes, more than 75% of respondents sending over 50,000 emails per month are confident they use both protocols. The highest degree of uncertainty around SPF and DKIM came from the low-volume senders with fewer than 50,000 emails per month.

For those who are unsure about SPF and DKIM authentication, it’s likely they are using at least one of them. Most email service providers (ESPs) require that these protocols are configured before any emails are sent. In some cases, an ESP may use its own SPF and DKIM records on behalf of smaller senders on shared IPs.

DKIM key rotation

The DKIM protocol involves a pair of keys, one public and one private, which are used to authenticate a sending domain. The private key contains the encrypted digital signature and is sent along with email messages. The public key lives on the DNS and is matched with the private key to verify the message’s authenticity.

DKIM keys need to be changed periodically. This is a practice known as DKIM key rotation. It's necessary because these keys can be compromised, which opens the door for bad actors to do some real damage.

DKIM key rotation is a lot like changing your personal account passwords to keep them secure. Unfortunately, senders don’t seem to be in the habit of rotating DKIM keys.

47.7% of senders who use DKIM admit they’ll only rotate keys after a security issue. By then, it may be too late. Another 40% of the senders in our survey say they are unsure about DKIM key rotation practices.

Approximately how often do you rotate DKIM keys?

Every 3 months (3.1%)
Every 6 months (3.4%)
Every 12 months (5.5%)
Only after a security issue (47.7%)
Unsure (40.3%)

Only a combined 12% of senders say they have an approximate timeframe for rotating DKIM keys. The other 88% could be putting their customers and subscribers as well as their brand’s reputation at risk.

If someone steals your DKIM keys, they don’t even need to use spoofing. They are literally able to sign emails as if they were sent from your domain.

It’s considered best practice to rotate DKIM keys every 6 to 12 months at minimum. If your DKIM keys are leaked or a bad actor manages to decipher them, change keys as soon as possible. Visit the Sinch Mailgun help center to learn how to update or rotate your DKIM keys.

Email security feature

Get automatic DKIM key rotation

Here’s one less thing to worry about. Sinch Mailgun users enjoy extra security and peace of mind with a new feature that automates DKIM key rotation. If you use Mailgun Send, you can choose to have 2048-bit DKIM keys updated every 120 days. Manually rotate your keys whenever it’s needed.

DMARC adoption

It’s fair to say the most important aspect of Google and Yahoo’s new rules for bulk senders is the DMARC requirement. DMARC offers a way to harness the power of both SPF and DKIM for strong email authentication.

Our survey results show an uptick in DMARC adoption compared to the results we published in State of email deliverability 2023. In 2024, 53.8% of senders told us they were using DMARC. That represents an 11% increase from the 42.6% who’d implemented DMARC in 2023.

Senders using DMARC for email authentication: 2023 vs 2024

2023
2024

As you might expect, due to the Google DMARC requirement, the increase appears even stronger among bulk senders. While around 56% of the highest volume senders had set up DMARC in 2023, approximately 70% or more of them had done so in 2024.

Senders using DMARC in 2024: Monthly volume comparison

Yes
Unsure
No

DMARC policies

When setting up DMARC, senders must choose a specific policy that informs receiving mail servers how to handle messages that fail SPF or DKIM. Here’s how each of the three policies work:

  1. Badge Check

    None (p=none): This DMARC policy tells receiving mails servers not to do anything if a message fails authentication.

  2. Badge Check

    Quarantine (p=quarantine): This DMARC policy tells receiving mails servers that authentication failures should be filtered into spam.

  3. Badge Check

    Reject (p=reject): This DMARC policy is the strongest. It tells receiving mails servers that authentication failures should not be delivered at all.

The Yahoo and Google DMARC requirement only dictated that senders use a policy of p=none. That’s because, at this point, the mailbox providers are trying to get senders to take the first step towards enforcement.

The p=none policy was the most common policy senders used in 2023, and it remained that way in our latest survey. 31.8% of senders who use DMARC have their policy set to None, 19.3% are using Quarantine, and 17.7% have a policy set to Reject.

What is your current DMARC policy?

p=none (31.8%)
p=quarantine (19.3%)
p=reject (17.6%)
Unsure (31.3%)

In 2023, around 23% of senders had DMARC policies set to None. But the most noticeable change was a decrease in senders who are uncertain about what policy is used. While 31.3% of senders in this year’s survey are unsure of their DMARC policy, that dropped from more than 40% in 2023.

DMARC policy implementation: 2023 vs 2024

2023
2024

This result suggests the new sender requirements not only encouraged DMARC adoption, but it also increased awareness around the standard and its specific policies.

DMARC requirements today and tomorrow

There’s a problem with using the p=none DMARC policy. It doesn’t exactly do much to improve your authentication. Messages that fail DKIM or SPF may still be delivered to email inboxes. Technically, you aren’t enforcing DMARC until you implement a policy of p=quarantine or p=reject.

The p=none policy is meant to be used to test DMARC during setup. Eventually, senders are supposed to change the policy. So, is that what senders in our survey plan to do?

Results show a combined 25.5% of senders using p=none plan to update the policy within the next year. However, 61% will only do so if they are required and 13% don’t plan to update because they meet the current DMARC requirements.

Will sender using p=none implement a stricter DMARC policy in the next year?

Yes. We’ll enforce a stricter policy soon (10.1%)
Yes. We are in a testing phase (15.4%)
Only if stricter polices are required (61.2%)
No. We meet requirements with p=none (13.3%)

Senders who plan to wait until DMARC enforcement is required may not be waiting long. Representatives from Gmail and Yahoo told us they’ll eventually call for a stronger policy. Senders who’ve taken steps to enforce DMARC are ahead of the game – and they’re doing the right thing.

“The end goal is ideally a policy of p=reject. That's what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse.”

Marcel Becker
115F513A-17CF-463E-999E-489BC063244D

Marcel Becker

Sr. Director of Product Management at Yahoo

BIMI implementation

If you need another reason to choose a stronger DMARC policy, maybe BIMI will do the trick. This specification lets senders display a verified logo next to their emails. To be eligible for a BIMI logo, however, you need to be enforcing DMARC with a policy of Reject or Quarantine.

Gmail, Apple Mail, and Yahoo Maill all support BIMI, but Outlook currently does not. Here’s how a BIMI logo might look in the inbox:

Preview of an inbox before and after BIMI

So, how popular is BIMI? The website BIMI Radar tracks more than 72-million domains for what it calls “BIMI-readiness." As of this writing, the site indicates only 3.8% of those domains would be eligible for a BIMI logo. That means the vast majority aren’t using DMARC or don’t have a strong enough policy.

Our latest survey asked email senders if they’d already implemented BIMI. Results show 5.7% of respondents use BIMI while another 11.4% are working to implement the specification. Still, nearly 60% of senders are not using BIMI.

Have you set up BIMI for a verified inbox logo?

Yes (5.7%)
Working on it (11.4%)
No (58.4%)
Unsure (24.5%)

BIMI does not directly impact deliverability or do anything to authenticate your emails. Nonetheless, it gets associated with authentication because only senders who’ve put in the effort around DMARC can display a verified inbox logo. As you can imagine, this has advantages for many brands.

Why do senders pursue a BIMI logo?

We wanted to find out what prompted the senders who are using BIMI to pursue an inbox logo. What did they expect to gain from it? Here’s what those senders say was the primary driver of BIMI implementation:

.%

Customer/subscriber trust

.%

Protecting brand reputation

.%

Building brand awareness

.%

Email security

An inbox logo certainly provides some extra branding via your emails. While BIMI itself does not do anything to enhance email security, it’s proof that a sender has taken other steps to do so. Recipients may be more likely to open and engage with emails displaying an inbox logo because it appears more trustworthy.

7.4% of respondents told us they pursued BIMI to boost email engagement. And that could very well be true. A 2021 study on inbox logos suggests they positively impact engagement metrics such as open rates.

Download

Email authentication guide

Get technical advice on configuring your SPF, DKIM, and DMARC records from the team at Sinch Mailgun. Download this free, ungated guide to help you comply with sender requirements and make the email inbox a safer place.

Why email authentication is worth the effort

Setting up email authentication can get complex, but all the work pays off. It’s a win for everyone involved... except spammers and scammers.

How email authentication benefits senders:

  • Keeps your brand from being spoofed.

  • Protects customers from security threats.

  • Supports a good sender reputation.

  • Leads to better inbox placement.

How email authentication helps mailbox providers:

  • Helps identify legitimate senders vs malicious messages.

  • Supports the integrity of their product.

  • Keeps people using email for brand communications.

  • Offers guidance on filtering authentication failures.

How email authentication supports recipients:

  • Stops phishing emails, spam, and malware from reaching their inboxes.

  • Creates trust for brands they want to hear from.

  • Improves the inbox experience by reducing unwanted emails

Our survey results show the email community is making progress with authentication and inbox security, but there’s still room for improvement.

Deliverability Services: Get expert guidance

With Sinch Mailgun’s Deliverability Services, you’ll get your own Technical Account Manager (TAM) to help you navigate the complexities of achieving inbox placement. Contact us to learn more.

Let's talk Mailgun!

Explore chapters

Illustration of an email with deliverability advice from Sinch Mailgun

Research report

State of email deliverability 2025

Learn More

Yahoo and Google logos in browser windows

Chapter 1:

The year of Yahoogle

Learn More

Email inbox illustration with icon indicating no spam

Chapter 3:

Understanding inbox placement

Learn More

Illustration of email contact database with address verifications

Chapter 4:

Email list building and hygiene

Learn More

Graphics indicating sender reputation scores and email program health

Chapter 5:

Email sender reputation

Learn More

Charts and graphs showing improved email deliverability metrics

Chapter 6:

How to improve email deliverability

Learn More

Illustration of an email with deliverability advice from Sinch Mailgun

Chapter 7:

About this survey

Learn More