Email Authentication Failed? Here's How to Fix It (And Why It's Happening)

Since Gmail and Yahoo rolled out mandatory authentication in February 2024, and Microsoft joined in May 2025, thousands of businesses have seen their emails bouncing. This guide shows you exactly how to fix SPF, DKIM, and DMARC authentication issues.

The Quick Fix (TL;DR)

If your emails are bouncing with "authentication failed" errors, you need to set up three DNS records: SPF, DKIM, and DMARC. Here's the fastest way to check if you have a problem:

  1. Go to MXToolbox DMARC Check and enter your domain

  2. Look for red X marks - those are your problems

  3. If you see errors, keep reading to understand what each record means

Why Are My Emails Failing?

In 2024-2025, Gmail, Yahoo, and Microsoft all started requiring email authentication. If you send more than 5,000 emails a day, your emails will be rejected unless you have SPF, DKIM, and DMARC set up correctly.

Think of it like airport security: without proper ID (authentication), you're not getting through.

The 3 Things You Need (With Full Breakdowns)

1. SPF - Who Can Send Email for You

SPF is like a guest list. It tells email providers "these services are allowed to send email from my domain."

Example SPF record:

v=spf1 include:spf.klaviyo.com include:shops.shopify.com ~all

Let's break down every part:

| Part | What It Means |
| --- | --- |
| v=spf1 | Version declaration. This tells email servers "this is an SPF record, version 1." Always required, always first. |
| include:spf.klaviyo.com | This authorizes Klaviyo to send emails on your behalf. The include: mechanism tells servers to check Klaviyo's SPF record and trust those IPs. |
| include:shops.shopify.com | This authorizes Shopify to send emails (like order confirmations) from your domain. |
| ~all | Soft fail - if an email comes from an IP not in this list, mark it as suspicious but don't reject it outright. The ~ means soft fail. Use -all (hard fail) for stricter enforcement. |

Common SPF include values:

  • include:spf.klaviyo.com - Klaviyo
  • include:_spf.attentivemobile.com - Attentive
  • include:shops.shopify.com - Shopify
  • include:sendgrid.net - SendGrid
  • include:_spf.google.com - Google Workspace
  • include:spf.protection.outlook.com - Microsoft 365

Critical rule: You can only have ONE SPF record per domain. If you have multiple services, combine them all into one record. Having two SPF records will cause ALL authentication to fail.

2. DKIM - Digital Signature

DKIM adds a cryptographic signature to your emails, proving they haven't been tampered with in transit. Think of it as a wax seal on a letter - if the seal is broken, you know someone messed with it.

Example DKIM record (what you add to DNS):

Host: k1._domainkey.yourdomain.com
Type: CNAME
Value: dkim.klaviyomail.com

Breaking it down:

| Part | What It Means |
| --- | --- |
| k1 | The selector - a unique identifier for this DKIM key. Different services use different selectors (k1, k2, s1, google, etc.). This lets you have multiple DKIM keys for different services. |
| _domainkey | Required subdomain that tells email servers "this is a DKIM record." Always the same. |
| yourdomain.com | Your actual domain name. |
| CNAME | Record type. CNAME points to another domain. Some services use TXT records instead with the actual public key. |
| dkim.klaviyomail.com | Klaviyo's DKIM server that holds the public key. Email servers look here to verify the signature. |

How DKIM verification works:

  1. Klaviyo signs your email with a private key (stored securely on their servers)
  2. They add a DKIM-Signature header to the email
  3. Receiving server looks up your DKIM record using the selector (k1._domainkey.yourdomain.com)
  4. Server uses the public key to verify the signature matches
  5. If it matches, the email passes DKIM ✓

Unlike SPF, you CAN have multiple DKIM records - one for each sending service. Each uses a different selector.

3. DMARC - What to Do When Things Fail

DMARC tells email providers what to do if SPF or DKIM fails. It also sends you reports about who's trying to send email as you (including potential spammers spoofing your domain).

Starter DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Full breakdown:

| Part | What It Means |
| --- | --- |
| v=DMARC1 | Version declaration. Tells servers this is a DMARC record. Always required, always first. |
| p=none | Policy - what to do with failing emails. none = monitor only (just send reports, don't block). This is the minimum required by Gmail/Yahoo/Microsoft. |
| rua=mailto:dmarc@yourdomain.com | Aggregate reports - where to send daily summary reports. You'll get XML files showing all email activity from your domain. |

Advanced DMARC example:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; fo=1; adkim=r; aspf=r

| Part | What It Means |
| --- | --- |
| p=quarantine | Send failing emails to spam folder. Other options: none (monitor), reject (block entirely). |
| pct=25 | Apply the policy to only 25% of failing emails. Great for gradual rollout - start at 10%, increase to 100% over time. |
| ruf=mailto:... | Forensic reports - detailed reports for each failure. More granular than aggregate reports. |
| fo=1 | Failure options - generate a report if ANY check fails (SPF or DKIM). Default only reports when both fail. |
| adkim=r | DKIM alignment - r = relaxed (subdomains OK), s = strict (exact match required). |
| aspf=r | SPF alignment - r = relaxed (subdomains OK), s = strict (exact match required). |

DMARC progression path:

  1. Week 1-2: Start with p=none - just monitor, collect reports
  2. Week 3-4: Move to p=quarantine; pct=10 - spam 10% of failures
  3. Week 5-6: Increase to p=quarantine; pct=50
  4. Week 7+: Move to p=reject when confident
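
The progression above, modeled as an added example (not code from the original article): it parses each stage's record and shows how 1,000 failing messages would be handled, including the RFC 7489 rule that messages not sampled by pct fall back to the next-lower policy. Function names are illustrative.

```python
VALID_POLICIES = ("none", "quarantine", "reject")
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Parse a DMARC TXT value into tags, filling in the defaults for optional tags."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags = [tuple(s.strip() for s in p.split("=", 1)) for p in parts]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    parsed = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0", **dict(tags)}
    if parsed.get("p") not in VALID_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    parsed["pct"] = int(parsed["pct"])
    if not 0 <= parsed["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    return parsed

def policy_for_failure(tags, sample):
    """Policy for one failing message; `sample` (0-99) is the receiver's random draw."""
    return tags["p"] if sample < tags["pct"] else DOWNGRADE[tags["p"]]

def rollout_plan(records, failing=1000):
    """Expected handling of `failing` unauthenticated messages at each stage."""
    plan = []
    for record in records:
        tags = parse_dmarc(record)
        hit = failing * tags["pct"] // 100
        counts = {"none": 0, "quarantine": 0, "reject": 0}
        counts[tags["p"]] += hit                         # sampled: full policy
        counts[DOWNGRADE[tags["p"]]] += failing - hit    # not sampled: one step down
        plan.append((record, counts))
    return plan

STAGES = [  # the article's progression path, week by week
    "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com",
    "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com",
]

if __name__ == "__main__":
    for record, counts in rollout_plan(STAGES):
        print(counts, "<-", record)
```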

How to Check Your Setup (Free)

Use these free tools to see what's working and what's broken:

Common Errors and What They Mean

"No SPF record found"

Translation: You haven't set up the guest list yet. Email providers don't know who's allowed to send for you.

Fix: Add an SPF TXT record to your DNS with all your sending services.

"550 5.7.515 Access denied"

Translation: Microsoft (Outlook/Hotmail) is rejecting your email because authentication failed.

Fix: Check that SPF, DKIM, and DMARC are all set up and passing. Microsoft started enforcing this in May 2025.

"Too many DNS lookups"

Translation: Your SPF record includes too many services. SPF has a limit of 10 DNS lookups.

Fix: Use SPF flattening (converting includes to IP addresses) or move some services to subdomains with their own SPF records.

"DMARC alignment failed"

Translation: The domain in your "From" address doesn't match the domain authenticated by SPF or DKIM.

Fix: Set up a custom sending domain in your email platform so the authenticated domain matches your From address.
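
The DKIM lookup from step 3 of the verification flow and the alignment test behind this error, as an added example (not from the original article). The message is constructed, the vendor bounce domain is hypothetical, and org_domain() assumes the organizational domain is the last two labels, where real receivers use the Public Suffix List. It checks alignment only and assumes the SPF and DKIM checks themselves passed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: a vendor's shared bounce domain plus a custom DKIM domain.
RAW = """\
Return-Path: <bounce@mail.esp-vendor.example>
DKIM-Signature: v=1; a=rsa-sha256; d=news.yourdomain.com; s=k1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Shop <hello@yourdomain.com>
Subject: Your order

body
"""

def domain_of(address_header):
    """Domain part of an address header such as From or Return-Path."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()

def dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in header_value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def org_domain(domain):
    """Assumption: last two labels; real receivers consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def check_alignment(raw, adkim="r", aspf="r"):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    tags = dkim_tags(msg["DKIM-Signature"])
    spf_ok = aligned(from_dom, domain_of(msg["Return-Path"]), aspf)
    dkim_ok = aligned(from_dom, tags["d"].lower(), adkim)
    return {
        "dkim_lookup": f"{tags['s']}._domainkey.{tags['d']}",  # where the public key lives
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_aligned": spf_ok or dkim_ok,  # one aligned mechanism is enough
    }

if __name__ == "__main__":
    print(check_alignment(RAW))
    print(check_alignment(RAW, adkim="s"))
```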

"Multiple SPF records found"

Translation: You have more than one SPF record. This is invalid and causes ALL authentication to fail.

Fix: Combine all your SPF includes into ONE record and delete the extras.
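
An offline linter for the "Multiple SPF records found" and "Too many DNS lookups" errors and for the one-record rule from the SPF section, added here as an example (not from the original article). ZONE is constructed sample data standing in for DNS, the function names are illustrative, and the lookup count is the worst case across all includes.

```python
import re

# Constructed sample zone (TXT strings by name); not real DNS data.
ZONE = {
    "shop.example": ["v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example ~all"],
    "_spf.mail-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_net.mail-a.example -all"],
    "_net.mail-a.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.mail-b.example": ["v=spf1 a mx ip4:203.0.113.0/24 -all"],
    "dup.example": ["v=spf1 include:_spf.mail-a.example ~all",
                    "v=spf1 include:_spf.mail-b.example ~all"],
}
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a DNS lookup

def spf_records(domain, zone=ZONE):
    """Return only the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms, following include:/redirect=."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:
        return 0  # loop, or missing/duplicate record: nothing to follow
    total = 0
    for term in records[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)[:=/]?(.*)", term)
        if not m:
            continue
        name, target = m.groups()
        if name in QUERYING:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))
    return total

def lint_spf(domain, zone=ZONE):
    """Return a list of problems, worded after the errors described above."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record found"]
    if len(records) > 1:
        return [f"{len(records)} SPF records found; merge them into one"]
    lookups = count_lookups(domain, zone)
    return [f"{lookups} DNS lookups; the limit is 10"] if lookups > 10 else []

if __name__ == "__main__":
    for name in ("shop.example", "dup.example", "missing.example"):
        print(name, count_lookups(name), lint_spf(name))
```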

Platform Quick Guides

If you use Klaviyo + Shopify:

v=spf1 include:shops.shopify.com include:spf.klaviyo.com ~all

Then set up DKIM in Klaviyo: Settings → Email → Domains → Add your domain and follow the DNS instructions.

If you use Attentive + Klaviyo:

v=spf1 include:_spf.attentivemobile.com include:spf.klaviyo.com ~all

Set up DKIM separately for each platform - they'll each give you different DNS records to add.

If you use Google Workspace:

v=spf1 include:_spf.google.com ~all

DKIM: Admin console → Apps → Google Workspace → Gmail → Authenticate email → Generate DKIM key.

The Bigger Picture: Email Authentication Is Just the Foundation

Getting SPF, DKIM, and DMARC right is essential - but it's just the first step in email deliverability. Authentication gets your emails past the bouncer, but it doesn't guarantee they'll land in the inbox or drive revenue.

True email success comes from a complete retention marketing strategy: the right sending infrastructure, smart segmentation, compelling content, and continuous optimization. Authentication is the foundation that makes everything else possible.

If you're looking to go beyond just "not bouncing" to actually driving measurable revenue from your email and SMS programs, check out our full range of CRM and retention services.

Get a Free Authentication Audit

Not sure if your setup is right? We'll check your SPF, DKIM, and DMARC configuration for free and tell you exactly what needs fixing.


Frequently Asked Questions

Do I need all three (SPF, DKIM, DMARC)?

YES, if you send more than 5,000 emails per day to Gmail, Yahoo, OR Microsoft addresses. As of December 2025, Gmail, Yahoo, and Microsoft all require SPF AND DKIM AND DMARC for bulk senders.

What happens if I don't fix this?

As of December 2025, your emails will be permanently rejected by Gmail, rejected or sent to spam by Yahoo, and rejected with error 550 5.7.515 by Microsoft. This isn't a soft warning anymore - it's hard enforcement.

What's the 5,000 emails per day threshold?

It's 5,000 to a SINGLE provider (Gmail OR Yahoo OR Microsoft), not total. It's from one DOMAIN (not individual email addresses). Once you hit 5,000 in a single day, you're PERMANENTLY classified as a bulk sender.

Can I set DMARC to p=reject immediately?

No! Start with p=none for 2-4 weeks, monitor reports, ensure legitimate emails pass, then move to p=quarantine, then finally p=reject.

How long does DNS propagation take?

Typically 15 minutes to 24 hours. Most changes propagate within 1-2 hours.

Will this improve my email deliverability?

Authentication won't magically fix all deliverability issues, but it's now a minimum requirement. Without it, you won't get delivered at all. With it, you're eligible for inbox placement based on engagement, content, and reputation.

Jason Donapel | Founder, The Email Experience
Email Deliverability Expert, Attentive Signature Partner

Retention marketing expert who has built 400+ CRM programs generating over $200M in client revenue. Specializes in email deliverability, authentication, and e-commerce marketing automation.

Expertise: Email Authentication, SPF/DKIM/DMARC, Klaviyo, Attentive, Email Marketing, Retention Marketing