Email authentication in 2025

Key findings on email authentication practices

Email authentication basics

Authentication is one of the more technical aspects of email deliverability. It involves DNS records that receiving mail servers are required to reference before messages get delivered.

As a quick review, these are the DNS TXT records connected to email authentication and the basics of what they do:

Bulk senders need to use SPF, DKIM, and DMARC if they want to achieve inbox placement with major mailbox providers. However, every sender can benefit from using all three of these methods – and BIMI is like the icing on the cake.

SPF and DKIM usage

The SPF and DKIM protocols are essential to email authentication. While low-volume senders may be able to reach the email inbox with just one of the two, using both is highly encouraged. Bulk senders must use SPF and DKIM to comply with Gmail and Yahoo’s 2024 requirements.

Nearly two-thirds of all senders (66.2%) say they do use both SPF and DKIM for email authentication. 25.7% of respondents were unsure about how their organizations used DKIM and SPF. Less than 9% said they were only using one or the other.

When we filter these results based on send volumes, more than 75% of respondents sending over 50,000 emails per month are confident they use both protocols. The highest degree of uncertainty around SPF and DKIM came from the low-volume senders with fewer than 50,000 emails per month.

For those who are unsure about SPF and DKIM authentication, it’s likely they are using at least one of them. Most email service providers (ESPs) require that these protocols are configured before any emails are sent. In some cases, an ESP may use its own SPF and DKIM records on behalf of smaller senders on shared IPs.

DKIM key rotation

The DKIM protocol involves a pair of keys, one public and one private, which are used to authenticate a sending domain. The private key contains the encrypted digital signature and is sent along with email messages. The public key lives on the DNS and is matched with the private key to verify the message’s authenticity.

DKIM keys need to be changed periodically. This is a practice known as DKIM key rotation. It's necessary because these keys can be compromised, which opens the door for bad actors to do some real damage.

DKIM key rotation is a lot like changing your personal account passwords to keep them secure. Unfortunately, senders don’t seem to be in the habit of rotating DKIM keys.

47.7% of senders who use DKIM admit they’ll only rotate keys after a security issue. By then, it may be too late. Another 40% of the senders in our survey say they are unsure about DKIM key rotation practices.

Only a combined 12% of senders say they have an approximate timeframe for rotating DKIM keys. The other 88% could be putting their customers and subscribers as well as their brand’s reputation at risk.

If someone steals your DKIM keys, they don’t even need to use spoofing. They are literally able to sign emails as if they were sent from your domain.

DMARC adoption

It’s fair to say the most important aspect of Google and Yahoo’s new rules for bulk senders is the DMARC requirement. DMARC offers a way to harness the power of both SPF and DKIM for strong email authentication.

Our survey results show an uptick in DMARC adoption compared to the results we published in State of email deliverability 2023. In 2024, 53.8% of senders told us they were using DMARC. That represents an 11% increase from the 42.6% who’d implemented DMARC in 2023.

As you might expect, due to the Google DMARC requirement, the increase appears even stronger among bulk senders. While around 56% of the highest volume senders had set up DMARC in 2023, approximately 70% or more of them had done so in 2024.

DMARC policies

When setting up DMARC, senders must choose a specific policy that informs receiving mail servers how to handle messages that fail SPF or DKIM. Here’s how each of the three policies work:

The Yahoo and Google DMARC requirement only dictated that senders use a policy of p=none. That’s because, at this point, the mailbox providers are trying to get senders to take the first step towards enforcement.

The p=none policy was the most common policy senders used in 2023, and it remained that way in our latest survey. 31.8% of senders who use DMARC have their policy set to None, 19.3% are using Quarantine, and 17.7% have a policy set to Reject.

In 2023, around 23% of senders had DMARC policies set to None. But the most noticeable change was a decrease in senders who are uncertain about what policy is used. While 31.3% of senders in this year’s survey are unsure of their DMARC policy, that dropped from more than 40% in 2023.

This result suggests the new sender requirements not only encouraged DMARC adoption, but it also increased awareness around the standard and its specific policies.

DMARC requirements today and tomorrow

There’s a problem with using the p=none DMARC policy. It doesn’t exactly do much to improve your authentication. Messages that fail DKIM or SPF may still be delivered to email inboxes. Technically, you aren’t enforcing DMARC until you implement a policy of p=quarantine or p=reject.

The p=none policy is meant to be used to test DMARC during setup. Eventually, senders are supposed to change the policy. So, is that what senders in our survey plan to do?

Results show a combined 25.5% of senders using p=none plan to update the policy within the next year. However, 61% will only do so if they are required and 13% don’t plan to update because they meet the current DMARC requirements.

Senders who plan to wait until DMARC enforcement is required may not be waiting long. Representatives from Gmail and Yahoo told us they’ll eventually call for a stronger policy. Senders who’ve taken steps to enforce DMARC are ahead of the game – and they’re doing the right thing.

“The end goal is ideally a policy of p=reject. That's what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse.”

Marcel Becker

Sr. Director of Product Management at Yahoo

BIMI implementation

If you need another reason to choose a stronger DMARC policy, maybe BIMI will do the trick. This specification lets senders display a verified logo next to their emails. To be eligible for a BIMI logo, however, you need to be enforcing DMARC with a policy of Reject or Quarantine.

Gmail, Apple Mail, and Yahoo Maill all support BIMI, but Outlook currently does not. Here’s how a BIMI logo might look in the inbox:

So, how popular is BIMI? The website BIMI Radar tracks more than 72-million domains for what it calls “BIMI-readiness." As of this writing, the site indicates only 3.8% of those domains would be eligible for a BIMI logo. That means the vast majority aren’t using DMARC or don’t have a strong enough policy.

Our latest survey asked email senders if they’d already implemented BIMI. Results show 5.7% of respondents use BIMI while another 11.4% are working to implement the specification. Still, nearly 60% of senders are not using BIMI.

BIMI does not directly impact deliverability or do anything to authenticate your emails. Nonetheless, it gets associated with authentication because only senders who’ve put in the effort around DMARC can display a verified inbox logo. As you can imagine, this has advantages for many brands.

Why do senders pursue a BIMI logo?

We wanted to find out what prompted the senders who are using BIMI to pursue an inbox logo. What did they expect to gain from it? Here’s what those senders say was the primary driver of BIMI implementation:

An inbox logo certainly provides some extra branding via your emails. While BIMI itself does not do anything to enhance email security, it’s proof that a sender has taken other steps to do so. Recipients may be more likely to open and engage with emails displaying an inbox logo because it appears more trustworthy.

7.4% of respondents told us they pursued BIMI to boost email engagement. And that could very well be true. A 2021 study on inbox logos suggests they positively impact engagement metrics such as open rates.

Why email authentication is worth the effort

Setting up email authentication can get complex, but all the work pays off. It’s a win for everyone involved... except spammers and scammers.

How email authentication benefits senders:

• Keeps your brand from being spoofed.

• Protects customers from security threats.

• Supports a good sender reputation.

• Leads to better inbox placement.

How email authentication helps mailbox providers:

• Helps identify legitimate senders vs malicious messages.

• Supports the integrity of their product.

• Keeps people using email for brand communications.

• Offers guidance on filtering authentication failures.

How email authentication supports recipients:

• Stops phishing emails, spam, and malware from reaching their inboxes.

• Creates trust for brands they want to hear from.

• Improves the inbox experience by reducing unwanted emails

Our survey results show the email community is making progress with authentication and inbox security, but there’s still room for improvement.

Deliverability Services: Get expert guidance

With Sinch Mailgun’s Deliverability Services, you’ll get your own Technical Account Manager (TAM) to help you navigate the complexities of achieving inbox placement. Contact us to learn more.