I'm hoping to get some clarity on how email authentication protocols like SPF, DKIM, and DMARC affect message delivery to Gmail and Outlook as of 2026. Specifically, I have a few questions:
1. If a sender's domain doesn't have SPF or DKIM set up, will their emails go straight to the spam folder, or is there a chance they could land in the inbox?
2. With a DMARC policy set to 'p=none,' can spoof emails bypass a domain's SPF protections? I find it hard to believe that domains allow spoofed emails to be sent from addresses like [email protected] with this policy. Does reputation play the biggest role in this, or are there other protections at play?
3. How does DMARC monitoring get triggered? If someone controls both the sending and receiving servers, can they turn it off? I'm fairly new to the technical intricacies of this.
5 Answers
Without a proper SPF or DKIM setup, your emails reliably end up in spam or get rejected. 'p=none' is just a way of saying 'I’m not really enforcing policies,' which does leave the door open for spoofing. Incoming DMARC checks depend heavily on the receiving server. You can't disable them unless you control that server directly.
Two things I always make sure to set are SPF to hard fail and DKIM to reject. It prevents a lot of spoofing.
From my experience, there's a lot to consider, and the only real way to know if one domain can get emails from another is to test it. SPF, DKIM, and DMARC are clear-cut, but the spam filters will drive you up the wall when trying to determine why a specific email lands in junk.
1. Emails can be delivered, but they often land in spam or junk folders. Occasionally, they might reach the inbox if the sender’s reputation is stellar, though that's rare.
2. Yes, 'p=none' basically means just monitoring – spoofed emails can still go out, but they often get flagged as suspicious.
3. No, you don’t have control over DMARC checks. Providers look at the sender's reputation, authentication results, and user signals.
1. It really depends on the receiving server's spam filter settings. Some might mark emails lacking SPF, DKIM, or DMARC as spam, but there’s no technical blockade that stops delivery entirely.
2. DMARC and SPF serve different functions. DMARC relies on SPF and DKIM to set its actions. Even if a sender has a hard fail on their SPF, the receiving server will likely just raise the spam score instead of outright blocking the email. DKIM adds a digital signature validating the sender's domain, and DMARC directs actions based on SPF and DKIM results.
3. When an email arrives, the receiving server checks the sender's domain policy for SPF and DMARC. If both SPF and DKIM fail and DMARC is set to 'NONE', the message can still arrive but will usually land in spam. If DMARC is set to 'QUARANTINE' or 'REJECT', then it’s a different story – QUARANTINE goes to junk, and REJECT doesn’t deliver the mail at all.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures