CAN-SPAM §5(a)(1) prohibits falsified routing information; proper SPF, DKIM, and DMARC configuration is how receiving servers verify that routing headers are accurate. Gmail and Yahoo's 2024 bulk sender requirements mandate SPF and DKIM authentication plus a DMARC policy for senders sending more than 5,000 emails per day — without it, bulk sends are rejected or spam-foldered at the domain level. CWE-290 (Authentication Bypass by Spoofing) applies: without DMARC, anyone can spoof your sending domain, sending phishing emails that appear to come from your business. NIST SP 800-53 SC-8 (Transmission Confidentiality and Integrity) covers the integrity dimension.
Severity is info because authentication failures primarily cause deliverability problems and phishing exposure rather than direct legal violations; still, without DMARC, domain spoofing is trivially easy, and Gmail bulk sender rejection blocks all marketing email.
Configure SPF, DKIM, and DMARC DNS records for your sending domain. Follow your provider's domain authentication setup (SendGrid: Settings > Sender Authentication; Postmark: Sender Signatures; AWS SES: Verified Identities).
# DNS records for example.com:
# SPF — authorize your sending provider
example.com. TXT "v=spf1 include:sendgrid.net ~all"
# DKIM — your provider generates the key pair
s1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=<public-key-from-provider>"
# DMARC — start with p=none to collect reports, then escalate
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
# Escalate to p=quarantine, then p=reject once reports confirm alignment
Verify configuration with MXToolbox (mxtoolbox.com/SuperTool.aspx) after adding DNS records. Enroll in Gmail Postmaster Tools for ongoing DMARC and deliverability monitoring.
ID: email-sms-compliance.content-delivery.email-authentication
Severity: info
What to look for: Enumerate every relevant item. Email authentication (SPF, DKIM, DMARC) is not directly mandated by CAN-SPAM, but it is required by Gmail and Yahoo for bulk senders (>5,000 emails/day), strongly recommended by all major deliverability authorities, and required for proper sender identity verification that underpins anti-spoofing compliance. Look for setup documentation or references to authentication configuration: comments in deployment docs, email provider setup guides referenced in README, or environment variables that indicate DKIM key configuration (DKIM_PRIVATE_KEY, DKIM_DOMAIN_KEY). Look for v=spf1 references in deployment notes. Check whether the email service is configured for custom domain authentication or uses shared IP pools (which means authentication is done on the provider's domain, not yours).
Pass criteria: SPF, DKIM, and DMARC records are configured for the sending domain. The email service is set up with custom domain authentication (not shared IP pool sending on the provider's domain). DMARC policy is at least p=none with a reporting address (rua=).
Fail criteria: Sending on the email provider's shared domain (no custom domain authentication). No evidence of DKIM or SPF configuration. Domain has no DMARC record.
Skip (N/A) when: The application sends no email.
Detail on fail: Example: "Email sent via SendGrid but no Domain Authentication configured. SPF and DKIM are on SendGrid's domain, not yours. Gmail may mark these as suspicious." or "Custom domain in use but no documentation of DMARC policy. Without DMARC, spoofing your domain is trivial."
Remediation: Configure authentication for your sending domain at the DNS level:
DNS records to add for example.com:
SPF (TXT record at example.com):
v=spf1 include:sendgrid.net ~all
(Replace sendgrid.net with your provider's SPF include)
DKIM (TXT record — your provider generates the key):
s1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=<your-public-key>"
(Follow your provider's setup guide: SendGrid > Settings > Sender Authentication)
DMARC (TXT record at _dmarc.example.com). Start with p=none to receive reports without affecting delivery:
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
Then escalate to p=quarantine once reports confirm alignment:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com
Eventually move to p=reject as you verify alignment.
Use a tool like MXToolbox (mxtoolbox.com/SuperTool.aspx) or mail-tester.com to verify your authentication configuration after setting DNS records. Gmail Postmaster Tools provides ongoing DMARC and deliverability reports once configured.
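The following is an added example, not part of this rule or of any provider's tooling. It applies the pass/fail criteria above to the three TXT records as strings (the values you would paste in from your DNS zone or from a tool such as MXToolbox), so it runs offline with no DNS lookups. The sample records are constructed: the SPF and DMARC strings match the remediation text, and the DKIM public key is a placeholder, not a real key. The check also flags the RFC 7208 limit of 10 DNS-querying SPF terms, which the text does not mention but which is a common cause of SPF permerror once several providers are included.

```python
"""Validate SPF, DKIM and DMARC TXT records against the rule's pass/fail criteria (offline)."""
import re

# Constructed sample records, not real DNS data. The DKIM p= value is a placeholder.
SAMPLE = {
    "spf": "v=spf1 include:sendgrid.net ~all",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0placeholder",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}

SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS query
DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return (ok, reason) for an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "missing v=spf1 version tag"
    # Strip qualifiers (+ - ~ ?) so 'include:x' and '-include:x' look alike.
    mechs = [t.lower().lstrip("+-~?") for t in terms[1:]]
    if not any(m.split(":")[0] in ("include", "ip4", "ip6", "a", "mx") for m in mechs):
        return False, "no sending source authorised (include:/ip4:/ip6:/a/mx)"
    last = terms[-1].lower()
    if last not in ("~all", "-all"):
        return False, "record must end with ~all or -all (%s found)" % last
    # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permanent error.
    lookups = sum(1 for m in mechs if m.split(":")[0].split("=")[0] in SPF_LOOKUP_MECHS)
    if lookups > 10:
        return False, "%d DNS lookups exceeds the limit of 10" % lookups
    return True, "ok"


def check_dkim(record):
    """Return (ok, reason) for a DKIM selector record (selector._domainkey.domain)."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unexpected version tag %r" % tags["v"]
    if "p" not in tags:
        return False, "missing p= public key tag"
    key = tags["p"].replace(" ", "")
    if key == "":
        return False, "empty p= tag means the key is revoked"
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", key):
        return False, "p= is not base64 (provider placeholder not replaced?)"
    return True, "ok"


def check_dmarc(record, require_rua=True):
    """Return (ok, policy, reason) for a _dmarc TXT record."""
    tags = parse_tags(record)
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        return False, None, "v=DMARC1 must be the first tag"
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        return False, None, "p= must be none, quarantine or reject"
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return False, policy, "pct= must be 0-100"
    if require_rua and not tags.get("rua", "").lower().startswith("mailto:"):
        return False, policy, "no rua= aggregate report address, so alignment cannot be monitored"
    return True, policy, "ok"


def evaluate(spf, dkim, dmarc):
    """Apply the rule's pass criteria to a domain's records (None means the record is absent)."""
    findings = []
    spf_ok, why = check_spf(spf) if spf else (False, "no SPF record")
    if not spf_ok:
        findings.append("SPF: " + why)
    dkim_ok, why = check_dkim(dkim) if dkim else (False, "no DKIM selector record")
    if not dkim_ok:
        findings.append("DKIM: " + why)
    dmarc_ok, policy, why = check_dmarc(dmarc) if dmarc else (False, None, "domain has no DMARC record")
    if not dmarc_ok:
        findings.append("DMARC: " + why)
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; escalate to quarantine then reject once reports show alignment")
    verdict = "pass" if spf_ok and dkim_ok and dmarc_ok else "fail"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = evaluate(SAMPLE["spf"], SAMPLE["dkim"], SAMPLE["dmarc"])
    print(verdict)
    for finding in findings:
        print(" -", finding)
```

Feed it the real TXT values once the records are published; the p=none advisory is deliberate, since the pass criteria accept p=none but the remediation expects escalation, and a permanently monitoring-only policy is the state in which spoofing remains possible.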