Frequently Asked Questions
Find answers to common questions about email authentication, DMARC compliance, and Inbox Insignia.
Email Authentication Basics
What is email authentication?
Email authentication is a set of DNS-based protocols (SPF, DKIM, and DMARC) that help receiving mail systems verify whether a message was sent by an authorized sender. These protocols work together to reduce spoofing and impersonation by checking who is allowed to send, whether the message was signed, and what the domain owner wants receivers to do with failures.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS policy that builds on SPF and DKIM. It tells receiving servers how to handle unauthenticated messages that claim to come from your domain and provides reporting so domain owners can see who is sending mail on their behalf.
What is SPF?
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email for your domain. It helps receivers verify the sending infrastructure, but it only checks the envelope sender rather than the From address people see in the inbox.
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages. Receivers use the public key in DNS to verify that the message was signed by an authorized domain and was not altered in transit.
What is the difference between SPF, DKIM, and DMARC?
SPF says which systems may send. DKIM proves a message was signed and not modified. DMARC connects those checks to the visible From domain and defines what should happen when authentication fails. Most organizations need all three working together to reach strong protection.
Do I need all three protocols?
Yes. SPF alone does not protect the visible From address. DKIM alone does not tell receivers what to do with failures. DMARC depends on SPF and DKIM results to enforce a policy. Modern sender requirements from large mailbox providers also expect all three in practice.
What is email spoofing?
Email spoofing is when someone sends a message that appears to come from your domain without authorization. Attackers use spoofing for phishing, brand impersonation, and business email compromise. Proper SPF, DKIM, and DMARC deployment makes that abuse much harder.
What is a DMARC policy?
A DMARC policy tells receivers what to do when a message fails authentication and alignment checks. `p=none` is monitoring only, `p=quarantine` asks receivers to treat failures as suspicious, and `p=reject` asks receivers to block them entirely.
Compliance & Requirements
Is DMARC required?
For many senders, yes, in practice. Google and Yahoo require DMARC for bulk senders, and Microsoft has followed with stricter requirements for high-volume Outlook.com traffic. DMARC is also a common expectation in federal and security-focused environments because it materially reduces spoofed email risk.
What are Google's email authentication requirements?
Google requires senders to authenticate email and expects bulk senders to use SPF, DKIM, and DMARC with alignment. Bulk senders also need one-click unsubscribe support for marketing email, TLS in transit, and low spam complaint rates.
What are Yahoo's email requirements?
Yahoo's requirements broadly mirror Google's for bulk senders: SPF or DKIM for all senders, and SPF, DKIM, and DMARC with alignment for higher-volume sending. Commercial senders are also expected to support one-click unsubscribe and maintain low complaint rates.
What does Microsoft require?
Microsoft expects high-volume senders to Outlook consumer inboxes to use SPF, DKIM, and DMARC with alignment. Messages that do not meet the requirement can be filtered more aggressively, and the guidance continues to push senders toward stronger enforcement.
What is a compliance score?
Inbox Insignia uses a 0-100 protection score to summarize SPF, DKIM, DMARC, and monitoring coverage. The score is meant to explain posture and the highest-priority fixes first rather than act as a generic vanity metric.
What regulations require email authentication?
Requirements vary by sector, but public guidance and directives increasingly treat authenticated email as part of a defensible baseline. Examples include CISA BOD 18-01 for federal agencies and broader sector-specific security programs that expect anti-phishing controls and documented technical safeguards.
What happens if I don't have DMARC?
Without DMARC, mailbox providers have less guidance about how to handle spoofed mail claiming to be from your domain. That makes impersonation easier, reduces visibility into who is sending on your behalf, and can increase the chance of deliverability issues for legitimate email.
Using Inbox Insignia
What is Inbox Insignia?
Inbox Insignia is an email-authentication monitoring platform that helps teams deploy, monitor, and maintain SPF, DKIM, and DMARC. It runs scheduled scans, tracks a 0-100 protection score, surfaces drift, preserves evidence, and helps teams work through remediation in an ongoing workflow. Starter and Growth include a 14-day free trial.
How does Inbox Insignia work?
Inbox Insignia scans your domain's DNS posture on a recurring schedule, shows what changed, explains what is reducing protection, and keeps an evidence trail that teams can review over time. Higher plans add faster drift detection, richer alerting, and more operational workflow support.
Is there a free trial?
Yes. Starter and Growth include a 14-day free trial with no credit card required. During the trial you can add domains, run scans, review scores, and explore the workflow before converting to a paid plan.
What's included in paid plans?
Starter ($39/mo) includes 3 domains with weekly posture checks, compliance scoring, basic DMARC insights, and email alerts. Growth ($129/mo) includes 25 domains with daily posture checks, hourly drift detection, full DMARC aggregate ingestion, Slack/webhook alerts, and RBAC. Agency ($399/mo) includes 100 domains with daily posture checks, 15-minute drift detection, white-label, full API access, multi-tenant management, audit-ready exports, and priority support. Agency Plus, Enterprise, and Enterprise Plus stay visible on the pricing page and upgrade surfaces with sales-assisted checkout for 250, 500, and 1,000 monitored domains. Deferred enterprise-only capabilities are not sold until they ship. Starter and Growth include a 14-day free trial.
How do I get started?
Create an account, add a domain, verify ownership with DNS, and run your first scan. From there you can review the protection score, active issues, recent changes, and recommended next steps.
What is drift detection?
Drift detection watches for changes to your email-authentication posture between broader scheduled reviews. It helps teams spot weakened policies, changed records, or unexpected sender shifts before those problems linger unnoticed.
What alert channels are supported?
Email alerts are available across plans. Growth and above add Slack and webhook delivery so teams can route issues into their own workflows. The exact availability still follows the canonical pricing contract.
Do you offer an API?
Yes. API access is included on Agency and above and is available as an add-on for Growth. The API is intended for teams that want to integrate domains, scans, and posture data into their own operational tooling.
Technical Questions
How do I check my DMARC record?
Use the free DMARC checker to inspect the DNS record, confirm syntax, and review policy guidance without creating an account.
How do I check my SPF record?
Use the free SPF checker to validate your record, inspect mechanisms, and look for syntax or lookup-limit problems.
What is the SPF 10 DNS lookup limit?
The SPF specification limits evaluation to 10 DNS lookups. Includes, redirects, MX, A, and similar mechanisms count toward that total. If a record exceeds the limit, receivers can treat SPF as a permanent error.
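To make the lookup budget concrete, the following added example (not Inbox Insignia code) counts the DNS-querying terms of an SPF record across nested includes and redirects. The TXT records are constructed samples standing in for live DNS, and the count is the worst case, since a real evaluation stops at the first matching mechanism.

```python
import re

# Constructed TXT records standing in for live DNS answers (assumption).
SAMPLE_TXT = {
    "example.com": "v=spf1 a mx include:_spf.mail.example include:_spf.crm.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ip4:192.0.2.0/24 -all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mail.example": "v=spf1 a:out.mail.example exists:%{i}.bl.mail.example -all",
    "_spf.crm.example": "v=spf1 include:_c.crm.example mx:crm.example ptr -all",
    "_c.crm.example": "v=spf1 redirect=_d.crm.example",
    "_d.crm.example": "v=spf1 ip6:2001:db8::/32 -all",
}

LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4

# Terms that trigger a DNS query; ip4, ip6 and all do not.
TERM = re.compile(r"^(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)[:=]?(.*)$")

def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Worst-case number of DNS-querying terms needed to evaluate domain's SPF."""
    if domain in path:              # include loop: stop instead of recursing forever
        return 0
    total = 0
    for raw in txt.get(domain, "").split()[1:]:     # skip the v=spf1 version tag
        m = TERM.match(raw.lstrip("+-~?").lower())  # drop the qualifier, if any
        if not m:
            continue
        total += 1                                  # the term itself costs one lookup
        if m.group(1) in ("include", "redirect"):   # and pulls in another record
            total += count_lookups(m.group(2), txt, path + (domain,))
    return total

def exceeds_limit(domain, txt=SAMPLE_TXT):
    """True when a receiver could return a permanent error for this record."""
    return count_lookups(domain, txt) > LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("example.com", "_spf.mail.example"):
        print(name, count_lookups(name), "over limit" if exceeds_limit(name) else "ok")
```

The top-level record looks short, but its two includes expand to 12 lookups, which is how vendor-managed includes push a domain over the limit without any local change.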
What is DMARC alignment?
DMARC alignment checks whether the domain validated by SPF or DKIM matches the visible From domain. At least one aligned pass is needed for DMARC to pass. Most organizations use relaxed alignment unless a stricter policy is required.
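The alignment check and the policy outcome can be worked through in code. This is an added example, not Inbox Insignia code: the domains and records are constructed, and the three-entry suffix set is an assumption standing in for the full Public Suffix List that receivers use to find the organizational domain.

```python
# Assumption: a tiny stand-in for the Public Suffix List, enough for these samples.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:           # one aligned pass is enough
        return "pass"
    return "fail:" + tags.get("p", "none").lower()

# Constructed samples; every message shows example.com as the visible From domain.
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
VIA_ESP = (("pass", "bounce.esp-mail.com"), ("pass", "mail.example.com"))
UNRELATED = (("pass", "unrelated.org"), ("none", ""))

def demo():
    return [
        evaluate("example.com", *VIA_ESP, RELAXED),    # DKIM subdomain aligns (relaxed)
        evaluate("example.com", *VIA_ESP, STRICT),     # subdomain is not an exact match
        evaluate("example.com", *UNRELATED, RELAXED),  # SPF passed, but for another domain
    ]

if __name__ == "__main__":
    print(demo())
```

The third case is the one SPF alone misses: the envelope sender authenticates, but not for the domain shown in the From header, so DMARC fails and the published policy applies.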
What are DMARC aggregate reports (rua)?
DMARC aggregate reports are XML summaries sent by receivers to the address in the `rua` tag. They help domain owners understand which IPs are sending mail, how much volume they send, and whether SPF, DKIM, and DMARC checks pass or fail.
How often are scans run?
Starter uses weekly posture checks. Growth and above use daily posture checks, and higher plans add faster drift detection between those broader reviews. Manual rescans are also available from the authenticated workflow.
Can I monitor subdomains?
Yes. Subdomains can be monitored directly, and DMARC inheritance also matters when a parent domain governs subdomain behavior. Tracking them separately is often useful for ownership, remediation, and client or business-unit visibility.