SPF, DKIM, and DMARC are the three email-authentication standards that prove your mail is legitimate. SPF lists who may send for your domain, DKIM cryptographically signs each message, and DMARC tells receivers what to do on failure and reports back to you. Since 2025, Gmail and Microsoft require all three, aligned. Without them, bulk and cold mail is now rejected.
SPF (Sender Policy Framework) is a DNS record naming the servers allowed to send for your domain; receivers check the sending server against it. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each message using a private key, which receivers verify against a public key in your DNS — proving the message was not altered and came from an authorized signer. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together: it tells receivers what to do when SPF or DKIM fails (none, quarantine, or reject) and sends you aggregate reports so you can see who is sending as your domain. The critical word is alignment: it is not enough that SPF and DKIM pass — the domains they authenticate must match your visible From domain. Many cold-email failures are alignment failures, not missing records. Since the 2025 Gmail and Microsoft changes, all three passing and aligned is a hard requirement for bulk sending; missing or misaligned authentication is now a leading cause of outright rejection. Humerly's pre-send audit checks all three plus alignment and flags exactly what to fix.
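To make the alignment point concrete, the following added example (not code from this page or from Humerly) reads an `Authentication-Results` header and reports whether the SPF and DKIM passes it records actually align with the visible From domain. The function names, the sample headers and the four-entry suffix set standing in for the full Public Suffix List are assumptions made for illustration.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List; real checks need the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict: exact match. Relaxed: same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def check_alignment(auth_results, from_domain, strict=False):
    """Report which passing mechanisms also align with the visible From domain."""
    out = {"spf": False, "dkim": False}
    for clause in auth_results.split(";"):
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue  # only a passing result can contribute
        mech = m.group(1)
        prop = "smtp.mailfrom" if mech == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(?:\S*@)?([\w.-]+)", clause)
        if d and aligned(d.group(1), from_domain, strict):
            out[mech] = True
    out["dmarc_pass"] = out["spf"] or out["dkim"]      # DMARC needs one aligned pass
    out["fully_aligned"] = out["spf"] and out["dkim"]  # the bar the text sets for bulk mail
    return out

# Constructed headers: both pass SPF and DKIM, only the second aligns with example.com.
MISALIGNED = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces@bounce.esp-mail.net; "
              "dkim=pass header.d=esp-mail.net header.s=s1")
ALIGNED = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces@bounce.example.com; "
           "dkim=pass header.d=example.com header.s=s1")

if __name__ == "__main__":
    for name, hdr in (("misaligned", MISALIGNED), ("aligned", ALIGNED)):
        print(name, check_alignment(hdr, "example.com"))
```

The first header is the typical cold-email failure: the sending platform's own domain passes SPF and DKIM, but neither result covers the From domain, so nothing aligns.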