Authentication is the single biggest unforced error in ecommerce email. Gmail and Yahoo's 2024 sender requirements made misconfiguration a deliverability cliff, not a slope.
The minimum bar in 2025
SPF: aligned, no more than 10 DNS lookups, no soft-fail for production senders.
DKIM: 2048-bit, rotated annually, signing every production sender.
DMARC: p=quarantine minimum, with aggregate (rua) reporting going somewhere a human reads it.
BIMI: optional but increasingly worth the VMC cost for brand-trust signaling in Gmail and Apple.
Rolling out DMARC without breaking production
Start at p=none with rua reporting for 30 days. Use the aggregate reports to identify and authorize every legitimate sender. Move to p=quarantine at pct=25, then 50, then 100. Only move to p=reject once aggregate reports are clean for 30 consecutive days.
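The rollout ladder above as a gate you can run before each DNS change. This is an added example, not code from the original article; the function names, the `failing_senders` input and the example.com records are hypothetical. The article gives no dwell time between the pct steps, so the sketch assumes those advance whenever no legitimate sender is failing.

```python
# Added example: the rollout ladder from the text, applied to constructed records.
LADDER = [("none", 100), ("quarantine", 25), ("quarantine", 50),
          ("quarantine", 100), ("reject", 100)]

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags

def next_step(txt, days_at_stage, clean_days, failing_senders=()):
    """Return (decision, record): 'advance' plus the next record, or a hold reason."""
    tags = parse_dmarc(txt)
    if not tags.get("rua"):
        return "hold: no rua address, nobody can read the reports", txt
    pct = tags.get("pct", "100")           # pct defaults to 100 when absent
    stage = (tags.get("p", "").lower(), int(pct) if pct.isdigit() else -1)
    if stage not in LADDER:
        return "hold: policy is not on the ladder, review by hand", txt
    if stage == LADDER[-1]:
        return "done: already at p=reject", txt
    if failing_senders:                    # legitimate sources still failing DMARC
        return "hold: authorize " + ", ".join(sorted(failing_senders)), txt
    if stage[0] == "none" and days_at_stage < 30:
        return "hold: %d of 30 days at p=none" % days_at_stage, txt
    if stage == ("quarantine", 100) and clean_days < 30:
        return "hold: %d of 30 clean days before p=reject" % clean_days, txt
    policy, percent = LADDER[LADDER.index(stage) + 1]
    tags["p"], tags["pct"] = policy, str(percent)
    return "advance", "; ".join("%s=%s" % kv for kv in tags.items())

if __name__ == "__main__":
    # Constructed records for a placeholder domain.
    rua = "rua=mailto:dmarc@example.com"
    print(next_step("v=DMARC1; p=none; " + rua, 30, 30))
    print(next_step("v=DMARC1; p=quarantine; pct=50; " + rua, 14, 14,
                    failing_senders=["helpdesk-saas"]))
    print(next_step("v=DMARC1; p=quarantine; pct=100; " + rua, 20, 12))
```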