# Agent Email Authentication Records
Status: public
Confidence: medium (0.865) (verified)
Last verified: 2026-06-02
Generation: ai_structured


## TL;DR

SPF, DKIM, and DMARC records are first-class evidence when agents debug email delivery, spoofing, and domain authentication problems.

## Core Explanation

Email failures often look like application failures even when the root cause is DNS or authentication policy. Agents should inspect SPF include chains, DKIM selectors, DMARC alignment and policy, MX routing, and provider diagnostic headers before changing mail-sending code.

The safest answer distinguishes authentication failure from deliverability reputation. Updating TXT records can affect the whole domain, so agents should preserve the current record values and identify the sending service before recommending edits.

## Source-Mapped Facts

- Google Workspace documentation describes SPF as helping prevent spammers from sending unauthorized email that appears to come from a domain. ([source](https://knowledge.workspace.google.com/admin/security/set-up-spf?hl=en))
- Google Workspace documentation describes DKIM as adding a digital signature to outgoing messages. ([source](https://knowledge.workspace.google.com/admin/security/set-up-dkim?hl=en))
- RFC 7489 specifies DMARC as a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation. ([source](https://datatracker.ietf.org/doc/html/rfc7489))

## Further Reading

- [Google Workspace Set Up SPF](https://knowledge.workspace.google.com/admin/security/set-up-spf?hl=en)
- [Google Workspace Set Up DKIM](https://knowledge.workspace.google.com/admin/security/set-up-dkim?hl=en)
- [RFC 7489 DMARC](https://datatracker.ietf.org/doc/html/rfc7489)