Live Direct Marketing logo
Inbox Placement Test
Authentication8 min read

SPF vs DKIM vs DMARC at 9 providers: who cares most about what?

Generic authentication advice masks a real per-provider variance. The same identical message can pass at Gmail and land in Spam at Mail.ru, or hit Inbox at Yahoo while getting greylisted at GMX. Here is what each of the nine major mailbox providers actually weighs in 2026.

Email authentication is sold as a single recipe — set SPF, DKIM and DMARC and you are done. In practice each provider weighs the three signals differently, and a sender optimised for Gmail can still hit Spam at Mail.ru or get throttled at T-Online. The differences come down to how each filter handles forwarding, alignment, and DMARC policy.

TL;DR

DKIM is universal. SPF matters most where forwarding is rare (GMX, T-Online, Mail.ru). DMARC p=reject is a measurable inbox-rate lift everywhere, biggest at Mail.ru and iCloud. Skipping DKIM hurts at every provider; skipping SPF hurts unevenly.

Gmail and Google Workspace

  • Weighting: Domain reputation > DKIM alignment > DMARC policy > SPF. Gmail explicitly de-emphasised SPF after 2024 because forwarding breaks it.
  • Bulk Sender Requirements (post-2024): for senders >5K/day to Gmail recipients, DMARC is mandatory and one-click List-Unsubscribe is required. Non-compliance measurably degrades placement.
  • Watch: Postmaster Tools, theAuthentication-Results header forarc=pass and dkim=pass.

Outlook / Microsoft 365 / Hotmail

  • Weighting: SPF is still meaningful — Microsoft accepts ARC less consistently than Google, so SPF brokenness shows up more often.
  • SmartScreen quirk: heavy weight on subject patterns and HTML structure. Auth alone does not save bad content from Junk.
  • Useful tools: SNDS (IP) and JMRP (complaint feedback). No equivalent of Postmaster Tools' domain dashboard.

Yahoo and AOL (Verizon Media / Yahoo Mail)

  • Weighting: Domain reputation, complaint rate, and DKIM alignment. Yahoo joined the Gmail bulk-sender rules almost identically — DMARC and one-click unsubscribe are required at scale.
  • BIMI renders in Yahoo and AOL when DMARC enforcement is live and a VMC certificate is published.

iCloud Mail / Apple Mail

  • Weighting: opaque. Apple publishes nothing. Observationally: DMARC enforcement materially lifts inbox rate; SPF-only with mismatched From is reliably Junk.
  • MPP (Mail Privacy Protection) still pre-fetches images, so open-rate signals are useless for tuning to Apple. Inbox placement seed-tests are the only loop that works.

GMX and T-Online (United Internet, DACH)

  • Weighting: SPF is a near-hard gate. Failed SPF often results in greylisting or 4xx temp-fail rather than soft Spam.
  • CSA whitelist: the Certified Senders Alliance is meaningful here — listed senders bypass several content checks. Useful for high-volume DACH-targeting senders.
  • Language signals: German content with foreign DKIM domain is treated more strictly than at Gmail.

Mail.ru

  • Weighting: DKIM alignment is a hard gate. SPF-only senders are deprioritised for Inbox even when SPF itself passes.
  • DMARC p=reject with passing alignment is the single biggest inbox-rate lift available at Mail.ru, larger than any single content fix.
  • Postmaster.mail.ru: exposes complaints, authentication stats and reputation per domain.

Yandex Pochta

  • Weighting: ARC-pass is meaningful — Yandex accepts arc-validated forwards more readily than Microsoft. DKIM alignment stays the most important signal.
  • Postmaster.yandex.ru: equivalent dashboard; shows reputation by domain and IP, plus a useful FBL.

A practical per-provider recipe

  • Publish SPF with a hard -all (or strict~all) and keep it under 10 lookups.
  • DKIM-sign every message with a key aligned to the From-domain. Rotate keys yearly; 2048-bit minimum.
  • DMARC p=quarantine for the warm-up phase, thenp=reject with rua reporting on.
  • Add List-Unsubscribe andList-Unsubscribe-Post: List-Unsubscribe=One-Click on every marketing send.
  • Verify per-provider with a real seed test — auth that passes at your mailbox does not always pass at Mail.ru, T-Online or iCloud.

The simplest way to find the per-provider gap: send one email through our free inbox placement test. The same message hits seed mailboxes at all nine providers, and the report showsAuthentication-Results from each so you can spot the one provider where your DKIM domain is not aligning.

Do I still need SPF if I have DKIM and DMARC?

Yes. SPF is required for DMARC alignment via the SPF path, and several providers (GMX, T-Online, parts of Outlook) still penalise its absence even when DKIM passes.

Which DMARC policy should I publish?

Start at p=none with rua reporting to verify alignment, move to p=quarantine pct=25 once clean, then to p=reject. Skipping p=quarantine and going straight to p=reject is risky if any subdomain still sends unsigned mail.

Why does my Gmail inbox rate look fine but Mail.ru does not?

Most often: SPF-only or unaligned DKIM. Gmail is forgiving, Mail.ru is not. Re-check the d= domain in your DKIM signature against your From-domain.
Related reading
Found this useful? Share it
LinkedInX (Twitter)RedditHacker News
AB
About the author
Artem Berezin
B2B Deliverability Specialist

B2B deliverability specialist with 5+ years of hands-on outreach experience. Built campaigns reaching 90,000+ inboxes across 20+ countries — and fixed the deliverability problems that came with that scale.

LinkedInlive-direct-marketing.online

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required