How to fix email deliverability with SPF, DKIM, and DMARC
You're sending emails and they're not getting responses. Your outreach is landing in spam. Your transactional emails — password resets, order confirmations, meeting invites — are disappearing into the void. You check your copy, tweak your subject lines, adjust your send times. Nothing helps.
The problem probably isn't your content. It's your domain authentication.
Inbox providers like Gmail and Outlook use three DNS-based standards to decide whether your emails are legitimate: SPF, DKIM, and DMARC. If these aren't set up correctly — or at all — your emails look unverified. And unverified emails get filtered, quarantined, or rejected.
Here's exactly how to set up all three.
SPF: tell inbox providers who's allowed to send as you
SPF (Sender Policy Framework) is a DNS TXT record on your domain that lists which servers are authorized to send email on your behalf.
Think of it as a guest list. When Gmail receives an email from your domain, it checks SPF to see if the sending server is on the list. If it's not, the email looks suspicious.
How to set it up
1. Inventory every service that sends email from your domain. This includes your mail provider (Google Workspace, Microsoft 365), marketing tools (Mailchimp, Customer.io), transactional senders (SendGrid, Postmark), your helpdesk, your CRM — anything that sends email as @yourdomain.com.
2. Get the SPF include: value from each service. Every email provider publishes theirs. For example: _spf.google.com for Google Workspace, sendgrid.net for SendGrid.
3. Publish a single TXT record at the root of your domain. Combine all your includes into one record:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
End with ~all (softfail) while you're testing, then move to -all (hardfail) once you've confirmed everything works.
Common mistakes
- Multiple SPF records. You can only have one SPF record per domain. Publishing two breaks SPF entirely — receiving servers won't know which one to use. Combine everything into a single record.
- Hitting the 10-lookup limit. Each include: counts as a DNS lookup, and they can nest. SPF has a hard cap of 10 lookups. Tools like dmarcian or Mailhardener will flag it if you're over the limit.
- Forgetting that SPF breaks on forwarding. When someone forwards your email, the sending server changes but SPF still points to your original servers. This is part of why DKIM and DMARC exist — they cover the gaps SPF can't.
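As an added example (not part of the original article), here is a small Python checker for the SPF rules above: exactly one v=spf1 record, no more than 10 lookup-causing terms, and a sensible all qualifier. It takes a plain list of TXT record strings, so you can paste in what a DNS lookup of your root domain returns; it does not resolve DNS itself and does not follow nested includes, so the count it reports is a lower bound.

```python
import re

# Terms that each cost a DNS lookup under RFC 7208; the limit is 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def count_spf_lookups(record):
    """Count lookup-causing terms in one SPF record. This does not recurse into
    nested includes, so the true total can only be higher than this number."""
    count = 0
    for term in record.split()[1:]:                 # skip the v=spf1 version tag
        term = term.lstrip("+-~?")                  # drop the qualifier, if any
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count

def check_spf_txt_records(txt_records):
    """Check the TXT records at a domain's root for the problems the SPF section
    describes. Returns a list of problem strings; an empty list means OK."""
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    problems = []
    if len(spf) > 1:
        problems.append("%d SPF records found; only one is allowed" % len(spf))
    record = spf[0]
    lookups = count_spf_lookups(record)
    if lookups > 10:
        problems.append("%d DNS lookups exceeds the limit of 10" % lookups)
    last = record.split()[-1].lower()
    if last.lstrip("+-~?") == "all":
        if last in ("all", "+all"):
            problems.append("'+all' authorizes every server on the internet")
    elif not last.startswith("redirect="):
        problems.append("record does not end with an 'all' mechanism")
    return problems

if __name__ == "__main__":
    # Constructed sample: the record shown in the SPF section above.
    sample = ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"]
    print(count_spf_lookups(sample[0]), check_spf_txt_records(sample))
```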
DKIM: prove your emails weren't tampered with
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server fetches your public key from DNS and uses it to verify the message wasn't altered in transit and really came from an authorized sender.
If SPF is the guest list, DKIM is the wax seal.
How to set it up
1. Generate a DKIM key in each sending service. Go to the DKIM section of each service's admin panel. Use 2048-bit keys if offered — they're more secure than 1024-bit.
2. Publish the DNS records they give you. Each service will provide one or more CNAME or TXT records with a selector — something like s1._domainkey.yourdomain.com. Selectors let you have multiple keys (one per service) coexisting on the same domain.
3. Verify and enable. Go back to the service's admin panel and click "verify" or "enable." It checks DNS for your published key and activates signing.
4. Repeat for every sending service. Each one gets its own selector and its own key. Having multiple DKIM records is normal.
Common mistakes
- Truncated keys. Some DNS providers split long TXT records in unexpected ways. If verification fails, check that the key wasn't cut off.
- Never rotating keys. Rotate DKIM keys periodically — annually is reasonable. Most providers handle this automatically, but check.
- Only setting up DKIM for your main email provider. Every service that sends email as your domain needs its own DKIM key. If your marketing tool sends without DKIM, those emails will fail authentication.
DMARC: set the rules and get visibility
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. It tells receiving servers what to do when authentication fails, and — critically — it sends you reports about every email sent from your domain, whether you sent it or not.
DMARC only passes when at least one of SPF or DKIM passes and the authenticated domain aligns with the visible "From" address. This alignment check is what makes DMARC powerful — without it, someone could pass SPF or DKIM on their own domain while spoofing yours in the "From" field.
How to set it up
1. Set up reporting first. Raw DMARC reports are XML and nearly unreadable. Use a reporting service — Postmark's free DMARC monitoring, dmarcian, Valimail, or EasyDMARC — to make them human-readable.
2. Publish a TXT record at _dmarc.yourdomain.com in monitor mode:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; adkim=r; aspf=r
p=none means you're just watching — no emails get blocked. This is critical. Going straight to enforcement without monitoring will silently kill legitimate mail.
3. Watch reports for 2-4 weeks. You're looking for legitimate senders that are failing alignment. Common culprits: a marketing tool sending as your domain without DKIM set up, or SPF missing an include: for a service you forgot about.
4. Fix every legitimate failure. Add the missing SPF includes. Enable DKIM for services that don't have it. This is the most important step — you're cleaning up before you start enforcing.
5. Gradually move to enforcement. Once reports look clean:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
Increase pct gradually (25 → 50 → 100), then change p=quarantine to p=reject. This way you're never blocking more than a small percentage of email at any step.
Key DMARC parameters
| Parameter | What it does |
|---|---|
| p= | Policy: none (monitor), quarantine (spam folder), or reject (block) |
| rua= | Where to send aggregate reports |
| ruf= | Where to send forensic reports (not all receivers send these) |
| adkim= | DKIM alignment: r for relaxed (subdomains pass) or s for strict |
| aspf= | SPF alignment: r for relaxed or s for strict |
| pct= | Percentage of failing mail the policy applies to — useful for gradual rollout |
| sp= | Subdomain policy — defaults to your main p= if omitted |
Common mistakes
- Going straight to p=reject. This is the number one mistake. Without a monitoring period, you'll block legitimate emails from services you forgot to authenticate. Always start at p=none.
- Ignoring alignment failures. SPF and DKIM can both pass while DMARC still fails because the authenticated domain doesn't match the "From" domain. Reports will show this — read them.
- Forgetting subdomains. For subdomains you don't send email from, publish v=DMARC1; p=reject; on them explicitly. Otherwise, attackers can spoof anything.yourdomain.com.
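As an added example (not part of the original article), the following Python parses a DMARC record with the defaults from the parameter table and then applies the alignment rule from the DMARC section: the message passes only if SPF or DKIM passed and the authenticated domain aligns with the "From" domain, otherwise the p= (or sp= for a subdomain) policy applies. The organizational-domain check is simplified to the last two labels, which is an assumption; real receivers use the Public Suffix List. The pct= sampling step is deliberately left out.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags, filling in the defaults the
    parameter table gives: relaxed alignment, pct=100, sp inherits p."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    return tags

def org_domain(domain):
    """Organizational domain, simplified (assumption) to the last two labels.
    Real receivers consult the Public Suffix List so co.uk-style suffixes work."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed (r): same organizational domain. Strict (s): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' when at least one aligned authentication passes; otherwise
    return the policy that applies: p= for the domain itself, sp= for a subdomain.
    pct sampling is not modelled; the value returned is the policy pct would apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags["sp"] if is_subdomain else tags["p"]

if __name__ == "__main__":
    # Constructed scenario: a marketing tool relays through its own domain (SPF
    # passes there) but does not DKIM-sign for yourdomain.com, so alignment fails.
    monitor = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r"
    print(dmarc_disposition(monitor, "yourdomain.com", True, "sendgrid.net", False, ""))
```

In monitor mode that scenario returns "none", which is exactly the kind of legitimate alignment failure the reports are meant to surface before you move to quarantine or reject.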
After setup: verify everything
Once your records are published, test them:
- MXToolbox — Check your SPF, DKIM, and DMARC records for errors.
- Mail-Tester — Send a test email and get a deliverability score out of 10.
- Google Postmaster Tools — See your domain's reputation at Gmail, spam rates, and authentication results.
- Microsoft SNDS — Same thing, but for Outlook.
Check these periodically, not just once. Domain reputation takes time to build, and a misconfigured new service can undo weeks of progress.
The bottom line
Email deliverability isn't a content problem — it's an infrastructure problem. SPF, DKIM, and DMARC are the foundation. Without them, you're asking inbox providers to trust you on faith. With them, your emails carry cryptographic proof that they're real.
The setup takes about 30 minutes for the DNS records, plus a month of gradual DMARC rollout. It's one of those things that pays dividends on every email you send from that point forward — outreach, transactional, internal, all of it.
If you're running outbound email campaigns, this isn't optional. Gmail and Microsoft have been tightening authentication requirements steadily since 2024. Domains without proper SPF, DKIM, and DMARC are increasingly landing in spam by default.
Set it up once. Check it quarterly. Move on to the problems that actually require your attention.
Last updated: April 2026