Email Deliverability Basics: SPF, DKIM, and DMARC Explained

What SPF, DKIM, and DMARC actually do, why they matter, and how to check if yours are set up correctly.

Your emails are landing in spam. Or worse — they're not arriving at all. The culprit is usually one of three acronyms: SPF, DKIM, or DMARC.

These aren't optional extras. They're the authentication layer that tells receiving mail servers "yes, this email actually came from who it claims to be from."

The Three Pillars of Email Authentication

SPF (Sender Policy Framework)

A DNS record that lists which servers are allowed to send email on behalf of your domain. When an email arrives claiming to be from you, the receiving server checks: "Is this IP address on the approved list?"

DKIM (DomainKeys Identified Mail)

A cryptographic signature attached to each email. Your sending server signs the message with a private key; the receiving server verifies it using a public key published in your DNS. If the signature matches, the email hasn't been tampered with.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

A policy that tells receiving servers what to do when SPF or DKIM fails. Quarantine? Reject? Do nothing? DMARC also sends you reports about who's sending email using your domain — legitimate or not.

Why This Matters

Without proper authentication:

Your emails hit spam. Gmail, Outlook, and other providers increasingly require authentication. No SPF/DKIM? Straight to junk.

Anyone can spoof your domain. Phishers send emails "from" your domain to your customers. Without DMARC enforcement, there's no protection.

You have no visibility. You don't know if emails are being rejected, or if someone else is sending as you.

Google and Yahoo requirements

As of 2024, Google and Yahoo require SPF, DKIM, and DMARC for bulk senders. Even if you send low volume, proper authentication improves deliverability.

How to Check Your Setup

You can check your records manually using DNS lookup tools, but here's what you're looking for:

SPF: A TXT record on your domain starting with v=spf1. It should include all your sending sources (your mail server, marketing tools, transactional email providers).

DKIM: A TXT record at a selector subdomain (like selector1._domainkey.yourdomain.com). The format is v=DKIM1; k=rsa; p=... followed by the public key.

DMARC: A TXT record at _dmarc.yourdomain.com. At minimum: v=DMARC1; p=none; — though p=quarantine or p=reject provides actual protection.

Common Mistakes

SPF with too many lookups. SPF allows a maximum of 10 DNS lookups. Include too many services and the whole record fails silently.

Missing DKIM for third-party senders. You set up DKIM for your main mail server but forgot Mailchimp, HubSpot, or your transactional email provider.

DMARC set to "none" forever. p=none is monitoring mode — it doesn't block anything. It's a starting point, not a destination.

No monitoring. You set it up once and never check again. Records get stale. New sending sources get added without DKIM. SPF breaks and nobody notices.
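The checks from "How to Check Your Setup" and the first and third of the common mistakes above, written as a small linter over TXT record strings. This is an added example, not code from the original article or from any product it mentions; the function names and sample records are constructed for illustration, and the SPF count covers only the terms in the record you pass in, not lookups inside nested includes.

```python
import re

# SPF terms that each cost one DNS lookup toward the limit of 10:
# include, a, mx, ptr, exists and the redirect= modifier (ip4, ip6, all do not).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # split once: base64 keys end in '='
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    # Nested includes add their own lookups once resolved; this is a lower bound.
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    return [f"SPF: {lookups} lookup terms, limit is 10"] if lookups > 10 else []

def check_dkim(record):
    tags = parse_tags(record)
    # The v= tag is optional in a DKIM key record, but if present must be DKIM1.
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM: v= is not DKIM1"]
    if not tags.get("p"):
        return ["DKIM: empty p= (no public key, or key revoked)"]
    return []

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"DMARC: invalid or missing p= ({policy!r})"]
    if policy == "none":
        return ["DMARC: p=none is monitoring only"]
    return []

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    print(check_spf("v=spf1 include:_spf.mail.example ip4:192.0.2.10 -all"))
    print(check_dmarc("v=DMARC1; p=none;"))
```

Feed it the TXT strings returned by your DNS lookup tool for the domain, the DKIM selector subdomain, and _dmarc.yourdomain.com.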

Monitor your email authentication

The Email Deliverability Suite watches your SPF, DKIM, and DMARC records and alerts you when something breaks.
