HomeBlogs

Email Tips

SPF, DKIM, and DMARC Explained for Email Senders

SPF authorizes your servers, DKIM signs your messages, and DMARC sets the policy when they fail. See how all three work together and why senders need them.

Md. Yaikub Hossain Razon

Md. Yaikub Hossain Razon

July 20264 mins to read

SPF, DKIM, and DMARC are three email authentication protocols that prove an email genuinely comes from your domain. SPF authorizes which servers may send for you, DKIM cryptographically signs each message, and DMARC tells receiving servers what to do when SPF or DKIM fails and reports the results back to you.

Together they stop spoofing and lift deliverability. Each is a DNS TXT record. Each solves a different part of the same problem, which is why receivers such as Gmail and Yahoo now expect all three.

Protocol

What it checks

Where it lives

What it proves

SPF

The sending server's IP

DNS TXT on your domain

The email came from an authorized server

DKIM

The message contents

DNS TXT at a selector

The email was not altered in transit

DMARC

Alignment + policy

DNS TXT at _dmarc

What to do if SPF/DKIM fail, plus reporting

What is email authentication?

Email authentication is a set of DNS-based checks that let a receiving server verify a message really came from the domain in the From address. Without it, anyone can forge your domain and send email as you, because the email protocol itself does not confirm sender identity.

SPF, DKIM, and DMARC are the three standards that provide this verification. They are complementary, not redundant: SPF checks the sending source, DKIM checks message integrity, and DMARC ties both to the visible From domain and sets a policy. All three are published as DNS TXT records that any receiving server can look up.

What is SPF and how does it work?

SPF (Sender Policy Framework) is a DNS TXT record that lists every server authorized to send email for your domain. When a message arrives, the receiving server reads the SPF record and checks whether the sending IP address is on the authorized list. If it is, SPF passes; if not, SPF fails or soft-fails.

An SPF record looks like this:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

The include mechanisms authorize your providers, and ~all soft-fails everything else. SPF has one important limit defined in RFC 7208: a record may trigger no more than 10 DNS lookups, so consolidate includes to stay under the cap. SPF also breaks on forwarding, because the forwarding server's IP is not in your record. DKIM covers that gap.

What is DKIM and how does it work?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send, proving the message was not altered in transit. Your mail server signs the message with a private key, and the receiving server verifies that signature using a public key you publish in DNS.

The public key lives in a TXT record at a selector:

selector._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIIBIjAN..."

The selector is a label your email provider assigns. Google recommends 2048-bit keys for stronger signatures. Unlike SPF, DKIM survives forwarding, because the signature travels with the message rather than depending on the sending IP. That durability makes DKIM the more resilient of the two verification signals.

What is DMARC and how does it work?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) sits on top of SPF and DKIM. It checks that the domain those protocols authenticate aligns with the domain in the visible From address, then tells the receiving server what to do if the checks fail. DMARC also sends you reports on who is sending email using your domain.

A DMARC record looks like this:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com"

The policy tag p takes three values: none monitors and delivers as normal, quarantine sends failing mail to spam, and reject blocks it outright. DMARC needs only one aligned pass SPF or DKIM to succeed, which is why DKIM keeps forwarded mail authenticated when SPF breaks. Deploy DMARC safely by starting at p=none, reviewing the reports for two to four weeks, fixing any legitimate mail that fails, then tightening to quarantine and finally reject.

How do SPF, DKIM, and DMARC work together?

The three run in sequence on every message a receiver evaluates. Each adds a layer the others cannot provide.

  1. Your server sends an email and signs it with your DKIM private key.
  2. The receiver reads your SPF record and checks whether the sending IP is authorized.
  3. The receiver verifies your DKIM signature against your public key.
  4. The receiver checks DMARC alignment: does the SPF or DKIM domain match the From domain?
  5. If DMARC passes, the message is trusted. If it fails, the receiver applies your DMARC policy, none, quarantine, or reject.

SPF and DKIM produce the verification signals; DMARC supplies the enforcement policy and the reporting loop. A domain with all three, correctly aligned, sends mail that receivers can trust and act on.

Do you need all three, and are they required?

Yes. For any real sending domain, all three are now effectively required, and for bulk senders they are mandatory. Since February 2024, Google and Yahoo require senders of 5,000 or more messages a day to Gmail or Yahoo to publish valid SPF, DKIM, and DMARC, and Microsoft enforced equivalent rules for Outlook and Hotmail from May 2025. Lower-volume senders must have at least SPF or DKIM, and best practice is all three regardless of volume. See Google's Email sender guidelines for the official requirements.

Enforcement is strict. As of 2026, unauthenticated bulk mail to Gmail, Yahoo, and Outlook is rejected at the SMTP level rather than filtered to spam. The bulk-sender rules also require a spam complaint rate below 0.3 percent and one-click unsubscribe on marketing mail. The upside is large: analysis of inbox placement has found a roughly 60-percentage-point gap between fully authenticated and unauthenticated senders.

How do you check and set up SPF, DKIM, and DMARC?

Check your records by looking up the DNS TXT entries for your domain, then send a test message to confirm all three pass. The fastest check is to send an email to Gmail, open "Show original", and confirm SPF, DKIM, and DMARC each read PASS. A tester such as mail-tester.com reports the same results with the specific rules that fired.

To set them up, publish the SPF record with your provider's include values, enable DKIM in your sending platform and publish the public key at the selector, then add a DMARC record starting at p=none. DNS changes propagate in roughly 15 minutes to 48 hours depending on your TTL. For the full walkthroughs, follow the guides to set up SPF and DKIM records and set up a DMARC record step by step.

Why does authenticated email still land in spam?

Authentication is necessary but not sufficient. SPF, DKIM, and DMARC prove identity; they do not vouch for content or reputation. An authenticated email can still be filtered if the template is image-heavy, the copy trips spam rules, the sending domain has a poor reputation, or the complaint rate is high.

Fix both halves. Keep your authentication passing and your content clean. A well-coded, tested template avoids the content penalties that authentication cannot address — you can build one in MailEditor's email editor and pair it with proper authentication for reliable inbox placement. If your authenticated mail still misses the inbox, work through why your emails go to the spam folder and how to lower your email spam score.

FAQ

Question: What is the difference between SPF, DKIM, and DMARC? 

Answer: SPF authorizes which servers can send email for your domain, DKIM cryptographically signs each message to prove it was not altered, and DMARC checks that SPF or DKIM aligns with the visible From domain and sets the policy for failures. SPF checks the source, DKIM checks the content, and DMARC ties them together.

Question:Do I need all three, SPF, DKIM, and DMARC? 

Answer:  Yes. Google and Yahoo require valid SPF, DKIM, and DMARC for bulk senders of 5,000 or more emails a day since February 2024, and Microsoft enforces similar rules. Lower-volume senders need at least SPF or DKIM, but all three are best practice because each covers a different attack.

Question:What DMARC policy should I start with? 

Answer: Start with p=none, which monitors and reports without affecting delivery. Review the DMARC reports for two to four weeks to confirm your legitimate mail authenticates, fix anything failing, then move to p=quarantine and finally p=reject for full protection against spoofing.

Question: Does DKIM or SPF break when email is forwarded? 

Answer: SPF often breaks on forwarding because the forwarding server's IP is not in your SPF record. DKIM usually survives, because the signature travels with the message. DMARC needs only one aligned pass, so a surviving DKIM signature keeps forwarded mail authenticated.

Question: How long do SPF, DKIM, and DMARC take to work? 

Answer: The DNS records take effect after propagation, typically 15 minutes to 48 hours depending on your TTL settings. After propagation, every message you send is checked against them. Verify by sending a test to Gmail and viewing "Show original" to confirm all three pass.



newsletter

Field notes on email design.

One thoughtful issue a month. Unsubscribe anytime.

Share

Popular Blogs

Not Enough?

Order a Custom Template.

Can't find the perfect template? Our experts will design a custom email template tailored to your brand—responsive, unique, and fully tested for compatibility.

Tested withTested with