SPF, DKIM, and DMARC Explained for Email Senders
SPF authorizes your servers, DKIM signs your messages, and DMARC sets the policy when they fail. See how all three work together and why senders need them.

Md. Yaikub Hossain Razon
SPF, DKIM, and DMARC are three email authentication protocols that prove an email genuinely comes from your domain. SPF authorizes which servers may send for you, DKIM cryptographically signs each message, and DMARC tells receiving servers what to do when SPF or DKIM fails and reports the results back to you.
Together they stop spoofing and lift deliverability. Each is a DNS TXT record. Each solves a different part of the same problem, which is why receivers such as Gmail and Yahoo now expect all three.
What is email authentication?
Email authentication is a set of DNS-based checks that let a receiving server verify a message really came from the domain in the From address. Without it, anyone can forge your domain and send email as you, because the email protocol itself does not confirm sender identity.
SPF, DKIM, and DMARC are the three standards that provide this verification. They are complementary, not redundant: SPF checks the sending source, DKIM checks message integrity, and DMARC ties both to the visible From domain and sets a policy. All three are published as DNS TXT records that any receiving server can look up.
What is SPF and how does it work?
SPF (Sender Policy Framework) is a DNS TXT record that lists every server authorized to send email for your domain. When a message arrives, the receiving server reads the SPF record and checks whether the sending IP address is on the authorized list. If it is, SPF passes; if not, SPF fails or soft-fails.
An SPF record looks like this:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
The include mechanisms authorize your providers, and ~all soft-fails everything else. SPF has one important limit defined in RFC 7208: a record may trigger no more than 10 DNS lookups, so consolidate includes to stay under the cap. SPF also breaks on forwarding, because the forwarding server's IP is not in your record. DKIM covers that gap.
What is DKIM and how does it work?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send, proving the message was not altered in transit. Your mail server signs the message with a private key, and the receiving server verifies that signature using a public key you publish in DNS.
The public key lives in a TXT record at a selector:
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
The selector is a label your email provider assigns. Google recommends 2048-bit keys for stronger signatures. Unlike SPF, DKIM survives forwarding, because the signature travels with the message rather than depending on the sending IP. That durability makes DKIM the more resilient of the two verification signals.
What is DMARC and how does it work?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) sits on top of SPF and DKIM. It checks that the domain those protocols authenticate aligns with the domain in the visible From address, then tells the receiving server what to do if the checks fail. DMARC also sends you reports on who is sending email using your domain.
A DMARC record looks like this:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com"
The policy tag p takes three values: none monitors and delivers as normal, quarantine sends failing mail to spam, and reject blocks it outright. DMARC needs only one aligned pass SPF or DKIM to succeed, which is why DKIM keeps forwarded mail authenticated when SPF breaks. Deploy DMARC safely by starting at p=none, reviewing the reports for two to four weeks, fixing any legitimate mail that fails, then tightening to quarantine and finally reject.
How do SPF, DKIM, and DMARC work together?
The three run in sequence on every message a receiver evaluates. Each adds a layer the others cannot provide.
- Your server sends an email and signs it with your DKIM private key.
- The receiver reads your SPF record and checks whether the sending IP is authorized.
- The receiver verifies your DKIM signature against your public key.
- The receiver checks DMARC alignment: does the SPF or DKIM domain match the From domain?
- If DMARC passes, the message is trusted. If it fails, the receiver applies your DMARC policy, none, quarantine, or reject.
SPF and DKIM produce the verification signals; DMARC supplies the enforcement policy and the reporting loop. A domain with all three, correctly aligned, sends mail that receivers can trust and act on.
Do you need all three, and are they required?
Yes. For any real sending domain, all three are now effectively required, and for bulk senders they are mandatory. Since February 2024, Google and Yahoo require senders of 5,000 or more messages a day to Gmail or Yahoo to publish valid SPF, DKIM, and DMARC, and Microsoft enforced equivalent rules for Outlook and Hotmail from May 2025. Lower-volume senders must have at least SPF or DKIM, and best practice is all three regardless of volume. See Google's Email sender guidelines for the official requirements.
Enforcement is strict. As of 2026, unauthenticated bulk mail to Gmail, Yahoo, and Outlook is rejected at the SMTP level rather than filtered to spam. The bulk-sender rules also require a spam complaint rate below 0.3 percent and one-click unsubscribe on marketing mail. The upside is large: analysis of inbox placement has found a roughly 60-percentage-point gap between fully authenticated and unauthenticated senders.
How do you check and set up SPF, DKIM, and DMARC?
Check your records by looking up the DNS TXT entries for your domain, then send a test message to confirm all three pass. The fastest check is to send an email to Gmail, open "Show original", and confirm SPF, DKIM, and DMARC each read PASS. A tester such as mail-tester.com reports the same results with the specific rules that fired.
To set them up, publish the SPF record with your provider's include values, enable DKIM in your sending platform and publish the public key at the selector, then add a DMARC record starting at p=none. DNS changes propagate in roughly 15 minutes to 48 hours depending on your TTL. For the full walkthroughs, follow the guides to set up SPF and DKIM records and set up a DMARC record step by step.
Why does authenticated email still land in spam?
Authentication is necessary but not sufficient. SPF, DKIM, and DMARC prove identity; they do not vouch for content or reputation. An authenticated email can still be filtered if the template is image-heavy, the copy trips spam rules, the sending domain has a poor reputation, or the complaint rate is high.
Fix both halves. Keep your authentication passing and your content clean. A well-coded, tested template avoids the content penalties that authentication cannot address — you can build one in MailEditor's email editor and pair it with proper authentication for reliable inbox placement. If your authenticated mail still misses the inbox, work through why your emails go to the spam folder and how to lower your email spam score.
FAQ
Question: What is the difference between SPF, DKIM, and DMARC?
Answer: SPF authorizes which servers can send email for your domain, DKIM cryptographically signs each message to prove it was not altered, and DMARC checks that SPF or DKIM aligns with the visible From domain and sets the policy for failures. SPF checks the source, DKIM checks the content, and DMARC ties them together.
Question:Do I need all three, SPF, DKIM, and DMARC?
Answer: Yes. Google and Yahoo require valid SPF, DKIM, and DMARC for bulk senders of 5,000 or more emails a day since February 2024, and Microsoft enforces similar rules. Lower-volume senders need at least SPF or DKIM, but all three are best practice because each covers a different attack.
Question:What DMARC policy should I start with?
Answer: Start with p=none, which monitors and reports without affecting delivery. Review the DMARC reports for two to four weeks to confirm your legitimate mail authenticates, fix anything failing, then move to p=quarantine and finally p=reject for full protection against spoofing.
Question: Does DKIM or SPF break when email is forwarded?
Answer: SPF often breaks on forwarding because the forwarding server's IP is not in your SPF record. DKIM usually survives, because the signature travels with the message. DMARC needs only one aligned pass, so a surviving DKIM signature keeps forwarded mail authenticated.
Question: How long do SPF, DKIM, and DMARC take to work?
Answer: The DNS records take effect after propagation, typically 15 minutes to 48 hours depending on your TTL settings. After propagation, every message you send is checked against them. Verify by sending a test to Gmail and viewing "Show original" to confirm all three pass.
Popular Blogs

Email Design2 mins to read
Top Email Template Builders & HTML Email Editors for 2026
Compare the best email template builders and HTML editors to design professional, responsive campaigns without coding.

Email Tips7 mins to read
Best Drag and Drop Email Editors in 2026
Discover the best drag and drop email editors in 2026. Compare top tools, features, templates, pricing, and automation to build stunning emails fast.

Marketing7 mins to read
4 Best Unlayer Alternatives to Design Emails
Looking for Unlayer alternatives? Explore the 4 best email design tools to create beautiful, responsive emails faster and easier.

Email Design1 min to read
How to Create an HTML Email Template in Mailtrap
Follow this step‑by‑step guide to creating a responsive HTML email template in Mailtrap. Design, code, and customize your template with confidence.

Marketing6 mins to read
5 Beefree Alternatives to Upgrade Email Design Workflows
Looking for a better email design tool? Explore 5 Beefree alternatives that streamline workflows, improve collaboration, and elevate email campaigns.