
SPF, DKIM, and DMARC Explained: Stop Your Emails Landing in Spam

If your emails keep ending up in spam — or worse, someone is sending emails pretending to be you — the fix is in your DNS records. SPF, DKIM, and DMARC are three email authentication standards that work together to prove your emails are legitimate. Here is how they work and how to set them up.

Why email authentication matters

Email was designed in the 1970s without any built-in way to verify who sent a message. Anyone can send an email claiming to be from your domain. This is called email spoofing, and it is the foundation of most phishing attacks.

SPF, DKIM, and DMARC close this gap. They let receiving mail servers verify that an email actually came from an authorized sender. Without them, mail providers like Gmail, Outlook, and Yahoo have no way to distinguish your legitimate emails from spoofed ones — so they err on the side of caution and flag your messages as spam.

Since February 2024, Google and Yahoo require SPF, DKIM, and DMARC for anyone sending more than 5,000 emails per day. But even if you send far fewer, these records significantly improve deliverability.

SPF: who is allowed to send

SPF (Sender Policy Framework) is a TXT record on your domain that lists which mail servers are authorized to send email on your behalf. When a receiving server gets an email from your domain, it checks the SPF record to see if the sending server is on the approved list.

Example SPF record

v=spf1 include:_spf.google.com include:sendgrid.net -all

This record says: “Only Google Workspace and SendGrid are allowed to send email for this domain. Reject everything else.” The -all at the end is called a hard fail — it tells receiving servers to reject unauthorized senders. A softer option, ~all (soft fail), marks unauthorized emails as suspicious but does not reject them outright.

Common mistake: Having multiple SPF records on the same domain. You can only have one SPF TXT record. If you need to authorize multiple services, combine them into a single record using multiple include: directives.

DKIM: proving the email was not tampered with

DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email. The sending server signs the email with a private key, and the receiving server verifies the signature using a public key published in your DNS records.

Example DKIM record

Name: google._domainkey.example.com

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...

DKIM does two things: it proves the email was sent by someone with access to the private key (authentication), and it proves the email body and headers were not modified in transit (integrity). If someone intercepts and alters the email, the signature check fails.

Each email service you use (Google Workspace, Mailchimp, SendGrid, etc.) has its own DKIM key. You need to add a DKIM TXT record for each service. Unlike SPF, you can have multiple DKIM records — they use different selector names to avoid conflicts.

DMARC: the policy layer

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy. It tells receiving servers what to do when an email fails authentication checks, and where to send reports about it.

Example DMARC record

Name: _dmarc.example.com

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100

The key settings:

  • p=none — monitor only, do not take action on failures (good for starting out)
  • p=quarantine — send failing emails to spam
  • p=reject — block failing emails entirely (strongest protection)
  • rua= — email address where aggregate reports are sent

Recommended approach: Start with p=none and monitor reports for 2-4 weeks to identify all legitimate senders. Then move to p=quarantine, and finally p=reject once you are confident all legitimate email is passing authentication.

How to check your setup

All three authentication standards are stored as TXT records in your DNS. You can verify them using ZonePeek:

  1. Look up your domain on ZonePeek
  2. Filter by TXT records
  3. Check for a record starting with v=spf1 — that is your SPF
  4. Check for a record starting with v=DMARC1 at the _dmarc subdomain — that is your DMARC policy
  5. DKIM records are on selector-specific subdomains (e.g., google._domainkey) — look up that subdomain to verify

If any of these records are missing, your email deliverability is likely suffering.
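The five checks above can be scripted. The following Python audit is an added example, not ZonePeek's code or part of the original article: it runs over a constructed table of TXT answers (`SAMPLE_TXT`, which deliberately contains the double-SPF mistake described earlier) and reports what is missing or weak for each of the three records. `lookup_txt` is a stand-in for a real DNS query.

```python
# Constructed sample zone data standing in for live DNS TXT answers (not real records).
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
        "v=spf1 include:mail.example.net -all",  # second SPF record: the common mistake
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap in a real resolver for live checks."""
    return SAMPLE_TXT.get(name, [])

def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, selectors=("google",)):
    """Return a list of findings for SPF, DMARC and DKIM; an empty list means all checks passed."""
    findings = []
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record")
    elif len(spf) > 1:
        findings.append(f"SPF: {len(spf)} records found; receivers treat this as a permanent error")
    else:
        last = spf[0].split()[-1]
        if last not in ("-all", "~all"):
            findings.append(f"SPF: record ends with '{last}', expected -all or ~all")
    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no v=DMARC1 record at the _dmarc subdomain")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") == "none":
            findings.append("DMARC: p=none is monitor-only; tighten once reports look clean")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        if not any(parse_tags(r).get("p") for r in lookup_txt(name)):
            findings.append(f"DKIM: no public key at {name}")
    return findings
```

Pass the selector names your providers gave you (for example `selectors=("google", "s1")`) so every DKIM key is checked, not just the Google one.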

Key takeaways

  • SPF lists which servers can send email for your domain
  • DKIM proves emails are authentic and unmodified using cryptographic signatures
  • DMARC defines what happens when emails fail SPF or DKIM checks
  • All three are stored as TXT records in your DNS and work together as a system
  • Google and Yahoo require all three for bulk senders since February 2024
  • Start DMARC with p=none, monitor, then gradually tighten to p=reject