SPF, DKIM, and DMARC
Three email authentication protocols that verify your emails are actually sent from your domain, preventing spoofing and phishing while improving inbox placement.
Authentication Is the Bouncer at the Inbox Door
SPF, DKIM, and DMARC work together to prove that your emails are legitimate. Without them, email providers have no way to verify that an email claiming to be from your domain is actually from you. It is the equivalent of showing up to a meeting without an ID — you might get in, but you are more likely to get turned away.
Since Google and Yahoo introduced their 2024 authentication requirements, these protocols have gone from “best practice” to “mandatory.” If you are sending marketing or outbound emails without all three configured, you are leaving deliverability on the table.
How Each Protocol Works
| Protocol | What It Does | How It Works |
|---|---|---|
| SPF (Sender Policy Framework) | Lists which servers can send email from your domain | DNS TXT record listing authorized IPs and services |
| DKIM (DomainKeys Identified Mail) | Adds a digital signature to each email | Cryptographic key pair — private key signs, public key verifies |
| DMARC (Domain-based Message Authentication) | Tells receivers what to do when an email passes neither SPF nor DKIM for the visible From: domain | DNS TXT record at _dmarc.yourdomain.com with a policy: none, quarantine, or reject |
SPF says “these servers are authorized to send for us.” DKIM says “this email has not been tampered with in transit.” DMARC ties both checks to the visible From: domain (a check that either result “aligns” with that domain) and says “if an email passes neither aligned check, here is what to do with it, and here is where to send the reports.” Together, they form a complete authentication chain.
Setting Up DMARC Correctly
Start with a DMARC policy of p=none — this monitors authentication failures without blocking emails. Review DMARC reports for 2-4 weeks to identify all legitimate sending services (your CRM, marketing platform, transactional email provider). Add each to your SPF record. Once you are confident all legitimate sources pass authentication, move to p=quarantine (sends failing emails to spam) and eventually p=reject (blocks them entirely). Jumping straight to p=reject before auditing your sending services will block your own legitimate emails. Use a tool like Valimail or DMARC Analyzer to parse the XML reports — reading them raw is painful.
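As an added example (not from the original article), here is a small Python script that parses a constructed DMARC aggregate (RUA) report and lists the sending IPs that need a decision before the policy moves past p=none. The domain names and IP addresses are placeholders, and the report is trimmed to the fields the script reads.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (RUA) report, cut down to the fields used
# below. 192.0.2.10 is the authorized mail server; 198.51.100.7 is a hypothetical
# CRM that sends as yourdomain.example but signs and passes SPF only for its own
# domain, so neither identifier aligns and the receiver evaluates DMARC as fail.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourdomain.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.example</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.example</domain><result>pass</result></dkim>
  <spf><domain>yourdomain.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.example</header_from></identifiers>
  <auth_results><dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
  <spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def summarize_dmarc_report(xml_text):
    """Return (published policy, per-source-IP summary). For each IP: how many
    messages passed/failed DMARC and which domains the raw SPF/DKIM checks
    actually authenticated, which is what tells you whether a failing source is
    a legitimate service that still needs to be added to your SPF/DKIM setup."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    by_ip = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        entry = by_ip.setdefault(ip, {"passed": 0, "failed": 0, "auth_domains": set()})
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results; DMARC passes when at
        # least one of aligned SPF or aligned DKIM passes.
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        entry["passed" if (spf_aligned or dkim_aligned) else "failed"] += count
        for check in rec.findall("auth_results/*"):  # raw dkim/spf results
            if check.findtext("result") == "pass":
                entry["auth_domains"].add(f"{check.tag}:{check.findtext('domain')}")
    return policy, by_ip


def sources_to_triage(by_ip):
    """IPs with DMARC failures, most failures first: each is either a legitimate
    sender missing from SPF/DKIM or a spoofer, and must be resolved before
    moving the policy from p=none to p=quarantine."""
    return sorted((ip for ip, e in by_ip.items() if e["failed"]),
                  key=lambda ip: -by_ip[ip]["failed"])
```

A source whose raw checks pass only for a vendor's domain, like the second record here, is the typical "forgotten CRM" case: it is not spoofing, it just needs the vendor added to SPF and signing with your domain's DKIM key.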
Frequently Asked Questions
What happens if I do not set up SPF, DKIM, and DMARC?
Your emails are significantly more likely to land in spam. As of February 2024, Google and Yahoo require SPF and DKIM for all senders and DMARC for anyone sending 5,000+ emails per day. Without these, your deliverability drops 20-40% on Gmail alone. It is not optional anymore — it is table stakes.
How do I check if my domain has SPF, DKIM, and DMARC configured?
Use MXToolbox.com — enter your domain and check the SPF, DKIM, and DMARC records. Google Admin Toolbox also works for DKIM verification. Your DNS records should show a TXT record for SPF (starting v=spf1...), a CNAME or TXT record for DKIM at selector._domainkey.yourdomain.com (you need the selector name your sending service uses), and a TXT record for DMARC at _dmarc.yourdomain.com (starting v=DMARC1). If any are missing, your IT team or domain registrar can add them in 15 minutes.