SPF, DKIM and DMARC: The Complete Guide to Email Authentication (2026)
A complete guide to SPF, DKIM and DMARC: what they are, how they work, how to configure them, and how to improve email authentication and inbox placement.
SPF, DKIM, and DMARC are the core email authentication standards used to verify who is allowed to send emails on behalf of your domain, protect your brand from spoofing, and improve email deliverability.
If these records are missing, invalid, or misaligned, your emails are more likely to be rejected, filtered to spam, or trusted less by mailbox providers such as Gmail, Outlook, and Yahoo.
This guide explains what SPF, DKIM, and DMARC are, how they work together, how to configure them correctly, and how to troubleshoot the most common authentication problems.
It is designed for marketers, founders, operators, and technical teams who want a practical and structured understanding of email authentication.
What are SPF, DKIM and DMARC?
SPF, DKIM, and DMARC are email authentication protocols stored in DNS.
They are used to verify that emails sent from your domain are legitimate and to define how mailbox providers should handle messages that fail authentication checks.
SPF
SPF is the acronym for Sender Policy Framework.
It defines which mail servers and IP addresses are authorized to send emails on behalf of your domain.
DKIM
DKIM stands for DomainKeys Identified Mail.
It adds a cryptographic signature to your emails so receiving servers can verify that the message was not altered and that it was signed by an authorized domain.
DMARC
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
It builds on SPF and DKIM by checking alignment with the visible From domain and defining what should happen if authentication fails.
Why SPF, DKIM and DMARC matter
Proper authentication matters for three main reasons.
1. Email deliverability
Mailbox providers use authentication as a trust signal. If your domain is not properly authenticated, your emails are less likely to reach the inbox.
2. Brand protection
These standards reduce domain spoofing and phishing attempts by making it harder for attackers to impersonate your domain.
3. Operational visibility
DMARC reporting helps you see who is sending emails on behalf of your domain and where authentication problems exist.
How SPF, DKIM and DMARC work together
These protocols are related, but they do not do the same thing.
SPF verifies the sending source
SPF checks whether the server sending the email is allowed to send on behalf of the domain.
DKIM verifies message integrity
DKIM checks whether the message was signed with a private key corresponding to a public key published in DNS.
DMARC verifies alignment and defines policy
DMARC checks whether SPF or DKIM aligns with the visible From domain and tells receiving servers what to do if the email fails authentication.
Together, they create a much stronger authentication framework than any one protocol alone.
SPF explained
What is SPF?
SPF is a DNS TXT record that tells receiving mail servers which IP addresses or services are authorized to send emails for your domain.
A basic SPF record starts with:
v=spf1
It then includes rules such as:
ip4 for authorized IPv4 addresses
ip6 for authorized IPv6 addresses
include for third-party senders
a or mx to authorize hosts based on existing DNS records
For example, a record that includes Google and Mailgun and ends with ~all means the domain authorizes Google and Mailgun to send emails on its behalf and uses a soft fail policy for any other source.
What SPF checks
SPF evaluates the envelope sender and the sending IP address.
If the sending IP is allowed by the published SPF record, SPF can pass.
If it is not allowed, SPF can fail.
Common SPF problems
No SPF record
If no SPF record exists, mailbox providers cannot verify authorized senders for your domain.
Multiple SPF records
A domain should publish only one SPF TXT record. Multiple SPF records often cause authentication failure.
Too many DNS lookups
SPF evaluation is limited to 10 DNS lookups. Too many nested includes can trigger permerror.
Overly permissive configuration
Using weak or overly broad rules reduces protection and can make troubleshooting harder.
SPF best practices
publish only one SPF record per domain
include all legitimate sending services
remove unused services and stale includes
stay under the 10-lookup limit
use ~all during rollout and move to -all when stable
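The single-record rule and the 10-lookup limit above can be checked mechanically. The following is an added example, not code from this guide or from any checker it mentions: it audits SPF records held in a constructed, in-memory zone (all domain names are hypothetical) so it runs offline. It counts only the terms that RFC 7208 charges against the limit and does not model the separate limits on MX names or void lookups.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4
LIMIT = 10

# Constructed TXT data standing in for DNS answers; every name is hypothetical.
ZONE = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example ~all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.esp.example ~all"],
    "deep.example": ["v=spf1 a mx "
                     + " ".join(f"include:n{i}.example" for i in range(9)) + " ~all"],
    **{f"n{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(9)},
}

def spf_records(domain):
    """TXT strings at the domain whose first term is v=spf1."""
    return [t for t in ZONE.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def parse_term(term):
    """'include:x' / '-all' / 'redirect=x' / 'a/24' -> (qualifier, name, target)."""
    m = re.match(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/]+))?", term.lower())
    return m.group(1) or "+", m.group(2), m.group(3)

def count_lookups(domain, path=()):
    """Count lookup-consuming terms, following include and redirect targets."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for record in spf_records(domain)[:1]:
        for term in record.split()[1:]:
            _, name, target = parse_term(term)
            if name in LOOKUP_TERMS:
                total += 1
                if name in ("include", "redirect") and target:
                    total += count_lookups(target, path + (domain,))
    return total

def audit(domain):
    records, issues = spf_records(domain), []
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        issues.append("multiple SPF records (permerror)")
    n = count_lookups(domain)
    if n > LIMIT:
        issues.append(f"{n} DNS lookups, limit is {LIMIT} (permerror)")
    qualifier, name, _ = parse_term(records[0].split()[-1])
    if name == "all" and qualifier == "+":
        issues.append("ends in +all or bare all: any host passes")
    return issues
```

A bare `all` with no qualifier is treated as `+all`, which is why the final mechanism should be written explicitly as `~all` or `-all`.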
DKIM explained
What is DKIM?
DKIM uses asymmetric cryptography to sign outgoing emails.
The sending server uses a private key to sign the message. The receiving server retrieves the public key from DNS and verifies the signature.
If the signature is valid, the message is more trustworthy because it proves the email content was not modified and the sender controls the signing domain.
How DKIM works
DKIM records are published in DNS under a selector.
A selector is a label that identifies which key was used.
Example host:
selector1._domainkey.example.com
The record often looks like this:
v=DKIM1; k=rsa; p=PUBLIC_KEY
What DKIM checks
DKIM validates that:
the message was signed
the signature corresponds to the published public key
the signed content was not altered in transit
Common DKIM problems
Missing DKIM record
The receiving server cannot validate the signature if the public key is not published.
Wrong selector
The sending server may sign with a selector that does not exist or is misconfigured in DNS.
Invalid public key
Formatting or key issues can prevent verification.
Weak key length
1024-bit keys are still seen in some environments, but 2048-bit keys are generally preferred.
Emails not signed
If the mail server is not applying DKIM signing correctly, DKIM will fail even if the DNS record exists.
DKIM best practices
use unique selectors per sending service
prefer 2048-bit keys when supported
rotate selectors periodically
make sure every legitimate sender signs outgoing mail
align DKIM with your domain strategy
DMARC explained
What is DMARC?
DMARC is a DNS TXT record published at:
_dmarc.example.com
It tells mailbox providers how to handle emails that fail SPF and DKIM alignment checks.
It also allows domain owners to receive reports about authentication activity.
Example DMARC record
v=DMARC1; p=none; rua=mailto:dmarc@example.com
This means:
DMARC version 1
policy is monitoring only
aggregate reports should be sent to the specified address
DMARC policies
p=none
Monitoring only. No enforcement.
p=quarantine
Failing emails should be treated as suspicious and may be sent to spam.
p=reject
Failing emails should be rejected.
What is DMARC alignment?
DMARC does not just check if SPF or DKIM passes. It checks whether the authenticated domain aligns with the visible From domain.
This is a critical distinction.
You can have SPF pass and still fail DMARC if the authenticated domain does not align with the visible sender domain.
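The "SPF passes but DMARC fails" case is easiest to see by recomputing alignment from a message's Authentication-Results header. This is an added example, not code from this guide: the header values are constructed, the hosts and domains are hypothetical, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption for this sketch: the organizational domain is the last two labels.
    # Real evaluators use the Public Suffix List (co.uk and similar break this).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def explain(auth_results, aspf="r", adkim="r"):
    """Recompute DMARC alignment from an Authentication-Results header value."""
    from_dom = re.search(r"header\.from=([\w.-]+)", auth_results).group(1)
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([\w.@+-]+)", auth_results)
    dkims = re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth_results)
    # SPF counts only if it passed AND the envelope domain aligns with From.
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(
        spf.group(2).split("@")[-1], from_dom, aspf)
    # Any one passing, aligned DKIM signature is enough.
    dkim_ok = any(res == "pass" and aligned(d, from_dom, adkim) for res, d in dkims)
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed header values (hypothetical hosts and domains).
# Sender left on the provider's default bounce and signing domains:
ESP_DEFAULT = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce.esp.example; "
               "dkim=pass header.d=esp.example; dmarc=fail header.from=example.com")
# Same sender after DKIM was set up on a subdomain of the From domain:
CUSTOM_DKIM = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce.esp.example; "
               "dkim=pass header.d=mail.example.com; dmarc=pass header.from=example.com")

if __name__ == "__main__":
    for label, hdr in (("esp default", ESP_DEFAULT), ("custom dkim", CUSTOM_DKIM)):
        print(label, explain(hdr))
    print("custom dkim, adkim=s", explain(CUSTOM_DKIM, adkim="s"))
```

In the first sample both SPF and DKIM pass, yet neither authenticated domain matches the From domain, so DMARC fails. The second passes through relaxed DKIM alignment and would fail again under strict alignment (`adkim=s`).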
Common DMARC problems
No DMARC record
Without DMARC, your domain has no policy layer for authentication failures.
Policy set to none forever
A monitoring-only policy is useful at the beginning, but it does not protect your domain from spoofing.
Missing reporting
Without rua, you lose visibility into real authentication activity.
SPF and DKIM misalignment
DMARC fails when neither SPF nor DKIM aligns with the visible From domain.
Incorrect syntax
DMARC tags must be properly formatted.
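The problems listed above (bad syntax, missing rua, a policy left at none) can be caught by linting the TXT value before it is published. This is an added example, not code from this guide or from any DMARC checker: the function names are hypothetical, and it covers only the v, p and rua tags discussed on this page.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split one TXT value from _dmarc.<domain> into (tags, syntax_errors)."""
    tags, errors = {}, []
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        errors.append("record must start with v=DMARC1")
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            errors.append(f"malformed tag: {part!r}")
        elif name in tags:
            errors.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    return tags, errors

def lint_dmarc(txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    tags, findings = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(
            f"p must be one of none/quarantine/reject, got {policy or 'nothing'!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, no enforcement")
    rua = tags.get("rua")
    if not rua:
        findings.append("no rua: aggregate reports will not be delivered")
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        findings.append("rua entry is not a mailto: URI")
    return findings

if __name__ == "__main__":
    # Constructed sample records; the first is the example record from this guide.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "p=reject; v=DMARC1",
                   "v=DMARC1; p=quarentine; rua=dmarc@example.com"):
        print(record, "->", lint_dmarc(record))
```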
DMARC best practices
publish a DMARC record for every sending domain
start with p=none
review reports and fix misaligned senders
move progressively to quarantine and then reject
keep SPF and DKIM aligned with the visible From domain
SPF vs DKIM vs DMARC
These protocols are often discussed together, but they serve different purposes.
SPF
Confirms whether the sending server is authorized.
DKIM
Confirms whether the message was signed and remained intact.
DMARC
Confirms whether SPF or DKIM aligns with the visible From domain and defines policy.
The best way to understand them is:
SPF checks source
DKIM checks integrity
DMARC checks alignment and enforcement
Why SPF and DKIM pass is not always enough
Many teams think that having SPF and DKIM in place is enough.
It is not.
Mailbox providers increasingly look for domain-level consistency and policy.
Without DMARC, you may still have:
spoofing risk
incomplete visibility
inconsistent trust signals
reduced control over authentication failures
DMARC turns passive authentication into an enforceable strategy.
How to set up SPF, DKIM and DMARC correctly
Step 1: inventory all sending services
List every platform that sends emails for your domain, such as:
Google Workspace
Microsoft 365
Mailgun
SendGrid
CRM systems
marketing platforms
support tools
If you forget one legitimate sender, authentication may fail later.
Step 2: configure SPF
Create one SPF TXT record including all valid sending services.
Review includes carefully and avoid unnecessary complexity.
Step 3: configure DKIM
Enable DKIM signing for each service that sends emails on behalf of your domain.
Publish the correct public key in DNS.
Verify selectors and make sure signatures are actually being applied.
Step 4: publish DMARC
Start with a monitoring policy.
Example:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Then review the data and fix issues before moving to stronger enforcement.
Step 5: verify alignment
Make sure the visible From domain aligns with SPF or DKIM for each sending service.
This is where many implementations fail.
Step 6: test continuously
Authentication is not a one-time setup.
DNS changes, new tools, and operational changes can all break authentication over time.
Common authentication mistakes
Using one root domain for everything
Sending all traffic from one domain makes reputation and alignment harder to control.
Forgetting third-party services
A helpdesk, CRM, newsletter platform, or transactional sender can silently break alignment if not configured properly.
Leaving old DNS records in place
Stale SPF includes and unused DKIM selectors increase confusion and risk.
Publishing records without verification
A record existing in DNS does not mean it works as intended.
Staying at DMARC p=none forever
Monitoring is useful, but enforcement is what protects your domain.
How authentication affects email deliverability
Authentication alone does not guarantee inbox placement, but poor authentication almost always damages deliverability.
A solid authentication setup improves deliverability by:
increasing trust with mailbox providers
reducing spoofing and impersonation
supporting domain reputation
enabling policy enforcement
reducing technical rejection risk
It is one of the most important foundations of inbox placement.
SPF, DKIM and DMARC for marketers
Marketers often see authentication as a technical issue only.
It is not.
Authentication directly affects:
campaign performance
inbox placement
brand protection
reporting reliability
scalability of email programs
If marketing relies on email, authentication must be treated as a core operational requirement.
SPF, DKIM and DMARC for cold email
Cold email is more sensitive to trust signals than newsletter traffic.
When a domain sends unsolicited or low-context emails, weak authentication increases the chance of spam filtering even more.
For cold email environments, proper setup is not optional. It is required.
That means:
clean SPF
working DKIM
DMARC in place
aligned domains
controlled sending infrastructure
How to check SPF, DKIM and DMARC
The most efficient way to manage authentication is to verify your setup regularly.
With MailX, you can use:
SPF Checker to validate SPF syntax and authorized senders
DKIM Checker to verify selectors, keys, and signatures
DMARC Checker to analyze DMARC policy and alignment
DMARC Generator to create valid DMARC records
SPF Generator to create valid SPF records
DNS lookup tools to inspect supporting DNS configuration
This tools-first workflow is what turns raw records into actionable diagnosis.
Authentication checklist
Use this checklist to review your setup.
SPF checklist
one SPF record only
all legitimate senders included
no duplicate or conflicting entries
lookup count under the limit
final policy defined
DKIM checklist
DKIM enabled for all senders
selectors published correctly
public keys valid
key length appropriate
signatures passing
DMARC checklist
DMARC record published
reporting enabled
alignment verified
policy reviewed
path to enforcement defined
SPF, DKIM and DMARC FAQ
What is SPF in email?
SPF is a DNS TXT record that defines which servers are authorized to send emails on behalf of your domain. It helps mailbox providers verify whether the sending source is legitimate.
What is DKIM in email?
DKIM is an email authentication method that uses cryptographic signatures to verify message integrity and confirm that the email was signed by an authorized domain.
What is DMARC in email?
DMARC is a policy and reporting framework built on SPF and DKIM. It checks domain alignment and tells mailbox providers how to handle messages that fail authentication.
What is the difference between SPF, DKIM and DMARC?
SPF verifies the sending source, DKIM verifies message integrity, and DMARC verifies alignment and defines policy enforcement. They work together as a complete authentication framework.
Do I need all three: SPF, DKIM and DMARC?
Yes. A modern email setup should use all three. SPF and DKIM alone are not enough to provide full control and visibility. DMARC adds enforcement and reporting, making the overall setup much stronger.
Can SPF pass and DMARC still fail?
Yes. SPF can pass while DMARC fails if the authenticated domain does not align with the visible From domain. DMARC depends on alignment, not just authentication pass status.
Can DKIM pass and DMARC still fail?
Yes. DKIM can pass, but DMARC can still fail if the DKIM signing domain does not align with the visible From domain.
What does p=none mean in DMARC?
p=none means monitoring only. Mailbox providers are asked to take no enforcement action. It is useful during rollout, but it does not actively protect your domain.
Should I move from p=none to quarantine or reject?
Yes, once you have visibility into all legitimate senders and have fixed alignment issues. A progressive rollout from none to quarantine and then reject is generally the safest approach.
Why is my SPF record invalid?
An SPF record may be invalid because of syntax errors, multiple SPF records, too many DNS lookups, or missing authorized senders.
Why is my DKIM not working?
DKIM often fails because of missing selectors, invalid public keys, weak key configuration, or because emails are not being signed correctly by the sending system.
Why is my DMARC failing?
DMARC typically fails because SPF and DKIM are not aligned with the visible From domain, or because one or both authentication methods are missing or invalid.
How do I create an SPF record?
You can create an SPF record manually or with an SPF generator. The record is then published in DNS as a TXT record for your sending domain.
How do I create a DMARC record?
You can create a DMARC record manually or with a DMARC generator. The record is published in DNS under _dmarc.yourdomain.com.
Do SPF, DKIM and DMARC improve email deliverability?
Yes. They are foundational trust signals for mailbox providers. While they do not guarantee inbox placement by themselves, they significantly improve trust and reduce technical filtering risk.
Conclusion
SPF, DKIM, and DMARC are not optional technical extras. They are the foundation of modern email authentication.
Together, they help you:
verify legitimate senders
protect your domain from spoofing
improve inbox trust
gain visibility into authentication problems
support stronger email deliverability
Any domain that sends important email should have a clear, verified, and monitored authentication strategy.
Check and improve your authentication setup
If you want to understand whether your domain is correctly authenticated, start by checking:
SPF configuration
DKIM selectors and signatures
DMARC policy and alignment
supporting DNS setup
MailX provides DNS, email deliverability, and network tools to check, lookup, and analyze your domain in one place.