SPF, DKIM & DMARC: The Complete Guide to Email Authentication
Stop your emails from going to spam. Learn how SPF, DKIM, and DMARC work — and check any domain for free.
What Is Email Authentication?
Email authentication is how you prove your emails are really from you. Without it, anyone can send emails pretending to be your domain — and your real emails end up in spam folders.
Three protocols work together: SPF says who can send from your domain. DKIM proves the email wasn't tampered with. DMARC tells receivers what to do when checks fail.
⚠️ Did you know? Google and Yahoo require DMARC for anyone sending more than 5,000 emails/day. Without it, your emails to Gmail users get blocked.
SPF — Sender Policy Framework
SPF is a DNS TXT record that lists which mail servers are allowed to send email on behalf of your domain.
How It Works
- You publish an SPF record in your DNS (a TXT record like v=spf1 mx include:_spf.google.com ~all)
- When you send an email, the receiving server checks: did this email come from an IP listed in your SPF?
- If yes → SPF pass. If no → SPF fail (may go to spam).
Example SPF Record
v=spf1 mx a include:_spf.google.com include:mailgun.org ~all
Breakdown: mx = allow your MX servers. a = allow your A record IP. include:... = allow Google & Mailgun. ~all = softfail everything else (mark as suspicious).
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to every email you send. The receiving server verifies this signature against a public key published in your DNS — proving the email wasn't altered in transit.
How It Works
- Your email provider generates a DKIM key pair (private + public)
- The public key goes in a DNS TXT record: selector._domainkey.yourdomain.com
- Every outgoing email gets signed with the private key
- Receiving servers check the signature against your public DNS key
Example DKIM Record
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
Note: You don't create DKIM keys manually. Your email provider (Google Workspace, Outlook, SendGrid, etc.) generates them for you.
DMARC — Domain-based Message Authentication
DMARC is the boss. It ties SPF and DKIM together and tells receiving servers: "When my email fails SPF or DKIM, here's what to do."
DMARC Policies
| Policy | Tag | What Happens |
|---|---|---|
| None | p=none | Log it. Don't block. (Monitoring only) |
| Quarantine | p=quarantine | Send to spam folder |
| Reject | p=reject | Block entirely. Do not deliver. |
Example DMARC Record
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100
rua = where aggregate reports go. ruf = where forensic reports go. pct=100 = apply to 100% of emails.
How to Set Up All Three — Step by Step
- SPF first — List all your sending services (Google Workspace, Mailchimp, HubSpot, etc.). Combine into one record: v=spf1 include:spf1.example.com include:spf2.example.com ~all
- DKIM next — From each provider, copy their DKIM DNS record and add it to your DNS. Use a unique selector per provider (e.g., google._domainkey, mailchimp._domainkey).
- DMARC last — Start with p=none for 2-4 weeks. Check the reports. Fix any authentication failures. Then move to p=quarantine → eventually p=reject.
Common Problems & How to Fix Them
You can only have ONE SPF record. Combine them: merge all include: parts into one record.
SPF has a 10-lookup limit. Use SPF flattening services (like AutoSPF) or subdomain delegation.
Your selector might be wrong, or the DNS record hasn't propagated. Wait 24-48 hours after making DNS changes.
DMARC requires alignment — the domain in your From: header must match the domain in SPF/DKIM. Check subdomain alignment.
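The two SPF problems above (more than one SPF record, and the 10-lookup limit) can be checked before a DNS change is published. The following Python is an added example, not part of the original guide: it counts DNS-querying terms recursively through include: and redirect=, and flags duplicate records. The zone data, domain names and function names are constructed for illustration.

```python
import re

# Terms that each cost one DNS query (RFC 7208 section 4.6.4); redirect= is handled below.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample zone (hypothetical names, not real DNS data).
ZONE = {
    "shop.example": ["v=spf1 mx a include:_spf.mailer.example include:_spf.crm.example ~all"],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example include:c.mailer.example ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.bl.crm.example include:d.crm.example ~all"],
    "dup.example": ["v=spf1 include:_spf.mailer.example ~all", "v=spf1 mx ~all"],
    "ok.example": ["site-verification=constructed", "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all"],
}

def spf_records(txts):
    """Return only the TXT strings that are SPF records."""
    return [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]

def count_lookups(domain, zone, path=()):
    """Count lookup terms, following include:/redirect=; targets absent from zone add nothing."""
    records = spf_records(zone.get(domain, []))
    if domain in path or len(records) != 1:  # loop guard, or nothing valid to evaluate
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        m = re.fullmatch(r"[+\-~?]?([a-z]+)(?:[:/](.*))?", term)
        if m and m.group(1) in LOOKUP_MECHS:
            total += 1
            if m.group(1) == "include" and m.group(2):
                total += count_lookups(m.group(2), zone, path + (domain,))
        elif term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return a list of SPF findings for the domain; an empty list means no issue found."""
    findings = []
    records = spf_records(zone.get(domain, []))
    if len(records) > 1:
        findings.append("multiple SPF records (permerror)")
    elif not records:
        findings.append("no SPF record")
    n = count_lookups(domain, zone)
    if n > 10:
        findings.append(f"{n} DNS lookups, limit is 10 (permerror)")
    return findings

if __name__ == "__main__":
    print({d: (count_lookups(d, ZONE), audit(d, ZONE)) for d in ("shop.example", "dup.example", "ok.example")})
```

To audit a live domain, replace ZONE with a mapping built from real TXT lookups; the counting logic is unchanged.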
Check Your Domain — Free
Instantly verify SPF, DKIM, DMARC for any domain. Get a deliverability score out of 100 plus specific fixes.