SPF, DKIM & DMARC explained: the three DNS records that determine whether your emails reach the inbox

SPF, DKIM, and DMARC are email authentication protocols that prove you are who you say you are. Without them, your emails end up in spam. Here's what they do and how to set them up.

Hermod Team · AI-powered email marketing

When you send an email, the recipient’s server has a problem: how does it know the email really comes from you — and not from a scammer pretending to be you?

That’s what SPF, DKIM, and DMARC solve. They are three DNS records that together prove your identity as a sender. Without them, you’re anonymous, and anonymous senders end up in spam.

SPF — who is allowed to send from your domain?

Sender Policy Framework is a DNS record that tells the world: “These servers are authorized to send emails from @yourdomain.com.”

When Gmail receives an email from your domain, it looks up your SPF record. If the sending server is on the list, the email passes. If not, it’s a red flag.

What an SPF record looks like:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

This says: “Google and SendGrid are allowed to send from my domain. Anyone else is probably fake (~all).”

Setup:

  1. Find your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
  2. Add a TXT record on your domain
  3. Include the servers your email platform uses (they’ll give you the exact record)
  4. Add ~all (softfail) or -all (hardfail) at the end

Important: You can only have one SPF record per domain. If you use multiple senders (Google Workspace + Resend + Mailchimp), they all need to be in the same record with separate include: statements.
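The one-record rule is the easiest SPF mistake to make when a second sending platform is added. The following is an added example, not code from the original article: it lints a domain's TXT records for that mistake and merges duplicates into one record. The function names and the sample TXT strings are constructed for illustration.

```python
# Added example: lint and merge SPF TXT records (sample data is constructed).
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",           # second SPF record: the mistake
    "site-verification=constructed-placeholder",  # unrelated TXT record
]

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def is_all(term):
    """True for all, +all, -all, ~all and ?all."""
    return term.lstrip("+-~?").lower() == "all"

def lint_spf(txt_records):
    """Return a list of human-readable findings; empty means no issue found."""
    spf = spf_records(txt_records)
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found, only one is allowed")
    for rec in spf:
        terms = rec.split()[1:]
        if any(t.lower().startswith("redirect=") for t in terms):
            continue  # policy is delegated to another record
        if not terms or terms[-1].lower() not in ("~all", "-all"):
            findings.append(f"does not end in ~all or -all: {rec}")
    return findings

def merge_spf(txt_records, final="~all"):
    """Fold every SPF record's mechanisms into a single record."""
    merged = []
    for rec in spf_records(txt_records):
        for term in rec.split()[1:]:
            if not is_all(term) and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])

if __name__ == "__main__":
    print(lint_spf(SAMPLE_TXT))
    print(merge_spf(SAMPLE_TXT))
```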

DKIM — has the email been tampered with?

DomainKeys Identified Mail is a digital signature that proves the email hasn’t been modified in transit.

Your email platform signs each email with a private key. The recipient’s server verifies the signature with a public key stored in your DNS. If it matches, the email is authentic and unaltered.

What a DKIM record looks like:

selector._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."

selector is a name your email platform chooses (e.g., resend, google, k1). The public key (p=) is a long string your platform generates.

Setup:

  1. Your email platform generates a DKIM key pair
  2. They give you a DNS record to add (with the public key)
  3. You add a CNAME or TXT record in your DNS
  4. The platform automatically signs all emails with the private key

Important: Each sending system has its own DKIM selector. You can have multiple DKIM records — one per platform that sends from your domain.
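To show what "unaltered" means in practice, here is an added example (not from the original article) of the body-hash half of DKIM: the signed header carries bh=, a SHA-256 hash of the canonicalized body, and the receiver recomputes it. It does not verify the RSA signature (b=) against the DNS public key; the message, header value and function names are constructed for illustration.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list (DNS record or header)."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def canon_body_relaxed(body):
    """Relaxed body canonicalization: whitespace-only changes are ignored."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                      # trailing empty lines do not count
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body):
    digest = hashlib.sha256(canon_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()

def body_matches(signature_header, body):
    """Compare the received body against the bh= value the sender signed."""
    tags = parse_tags(signature_header)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        raise ValueError("example handles rsa-sha256 with relaxed body only")
    return body_hash(body) == tags["bh"]

# Constructed message body and DKIM-Signature value; b= is elided because
# this example does not verify the RSA signature itself.
SENT = b"Hi Anna,\r\n\r\nYour invoice total is 100 EUR.\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; "
             "s=resend; h=from:to:subject; bh=" + body_hash(SENT) + "; b=...")
REWRAPPED = b"Hi Anna,\r\n\r\nYour  invoice total is 100 EUR. \r\n\r\n"
TAMPERED = b"Hi Anna,\r\n\r\nYour invoice total is 900 EUR.\r\n"

if __name__ == "__main__":
    for name, body in [("sent", SENT), ("rewrapped", REWRAPPED),
                       ("tampered", TAMPERED)]:
        print(name, body_matches(SIGNATURE, body))
```

Whitespace changes that mail servers commonly introduce still match; a changed amount in the body does not.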

DMARC — what happens to fake emails?

Domain-based Message Authentication, Reporting & Conformance ties SPF and DKIM together and tells recipients what to do with emails that fail authentication.

Without DMARC, a server can see that an email fails SPF — but what should it do? Deliver it anyway? Block it? DMARC provides the answer.

What a DMARC record looks like:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

The three policies:

  • p=none — Monitor only. Deliver everything, but send reports. Always start here.
  • p=quarantine — Send failed emails to spam. A good middle ground.
  • p=reject — Block failed emails entirely. Strongest protection, but don’t set it up until you’re sure all legitimate email passes.

rua=mailto: tells servers where to send reports about failed emails. This gives you visibility into who is sending, or attempting to send, from your domain.

Setup in three phases:

Phase 1 (day 1): Add DMARC with p=none and a report email. Monitor for 2-4 weeks. Check the reports — are any legitimate emails failing?

Phase 2 (week 3-4): Switch to p=quarantine. Emails that fail go to spam instead of the inbox. Continue monitoring.

Phase 3 (week 6+): Switch to p=reject when you’re confident that all legitimate email passes SPF and DKIM correctly.
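Checking the reports between phases can be scripted. The following added example (not from the original article) reads a DMARC aggregate report and separates failing mail from your own senders, which must be fixed before tightening the policy, from failing mail sent by anyone else. The report is constructed and trimmed to the elements used, and the set of "own" IP addresses is an assumption you would fill in from your email platforms.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report, trimmed to the elements used below.
# Real reports come from third parties: treat the XML as untrusted input.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>412</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>9</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>38</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: the addresses your own platforms send from.
OWN_IPS = {"192.0.2.10", "198.51.100.7"}

def dmarc_failures(report_xml):
    """Map source IP -> number of messages that failed both DKIM and SPF."""
    failures = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        if ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass":
            ip = row.findtext("source_ip")
            failures[ip] = failures.get(ip, 0) + int(row.findtext("count"))
    return failures

def triage(report_xml, own_ips):
    """Split failing sources into your own senders and everyone else."""
    failing = dmarc_failures(report_xml)
    return {
        "fix_before_tightening": {ip: n for ip, n in failing.items() if ip in own_ips},
        "not_yours": {ip: n for ip, n in failing.items() if ip not in own_ips},
    }

def safe_to_tighten(report_xml, own_ips):
    """True when none of your own senders is failing authentication."""
    return not triage(report_xml, own_ips)["fix_before_tightening"]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, OWN_IPS))
    print("safe to tighten:", safe_to_tighten(SAMPLE_REPORT, OWN_IPS))
```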

How do they work together?

SPF checks the sending server. DKIM checks the email’s integrity. DMARC ties them together and defines the policy.

An email that passes all three is authenticated. Gmail shows a green checkmark, Apple Mail trusts it, and your deliverability improves.

An email that fails all three is unauthenticated. It ends up in spam — or gets blocked entirely.
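The following added example (not from the original article) models the receiver's decision and goes beyond the two cases above: under DMARC a message passes when at least one of SPF or DKIM passes for a domain that matches the From address (alignment), and the published policy only applies when neither does. The function names and sample results are constructed, and the organizational-domain check is a simplification.

```python
def parse_policy(dmarc_record):
    """Extract p= from a DMARC TXT value."""
    tags = dict(t.strip().split("=", 1)
                for t in dmarc_record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags["p"]

def org_domain(domain):
    # Simplification: last two labels. Receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(from_domain, spf, dkim, dmarc_record):
    """spf = (result, envelope-from domain); dkim = (result, d= domain).
    Returns (dmarc_result, what the receiver does with the message)."""
    def aligned_pass(check):
        result, domain = check
        return result == "pass" and org_domain(domain) == org_domain(from_domain)

    if aligned_pass(spf) or aligned_pass(dkim):
        return ("pass", "deliver")
    action = {"none": "deliver", "quarantine": "spam", "reject": "reject"}
    return ("fail", action[parse_policy(dmarc_record)])

RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

# Constructed authentication results for three messages with
# From: ...@yourdomain.com
CASES = {
    # Your platform: both checks pass for your domain.
    "own platform": (("pass", "bounce.yourdomain.com"), ("pass", "yourdomain.com")),
    # Forwarded mail: SPF breaks, the DKIM signature survives.
    "forwarded": (("fail", "yourdomain.com"), ("pass", "yourdomain.com")),
    # SPF passes, but for a different domain than the one in From.
    "unaligned": (("pass", "other.example"), ("none", "")),
}

def run_cases(record=RECORD):
    return {name: evaluate("yourdomain.com", spf, dkim, record)
            for name, (spf, dkim) in CASES.items()}

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```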

Check your domain

You can check your current setup for free:

  1. Send a test email to mail-tester.com — scores 0-10 on everything including SPF/DKIM/DMARC
  2. Use MXToolbox to look up your DNS records directly
  3. Check DMARC reports via DMARC Analyzer or similar tools

Frequently asked questions

Do I need all three (SPF, DKIM, and DMARC)?
Yes. Since 2024, Gmail and Yahoo require all bulk senders (5,000+ emails/day) to have all three configured. Even below that threshold, the three records significantly improve your deliverability. Always set up all three.

How long does it take to set up SPF, DKIM, and DMARC?
The actual setup takes 15-30 minutes in your DNS provider. But DNS changes can take up to 48 hours to propagate. Start with SPF and DKIM, wait until they work, then add DMARC with p=none to monitor.

Can SPF/DKIM/DMARC hurt my deliverability?
Correctly configured: no, they always improve it. But a misconfigured DMARC p=reject policy can block your own emails. Always start with p=none (monitor), move to p=quarantine after 2-4 weeks, and only switch to p=reject when you're confident.