DNSEmail SecurityDeliverability

SPF, DKIM, and DMARC Explained:
Why Your Emails Are Landing in Spam

·16 min read·By SEOCheckPilot

Your email is sent. It doesn't bounce. But it never arrives in the inbox either — it's sitting in the spam folder of someone who actually wanted to hear from you. Or worse, it's being used by scammers who have figured out they can send email that claims to be from your domain, because you never set up the authentication records that would stop them.

SPF, DKIM, and DMARC are three DNS records that sit between your emails and either the inbox or the spam folder. Together they verify that emails claiming to come from your domain actually do come from your domain — and they tell receiving servers what to do with ones that don't.

In February 2024, Google and Yahoo started requiring all three for bulk senders. But even if you're not a bulk sender, missing any of these records is a deliverability handicap that makes every email you send slightly more suspicious to spam filters. This guide will explain how each one works, how to set them up correctly, and what happens when you get them wrong.

In this guide
  1. Why email authentication exists
  2. SPF — authorizing your sending IPs
  3. DKIM — cryptographic signing
  4. DMARC — the policy and reporting layer
  5. Setting up all three, in order
  6. Common problems and how to diagnose them
  7. Testing your configuration
  8. FAQ

1. Why email authentication exists

Email was designed in an era when the internet was a small, trusted network and nobody was thinking about adversaries. The original SMTP protocol has essentially zero authentication built into it. When a mail server says “I am sending this email on behalf of example.com,” there is nothing in SMTP itself that verifies this claim. Any server on the internet can send an email claiming to be from any domain it wants.

This is how phishing works. This is how business email compromise (BEC) attacks work — someone sends an email that appears to come from your CEO's domain, asking someone in finance to wire money, and the email looks completely legitimate because there's nothing in the protocol to prevent the sender from claiming any identity they want.

SPF, DKIM, and DMARC are the industry's solution to this — retrofitted onto the email infrastructure over the past two decades. They don't change SMTP itself, but they add a verification layer using DNS that lets receiving servers check claims about who sent an email.

The deliverability connection
Mail providers like Gmail, Outlook, and Apple Mail use the presence and configuration of these records as one of many signals to score email trustworthiness. A domain with no SPF record, no DKIM, and no DMARC is a domain that hasn't done the minimum to establish its legitimacy. Spam filters treat that suspicion as a reason to err on the side of routing emails to junk.

2. SPF — authorizing your sending IPs

SPF, which stands for Sender Policy Framework, is the simplest of the three to understand. You publish a DNS TXT record at your root domain listing all the IP addresses and services that are authorized to send email on your behalf. When a receiving server gets an email from your domain, it looks up your SPF record and checks whether the IP address of the sending server is on the authorized list.

📤Your MailServerIP: 203.0.113.1sends email📬Gmail / OutlookReceiving Serverqueries DNSSPF record?🗄️Your DNSv=spf1 ip4:203.0.113.1IP matches?✓ PASS✗ FAIL
SPF checks the IP of the sending server against the authorized list in your DNS record.

A basic SPF record in DNS looks like this:

dns record
Host:  @
Type:  TXT
Value: v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all

Breaking this down:

  • v=spf1 — declares this is an SPF record, version 1.
  • include:_spf.google.com — authorizes all Google Workspace mail servers. The include: mechanism tells the receiver to also check the SPF record at that domain and include its IPs.
  • include:sendgrid.net — authorizes SendGrid as a sending service (used for transactional email).
  • ip4:203.0.113.0/24 — authorizes a specific IP range (e.g., your own server).
  • ~all — the qualifier. A tilde means “softfail” — emails from unauthorized IPs should be treated with suspicion but not outright rejected. Use -all (hardfail) when you're confident your list is complete. Never use +all — it authorizes every server on the internet.

The 10-lookup limit

SPF has a hard limit of 10 DNS lookups during evaluation. Every include:, a:, mx:, and redirect= each count as a lookup, and nested includes count too. If your SPF record requires more than 10 DNS lookups to evaluate, receivers are allowed to fail the check immediately — which means legitimate emails get flagged. This is a common problem for organizations that use many email services (Mailchimp, HubSpot, Intercom, Zendesk, plus their email provider). The fix is to use SPF flattening tools that resolve all the includes to explicit IP ranges, eliminating the lookup chain.

SPF's critical weakness: email forwarding

SPF fails silently whenever an email is forwarded. Here's why: when someone at gmail.com forwards your email to their hotmail.com account, Gmail's servers resend the email to Hotmail. Hotmail checks SPF and sees: the email claims to be from your domain, but it arrived from Gmail's IP addresses, which aren't in your SPF record. SPF fails. This is not a misconfiguration — it's a fundamental limitation of how SPF works. This is one of the key reasons DKIM was created.

3. DKIM — cryptographic signing

DKIM (DomainKeys Identified Mail) solves the forwarding problem by signing the email itself rather than checking where it came from. When your mail server sends an email, it generates a cryptographic hash of the email content (including certain headers and the body) and signs that hash with a private key that only your server knows. The signature is added to the email as a DKIM-Signature header.

SENDING SERVERSigns email withPrivate Key 🔑stored on servernever leaves+ DKIM-Signatureheader in emailEmail +Signature HeaderRECEIVING SERVERReads DKIM-SignatureLooks upPublic Key in DNSVerifies signatureDNS TXT Recordselector._domainkey.yourdomain.comPublic Key 🔓✓ Verified✗ Tampered
DKIM uses public-key cryptography: your server signs the email, the receiver verifies using your public key in DNS.

The corresponding public key is published in DNS under a special subdomain format:

dns record
Host:  selector._domainkey.yourdomain.com
Type:  TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

The selector part is just a label — it lets you have multiple DKIM keys simultaneously (useful when rotating keys or using multiple mail providers). Google Workspace uses google._domainkey. Mailchimp uses k1._domainkey. SendGrid often uses s1._domainkey and s2._domainkey.

Why DKIM survives forwarding

When Gmail forwards your email to Hotmail, the DKIM signature your server created is still in the email. Hotmail looks up your public key from DNS and verifies the signature — it checks out, because the email content and headers that were signed haven't changed. The fact that Gmail's servers were the ones that forwarded it doesn't matter. The signature proves the email originally came from a server that held your private key.

Important
DKIM breaks if any part of the signed content is modified in transit. Some spam filters and mailing lists add footers or modify the Subject line, which invalidates the signature. This is a known limitation — a broken DKIM signature isn't necessarily evidence of tampering, it might just mean the email passed through a system that modified it. DMARC handles this edge case by allowing SPF alone to satisfy the alignment requirement.

How to set up DKIM

The process for enabling DKIM depends on your email provider:

  • Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email. Google generates the key pair. You copy the TXT record value to your DNS.
  • Microsoft 365: Security & Compliance center → Threat management → Policy → DKIM. Enable DKIM for your domain and add the two CNAME records to DNS.
  • SendGrid: Settings → Sender Authentication → Domain Authentication. SendGrid generates CNAME records for you to add to DNS — they manage the actual key and signing.
  • Self-hosted mail (Postfix, etc.): Install opendkim, generate a key pair with opendkim-genkey, and publish the public key to DNS manually.

4. DMARC — the policy and reporting layer

DMARC doesn't verify emails itself. Instead, it defines what should happen when SPF or DKIM verification fails, and it gives you a way to receive reports about what's happening with email sent using your domain.

A DMARC record is a TXT record at _dmarc.yourdomain.com:

dns record
Host:  _dmarc.yourdomain.com
Type:  TXT
Value: v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=r; aspf=r

Understanding the tags:

  • p= — the policy. none means monitor only, quarantine means send to spam, reject means block.
  • rua= — aggregate report email address. You'll receive daily XML reports summarizing authentication results.
  • ruf= — forensic report email. Receive reports for individual failing messages. Not all receivers send these.
  • pct= — percentage of failing emails the policy applies to. Start with pct=10 or pct=100 — intermediate values are generally not recommended.
  • adkim= — DKIM alignment mode. r (relaxed) allows subdomains; s (strict) requires exact domain match.
  • aspf= — SPF alignment mode. Same options as adkim.
Incoming EmailSPF or DKIM pass?YesDMARC PASS ✓NoCheck DMARC policy (p=?)p=noneDeliver + send reportp=quarantineMove to spam folderp=rejectBlock email entirely
DMARC evaluates the outcome of SPF and DKIM, then applies your policy: monitor, quarantine, or reject.

What DMARC alignment means

This is where things get subtle. DMARC doesn't just check that SPF passes or DKIM passes — it checks that they pass in alignment with the domain in the From header.

For SPF alignment: the domain in your Return-Path header (which SPF checks) must match your From header domain. For DKIM alignment: the domain in the DKIM signature'sd= tag must match the From header domain.

This matters because DMARC was designed specifically to prevent the attack where a scammer passes SPF by sending from their own domain's legitimate server, while putting your domain in the From header. Without alignment, that attack works: SPF passes (for their domain) but the email claims to be from your domain. With DMARC alignment, that attack fails because the SPF domain and the From domain must match.

5. Setting up all three, in the right order

Order matters. You should never set an enforcing DMARC policy before SPF and DKIM are working correctly, or you'll start blocking legitimate emails.

01

Set up SPF first

Add a TXT record to your root domain listing all services that send email on your behalf. Check with each service (Google Workspace, SendGrid, Mailchimp, etc.) for the include: mechanism they require. Start with ~all (softfail) rather than -all (hardfail) until you're confident your list is complete.

02

Enable DKIM for each sending service

Follow your email provider's DKIM setup guide. Each service has its own DKIM public key that you need to publish as a TXT record at the selector._domainkey.yourdomain.com subdomain. If you use multiple services, you'll have multiple DKIM records, each with a different selector.

03

Publish a DMARC record with p=none

Start monitoring-only: v=DMARC1; p=none; rua=mailto:[email protected]. Set up a dedicated mailbox to receive the reports, or use a DMARC reporting tool (dmarcian, Postmark, EasyDMARC) that parses the XML for you. Spend two to four weeks reading the reports to understand all the sources sending email claiming to be from your domain.

04

Fix gaps revealed by DMARC reports

The reports will show you services sending email on your behalf that aren't in your SPF record, or that don't have DKIM configured. Add them to SPF and set up DKIM for each before moving to an enforcing policy.

05

Upgrade to p=quarantine, then p=reject

Once reports show that ~100% of your legitimate email is passing authentication, upgrade to p=quarantine. Monitor for a few weeks. Then upgrade to p=reject for maximum protection. Some organizations stop at quarantine because they have complex email ecosystems with third-party senders that are difficult to authenticate.

6. Common problems and how to diagnose them

SPF failures

“SPF FAIL” — email server not in SPF record:A service you use to send email isn't included in your SPF record. Check your DMARC reports to find which IP addresses are sending email from your domain and ensure they're authorized.

PermError — too many DNS lookups: Your SPF record exceeds the 10-lookup limit. Use a tool like MXToolbox SPF lookup to count your lookups. The fix is SPF flattening — resolving all includes to IP addresses.

Multiple SPF records: You can only have one SPF TXT record per domain. If you have two, evaluation fails with PermError. Merge them into a single record.

DKIM failures

DKIM signature verification failed: The email content was modified in transit. Common causes: mailing list software adding footers, content rewriting by spam filters, or line ending conversion. Usually not something you can fix — but DMARC in relaxed alignment mode will fall back to SPF.

DKIM selector not found in DNS:The selector in your DKIM-Signature header doesn't match any published TXT record. Either you haven't published the DKIM record yet, or there's a selector mismatch between your mail server configuration and DNS.

DMARC alignment failures

SPF passes but DMARC fails:Your Return-Path domain doesn't match your From domain. This happens when you use a third-party sending service and they use their own Return-Path domain. Fix: configure the service to use a custom Return-Path on your domain (most services support this — it's called custom envelope domain or bounce domain).

7. Testing your configuration

After setting up your records, verify them using these approaches:

SEOCheckPilot DNS Checker: The DNS & Email Security checker validates your SPF record syntax, checks your DMARC policy, and probes 18 common DKIM selectors to find your configured keys — all in one place without manually querying DNS.

MXToolbox Email Header Analyzer: Send a test email to a Gmail or Outlook account, view the raw message headers (Show original in Gmail), and look for the Authentication-Results header. It will show you whether SPF, DKIM, and DMARC passed or failed and with what result.

Mail-tester.com: Send an email to a unique address provided by mail-tester.com, and it scores your email on deliverability factors including authentication, spam content, blacklist status, and more.

email headers
# What you want to see in Gmail's Authentication-Results header:
Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=google header.b=abc123;
   spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
   dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com
Reading DMARC aggregate reports
The XML reports you receive at your rua= address look intimidating but contain exactly what you need: the source IP of emails claiming to be from your domain, the SPF and DKIM results, and whether DMARC passed. Parse them with a tool like dmarcian or EasyDMARC if you don't want to read XML by hand — both have free tiers that are sufficient for most small domains.

Frequently asked questions

How long does it take for SPF and DKIM changes to take effect?

DNS changes propagate within 5 minutes to 48 hours depending on your domain's TTL setting and which DNS resolvers are caching the old record. Most changes are visible within 15–30 minutes. After adding or changing records, wait at least an hour before testing and up to 24 hours before concluding something is wrong.

Will setting up DMARC break any of my existing emails?

Starting with p=none will not break anything — it's monitoring only. Moving to p=quarantine or p=reject can break email from any sending service not properly authenticated with SPF and DKIM in alignment with your domain. This is why you read the DMARC reports first and fix all legitimate sources before enforcing.

Can I set up DMARC without DKIM?

Technically yes, but you'll have gaps. SPF alone can satisfy DMARC, but SPF breaks on forwarding. Without DKIM, forwarded emails that fail SPF will also fail DMARC, and depending on your policy, get rejected or quarantined. For robust email authentication, you need both SPF and DKIM.

What's the difference between p=quarantine and p=reject?

With p=quarantine, failing emails are delivered but placed in the recipient's spam or junk folder. With p=reject, the receiving server refuses to accept the email at all — it's bounced and never delivered. Reject gives you stronger protection but zero tolerance for authentication gaps. Most well-configured domains eventually move to p=reject.

Do I need separate SPF and DKIM records for each subdomain I use for email?

It depends. SPF records for subdomains are only needed if you actually send email from that subdomain (e.g., [email protected] uses a mail. subdomain). DKIM records need to exist wherever the DKIM-Signature d= tag points, which is usually your root domain regardless of sending subdomain. DMARC has an sp= tag to apply a policy to subdomains.

The short version

SPF says which servers can send email for your domain. DKIM proves an email was signed by your server and wasn't tampered with. DMARC says what to do when they fail and gives you visibility into who is sending email using your domain name.

Set up SPF and DKIM first. Then add DMARC at p=none and read the reports. Fix any legitimate sending sources that aren't passing. Then move to p=quarantine and eventually p=reject. The whole process takes a few weeks but once it's done, your domain is significantly more protected against spoofing and your emails are meaningfully more likely to reach the inbox.

Related tools

Check your DNS & email security configuration

DNS & Email Checker →Full Site Audit →
← Back to all guides