If your emails go to spam, one big reason is missing or broken email authentication.
Email providers like Gmail, Outlook, and Yahoo want proof that you are a real sender. They want to stop fake senders who pretend to be you. That is why DKIM, SPF, and DMARC exist.
These three records are added in your domain DNS. They help inbox providers trust your emails. If you set them correctly, you get:
Better inbox placement
Lower spam risk
Fewer spoofing attacks on your domain
Better domain reputation over time
What Email Authentication Means
Email authentication means your domain proves:
Who is allowed to send emails for your domain
Whether the email was changed during delivery
What inbox providers should do if checks fail
SPF and DKIM do the checks.
DMARC tells inbox providers how to use those results.
Part 1: SPF Explained Simply
What SPF Is
SPF stands for Sender Policy Framework.
SPF tells inbox providers which servers are allowed to send emails using your domain.
Example idea:
If someone tries to send email as you from a random server, SPF can fail, and the email can be rejected or marked as spam.
Where SPF Lives
SPF is a DNS TXT record on your domain.
Usually it is on:
@ (root domain)
or your sending subdomain, if you use one
How SPF Works
When you send an email, the receiving server checks:
The “envelope from” domain (also called Return Path or Mail From)
The IP address that sent the email
Your domain SPF record
If that IP is allowed in your SPF record, SPF passes.
A Simple SPF Record Example
If you use Google Workspace:
v=spf1 include:_spf.google.com ~all
If you use Microsoft 365:
v=spf1 include:spf.protection.outlook.com ~all
If you use multiple senders, you add more includes.
Common SPF Mistakes
1. Having two SPF records
You should have only one SPF record per domain.
If you add two, SPF can fail.
2. Too many DNS lookups
SPF has a limit of 10 DNS lookups.
If you include too many services, SPF can break.
3. Wrong “all” setting
The last part matters:
~all means soft fail (still accepted, but suspicious)
-all means hard fail (not allowed)
Many start with ~all and later move to -all after testing.
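The three mistakes above can be checked offline before a record is published. This is an added example, not code from any provider: the DNS data is a constructed dictionary standing in for real TXT lookups, and every domain other than yourdomain.com is made up.

```python
# Constructed stand-in for DNS TXT lookups; every domain and record is made up.
CONSTRUCTED_DNS = {
    "yourdomain.com": [
        "site-verification=constructed-token",  # non-SPF TXT record, ignored
        "v=spf1 include:_spf.mailer.example include:_spf.crm.example mx ~all",
    ],
    "_spf.mailer.example": ["v=spf1 include:_a.mailer.example include:_b.mailer.example -all"],
    "_a.mailer.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_b.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.allow.crm.example -all"],
    "dup.example": ["v=spf1 include:_spf.mailer.example ~all", "v=spf1 mx -all"],
}
# Terms that cost one DNS lookup each (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_records(domain, dns):
    """Return only the TXT strings that are SPF records."""
    return [t for t in dns.get(domain.lower(), []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, dns, path=()):
    """Count lookup-causing terms, following include: and redirect= targets."""
    records = spf_records(domain, dns)
    if domain in path or len(records) != 1:  # loop, or nothing usable to follow
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")
        name = term.replace("=", ":").replace("/", ":").split(":")[0].lower()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            target = term.split("=" if name == "redirect" else ":", 1)[1]
            total += count_lookups(target.lower(), dns, path + (domain,))
    return total


def lint_spf(domain, dns):
    """Report the three mistakes: duplicate records, >10 lookups, bad ending."""
    records = spf_records(domain, dns)
    if len(records) != 1:
        return [f"expected exactly 1 SPF record, found {len(records)}"]
    problems = []
    lookups = count_lookups(domain, dns)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups, limit is 10")
    last = records[0].split()[-1].lower()
    if last not in ("~all", "-all") and not last.startswith("redirect="):
        problems.append(f"record ends with {last!r}, expected ~all or -all")
    return problems
```

The constructed yourdomain.com record looks short but already costs 8 lookups once nested includes are followed, which is why adding one more service can push a working record over the limit.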
Part 2: DKIM Explained Simply
What DKIM Is
DKIM stands for DomainKeys Identified Mail.
DKIM adds a digital signature to your email. This signature proves:
The email really came from your domain
The message was not changed during delivery
It is like a sealed envelope. If the seal breaks, inbox providers know something changed.
Where DKIM Lives
DKIM uses:
A private key stored with your email provider
A public key stored in your DNS as a TXT record
The public key sits on a special DNS name like:
selector._domainkey.yourdomain.com
The word “selector” is a label chosen by your provider.
How DKIM Works
When you send an email:
Your server signs the email using the private key
The receiver checks your DNS public key
If it matches, DKIM passes
DKIM Record Example
It looks like a TXT record with a long value such as:
v=DKIM1; k=rsa; p=MIIBIjANBgkqh...
The p= part is the public key.
Common DKIM Mistakes
1. DKIM not enabled in the provider
Some people add DNS, but do not enable DKIM signing in the email service.
2. Wrong selector
If your provider gives selector1 but you publish selector2, it will fail.
3. Formatting errors
Extra spaces, missing quotes, or broken lines can cause problems.
Part 3: DMARC Explained Simply
What DMARC Is
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.
DMARC tells inbox providers what to do when SPF and DKIM fail.
It also gives you reports so you can see who is sending email using your domain.
DMARC protects your brand from spoofing.
Where DMARC Lives
DMARC is a DNS TXT record on:
_dmarc.yourdomain.com
How DMARC Works
DMARC checks two things:
SPF result
DKIM result
But DMARC also checks alignment.
Alignment means:
The domain used in SPF and DKIM should match the domain shown in the From address
This is important.
Example:
If your From address is: hello@yourdomain.com
Then DMARC wants SPF or DKIM to align with yourdomain.com.
DMARC Policy Levels
DMARC has three main policies:
1. p=none
Do not block anything. Only monitor.
Good for starting.
2. p=quarantine
Send failing mail to spam or junk.
Good when you are more confident.
3. p=reject
Reject failing mail. Strongest protection.
Best for anti-spoofing and trust, but only after you verify all legit senders.
A Simple DMARC Record Example
For monitoring:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s;
You can remove ruf if you do not want forensic reports.
Common DMARC Mistakes
1. Setting p=reject too early
If you forget any legitimate sender, their emails may get blocked.
2. Not adding rua
Without reports, you cannot see what is happening.
3. Ignoring alignment
You can have SPF pass and still fail DMARC if alignment is wrong.
How SPF, DKIM, and DMARC Work Together
This is the simple relationship:
SPF checks who is allowed to send
DKIM checks if the email was changed and signed correctly
DMARC checks if SPF or DKIM passes and aligns with the From domain, then applies the policy
For best deliverability, you want:
SPF pass and aligned
or DKIM pass and aligned
Ideally both.
What Is Alignment and Why It Matters
Alignment is one of the most misunderstood points.
Your email has different “domains” in different places:
From address domain, visible to users
Return Path domain, used for SPF
DKIM signing domain, used in DKIM signature
DMARC checks if the SPF domain or DKIM domain matches the From domain.
Strict vs Relaxed Alignment
DMARC can use:
Relaxed alignment (default for many setups)
Strict alignment (more strict)
Relaxed means subdomains can align.
Example:
From: yourdomain.com
DKIM: mail.yourdomain.com
This can still align in relaxed mode.
Strict means it must match exactly.
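The decision described above, written out as an added example (not any receiver's actual code). It assumes the organizational domain is simply the last two labels, where real receivers use the Public Suffix List, and the bounce domain is a made-up name.

```python
def org_domain(domain):
    # Assumption for this sketch: the organizational domain is the last two
    # labels. Real receivers use the Public Suffix List (needed for co.uk etc.).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tolerate a trailing semicolon."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs as the receiver computed them.

    Returns ("pass", None) or ("fail", <requested policy>).
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", None)
    return ("fail", tags.get("p", "none"))


# Constructed inputs: From yourdomain.com, DKIM signed as mail.yourdomain.com,
# SPF passing for a third-party bounce domain (made-up name).
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
STRICT = RELAXED + "; adkim=s; aspf=s;"
SPF = ("pass", "bounce.mailer.example")
DKIM = ("pass", "mail.yourdomain.com")

if __name__ == "__main__":
    print(evaluate(RELAXED, "yourdomain.com", SPF, DKIM))  # relaxed DKIM aligns
    print(evaluate(STRICT, "yourdomain.com", SPF, DKIM))   # nothing aligns
```

With the same message, the relaxed record passes through DKIM while the strict record fails even though both raw checks passed.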
Step by Step Setup Guide in Simple Words
Step 1: List all email senders you use
Make a list of every system that sends email from your domain:
Google Workspace or Microsoft 365
Website forms
CRM
Cold email tools
Transactional email service
Support ticket system
Newsletter tool
This step matters. If you miss any sender, you may break email flow later.
Step 2: Set SPF record
Add one SPF record that includes all senders.
If you already have one, update it.
Do not create a second SPF record.
Step 3: Enable DKIM in your provider
Go to your provider and turn on DKIM signing.
It will give you one or more DKIM DNS records. Add them.
Step 4: Add DMARC as monitoring first
Start with p=none so nothing breaks.
Collect reports for a few weeks.
Step 5: Check reports and fix unknown senders
Reports show:
Which IPs are sending as your domain
Whether SPF and DKIM pass
Whether they align
Which messages fail
Fix issues by updating SPF or enabling DKIM on legitimate services.
Step 6: Move to quarantine
After you confirm your real senders are passing, move to:
p=quarantine
Step 7: Move to reject
When you are confident, move to:
p=reject
This gives strong protection and usually improves trust.
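Before moving past p=none, the reports from Step 5 need to be read, and a short script helps. This is an added example over a constructed aggregate report (documentation IP ranges, a made-up CRM bounce domain), assuming the report XML carries no namespace.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (documentation IPs, made-up third-party domain).
# In <policy_evaluated>, dkim/spf are the aligned results DMARC used;
# <auth_results> holds the raw checks and the domains they were made against.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.com</header_from></identifiers>
 <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
  <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.com</header_from></identifiers>
 <auth_results><spf><domain>bounce.crm.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>4</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.com</header_from></identifiers>
 <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def failing_sources(report_xml):
    """List sources where neither aligned SPF nor aligned DKIM passed."""
    failing = []
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        raw = {f"{el.tag}:{el.findtext('domain')}": el.findtext("result")
               for el in rec.find("auth_results")}
        # Triage hint only: a raw pass on another domain points at alignment,
        # no raw pass at all points at a source you have not authorized.
        hint = "raw pass but not aligned" if "pass" in raw.values() else "no check passed"
        failing.append({"ip": rec.findtext("row/source_ip"),
                        "count": int(rec.findtext("row/count")),
                        "raw": raw, "hint": hint})
    return sorted(failing, key=lambda r: r["count"], reverse=True)
```

Reports arrive by mail from outside parties, so in production parse them with a hardened XML parser rather than the default one.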
Best Practices That Improve Deliverability
Use a custom Return Path or Mail From domain
Some services allow a custom mail from domain. This helps SPF alignment.
Use a dedicated subdomain for marketing emails
Many brands use:
news.yourdomain.com for newsletters
mail.yourdomain.com for campaign tools
This keeps sending reputations organized.
Keep your DNS records clean
Avoid:
Duplicate SPF
Old DKIM selectors that are no longer used
Too many includes in SPF
Rotate DKIM keys sometimes
Some providers let you rotate DKIM keys. This can improve security.
How to Know If Your Setup Is Correct
You can verify in three ways:
1. Send a test email to a mailbox you control
Then check the message headers. Look for:
SPF pass
DKIM pass
DMARC pass
2. Use your email provider’s dashboard
Many platforms show DKIM status and signing.
3. Use DMARC reports
They show if your messages pass or fail in real inbox providers.
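For the header check in method 1, the results sit in the Authentication-Results header that the receiving server stamps on the message. This is an added example over a constructed message; the receiver name mx.receiver.example and the selector are made up.

```python
import re
from email import message_from_string

# Constructed message; the receiver name and selector are made up.
RAW_MESSAGE = """\
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.yourdomain.com;
 dkim=pass header.d=yourdomain.com header.s=selector1;
 dmarc=pass (p=none) header.from=yourdomain.com
From: hello@yourdomain.com
Subject: test

body
"""


def auth_results(raw_message, trusted_authserv):
    """Return {method: [(result, properties), ...]} from trusted headers only."""
    results = {}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", value)  # drop (comments)
        authserv, _, rest = " ".join(value.split()).partition(";")
        # A sender can put a forged Authentication-Results header in the
        # message, so only accept the one stamped by your own receiver.
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                results.setdefault(m.group(1), []).append((m.group(2), props))
    return results


def all_pass(results):
    """True only if SPF, DKIM and DMARC each have at least one 'pass'."""
    return all(any(r == "pass" for r, _ in results.get(m, []))
               for m in ("spf", "dkim", "dmarc"))
```

The returned properties also show which domains were checked (smtp.mailfrom, header.d, header.from), which is what you compare when a pass still fails alignment.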
Common Questions and Confusions
Does SPF alone guarantee inbox?
No. SPF helps, but you also need DKIM and DMARC for better trust.
If DKIM passes, do I still need SPF?
Yes. Having both is stronger and helps in different cases.
Can DMARC pass if SPF fails?
Yes, if DKIM passes and aligns.
Can DMARC pass if DKIM fails?
Yes, if SPF passes and aligns.
Is DMARC required?
Many providers strongly expect it. It is also important for domain protection.
FAQs
What is the easiest setup for beginners?
Start with SPF and DKIM first, then add DMARC with p=none to monitor.
What should my DMARC policy be?
Start with p=none, then move to quarantine, then reject when safe.
Why do my emails fail DMARC even when SPF passes?
Most times it is alignment. The SPF domain does not match the From domain.
How long does DNS take to update?
It can update within minutes, but sometimes it takes several hours depending on your DNS provider.
What is the biggest deliverability mistake people make?
They skip warm up and send high volume from a new domain or inbox, even with perfect SPF, DKIM, and DMARC.
Conclusion
DKIM, SPF, and DMARC are the foundation of email deliverability.
SPF proves which servers can send. DKIM proves your email is signed and not changed. DMARC ties everything together and tells inbox providers what to do when checks fail.
If you set these correctly and monitor DMARC reports, you build trust and protect your domain. This leads to better inbox placement, fewer spam problems, and safer scaling for cold outreach.
