Skip to content

Free Tech Tutor

SPF, DKIM, and DMARC Explained: Why Your Emails Land in Spam

SPF, DKIM, and DMARC explained in plain English: what each DNS record does, how they work together, and how to check yours before your mail lands in spam.

I spent an afternoon last year staring at a client’s Gmail deliverability report, watching cold emails land straight in spam even though the copy was clean and the list was opted-in. The fix had nothing to do with subject lines. It came down to SPF, DKIM, and DMARC — three DNS records that tell inbox providers whether an email really came from its claimed sender.

Most people hear these acronyms and decide they’re too technical to bother with. The crux is simpler than it looks: SPF says who’s allowed to send, DKIM proves the message wasn’t tampered with, and DMARC tells inboxes what to do when either check fails. See them as three separate jobs, not one block of jargon, and the rest clicks fast.

Quick Answer

SPF, DKIM, and DMARC are DNS records that authenticate outgoing email. SPF lists approved sending servers, DKIM adds a signature proving the message wasn’t altered, and DMARC tells receiving servers what to do when a message fails either check — reject, quarantine, or allow it through.

What Are SPF, DKIM, and DMARC?

Each record solves a different piece of the same problem: proving an email is genuinely from your domain, not a spoofed copy.

What Is SPF?

Sender Policy Framework is a text record in your domain’s DNS listing every mail server allowed to send on your behalf — host, email provider, marketing tool. The receiver checks the sending IP against that list; not on it, and the message fails SPF.

What Is DKIM?

DomainKeys Identified Mail attaches a digital signature to every outgoing message using a private key your mail server holds. The receiver checks the matching public key in your DNS. Change even one character in transit and the signature breaks.

What Is DMARC?

Domain-based Message Authentication, Reporting, and Conformance sits on top of both, reading the SPF and DKIM results and applying a policy you choose: do nothing, quarantine, or reject. It also emails daily reports showing who’s sending mail using your domain — how you catch spoofing you didn’t know was happening.

Record Verifies Lives At On Failure
SPF Sending server is authorized TXT on root domain Nothing alone — needs DMARC
DKIM Content wasn’t altered TXT on selector subdomain Nothing alone — needs DMARC
DMARC SPF/DKIM results plus alignment _dmarc.yourdomain.com Enforces policy: none, quarantine, reject

SPF and DKIM are checks; DMARC is the decision-maker that acts on what those checks find.

How Do These Three Work Together to Stop Spoofing?

A single failed check rarely sends legitimate email to spam alone — providers weigh dozens of signals. Together, these three close the loop spammers rely on.

Alignment Is the Piece Most Guides Skip

Your server signs the message with DKIM and sends it. The receiver checks the IP against SPF, verifies the DKIM signature, then checks “alignment” — whether the visible From address matches the domain that passed SPF or DKIM. A scammer’s mail can pass SPF on their own server while forging your domain in the From field; DMARC catches that mismatch. It’s the same forged-sender trick behind most messages in my guide to spotting phishing emails.

SPF and DKIM run independent checks, and DMARC only accepts a pass when the visible sender domain lines up with the one that actually authenticated.

How Do I Check My Domain’s Email Authentication Setup?

A few free lookups tell you everything.

Check SPF and DMARC

Run a TXT lookup on your root domain with a tool like MXToolbox, looking for a line starting with v=spf1. Then look up _dmarc.yourdomain.com; a record like v=DMARC1; p=none; rua=mailto:you@yourdomain.com means it’s monitoring only, not enforcing yet.

Check DKIM

DKIM sits on a selector subdomain, so you need the selector name from your provider’s settings — Google’s email authentication documentation shows where to find it in Workspace. Look up selector._domainkey.yourdomain.com and confirm a public key returns.

Pro tip: start every new domain at p=none for two to three weeks, confirm every legitimate sender passes in the reports, then move to p=quarantine before ever setting p=reject — jumping straight to reject is the fastest way to lose real customer emails.

Free DNS lookup tools confirm all three records in under five minutes without touching your mail server.

Why Do Emails Still Land in Spam With SPF and DKIM Enabled?

Passing is necessary but not sufficient — spam filters also weigh sender reputation and engagement. I’ve seen a fully authenticated domain get flagged simply because its sending IP was new with no reputation history. Authentication proves who you are; it doesn’t guarantee anyone wants what you’re sending. If your own inbox is the messy one instead, my guide on how to stop spam emails in Gmail covers that side.

Troubleshooting: Records Look Right but Mail Still Fails

Check for a duplicate SPF record first — two (often left from an old host plus a new tool) breaks things instead of merging. Also confirm you haven’t crossed SPF’s 10 lookup limit, which silently invalidates the record.

A broken SPF record is usually caused by duplicates or too many nested lookups, not a typo.

Common Mistakes to Avoid

Publishing Two SPF Records

A domain can only have one. Fix: merge every sender into a single v=spf1 line with include: statements.

Setting DMARC to Reject Too Soon

Fix: start at p=none, review reports, then step up to p=quarantine before ever trying p=reject.

Forgetting Third-Party Senders

Invoicing tools and marketing platforms need to be in your SPF record or sign their own DKIM. Fix: audit every tool that sends mail for you.

Never Reading the DMARC Reports

Fix: point rua at a mailbox you actually check — it’s the only way to spot unauthorized senders.

Assuming One Record Covers Everything

Each protects a different failure mode. Fix: treat SPF, DKIM, and DMARC as one bundled setup — skipping one is how domains end up spoofed, as in my email account hacked checklist.

Frequently Asked Questions

Do I need all three records or just one?

Yes, all three — each closes a different gap. I’ve seen domains with only SPF still get spoofed, since nothing stopped a forged From address on the attacker’s own server.

Will setting up DMARC break my existing email?

Not if you start at p=none, which only monitors. I always leave a new record at monitoring-only for a few weeks, and it’s caught misconfigured tools before they caused a problem.

How long does it take for these records to start working?

DNS changes typically propagate within hours. My own domain’s new SPF record was recognized by Gmail in about three hours.

What’s the difference between DMARC “quarantine” and “reject”?

Quarantine sends failing mail to spam; reject blocks it before delivery. I recommend quarantine first, since it still catches mail that would otherwise vanish under reject.

Conclusion

SPF, DKIM, and DMARC work as a team: SPF authorizes servers, DKIM signs content, and DMARC decides what happens when either check fails. Set them up in that order, starting DMARC in monitoring mode, then tighten the inbox side too with Gmail filters and labels. Check your DNS records today with a free lookup tool to see where your domain stands.

Author Tech TutorPosted on July 3, 2026Categories Email and CloudTags cybersecurity, email-setup, email-tips, Gmail, Outlook, spam email

Post navigation

Previous Previous post: Unsubscribe From Bulk Emails Fast: Clear Your Inbox in 15 Minutes
Next Next post: Use Gmail Offline: Read and Write Email With No Internet

Archives

  • July 2026
  • June 2026

Categories

  • AI Tools
  • Android
  • Browsers
  • Email and Cloud
  • Internet and Wi-Fi
  • iOS
  • Messaging and Apps
  • Productivity
  • Security and Privacy
  • Windows

Anti Drone System

Recent Posts

  • Update Router Firmware the Right Way: A Step-by-Step Guide
  • Revoke Third-Party App Access to Your Google and Social Accounts
  • How to Remove Your Personal Info From Google Search Results
  • Phone Stolen? Do This in the First Hour to Protect Your Data
  • What Is End-to-End Encryption and How Does It Actually Protect You
Free Tech Tutor Privacy Policy