SPF, DKIM, and DMARC Explained Simply (Email Authentication Guide)
If your emails are landing in spam—or you've been told you need to "set up authentication"—you've probably run into three acronyms: SPF, DKIM, and DMARC. They sound technical, but the underlying ideas are straightforward. This guide explains what each one does, why inbox providers care about them, and what you actually need to do.
Why Email Authentication Exists
Anyone can send an email claiming to be from your domain. Without authentication, there's nothing stopping a spammer from sending messages that appear to come from yourcompany.com. Authentication records are entries you publish in your domain's DNS that let receiving mail servers verify: "Did this email genuinely come from a server this domain owner authorized?"
Gmail, Outlook, and other major providers check these records automatically. Missing or broken authentication is one of the most common reasons legitimate emails end up in spam—or get rejected outright.
SPF: Listing Who's Allowed to Send
SPF (Sender Policy Framework) is a DNS record that lists the mail servers authorized to send email on behalf of your domain. Think of it as a guest list at a venue door.
When a receiving server gets an email whose bounce address (the envelope sender, which is not necessarily the From address the reader sees) is at yourcompany.com, it looks up your SPF record and checks whether the sending server's IP address is on the list. If it isn't, the email fails SPF.
What an SPF record looks like
An SPF record is a TXT record in your DNS. A simple one might look like this:
v=spf1 include:sendgrid.net include:mailchimp.net ~all
That tells receiving servers: "Emails from this domain may come from SendGrid or Mailchimp. Treat anything else with suspicion." The ~all at the end is a soft fail—it flags unauthorized senders rather than outright rejecting them. -all is a hard fail that rejects them.
Common SPF mistake to avoid
You can only have one SPF record per domain. If you add a second one, receiving servers treat the lookup as a permanent error (permerror) and your mail fails SPF. If you use multiple sending services, combine them into a single record.
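To make the SPF check concrete, here is a small evaluator written for this guide (it is not code from the page or from any provider). It handles the mechanisms that appear in records like the one above (ip4, ip6, include, all, with the + - ~ ? qualifiers) and reports the permerror that a second SPF record or a runaway chain of includes causes. The DNS data is a constructed in-memory table, so it runs offline; the domain names and addresses in it are made up or taken from documentation ranges.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real checker queries DNS.
# Domains are invented and IP addresses come from documentation ranges.
FAKE_DNS_TXT = {
    "yourcompany.com": ["v=spf1 ip4:203.0.113.0/24 include:sendgrid.example ~all"],
    "sendgrid.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # Two SPF records on one name: the mistake described above.
    "broken.example": ["v=spf1 ip4:203.0.113.5 -all",
                       "v=spf1 include:sendgrid.example -all"],
    # Two records that include each other: only the lookup limit stops this.
    "loop-a.example": ["v=spf1 include:loop-b.example -all"],
    "loop-b.example": ["v=spf1 include:loop-a.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms


def get_spf_records(domain, dns):
    """Return every TXT record on `domain` that is an SPF record."""
    return [r for r in dns.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def check_spf(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate sender `ip` against the SPF record of `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; mechanisms that need
    live DNS (a, mx, ptr, exists) and the redirect modifier are out of
    scope here and reported as permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    addr = ipaddress.ip_address(ip)
    records = get_spf_records(domain, dns)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a permanent error
    for term in records[0].split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            matched = net.version == addr.version and addr in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, value, dns, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # include matches only on a pass
        else:
            return "permerror"  # unsupported in this example
        if matched:
            return QUALIFIERS[qualifier]  # first matching term decides
    return "neutral"  # nothing matched and there was no "all" term


if __name__ == "__main__":
    for sender_ip in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(sender_ip, check_spf(sender_ip, "yourcompany.com"))
    print("broken.example:", check_spf("203.0.113.5", "broken.example"))
    print("loop-a.example:", check_spf("192.0.2.1", "loop-a.example"))
```

The first matching term wins, which is why ~all or -all goes last: it is the catch-all for any server not named earlier. Note that the include of a domain that publishes no SPF record is also a permerror, so a stale include for a provider you no longer use can break the whole record.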
DKIM: A Digital Signature on Every Email
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. It proves that the signed parts of the email haven't been tampered with in transit and that the message was signed with the private key whose public key is published in your domain's DNS.
Here's how it works: your sending service generates a private key and uses it to sign each email. You publish the corresponding public key in your DNS. When a receiving server gets the email, it fetches your public key and uses it to verify the signature. If the signature checks out, DKIM passes.
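The following is an added example for this guide, not code from the page or from any mail provider, showing the pieces of DKIM a verifier can check with the standard library alone: the DNS name it looks the public key up under, the "relaxed" body canonicalization from RFC 6376, and the bh= body hash that catches content changes. The actual signature in the b= tag needs an RSA (or Ed25519) key, so this example leaves that tag empty and stops at the body-hash step. The domain, selector and message text are constructed.

```python
import base64
import hashlib
import re


def dkim_dns_name(selector, domain):
    """The TXT record a verifier fetches: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization.

    Trailing whitespace on each line is removed, runs of whitespace inside
    a line collapse to one space, trailing empty lines are dropped, and
    lines end in CRLF. An empty body canonicalizes to the empty string.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """The bh= tag value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def build_dkim_signature(body, domain, selector,
                         signed_headers=("from", "to", "subject", "date")):
    """Assemble the DKIM-Signature tags for a message body.

    b= is left empty: filling it means signing a hash of the listed headers
    (including this DKIM-Signature header itself) with the private key,
    which this stdlib-only example does not do.
    """
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(signed_headers)}; bh={body_hash(body)}; b=")


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value, body):
    """First verification step: does bh= match the body that actually arrived?"""
    tags = parse_dkim_signature(header_value)
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    original = "Your order has shipped.\n"  # constructed message body
    sig = build_dkim_signature(original, "yourcompany.com", "s1")
    print("lookup:", dkim_dns_name("s1", "yourcompany.com"))
    print("intact:", body_hash_matches(sig, original))
    print("reflowed whitespace:", body_hash_matches(sig, "Your  order has shipped.  \n\n"))
    print("edited:", body_hash_matches(sig, "Your order has NOT shipped.\n"))
```

The relaxed canonicalization is why a forwarding server that re-wraps whitespace does not break DKIM, while any change to the words themselves does. A real verifier then fetches the public key from the selector name, recomputes the header hash and checks the b= signature against it; only if both the body hash and the signature check out does DKIM pass.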
Unlike SPF—which only checks the sending server's IP—DKIM travels with the message itself. This means it survives email forwarding, which SPF does not. That makes DKIM especially important for newsletters and transactional emails that get forwarded frequently.
How to set up DKIM
Your email sending provider generates the DKIM keys for you. They'll give you a TXT record (or CNAME record) to add to your DNS. You copy it in exactly as provided. Most providers have a step-by-step guide in their settings. Once the record propagates—usually within an hour or two—DKIM is active.
DMARC: The Policy That Ties It All Together
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM. It tells receiving servers what to do when an email fails DMARC, meaning neither SPF nor DKIM produced a pass for a domain that matches the From address, and it sends you reports so you can see who is sending email using your domain.
What DMARC does
- Enforces a policy: You choose what happens to emails that fail—none (monitor only), quarantine (send to spam), or reject (block entirely).
- Requires alignment: DMARC also checks that the domain in the "From" address matches the domain that passed SPF or DKIM. This closes a loophole that spammers exploit.
- Sends reports: You receive aggregate reports (and optionally forensic reports) showing which servers sent email claiming to be from your domain and whether authentication passed or failed.
A basic DMARC record
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com
Start with p=none so you can review reports without affecting email delivery. Once you're confident your legitimate sending sources all pass SPF and DKIM, move to p=quarantine and eventually p=reject for the strongest protection.
The Order That Makes Sense
Set these up in this sequence:
1. SPF — authorize your sending servers.
2. DKIM — add a signature through your email provider.
3. DMARC — set a policy and start receiving reports.
You need SPF and DKIM working correctly before DMARC is useful. DMARC checks whether at least one of them passes and is aligned with your From domain.
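The alignment rule above, and the policy and alignment settings of the DMARC record shown earlier, are easiest to see in code. This is an added example for this guide, not code from the page or from any provider. It parses a DMARC record, decides whether the SPF and DKIM results are aligned with the From domain in relaxed (aspf=r / adkim=r, the default) or strict (aspf=s / adkim=s) mode, and returns the action the p= tag asks for. The organizational-domain helper is deliberately simplified (last two labels); real verifiers use the Public Suffix List. All records, domains and results are constructed.

```python
# Constructed example records; the report address is illustrative.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com"
DMARC_STRICT = ("v=DMARC1; p=reject; aspf=s; adkim=s; "
                "rua=mailto:dmarc-reports@yourcompany.com")


def dmarc_dns_name(domain):
    """The TXT record receivers look up: _dmarc.<From domain>."""
    return f"_dmarc.{domain}"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into tags; v= and p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain):
    """Simplified: keep the last two labels. A real verifier consults the
    Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, action).

    from_domain: domain of the From header that the reader sees.
    spf_domain:  the envelope (MAIL FROM) domain SPF was evaluated for.
    dkim_domain: the d= tag of a DKIM signature that verified, or None.
    A single aligned pass from either mechanism is enough.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    print(dmarc_dns_name("yourcompany.com"))
    # Newsletter sent via a provider using a bounce subdomain: relaxed alignment passes.
    print(evaluate_dmarc("yourcompany.com", "pass", "bounce.yourcompany.com",
                         "fail", None, DMARC_MONITOR))
    # Same message under strict alignment: SPF no longer counts, DKIM must carry it.
    print(evaluate_dmarc("yourcompany.com", "pass", "bounce.yourcompany.com",
                         "pass", "yourcompany.com", DMARC_STRICT))
    # SPF passed, but for an unrelated envelope domain: unaligned, so DMARC fails.
    print(evaluate_dmarc("yourcompany.com", "pass", "other-sender.example",
                         "none", None, DMARC_STRICT))
```

The third case is the loophole alignment closes: an SPF pass for some unrelated envelope domain says nothing about the From address the reader sees, so DMARC ignores it and applies p=. Under p=none that still produces a report entry rather than any action, which is why starting at p=none is safe while you confirm every legitimate source is aligned.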
What Happens If You Skip This?
Since February 2024, Google and Yahoo have required SPF, DKIM, and DMARC for anyone sending bulk email. Senders who don't comply face higher spam rates or outright rejection. Even if you're not a bulk sender, missing authentication signals to inbox providers that your domain hasn't been properly configured—which quietly hurts your deliverability over time.
Check Your Current Setup
Before making changes, it helps to know where you stand. Rainmail's free deliverability checker scans your domain and shows you exactly which authentication records are present, which are missing, and what needs to be fixed—no technical knowledge required.
Authentication is the foundation of email deliverability. Getting these three records right won't guarantee every email reaches the inbox, but without them, you're starting every send at a disadvantage. Take an hour to check and configure them properly—your future emails will thank you.