SPF, DKIM & DMARC Explained (and How to Set Them Up)
If your cold emails are landing in spam, the first place to look isn’t your copy — it’s your authentication. SPF, DKIM and DMARC are the three DNS records that prove your email is really from you. Since Google and Yahoo updated their sender requirements, they’re not optional: without them, cold email rarely reaches an inbox.
Here’s what each record does, in plain English, and exactly how to set them up — with free tools to check and generate yours as you go.
Why authentication matters now
For years, authentication was best practice. Now it’s a requirement. Google and Yahoo’s bulk-sender rules mean mail without proper SPF, DKIM and DMARC is far more likely to be filtered or rejected outright. The reason is spoofing: anyone can put your domain in the “from” field, and authentication is how a receiving server checks that a message claiming to be from you actually came from a server you authorized — and what to do if it didn’t. Get these three right and you clear the single biggest deliverability hurdle. (For the full inbox picture, see our email deliverability guide.)
Grade your domain in seconds. The free Domain Health Checker tests SPF, DKIM, DMARC and MX in one pass and tells you exactly what to fix first. Run the check →
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists which servers are allowed to send email for your domain. When a server receives mail claiming to be from you, it checks your SPF record: if the sending server is on the list, the message passes SPF; if not, it looks suspicious. Where DKIM verifies the message, SPF verifies the sending server.
What an SPF record looks like
A simple record reads like: v=spf1 include:_spf.google.com ~all. The “include” points to your email provider, and the ~all (soft fail) or -all (hard fail) at the end tells receivers how strict to be about servers that aren’t on the list.
Common SPF mistakes
- More than one SPF record on a domain — only one is allowed, and multiples cause all of them to be ignored.
- Exceeding the 10-DNS-lookup limit, which invalidates the record.
- Ending with +all, which authorizes anyone to send as you.
Check your SPF in seconds with our free SPF Record Checker, or build a valid one with the SPF Record Generator.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. Your sending server signs the message with a private key; the matching public key lives in your DNS. The receiving server uses that public key to confirm the message wasn’t altered in transit and genuinely came from your domain.
How DKIM is set up
DKIM uses a selector — a label that points to the public key in your DNS (for example, google._domainkey.yourdomain.com). Your email provider generates the key pair and gives you a TXT record to publish; once it’s live, your mail is signed automatically. Confirm yours is published with our free DKIM Record Checker (enter your selector, or let it try the common ones).
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together. It tells receiving servers what to do when a message fails authentication, and it sends you reports on who is sending mail using your domain — including spoofers. It also requires alignment: the domain in your “from” address must line up with the domain that passed SPF or DKIM.
The DMARC policy (p=)
- p=none — monitor only. Nothing is blocked, but you get reports. Start here.
- p=quarantine — failing mail goes to spam.
- p=reject — failing mail is blocked outright. The end goal.
How to roll out DMARC safely
- Publish a DMARC record at p=none with a reporting address (rua).
- Watch the reports for a few weeks to confirm all your legitimate mail passes.
- Tighten to p=quarantine, then to p=reject once you’re confident.
Generate a correct record with the DMARC Generator and verify it with the DMARC Checker.
How the three work together
| Record | What it checks | Set it to |
|---|---|---|
| SPF | Which servers may send for your domain | Authorize your provider; end with -all or ~all |
| DKIM | The message wasn’t altered and is signed by you | Publish the provider’s key on your selector |
| DMARC | What to do on failure, plus reporting | Start at p=none, then quarantine, then reject |
Check your whole setup at once
The fastest way to see where you stand is to grade all four signals — SPF, DKIM, DMARC and MX — in one pass with our free Domain Health Checker. It tells you what’s missing, what’s misconfigured, and what to fix first.
Frequently asked questions
Do I really need all three?
Yes. Google and Yahoo’s sender requirements expect SPF, DKIM and DMARC for bulk senders, and each protects a different part of the chain. Missing any one weakens deliverability and leaves you open to spoofing.
What’s the difference between SPF and DKIM?
SPF checks whether the sending server is authorized; DKIM cryptographically verifies the message itself wasn’t tampered with. They cover different attacks, which is why you need both — and DMARC to tie them together.
Should DMARC start at reject?
No. Start at p=none to monitor, confirm your legitimate mail passes, then move to quarantine and finally reject. Jumping straight to reject can block your own email.
How long do DNS changes take?
Usually minutes to a few hours to propagate, occasionally up to 24–48. After publishing, re-check with the Domain Health Checker.
Skip the DNS work entirely
Outboundry ships mailboxes with SPF, DKIM and DMARC already configured and warmed, so you skip the setup — and live monitoring flags any issue before it costs you replies. Start your free trial, or check your current records with the free Domain Health Checker.