If you’ve ever tried to improve your email deliverability, you’ve probably come across three intimidating acronyms: SPF, DKIM, and DMARC.
Most guides make them sound complicated. They don’t have to be.
In this guide we’ll explain exactly what SPF, DKIM, and DMARC are, why they matter for your email deliverability, and how to set them up correctly — in plain English, without the technical jargon.
Why SPF, DKIM, and DMARC Matter
Every day, billions of spam and phishing emails are sent by people pretending to be someone they’re not. A scammer can send an email that looks like it came from your domain — your company name, your email address — without you ever knowing.
Inbox providers like Gmail, Outlook, and Yahoo know this happens constantly. So they built a system to verify whether an email actually came from who it claims to be from. That system is built on three DNS records: SPF, DKIM, and DMARC.
Together these three records tell inbox providers:
- Which servers are allowed to send email from your domain
- Whether the email was tampered with in transit
- What to do if an email fails these checks
Without all three correctly configured, inbox providers treat your emails with suspicion — even if you’re a completely legitimate sender. This means more of your emails land in spam, your sender reputation suffers, and your campaigns get lower open rates.
In 2026, SPF, DKIM, and DMARC are no longer optional. Gmail and Yahoo now require them for all bulk senders. If you’re missing any of these records, your emails will be automatically filtered or rejected.
What Is SPF?
SPF stands for Sender Policy Framework.
SPF is a DNS record that tells inbox providers which mail servers are authorized to send emails on behalf of your domain. Think of it like a guest list at a venue — only servers on the list are allowed in. Any email that arrives from a server not on the list gets flagged as suspicious.
How SPF Works
When someone receives an email from your domain, their inbox provider checks your DNS records for your SPF record. The SPF record lists all the IP addresses and mail servers that are allowed to send email from your domain.
If the email came from an authorized server — it passes SPF. If it came from an unauthorized server — it fails SPF and is treated as suspicious.
What an SPF Record Looks Like
An SPF record is a TXT record added to your domain’s DNS. Here’s an example of what one looks like:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Breaking this down:
- v=spf1 — identifies this as an SPF record
- include:_spf.google.com — authorizes Google Workspace servers to send from your domain
- include:sendgrid.net — authorizes SendGrid servers to send from your domain
- ~all — tells inbox providers to soft fail any email that doesn’t match (treat with suspicion but don’t reject outright)
SPF Common Mistakes to Avoid
Too many DNS lookups
SPF records are limited to 10 DNS lookups. If your SPF record includes too many services, it breaks silently — emails start failing SPF without any obvious error. Keep your SPF record lean and remove any services you no longer use.
Using -all instead of ~all too early
The -all flag (hard fail) rejects any email that fails SPF. This is the most secure option but can cause problems if your SPF record isn’t perfectly complete. Start with ~all (soft fail) and move to -all once you’re confident your record includes all your sending sources.
Having multiple SPF records
You can only have one SPF record per domain. If you have multiple TXT records starting with v=spf1, they conflict with each other and both fail. Combine everything into a single SPF record.
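The checks in this section can be automated. The following is an added example, not code from the original guide: it lints SPF records held in a constructed in-memory zone (no live DNS), counting lookups through nested includes. All hostnames other than yourdomain.com are hypothetical.

```python
import re

LOOKUP_LIMIT = 10  # the 10-lookup cap described above

# Constructed sample "zone" (name -> TXT strings); hostnames are hypothetical.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.mail.test include:esp.test mx ~all",
                       "site-verification=constructed"],
    "_spf.mail.test": ["v=spf1 include:_n1.mail.test ~all"],
    "_n1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "esp.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "dup.test": ["v=spf1 mx ~all", "v=spf1 include:esp.test -all"],
}

def spf_records(zone, name):
    """All TXT strings at name whose first token is v=spf1."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=()):
    """Count lookup-costing terms reachable from name, following includes."""
    records = spf_records(zone, name)
    if name in path or len(records) != 1:  # include loop, or nothing to follow
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        head = term.lstrip("+-~?").split("/")[0]
        if head.startswith(("include:", "redirect=")):
            target = re.split("[:=]", head, maxsplit=1)[1]
            total += 1 + count_lookups(zone, target, path + (name,))
        elif head.startswith("exists:") or head.split(":")[0] in ("a", "mx", "ptr"):
            total += 1
    return total

def lint_spf(zone, name):
    """Findings on record count, lookup total and the final 'all' term."""
    records = spf_records(zone, name)
    if len(records) != 1:
        return [f"{len(records)} SPF records found, exactly 1 required"]
    findings = []
    lookups = count_lookups(zone, name)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups, limit is {LOOKUP_LIMIT}")
    last = records[0].lower().split()[-1]
    if last not in ("~all", "-all"):
        findings.append(f"record ends with {last!r} instead of ~all or -all")
    return findings

if __name__ == "__main__":
    for domain in ("yourdomain.com", "dup.test"):
        print(domain, lint_spf(ZONE, domain) or "ok")
```

To run it against a real domain, fill the zone dictionary from your DNS provider's export or a resolver of your choice; the lint logic stays the same.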
What Is DKIM?
DKIM stands for DomainKeys Identified Mail.
DKIM adds a digital signature to every email you send. This signature is like a wax seal on a letter — it proves the email genuinely came from your domain and that nobody tampered with it between when you sent it and when it arrived.
How DKIM Works
When you send an email, your mail server adds a cryptographic signature to the email header using a private key that only your server knows. Your DNS contains the corresponding public key.
When the recipient’s inbox provider receives your email, it looks up your public key in your DNS and uses it to verify the signature. If the signature matches — the email is authentic and untampered. If it doesn’t match — something is wrong and the email gets flagged.
What a DKIM Record Looks Like
A DKIM record is also a TXT record added to your DNS. It looks something like this:
google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..."
The long string of characters is your public key. Your email service provider generates this key for you — you just need to copy it into your DNS exactly as provided.
DKIM Common Mistakes to Avoid
Not enabling DKIM in your ESP
Most email service providers require you to manually enable DKIM signing in your account settings. Simply adding the DNS record isn’t enough — you also need to activate it in your ESP’s dashboard.
Copying the key incorrectly
DKIM keys are long and complex. A single character error breaks the entire record. Always copy and paste rather than typing manually, and verify the record after adding it.
Using a key that’s too short
DKIM keys should be at least 1024 bits — ideally 2048 bits for maximum security. Shorter keys are considered insecure and may be rejected by some inbox providers.
What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
DMARC is the policy layer that sits on top of SPF and DKIM. It tells inbox providers what to do when an email fails SPF or DKIM checks — and it sends you reports so you can see exactly what’s happening with your domain’s email authentication.
How DMARC Works
DMARC works by checking two things:
First, it checks whether the email passed SPF or DKIM. Second — and this is the important part — it checks whether the domain in the email’s “From” address matches the domain that passed SPF or DKIM. This second check is called alignment, and it’s what prevents sophisticated spoofing attacks.
If an email fails DMARC, your DMARC policy tells inbox providers what to do with it — nothing, quarantine it, or reject it outright.
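The two-step check above (authentication result plus alignment) is shown here as an added example, not code from the original guide. Assumptions: the aspf and adkim arguments stand for the DMARC alignment-mode tags from RFC 7489, which this page does not cover, and org_domain() is a hypothetical shortcut that takes the last two labels instead of consulting the Public Suffix List. Domains ending in .example are constructed.

```python
def org_domain(domain):
    # Assumption for illustration: organizational domain = last two labels.
    # Production code must consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(from_domain, spf, dkim_sigs, policy="none", aspf="r", adkim="r"):
    """spf: (result, envelope-from domain); dkim_sigs: [(result, d= domain)].

    DMARC passes if SPF passes AND aligns, or any DKIM signature passes AND
    aligns. A pass for a domain unrelated to the From address does not count.
    """
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, adkim)
                  for res, dom in dkim_sigs)
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}

if __name__ == "__main__":
    # Constructed cases. 1: mail sent through an ESP whose bounce domain differs
    # from the From domain, but which signs with the sender's own DKIM key.
    print(dmarc_eval("yourdomain.com", ("pass", "bounce.esp.example"),
                     [("pass", "yourdomain.com")], policy="reject"))
    # 2: SPF and DKIM both pass, but only for an unrelated domain.
    print(dmarc_eval("yourdomain.com", ("pass", "other.example"),
                     [("pass", "other.example")], policy="quarantine"))
```

The second case is why alignment matters: both underlying checks pass, yet DMARC fails because neither result belongs to the domain shown in the From address.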
What a DMARC Record Looks Like
A DMARC record is a TXT record added to your DNS at _dmarc.yourdomain.com:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Breaking this down:
- v=DMARC1 — identifies this as a DMARC record
- p=quarantine — tells inbox providers to send failing emails to spam (options are none, quarantine, or reject)
- rua=mailto:dmarc@yourdomain.com — the email address where DMARC reports are sent
- pct=100 — applies this policy to 100% of failing emails
DMARC Policy Levels Explained
p=none — Monitor only. Failing emails are delivered normally but you receive reports showing what’s failing. Use this when first setting up DMARC to understand your email flows before enforcing a policy.
p=quarantine — Failing emails go to the spam folder. A good middle ground that protects your domain while minimizing the risk of blocking legitimate emails during the transition.
p=reject — Failing emails are rejected entirely and never delivered. The most secure option. Use this once you’re fully confident your SPF and DKIM are correctly configured for all your sending sources.
DMARC Common Mistakes to Avoid
Jumping straight to p=reject
If your SPF or DKIM isn’t perfectly set up, a reject policy will block legitimate emails. Always start with p=none, monitor the reports, fix any issues, move to p=quarantine, then finally p=reject.
Not setting up a reporting email
The rua tag in your DMARC record is how you receive authentication reports. Without it, you’re flying blind. Always set up a reporting address — even a dedicated inbox like dmarc@yourdomain.com works fine.
Not reading the reports
DMARC reports are sent as XML files which aren’t easy to read directly. Use a free DMARC report analyzer like dmarcanalyzer.com or Google’s Postmaster Tools to make sense of the data.
How SPF, DKIM, and DMARC Work Together
Think of these three records as layers of protection that work together:
SPF verifies the sending server is authorized.
DKIM verifies the email content is authentic and untampered.
DMARC enforces policy when either check fails and gives you visibility into your domain’s authentication health.
An email that passes all three checks is trusted by inbox providers. An email that fails any of them is treated with suspicion — and in 2026, with Gmail and Yahoo’s stricter requirements, that often means automatic spam placement or outright rejection.
How to Check Your SPF, DKIM, and DMARC Records
Before assuming your records are correctly set up, verify them. Here are the best free tools to check your authentication records:
MXToolbox → mxtoolbox.com/SuperTool — check SPF, DKIM, and DMARC records for any domain
Google Admin Toolbox → toolbox.googleapps.com/apps/checkmx — Google’s own tool for checking email authentication
Mail-tester → mail-tester.com — send a test email and get a full authentication report
DMARC Analyzer → dmarcanalyzer.com — free DMARC record checker and report analyzer
Check all three records before launching any email campaign. A broken authentication record you didn’t know about can silently destroy your deliverability.
How LiftInbox Monitors Your Authentication Records Daily
Setting up SPF, DKIM, and DMARC is just the first step. The real challenge is keeping them healthy over time.
DNS records can break unexpectedly — when you change hosting providers, switch email services, update your domain settings, or simply make a typo during a routine DNS change. A broken authentication record you don’t know about can silently destroy your deliverability for days or weeks before you notice.
LiftInbox automatically checks your SPF, DKIM, and DMARC records every single day. The moment something breaks, you receive an instant alert so you can fix it before it affects your campaigns.
Combined with automated email warmup, real-time reputation tracking, and automatic spam rescue, LiftInbox gives you complete visibility and control over your email deliverability — without requiring any technical expertise.
Summary: SPF, DKIM, and DMARC Explained
SPF — tells inbox providers which servers can send email from your domain. Set it up by adding a TXT record to your DNS listing your authorized sending sources.
DKIM — adds a digital signature to your emails proving they’re authentic and untampered. Set it up by generating a key pair in your ESP and adding the public key to your DNS.
DMARC — enforces policy when SPF or DKIM fails and sends you authentication reports. Set it up by adding a TXT record to your DNS starting with p=none, then gradually moving to p=reject.
All three records must be correctly configured and actively monitored for strong email deliverability. Missing or broken authentication is one of the leading causes of emails landing in spam — and it’s entirely preventable.
Protect Your Email Deliverability with LiftInbox
LiftInbox monitors your SPF, DKIM, and DMARC records daily and alerts you instantly if anything breaks — so your emails keep landing in the inbox where they belong.
Have questions about SPF, DKIM, DMARC or email deliverability? Contact our support team — we’re happy to help.
