SPF, DKIM and DMARC Guide for Email Authentication

MailGraf
Apr 9, 2026

SPF, DKIM and DMARC are the three protocols that prove your emails genuinely come from your domain. Without all three configured, a large share of your campaigns will land in spam, or never arrive at all. Since February 2024 Google and Yahoo require SPF, DKIM and DMARC for any domain sending more than 5,000 emails a day. Microsoft followed with the same rules for Outlook in May 2025 (Google Postmaster Guidelines, 2024).

This guide explains each protocol in plain language, shows real DNS record examples, and walks through the setup process step by step. Even if your technical background is limited, you will be able to configure all three for your own domain by the end.

Why SPF, DKIM and DMARC matter for deliverability

Email still delivers the highest return on investment of any marketing channel. Yet when SPF, DKIM and DMARC authentication is missing, receiving servers (Gmail, Outlook, Yahoo) either send your messages to spam or reject them outright.

The enforcement timeline has moved quickly. Google and Yahoo introduced SPF and DKIM requirements in February 2024. Microsoft applied the same rules to Outlook users in May 2025. French provider La Poste joined the list in September 2025. These protocols are no longer optional; they are prerequisites for sending.

The phishing and spoofing threat

Criminals impersonate legitimate business domains, a technique called spoofing, to send fake emails. SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are designed to stop this. When configured correctly, no one else can send email pretending to be your domain.

There is also an indirect effect. If a provider sees both authenticated and unauthenticated emails from the same domain, it lowers the trust score for the entire domain. Skipping authentication does not just affect one campaign; it undermines every message you send.

Direct impact on business results

When these protocols are in place:

  • Email providers recognise you as a trusted sender
  • Spam folder placement drops significantly
  • Open and click rates improve because messages reach the inbox
  • Your domain is protected from phishing impersonation
  • UK GDPR (General Data Protection Regulation) compliance strengthens because data security infrastructure improves

At MailGraf, SPF, DKIM and DMARC records are configured automatically for every new account. This single step noticeably lifts inbox placement rates from day one.

What is SPF (Sender Policy Framework)?

SPF is a DNS (Domain Name System) record that specifies which servers are authorised to send email from your domain. Think of it as an access list: "Only these servers may send email on behalf of this domain."

How SPF works

The process follows four steps:

  1. You, the domain owner, add an SPF record to your DNS. The record lists the IP addresses of authorised sending servers.
  2. When someone sends an email from your domain, the receiving server (Gmail, Outlook and others) looks up your DNS records.
  3. It checks whether the sending server's IP address appears in your SPF record.
  4. If the IP is listed, the email is accepted. If not, it is flagged as spam or rejected.

This mechanism blocks email spoofing. If an attacker tries to send an email as you@yourcompany.com, the receiving server checks the SPF record, finds the sending server is not listed, and rejects the message.

SPF record example

A typical SPF record looks like this:

v=spf1 ip4:192.168.1.1 include:_spf.mailgraf.com ~all

Component                   Meaning
v=spf1                      SPF protocol version 1
ip4:192.168.1.1             This IP address is authorised to send
include:_spf.mailgraf.com   MailGraf servers are authorised to send
~all                        Emails from unlisted servers get a "soft fail"

~all vs -all: which should you use?

This choice determines whether legitimate emails might be blocked:

  • ~all (Soft Fail): Emails from servers not on the list are treated as suspicious but still accepted. Start here. If you have a configuration error, your emails are flagged rather than completely blocked.
  • -all (Hard Fail): Emails from servers not on the list are rejected outright. Switch to this once you are confident every sending source is included. A single missing include means those emails never arrive.

SPF setup steps

1. List every source that sends email from your domain

This step is critical and often overlooked. Identify each service:

  • Your own mail server (if applicable)
  • Email marketing platforms like MailGraf
  • Business email services such as Google Workspace or Microsoft 365
  • CRM (customer relationship management) tools such as HubSpot or Salesforce
  • Transactional email services (order confirmations, password resets)

Each one needs to appear in the SPF record. Miss one and every email from that service fails SPF.

2. Add the SPF record to DNS

Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap or similar). Create a new TXT record:

  • Host/Name: @ or your domain name
  • Type: TXT
  • Value: your SPF record

Example for a business using both Google Workspace and MailGraf:

v=spf1 include:_spf.google.com include:_spf.mailgraf.com ~all

3. Test and verify

Check your domain at MXToolbox SPF Lookup. The tool shows whether the record is valid, how many DNS lookups it uses, and any errors. Run this check after every change.

Common SPF mistakes

DNS lookup limit: SPF allows a maximum of 10 DNS lookups. Each include directive uses at least one, and some contain nested lookups. If you use many services you can hit this limit quickly. Solution: remove includes for services you no longer use.

Multiple SPF records: A domain must have exactly one SPF record. Sometimes a second record is created when adding a new service. Two records means neither works and every email fails SPF. Solution: extend the existing record rather than creating a new one.

Syntax errors: Extra spaces, missing colons or wrong characters break the record silently. Use a generator tool and always validate the result.
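
As an added illustration (not MailGraf's tooling), the following Python validator applies the three checks above to a constructed set of TXT records: it rejects domains with zero or several SPF records, flags unparseable terms such as a missing colon, and counts DNS lookups across nested includes against the limit of 10. The zone data, including the contents shown for _spf.google.com and _spf.mailgraf.com, is made up for the example.

```python
import re

# Terms that each consume one of the 10 DNS lookups SPF permits (RFC 7208 section 4.6.4); ip4/ip6/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(
    r"^(?P<q>[+\-~?])?(?P<mech>all|include|a|mx|ptr|ip4|ip6|exists)"
    r"(?::(?P<arg>[^/\s]+))?(?:/\d{1,3}(?:/\d{1,3})?)?$"
    r"|^(?P<mod>redirect|exp)=(?P<val>\S+)$", re.I)

# Constructed TXT data standing in for live DNS answers; include contents and IP ranges are made up.
ZONE = {
    "good.example": ["v=spf1 include:_spf.google.com include:_spf.mailgraf.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"],
    "_spf.mailgraf.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "twice.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:_spf.mailgraf.com ~all"],
    "typo.example": ["v=spf1 ip4 192.168.1.1 include_spf.mailgraf.com ~all"],
    "bloated.example": ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"],
    **{f"svc{i}.example": ["v=spf1 ip4:192.0.2.1 -all"] for i in range(11)},
}


def check_spf(domain, zone, path=()):
    """Validate the SPF record of `domain`, following include/redirect targets, and report problems."""
    result = {"domain": domain, "lookups": 0, "all": None, "problems": []}
    if domain in path:  # an include chain that comes back to itself never terminates
        result["problems"].append(f"{domain}: include loop via {' -> '.join(path)}")
        return result
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:  # zero or several records are both a permanent error
        result["problems"].append(f"{domain}: {len(records)} SPF records, exactly one required")
        return result
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        name = (m.group("mech") or m.group("mod")).lower() if m else None
        if m is None or (name in ("include", "ip4", "ip6", "exists") and not m.group("arg")):
            result["problems"].append(f"{domain}: unparseable term {term!r}")
            continue
        if name == "all":
            result["all"] = m.group("q") or "+"  # "~" soft fail, "-" hard fail, "+" allows everyone
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name in ("include", "redirect"):  # nested records add their own lookups to ours
            sub = check_spf(m.group("arg") or m.group("val"), zone, path + (domain,))
            result["lookups"] += sub["lookups"]
            result["problems"] += sub["problems"]
    if result["lookups"] > 10:
        result["problems"].append(f"{domain}: {result['lookups']} DNS lookups, limit is 10")
    return result


if __name__ == "__main__":
    for name in ("good.example", "twice.example", "typo.example", "bloated.example"):
        print(check_spf(name, ZONE))
```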

What is DKIM (DomainKeys Identified Mail)?

DKIM is a digital signature system that proves your emails have not been altered in transit. Where SPF answers "who is allowed to send?", DKIM answers "did this email really come from this source and was the content changed along the way?"

DKIM relies on cryptography. The sending server signs each email with a private key. The receiving server verifies the signature using the corresponding public key published in DNS. If the signature is valid, the email is authentic and unmodified.

SPF vs DKIM comparison

The two protocols complement each other but check different things:

Criterion              SPF                            DKIM
What does it check?    Sending server's IP address    Cryptographic signature of email content
How does it work?      Authorisation list in DNS      Public/private key signatures
Email forwarding       May fail when forwarded        Survives forwarding
Content verification   Does not check content         Invalid if content is modified
Setup difficulty       Easy (single DNS record)       Moderate (key pair + DNS record)

Why do you need both? SPF performs a simple IP check but can break when emails are forwarded because the forwarding server's IP is not in your SPF record. DKIM uses a signature tied to the content, so it remains valid even after forwarding. Using both covers both scenarios.

DKIM setup step by step

1. Generate a key pair

Most email services, MailGraf included, generate DKIM keys automatically. For manual generation:

openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

Use 2048-bit keys as a minimum. 1024-bit keys are now considered weak and may be rejected by some providers.

2. Add the public key to DNS

Create a new TXT record in your domain DNS settings:

  • Host/Name: default._domainkey (or the selector your email service specifies)
  • Type: TXT
  • Value: your public key

Example:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

3. DKIM with your email service provider

Professional email platforms handle key generation for you. MailGraf creates the DKIM record when an account is opened, so you only need to add the DNS record provided by the platform.

4. Verify DKIM is working

After sending a test email, check the email headers on the receiving side:

Authentication-Results: dkim=pass header.d=example.com

dkim=pass means everything is working. dkim=fail suggests the public key in DNS does not match the private key used during signing. Regenerate the key pair and update DNS.

What is DMARC (Domain-based Message Authentication)?

DMARC is a policy and reporting layer that sits on top of SPF and DKIM. If SPF and DKIM are security guards, DMARC is the security manager: it evaluates the results, decides what to do with the email, and sends you a detailed report.

The most valuable feature of DMARC is reporting. Who is sending email from your domain? Which servers fail SPF or DKIM? Are there unexpected sending sources? DMARC reports answer all of these questions.

DMARC policy options

DMARC offers three policies. Knowing when to use each one is critical:

p=none (monitor mode)

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Accept the email even if SPF or DKIM fails, but send a report. Use this when you first set up DMARC. No emails are blocked, but you learn who is sending from your domain and what is passing or failing.

p=quarantine

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com

Send failed emails to the spam folder. The pct=50 parameter applies the policy to only 50 percent of emails, allowing a gradual transition. Move to this after reviewing reports for one to two weeks.

p=reject

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Reject failed emails entirely. The receiving server does not accept the message at all. This is the strongest protection but also the highest risk. Do not use it until you are completely sure every legitimate source passes SPF and DKIM. Starting directly with reject can block your own marketing emails.

DMARC setup steps

1. Confirm SPF and DKIM are working

DMARC requires at least one of these to pass. Test both with MXToolbox or mail-tester.com before proceeding.

2. Create a reporting address

Set up a dedicated address such as dmarc-reports@yourdomain.com. Reports arrive in XML (Extensible Markup Language) format. DMARC analysis services (dmarcian.com, Postmark, Valimail) convert these into readable dashboards. Most offer a free tier to start.

3. Add the DMARC record to DNS

Create a new TXT (text) record:

  • Host/Name: _dmarc
  • Type: TXT
  • Value: a safe starting record

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; sp=none; ri=86400

Parameter   Meaning                          Example
v=DMARC1    DMARC version                    Fixed
p=none      Main policy                      none / quarantine / reject
rua         Address for aggregate reports    mailto:dmarc@yourdomain.com
sp=none     Subdomain policy                 Can be set independently of the main policy
ri=86400    Reporting interval in seconds    86400 = 24 hours

4. Monitor and analyse reports

During the first week, look for answers to these questions:

  • Which IP addresses are sending email from your domain?
  • Where are SPF and DKIM failing?
  • Are there unexpected sending sources? (This could be a spoofing attempt.)
  • Which email services have not been included in SPF or DKIM yet?
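
To show what answering these questions from a raw report looks like, here is an added Python example (not part of the original guide) that parses a constructed aggregate report in the standard DMARC XML layout and labels each sending IP as passing DMARC, authenticating under another domain without alignment, or failing every check. The IPs, counts and domains are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout; IPs, counts and
# domains are made up for the example.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>company.example</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>1200</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
    <auth_results><dkim><domain>company.example</domain><result>pass</result></dkim><spf><domain>company.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>300</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>45</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
    <auth_results><spf><domain>company.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """One summary per <record>: DMARC pass, authenticated-but-unaligned, or unknown source."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        # policy_evaluated holds the *aligned* results; auth_results holds the raw ones.
        pe = rec.find("row/policy_evaluated")
        dkim_ok, spf_ok = (pe.findtext(k) == "pass" for k in ("dkim", "spf"))
        raw_pass = [
            f"{kind}:{r.findtext('domain')}"
            for kind in ("dkim", "spf")
            for r in rec.findall(f"auth_results/{kind}")
            if r.findtext("result") == "pass"
        ]
        if dkim_ok or spf_ok:
            verdict = "dmarc pass"
        elif raw_pass:  # a real service sending for you that is not yet in SPF/DKIM for this domain
            verdict = "authenticates as " + ", ".join(raw_pass) + " but does not align with From"
        else:
            verdict = "fails every check: unknown source, possible spoofing"
        rows.append({"source_ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "header_from": rec.findtext("identifiers/header_from"),
                     "dkim": dkim_ok, "spf": spf_ok, "verdict": verdict})
    return rows


if __name__ == "__main__":
    for r in summarize_report(SAMPLE_REPORT):
        print(f"{r['source_ip']:>15} {r['count']:>6} {r['verdict']}")
```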

5. Tighten the policy gradually

After one to two weeks on none:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

If no issues appear, increase to pct=25, then 50, then 100. Final stage:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

This gradual transition typically takes four to six weeks. Do not rush; check reports at every stage.

How SPF, DKIM and DMARC work together

The three protocols form a multi-layered authentication system. A concrete scenario makes this clearer:

Scenario: Sarah sends a marketing campaign from company.com using MailGraf.

Step 1. Sending: Sarah clicks "Send" in MailGraf. The server signs the email with a DKIM private key and starts delivery.

Step 2. SPF check: The recipient's email server looks up company.com's DNS records. It checks whether MailGraf's IP address is in the SPF record. The IP is listed, so SPF passes.

Step 3. DKIM check: The server sees the DKIM signature in the email header. It verifies the signature using the public key in company.com's DNS. The signature is valid and the content has not been modified.

Step 4. DMARC evaluation: The server reads company.com's DMARC record. At least one of SPF or DKIM must pass with alignment. Both pass, so the email lands in the inbox.

Now consider the same scenario with an attacker. A fraudster tries to send a fake email impersonating company.com. The sending server's IP is not in the SPF record (SPF fail). The email has no valid DKIM signature (DKIM fail). The DMARC policy is set to reject, so the email is blocked entirely. The recipient never sees it.

Understanding alignment

Alignment is a critical DMARC concept:

  • SPF alignment: The Return-Path domain (the technical sender) must match the From domain (what the recipient sees).
  • DKIM alignment: The domain in the DKIM signature (d= value) must match the From domain.

At least one must align. This prevents a server from passing SPF while sending on behalf of a completely different domain.
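
An added example, not MailGraf code, that models the receiver's DMARC decision described above in Python: alignment in relaxed and strict mode, the choice between p and sp, and the pct sample. The organizational domain is approximated as the last two labels (real receivers consult the Public Suffix List), and the function and domain names are invented for the example.

```python
# Receiver-side DMARC evaluation: both alignment modes, p vs sp, and the pct sample.

def org_domain(domain):
    """Two-label approximation of the organizational domain (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into tags with the RFC 7489 defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid DMARC record: {record!r}")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    return tags


def aligned(auth_domain, from_domain, mode):
    """Does an SPF- or DKIM-authenticated domain align with the visible From domain?"""
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match only
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, record_domain, record, spf, spf_domain, dkim, dkim_d, draw=1):
    """Return (dmarc_pass, disposition). spf/dkim are raw results, spf_domain the Return-Path
    domain, dkim_d the signature's d=, draw the receiver's 1-100 random number tested against pct."""
    tags = parse_dmarc(record)
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim == "pass" and aligned(dkim_d, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # A record found at the organizational domain applies sp to subdomain senders.
    policy = tags["sp"] if from_domain.lower() != record_domain.lower() else tags["p"]
    if draw > int(tags["pct"]):  # outside the pct sample: apply the next less strict policy
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return False, policy


if __name__ == "__main__":
    REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@company.example"
    # Sarah's campaign: SPF on a bounce subdomain and the DKIM d= both align (relaxed mode).
    print(evaluate("company.example", "company.example", REJECT,
                   "pass", "bounce.company.example", "pass", "company.example"))
    # Forwarded copy: SPF breaks at the forwarder, the DKIM signature survives, DMARC still passes.
    print(evaluate("company.example", "company.example", REJECT,
                   "fail", "forwarder.example", "pass", "company.example"))
    # Spoofed message: nothing aligns, so the published reject policy applies.
    print(evaluate("company.example", "company.example", REJECT,
                   "fail", "attacker.example", "none", None))
```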

Authentication and bulk email sending

If you send campaigns in bulk, correct authentication is non-negotiable. Email providers scrutinise high-volume senders far more closely than individual messages.

Dedicated IP vs shared IP

Shared IP (Internet Protocol): You use MailGraf's shared, CSA-certified (Certified Senders Alliance) IP pool alongside other senders. Suitable for volumes up to around 50,000 emails per month. IP reputation is managed by MailGraf.

Dedicated IP: A single IP address is allocated exclusively to you. Recommended for volumes above 100,000 emails per month. You own the reputation entirely. The advantage is isolation from other senders' behaviour, but you need to warm the IP up from scratch.

Email warmup strategy

Sending high volumes from a new domain or IP on day one triggers spam filters immediately. A gradual ramp-up is essential:

Week      Daily volume      What to watch
Week 1    500–1,000         Send only to your most engaged subscribers. Monitor open rates.
Week 2    2,000–5,000       Check that bounce rate stays below 2%.
Week 3    5,000–15,000      Verify spam complaint rate is under 0.1%.
Week 4+   Scale to target   Continue increasing if all metrics are healthy.

Set up SPF, DKIM and DMARC before the first send. Running a warmup without authentication contaminates the IP before it has a chance to build reputation.

Quick-start checklist: four steps to email authentication

1. Today: Check your SPF record at MXToolbox. If it is missing, add one. If you have multiple SPF records, merge them.

2. This week: Complete your DKIM setup. If you use MailGraf, the platform generates keys automatically, so just add the DNS record. For manual setup, use 2048-bit keys.

3. This month: Start DMARC with p=none. Set up a reporting address and begin monitoring. Learn who is sending email from your domain.

4. Next month: Based on your reports, move the DMARC policy to quarantine and then reject. Use the pct parameter to transition gradually at each stage.

Periodic maintenance

Email authentication is not a set-and-forget task. Review these items every quarter:

  • SPF records: Remove includes for services you no longer use. Confirm new services have been added.
  • DKIM key rotation: Renew your keys every six to twelve months. Using the same key indefinitely creates a security risk.
  • DMARC reports: If unexpected sending sources appear, investigate immediately; it could be a spoofing attempt.
  • Deliverability metrics: Track bounce rate, spam complaint rate and sender reputation regularly.
  • Provider updates: Google, Microsoft and Yahoo announce new requirements periodically. Stay current with the latest anti-spam updates.

Frequently asked questions

Can I send email without an SPF record?

Technically yes, but modern providers will almost certainly send your messages to spam. Since 2024, Google, Yahoo and Microsoft have required SPF for domains sending more than 5,000 emails per day. Even for low-volume senders, SPF is strongly recommended.

Is DKIM mandatory?

Not officially, but in practice it is. The SPF and DKIM combination is needed for DMARC to work. Major providers give lower sender scores to bulk emails without a DKIM signature. Google's 2024 update made DKIM effectively mandatory for high-volume senders.

Should I set DMARC to reject straight away?

Definitely not. Start with p=none and review reports. Then test with quarantine using the pct parameter. Only move to reject when you are certain every legitimate source passes. Rushing this step can block your own campaigns. The gradual transition usually takes four to six weeks.

How long until I see results?

DNS changes typically propagate within four to six hours (48 hours maximum). However, the full effect takes one to two weeks. Email providers build sender reputation over time. Do not expect a miracle on day one, but within two weeks you should see a noticeable improvement in inbox placement.

Do SPF, DKIM and DMARC work independently?

SPF and DKIM can function on their own. DMARC, however, uses the results of both to make its decision. At least SPF or DKIM must be working before you set up DMARC. The strongest protection comes from running all three together. Using only one provides partial security at best.

Do subdomains need separate records?

Yes. Subdomains such as newsletter.example.com need their own SPF and DKIM records. In DMARC, the sp (subdomain policy) parameter lets you set a different policy for subdomains. If you do not include subdomains in DMARC, attackers can spoof them instead.

I use MailGraf. Do I still need to configure these myself?

SPF, DKIM and DMARC are configured and aligned automatically on the MailGraf infrastructure. You do not need to add any DNS records for your email marketing campaigns to work correctly. Authentication is handled as part of the account setup.

My records are correct but emails still land in spam. What should I do?

SPF, DKIM and DMARC are an important part of deliverability but not the only factor. Check for spam trigger words in your content, review whether your sending volume is too high or irregular, look at engagement rates (opens and clicks), and assess your email list quality. All of these need to be optimised together.
