Email Deliverability: SPF, DKIM and DMARC Explained
Your emails land in spam or get rejected, and you keep hearing you need 'SPF, DKIM, and DMARC'.
Common signs of this issue
- Your legitimate emails frequently land in recipients' spam or junk.
- Some messages bounce with authentication or 'unauthenticated' errors.
- Gmail or Outlook recently warned senders to add authentication.
- Someone may be spoofing your domain to send fake email.
Safe checks you can do yourself
None of these require sharing passwords with anyone.
- Use a free email authentication checker (many exist) to see whether your domain has valid SPF, DKIM, and DMARC — no login needed.
- Confirm you have one SPF record that lists every service that sends mail for you (your mail provider, plus any newsletter or form tools).
- Make sure DKIM is enabled at your mail provider and its key is published in DNS.
- Add a DMARC record, starting in monitoring mode (p=none), so you can see what is sending as you before tightening.
- Re-test after DNS changes propagate, and keep adjusting until all three pass.
What this usually means
These three records prove your email is really from you. SPF lists who is allowed to send for your domain; DKIM cryptographically signs your messages; DMARC tells receivers what to do with mail that fails those checks and asks them to send you reports on who is sending as your domain.
When they are missing or wrong, big providers treat your mail as suspicious — so it lands in spam or bounces. Setting all three correctly is the single biggest deliverability improvement for most senders.
What not to do
- Don't create two SPF records — there must be exactly one, combining all your senders.
- Don't jump straight to a strict DMARC policy (p=reject) before monitoring, or you may block your own legitimate mail.
- Don't forget third-party senders (newsletters, CRMs, form tools) when listing who may send for you.
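The SPF and DMARC points from the two checklists above can be tested on the TXT records themselves. The following is an added example, not part of the original article. It assumes you have already fetched the TXT strings for your domain and for _dmarc.<domain>, and that each sending service is authorized through an include: term; the function name and all record values are hypothetical.

```python
# Added example. All record strings used here are constructed samples.
def audit_email_auth(root_txt, dmarc_txt, expected_includes=()):
    """Check TXT records against the SPF/DMARC checklist; return (policy, findings).

    root_txt: TXT strings at the domain; dmarc_txt: TXT strings at _dmarc.<domain>.
    expected_includes: include: hosts of the services that send mail for you
    (assumption: each sender is authorized via include:, not ip4/a/mx).
    """
    findings = []
    # An SPF record is a TXT string whose first term is exactly v=spf1.
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf: no record")
    elif len(spf) > 1:
        # More than one SPF record is a permanent error for receivers.
        findings.append("spf: multiple records")
    else:
        terms = [t.lstrip("+") for t in spf[0].lower().split()[1:]]
        includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
        for host in expected_includes:
            if host.lower() not in includes:
                findings.append(f"spf: sender not listed: {host}")

    policy = None
    dmarc = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("dmarc: no record" if not dmarc else "dmarc: multiple records")
    else:
        parts = (p.partition("=") for p in dmarc[0].split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
        policy = tags.get("p", "").lower() or None
        if policy not in ("none", "quarantine", "reject"):
            findings.append("dmarc: missing or invalid p= tag")
        elif policy == "none" and "rua" not in tags:
            # Monitoring only helps if aggregate reports have somewhere to go.
            findings.append("dmarc: p=none without rua=, no reports will arrive")
    return policy, findings


if __name__ == "__main__":
    # Constructed sample: two SPF records and a DMARC record with no report address.
    root = ["v=spf1 include:_spf.mailhost.example ~all",
            "v=spf1 include:news.example ~all"]
    print(audit_email_auth(root, ["v=DMARC1; p=none"]))
```

An empty findings list means the records pass these particular checks; it does not confirm that DKIM signing is enabled, which has to be verified at your mail provider.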
When to get help
DNS authentication records are easy to get subtly wrong, and a mistake can silently block real mail. A specialist can set SPF, DKIM, and DMARC correctly, then tighten DMARC safely over time so your mail is trusted without losing any.
Frequently asked questions
Do I need all three?
For reliable delivery today, yes. SPF and DKIM are essential, and DMARC (even in monitoring mode) is increasingly expected by Gmail and Outlook.
Will this stop people spoofing my domain?
A properly enforced DMARC policy (after monitoring) tells receivers to reject mail that fails authentication, which blocks most domain spoofing.