SPF, DKIM and DMARC Explained for Marketers
A non-technical guide to email authentication — what SPF, DKIM, and DMARC actually do, why they affect your deliverability, and how to set them up without calling your IT team every five minutes.
Why Email Authentication Matters
If your marketing emails land in spam, or worse — get rejected entirely — email authentication is the first place to look.
Most marketers know these three acronyms exist, but few actually understand what they do or how to verify they’re working correctly. This guide fixes that.
The Problem: Email Spoofing
Email was designed in an era when trust was assumed. Anyone can send an email claiming to be newsletter@yourcompany.com. Spam filters and inbox providers (Gmail, Outlook) needed a way to verify that emails actually come from the domain they claim to be from.
SPF, DKIM, and DMARC are the three-layer solution to this problem.
SPF — Sender Policy Framework
What it is: A DNS record that lists which IP addresses and servers are authorised to send email on behalf of your domain.
How it works:
When Gmail receives an email claiming to be from @yourbrand.com, it checks your domain’s DNS for an SPF record and verifies that the sending IP is on the approved list.
Example SPF record:
```
v=spf1 include:_spf.google.com include:salesforce.com include:amazonses.com ~all
```
Breaking it down:
- `v=spf1` — declares this is an SPF record
- `include:_spf.google.com` — authorises Google’s mail servers
- `include:salesforce.com` — authorises Salesforce Marketing Cloud
- `~all` — softfail: emails from other IPs will be tagged as suspicious (not rejected)
Marketer tip: Every ESP (email service provider) you add — Mailchimp, HubSpot, Salesforce MC — needs to be included in your SPF record.
Common mistake: Adding too many `include:` directives. SPF has a 10 DNS lookup limit (each `include:`, `a`, `mx`, `ptr` and `exists` term counts, including those nested inside the records you include). Exceeding it makes receivers treat your record as a permanent error, so SPF fails for every message and nothing bounces back to warn you.
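To make the lookup limit concrete, here is an added example (not from the original guide) that evaluates an SPF record the way a receiver does, sharing one lookup counter across nested `include:` terms. The DNS zone is a constructed mock with documentation IP ranges; `yourbrand.com`, `toomany.example` and the ESP record contents are hypothetical.

```python
import ipaddress

# Constructed mock DNS zone standing in for live TXT lookups (not real records).
MOCK_TXT = {
    "yourbrand.com": "v=spf1 include:_spf.google.com include:amazonses.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
    # Eleven include: terms, one more than the limit allows.
    "toomany.example": "v=spf1 " + " ".join(f"include:esp{i}.example" for i in range(11)) + " ~all",
}
MAX_LOOKUPS = 10                      # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}   # redirect= modifier not handled here
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookups=None):
    """Evaluate `domain`'s SPF record for `sender_ip`.

    Returns (result, dns_lookups_used). The lookup counter is shared across
    include: recursion, which is how the 10-lookup limit really applies.
    """
    lookups = [0] if lookups is None else lookups
    ip = ipaddress.ip_address(sender_ip)
    record = MOCK_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in LOOKUP_TERMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]   # receivers treat this as a hard failure
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual], lookups[0]
        elif name == "include":
            sub, _ = check_spf(arg, sender_ip, lookups)
            if sub == "permerror":
                return sub, lookups[0]
            if sub == "pass":        # include: only matches when the included record passes
                return QUALIFIERS[qual], lookups[0]
        elif name == "all":
            return QUALIFIERS[qual], lookups[0]
    return "neutral", lookups[0]
```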
DKIM — DomainKeys Identified Mail
What it is: A cryptographic signature added to every email you send. The receiving server uses a public key (published in your DNS) to verify the signature.
How it works:
- Your ESP generates a public/private key pair
- The private key signs each outgoing email’s headers and body
- The public key is published as a DNS TXT record on your domain
- Gmail checks the signature against the public key
Example DKIM DNS record:
```
mail._domainkey.yourbrand.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."
```
Why it matters: DKIM proves the email was not tampered with in transit. It’s the “wax seal” on your digital envelope.
Marketer tip: If you switch ESPs or add a new sending domain, always generate new DKIM keys and update your DNS records.
DMARC — Domain-based Message Authentication Reporting and Conformance
What it is: A policy that tells inbox providers what to do with emails that fail SPF or DKIM — and sends you reports when they do.
DMARC is the orchestrator: It ties SPF and DKIM together and enforces your policy.
Example DMARC record:
```
_dmarc.yourbrand.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourbrand.com; pct=100"
```
Breaking it down:
- `p=quarantine` — emails failing authentication go to spam (not inbox)
- `p=reject` — emails failing authentication are rejected entirely
- `p=none` — monitoring mode only (useful for initial setup)
- `rua=mailto:` — where to send aggregate reports
- `pct=100` — apply policy to 100% of emails
DMARC Rollout Strategy
| Phase | Policy | Goal |
|---|---|---|
| Week 1–2 | p=none | Collect reports, identify all sending sources |
| Week 3–4 | p=quarantine; pct=10 | Test impact on 10% of traffic |
| Week 5+ | p=quarantine; pct=100 | Full quarantine enforcement |
| Month 2+ | p=reject | Full rejection (maximum protection) |
Checking Your Current Status
Quick tools to verify your setup:
```shell
# Check SPF
nslookup -type=txt yourdomain.com
# Check DMARC
nslookup -type=txt _dmarc.yourdomain.com
```
Or use these web tools:
- MXToolbox — full email headers analysis
- Google Postmaster Tools — Gmail-specific deliverability insights
- DMARC Analyzer — read your DMARC reports
Google’s 2024 Sender Requirements
As of February 2024, Google requires bulk senders (1,000+ emails/day to Gmail) to have:
- ✅ Valid SPF record
- ✅ Valid DKIM signing
- ✅ DMARC policy (`p=none` at minimum)
- ✅ One-click unsubscribe header
Brands that don’t meet these requirements see significantly lower inbox placement rates.
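The parts of these requirements that are visible in the message itself (a DKIM signature whose `d=` matches the From domain, and the RFC 8058 one-click unsubscribe headers) can be checked before a campaign goes out. This is an added example, not code from the original guide; the message is constructed, with placeholder signature values, and SPF is a DNS-side check that cannot be seen in the headers.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture); the DKIM bh=/b= values are placeholders.
SAMPLE_MSG = """From: Your Brand <newsletter@yourbrand.com>
To: subscriber@example.net
Subject: May offers
DKIM-Signature: v=1; a=rsa-sha256; d=yourbrand.com; s=mail; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <https://yourbrand.com/unsub?token=abc123>, <mailto:unsub@yourbrand.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello subscriber,
"""


def one_click_unsubscribe_ok(msg):
    """RFC 8058 one-click: an https URI in List-Unsubscribe plus the List-Unsubscribe-Post header."""
    uris = [u.strip().strip("<>") for u in msg.get("List-Unsubscribe", "").split(",") if u.strip()]
    has_https = any(urlparse(u).scheme == "https" for u in uris)
    post = msg.get("List-Unsubscribe-Post", "").replace(" ", "").lower()
    return has_https and post == "list-unsubscribe=one-click"


def bulk_sender_header_check(raw_message):
    """Check the header-visible requirements for one outgoing message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # DKIM-Signature is "tag=value; tag=value; ..."; split on the first "=" only,
    # because base64 b= values may end in "=" padding.
    dkim_tags = dict(
        t.strip().split("=", 1) for t in msg.get("DKIM-Signature", "").split(";") if "=" in t
    )
    return {
        "dkim_signed": "d" in dkim_tags,
        "dkim_aligned": dkim_tags.get("d", "").lower() == from_domain,
        "one_click_unsubscribe": one_click_unsubscribe_ok(msg),
    }
```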
Lessons from Implementation at Scale
At Health & Glow and Kushals, setting up proper email authentication was part of a broader CRM infrastructure overhaul:
- Tracking loss reduced by 40% after implementing proper domain authentication alongside MMP setup
- Open rates improved 12% after moving from shared IPs to dedicated sending domains with proper DKIM
- WhatsApp Business verification also benefited from having a properly authenticated domain
The technical setup takes 2–4 hours. The deliverability dividend lasts for years.
Quick Checklist
- SPF record exists and includes all your ESPs
- SPF has fewer than 10 DNS lookups
- DKIM keys configured for all sending domains
- DMARC record exists (`p=none` at minimum)
- DMARC reporting email set up and being monitored
- Listed in Google Postmaster Tools