Email deliverability: SPF, DKIM and DMARC explained

Why do emails land in spam? SPF, DKIM and DMARC explained plainly and how to set them up so your emails reach the inbox.

  • Email marketing
  • Deliverability
  • Technical

Emails usually land in spam because the receiving mail server cannot confirm the message was really sent on your behalf. Three domain records fix this: SPF, DKIM and DMARC. Once they are configured correctly, Gmail, Outlook and other providers can verify that your message is authentic and place it in the inbox instead of the spam folder. This article explains how each record works, how to check them, and the exact order of steps that gets your marketing and transactional emails reliably delivered.

Why even good emails end up in spam

Good content is only half the battle. Before showing an email to a person, the receiving server runs a chain of checks in milliseconds: did the sending domain authorize this particular server, was the message altered in transit, and what is the reputation of the sending IP and domain. If the answers are unclear, the message is filed under spam or rejected outright.

In 2024 Google and Yahoo tightened their rules for bulk senders: if you send a high volume per day, authentication became mandatory rather than a recommendation. In practice this means that without SPF, DKIM and DMARC, even a perfectly legitimate newsletter or order confirmation may never reach the recipient.

The most common reasons emails fall into spam:

  • No authentication records — the recipient cannot verify the sender's identity.
  • Misconfigured SPF or DKIM — the check fails, which is often worse than having no record at all.
  • Poor sending reputation — many bounces, complaints, or mail sent to nonexistent addresses.
  • Content signals — large images with little text, suspicious links, spammy wording.

Technical authentication solves the first two, and it is the foundation without which everything else is pointless.

Three records that prove the email is really yours

SPF, DKIM and DMARC work together, but each answers a different question. The simplest way to picture them is as three layers of document checking: who is allowed to send, whether the content is untouched, and what to do when something does not match.

SPF — which servers may send on your behalf

SPF (Sender Policy Framework) is a DNS record on your domain that lists the servers and services allowed to send mail in your domain's name. When the receiving server gets a message, it checks whether the sending server's IP address is on that list.

A typical SPF record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Here include points to trusted sending services (for example Google Workspace, SendGrid), and ~all (softfail) means any other source is treated as suspicious. The stricter -all (hardfail) means "anything else — reject".

A few practical points worth knowing:

  • You may have only one SPF record per domain; two separate SPF records cause an error.
  • There is a 10 DNS lookup limit — too many include entries trigger a "permerror" and the check fails.
  • SPF checks the so-called "envelope" address, not the "From" address the user sees. Forwarding can "break" SPF because the forwarding server is usually not on your list of allowed senders — which is exactly where DKIM and DMARC step in.
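The first two points above can be checked mechanically. The sketch below is an added example, not code from any SPF library: it counts the lookup-costing terms reachable through include entries and flags duplicate records. The ZONE table is constructed test data standing in for real DNS answers, and all domain names in it are made up.

```python
import re

# Constructed TXT data standing in for live DNS answers; all names are made up.
ZONE = {
    "shop.test": ["v=spf1 include:_spf.mail.test include:send.crm.test mx ~all"],
    "_spf.mail.test": ["v=spf1 include:_n1.mail.test include:_n2.mail.test ~all"],
    "_n1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_n2.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "send.crm.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.test": ["v=spf1 include:_spf.mail.test ~all",
                 "v=spf1 include:send.crm.test ~all"],
    "heavy.test": ["v=spf1 " + " ".join(f"include:s{i}.vendor.test" for i in range(11))
                   + " ~all"],
}
TERM = re.compile(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/\s]+))?")
QUERYING = {"include", "a", "mx", "exists", "ptr", "redirect"}  # terms that cost a lookup

def spf_records(domain, zone):
    """TXT strings on `domain` that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from the domain's record."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:
        return 0  # include loop, or no single record to follow
    total = 0
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        name = m.group(1).lower() if m else ""
        if name in QUERYING:
            total += 1
            if name in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2), zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return a list of problems; an empty list means both rules hold."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return [f"{len(records)} SPF records on one name (permerror): merge into one"]
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        return [f"{lookups} DNS lookups, limit is 10 (permerror)"]
    return []

for name in ("shop.test", "dup.test", "heavy.test"):
    print(name, count_lookups(name, ZONE), lint_spf(name, ZONE))
```

Nested include entries count too, which is why a record with only three or four visible entries can still exceed the limit.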

DKIM — a digital signature that proves the content

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message. When sending, your system signs the email with a private key, and the recipient fetches the public key from your DNS to verify it. A matching signature proves two things: the email was sent by an authorized system, and the content was not changed in transit.

Unlike SPF, DKIM survives forwarding, because the signature travels with the message. For most recipients DKIM is therefore the stronger authenticity signal. In practice DKIM is set up by adding a TXT record with a "selector" (for example selector1._domainkey.yourdomain.com) whose value your email provider gives you.

Without proper authentication, even a fully legitimate email looks like possible fraud — and the receiving server always chooses caution.

DMARC — a policy for what to do with suspicious mail

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells the recipient what to do when a message fails the checks. Without DMARC, SPF and DKIM only "inform" but demand nothing.

A typical DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The p policy values:

  1. p=none — do nothing, just monitor and send reports. A sensible start for the first few weeks.
  2. p=quarantine — place suspicious mail in spam.
  3. p=reject — reject unauthenticated mail entirely. The strongest protection against forged email in your name.

DMARC also introduces an alignment requirement: the visible "From" domain must match the one verified by SPF or DKIM. On top of that, the rua address receives XML reports showing who actually sends mail in your name — often revealing forgotten tools or even attempts to impersonate your company.
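The alignment rule is easiest to see on a real header. The following added example (not code from any mail library) reads an Authentication-Results header of the kind shown under "Show original" and decides whether any passing check is aligned with the "From" domain. The sample headers are constructed, and the organizational-domain shortcut (last two labels) is an assumption; a production check needs the Public Suffix List.

```python
import re

# Constructed Authentication-Results headers; every domain here is made up.
UNALIGNED = """Authentication-Results: mx.receiver.test;
 dkim=pass header.i=@mailer.vendor.test header.s=s1;
 spf=pass (sender permitted) smtp.mailfrom=bounce@bounces.vendor.test;
 dmarc=fail header.from=shop.test"""
ALIGNED = (UNALIGNED.replace("@mailer.vendor.test", "@mail.shop.test")
           .replace("dmarc=fail", "dmarc=pass"))

PROPS = re.compile(r"(smtp\.mailfrom|header\.d|header\.i|header\.from)=(\S+)")

def org_domain(domain):
    """Assumption: organizational domain = last two labels (wrong for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Collect (result, domain) pairs for SPF and DKIM, plus the header.from domain."""
    found = {"spf": [], "dkim": [], "from": None}
    header = re.sub(r"\([^)]*\)", " ", header)  # drop parenthesised comments
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        props = dict(PROPS.findall(clause))
        if method == "spf":
            found["spf"].append((result, props.get("smtp.mailfrom", "").split("@")[-1]))
        elif method == "dkim":
            dom = props.get("header.d") or props.get("header.i", "").split("@")[-1]
            found["dkim"].append((result, dom))
        else:
            found["from"] = props.get("header.from")
    return found

def dmarc_verdict(header, strict=False):
    """DMARC passes only if SPF or DKIM passes AND its domain aligns with From."""
    r = parse_auth_results(header)
    if not r["from"]:
        return "fail", []
    norm = (lambda d: d.lower()) if strict else org_domain
    aligned = [kind for kind in ("spf", "dkim") for result, dom in r[kind]
               if result == "pass" and dom and norm(dom) == norm(r["from"])]
    return ("pass" if aligned else "fail"), aligned

print(dmarc_verdict(UNALIGNED))  # SPF and DKIM both pass, but for the vendor's domain
print(dmarc_verdict(ALIGNED))    # DKIM signed with a subdomain of the From domain
```

With strict=True a subdomain no longer counts as aligned, so the second header fails as well.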

How to check whether your domain is configured correctly

Before changing anything, see the current state. This takes only a few minutes:

  1. Send yourself a test email to Gmail, open it, choose "Show original" and check that SPF, DKIM and DMARC each say "PASS".
  2. Use free checkers — MXToolbox, dmarcian or similar tools show your DNS records and warn about errors (such as multiple SPF records or an exceeded lookup limit).
  3. Review DNS directly in your domain control panel (at your registrar or hosting provider) and make sure TXT records have no stray spaces or copied quotation marks.
  4. Watch DMARC reports for at least a couple of weeks before tightening the policy from none to quarantine or reject.
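For step 4, the XML reports sent to the rua address can be summarized per sending IP. This is an added example, not part of any reporting tool: it assumes the standard aggregate report element names without an XML namespace, and the sample report, IP addresses and domain are constructed. Reports arrive from third parties, so the parser refuses documents that carry a DTD or entity declarations.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _record(ip, count, dkim, spf):
    """Build one <record> of the constructed sample report."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>shop.test</header_from></identifiers></record>")

# Constructed sample report; IPs are documentation ranges, the domain is made up.
REPORT = ("<feedback><policy_published><domain>shop.test</domain><p>none</p>"
          "</policy_published>"
          + _record("192.0.2.10", 120, "pass", "pass")
          + _record("198.51.100.7", 40, "fail", "pass")
          + _record("198.51.100.7", 5, "fail", "fail")
          + _record("203.0.113.99", 3, "fail", "fail")
          + "</feedback>")

def summarize(xml_text):
    """Per source IP: message counts that passed and failed DMARC evaluation."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing XML with DTD or entities: reports are untrusted input")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; one pass is enough for DMARC
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        verdict = "pass" if ok else "fail"
        totals[row.findtext("source_ip")][verdict] += int(row.findtext("count"))
    return dict(totals)

def failing_sources(xml_text):
    """Source IPs with failures, largest first: explain each before tightening p."""
    fails = [(ip, t["fail"]) for ip, t in summarize(xml_text).items() if t["fail"]]
    return sorted(fails, key=lambda item: -item[1])

print(summarize(REPORT))
print(failing_sources(REPORT))
```

A source that appears only in the failing list is either a forgotten tool that still needs SPF or DKIM set up, or someone sending in your name without permission.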

If you also manage your own website, it helps to run a general website check periodically — deliverability and a site's technical health often overlap through the same DNS settings.

Other deliverability factors

Authentication opens the door, but whether you stay in the inbox depends on more:

  • Sender reputation. The history of your IP and domain. A new domain has to "build up" reputation by gradually increasing volume (warm-up) rather than blasting thousands of emails at once.
  • List hygiene. Regularly remove nonexistent and inactive addresses. A high bounce or non-open rate harms all of your mail.
  • Consent (opt-in). Send only to people who agreed to receive your email. This is not just a deliverability matter but a GDPR requirement.
  • Content and structure. A balanced text-to-image ratio, a clear "From" name, a visible unsubscribe link, and avoiding spam vocabulary.
  • Engagement. Opens, clicks and replies send a positive signal; bulk deletions without reading send a negative one.

If you want to measure whether email pays off at all, it helps to pair email marketing with clear metrics and real return.

Common mistakes that hurt deliverability

  • Two SPF records on one domain — merge them into a single record with multiple include entries.
  • Exceeding the 10 DNS lookup SPF limit — the check returns "permerror" and is treated as a failure.
  • DKIM not enabled for a new sending tool — after adding a new service (for example a newsletter platform), its DKIM is forgotten.
  • Jumping straight to p=reject without monitoring — you may accidentally block your own legitimate mail. Start with p=none.
  • "From" and the real sender not aligned — DMARC alignment fails even if SPF or DKIM technically "PASS".
  • One provider that always blocks you — sometimes you need a separate subdomain for marketing mail so you do not harm your main domain's reputation.

A practical checklist before you start sending

  1. Inventory your senders — list every service that sends in your name (mail, CRM, newsletters, invoicing system).
  2. Configure SPF — one record with all required include entries and ~all to start.
  3. Enable DKIM for each sending tool and add its selector TXT record.
  4. Set up DMARC with p=none and specify an rua address for reports.
  5. Monitor reports for 2–4 weeks until all legitimate sources pass.
  6. Tighten the policy to quarantine, then to reject.
  7. Maintain reputation — clean your list and track bounce and complaint rates.

These records may look technical, but you configure them once — and the benefit shows up in every email you send. If you want deliverability, authentication and your email flows set up correctly from day one, get in touch through our email marketing service, or combine it with automation so transactional emails — invoices, confirmations, reminders — always reach the customer.