SPF, DKIM & DMARC Setup Guide for Email Deliverability

If your emails are still hitting spam after “warming up,” chances are your DNS authentication isn’t properly configured.

‍

SPF, DKIM, and DMARC are the three records that mailbox providers (like Gmail, Outlook, Yahoo) use to decide if your emails are trustworthy. Skip them, and your campaigns look suspicious, even if you’re sending high-quality content.

‍

This guide breaks down:

• What SPF, DKIM, and DMARC are
• Why they matter for inbox placement
• How to set them up step-by-step
• How to check if they’re working

‍

By the end, you’ll have the technical foundation to stop spam folder headaches and start inboxing consistently.

👉 For the bigger picture of deliverability, see The Ultimate Guide to Email Deliverability in 2025

‍

Why SPF, DKIM, and DMARC Matter for Deliverability

‍

Inbox providers want proof you are who you say you are. These DNS records provide that proof.

• ‍SPF (Sender Policy Framework): Defines which mail servers are allowed to send on behalf of your domain.‍
• DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails, proving they weren’t altered in transit.‍
• DMARC (Domain-based Message Authentication, Reporting, and Conformance): Aligns SPF + DKIM and tells inboxes how to handle failures (reject, quarantine, or none).

Without these, your emails are far more likely to:

• Get flagged as spam
• Fail authentication checks
• Damage your domain reputation

‍

SPF Setup Guide

‍

Step 1: Check Your Domain Host

You’ll add your SPF record in your DNS settings (wherever your domain is hosted — GoDaddy, Cloudflare, Namecheap, etc.).

‍

Step 2: Create Your SPF Record

SPF is a TXT record in DNS. It looks like this:

v=spf1 include:mailgun.org include:_spf.google.com -all


Breakdown:

• v=spf1 → Start of record
• include:service.com → Authorizes services (e.g., Gmail, Mailgun)
• -all → Reject everything else

‍

Step 3: Publish and Test

Save the TXT record in your DNS host. Use tools like MX Toolbox SPF Checker to confirm it’s valid.

👉 For help understanding SPF policies (soft vs hard fail) and testing, see Mailivery’s step-by-step guide for How to set up an SPF record

‍

✅ Best Practices:

• Only include the platforms you actively send from (Google Workspace, your ESP, etc.).
• Avoid multiple SPF records (consolidate into one).
• Keep it under 255 characters or use “include” to shorten.

DKIM Setup Guide

‍

Step 1: Generate DKIM Keys

Most email providers (Google Workspace, Microsoft 365, Mailgun, SendGrid) let you generate DKIM in their dashboard. This gives you a public key (TXT record for DNS) and a private key (used by the server).

‍

Step 2: Add DKIM Record in DNS

A DKIM record looks like this:

default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa;p=MIIBIjANBgkqh..."


Breakdown:

• default = selector name (providers may give you something else like “google” or “mail”)
• _domainkey = required suffix
• p= = your public key

‍

Step 3: Enable DKIM in Your Provider

Once the DNS record is added, turn on DKIM signing in your ESP or mail service.

‍

✅ Best Practices:

• Use a 2048-bit key (stronger than 1024).
• Rotate keys yearly for security.
• Each sending service should have its own DKIM record.

‍

👉 Learn more about DKIM and email authentication

‍

DMARC Setup Guide

‍

Step 1: Understand DMARC Policy Options

DMARC ties SPF + DKIM together and enforces rules. Policies:

• p=none → Monitor only (no enforcement).
• p=quarantine → Mark failed emails as spam.
• p=reject → Block failed emails entirely.

‍

Step 2: Create Your DMARC Record

Add this TXT record in DNS:

_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; ruf=mailto:forensics@yourdomain.com; sp=quarantine;aspf=r; adkim=r"

Breakdown:

• p= → policy (none, quarantine, reject)
• rua= → aggregate reports (daily logs)
• ruf= → forensic reports (failed email details)
• aspf= / adkim= → alignment mode (relaxed vs strict)

‍

Step 3: Start with “None” Policy

Begin with p=none to gather reports without blocking mail. Once confident, move to quarantine or reject.

‍

👉 To understand how to interpret DMARC reports, check Mailivery’s setting up DMARC and DKIM

‍

✅ Best Practices:

• Always set up reporting (rua email).
• Start with “none” → move to “quarantine” → finally “reject.”
• Use tools like DMARCian or Postmark’s DMARC Digests to read reports.

How to Check if SPF, DKIM, and DMARC are Working

• Send an email to Gmail, open it, and check “Show Original.”
• Look for:
  
  • SPF: PASS
  • DKIM: PASS
  • DMARC: PASS

Or use free testing tools:

• Mailivery Inbox Placement Test (coming soon)
• MX Toolbox DMARC Checker
• Google Postmaster Tools

Common Mistakes to Avoid

• ❌ Having multiple SPF records (merge into one).
• ❌ Forgetting to update SPF/DKIM when changing ESPs.
• ❌ Jumping straight to p=reject on DMARC (blocks too much too soon).
• ❌ Using weak DKIM keys (stick with 2048-bit).

FAQs About SPF, DKIM & DMARC

‍

Do I need all three (SPF, DKIM, DMARC)?
Yes. SPF + DKIM prove authenticity. DMARC enforces alignment and tells inboxes how to treat failures.

‍

How long does setup take?
Usually 15–30 minutes once you know your DNS host. Propagation can take up to 24 hours.

‍

Can I send cold emails without these?
Technically yes, but deliverability will be terrible. These are non-negotiable if you want to inbox consistently.

‍

What’s the best DMARC policy?
Start with none, then move to quarantine, and only use reject when you’re sure everything is aligned.

Wrapping Up: Authentication is the First Step to Deliverability

‍

If email warm-up is about building trust, SPF/DKIM/DMARC is about proving your identity. Without them, every campaign is fighting uphill against spam filters.

‍

Once your DNS records are properly set, you can layer on:

• Mailbox warm-up (Mailivery)
• Reputation monitoring
• Inbox placement testing

‍

That’s how you go from “why are my emails in spam?” to predictably landing in inboxes.

‍

👉 Use Mailivery to warm up your domain and monitor inbox placement after you’ve set up authentication.

‍

‍

‍