If your emails are still hitting spam after “warming up,” chances are your DNS authentication isn’t properly configured.
SPF, DKIM, and DMARC are the three records that mailbox providers (like Gmail, Outlook, Yahoo) use to decide if your emails are trustworthy. Skip them, and your campaigns look suspicious, even if you’re sending high-quality content.
This guide breaks down:
By the end, you’ll have the technical foundation to stop spam folder headaches and start inboxing consistently.
👉 For the bigger picture of deliverability, see The Ultimate Guide to Email Deliverability in 2025
Inbox providers want proof you are who you say you are. These DNS records provide that proof.
Without these, your emails are far more likely to:
You’ll add your SPF record in your DNS settings (wherever your domain is hosted — GoDaddy, Cloudflare, Namecheap, etc.).
SPF is a TXT record in DNS. It looks like this:
v=spf1 include:mailgun.org include:_spf.google.com -all
Breakdown:
v=spf1 → Start of record
include:service.com → Authorizes services (e.g., Gmail, Mailgun)
-all → Reject everything else
Save the TXT record in your DNS host. Use tools like MX Toolbox SPF Checker to confirm it’s valid.
👉 For help understanding SPF policies (soft vs hard fail) and testing, see Mailivery’s step-by-step guide for How to set up an SPF record
✅ Best Practices:
Most email providers (Google Workspace, Microsoft 365, Mailgun, SendGrid) let you generate DKIM in their dashboard. This gives you a public key (TXT record for DNS) and a private key (used by the server).
A DKIM record looks like this:
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa;p=MIIBIjANBgkqh..."
Breakdown:
default = selector name (providers may give you something else like “google” or “mail”)
_domainkey = required suffix
p= = your public key
Once the DNS record is added, turn on DKIM signing in your ESP or mail service.
✅ Best Practices:
👉 Learn more about DKIM and email authentication
DMARC ties SPF + DKIM together and enforces rules. Policies:
Add this TXT record in DNS:
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; ruf=mailto:forensics@yourdomain.com; sp=quarantine;aspf=r; adkim=r"
Breakdown:
p= → policy (none, quarantine, reject)
rua= → aggregate reports (daily logs)
ruf= → forensic reports (failed email details)
aspf= / adkim= → alignment mode (relaxed vs strict)
Begin with p=none to gather reports without blocking mail. Once confident, move to quarantine or reject.
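As an added example (not code from this guide or from Mailivery), the Python lint below checks an SPF and a DMARC TXT value offline for the points covered above: the terminating all qualifier, the p= policy, a rua= address and the alignment tags. It also counts SPF terms that cost a DNS lookup against the RFC 7208 limit of 10, which goes beyond the text; the function names and the two weak sample records are constructed for illustration.

```python
# SPF terms that cost a DNS lookup during evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def audit_spf(txt):
    """Return findings for one SPF TXT value (top-level terms only, no DNS)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    names = [term.lstrip("+-~?").lower() for term in terms[1:]]
    lookups = sum(n.split(":")[0].split("/")[0] in LOOKUP_MECHANISMS
                  or n.startswith("redirect=") for n in names)
    findings = []
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; evaluation fails past 10")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all authorizes every sender on the internet")
    elif last in ("~all", "?all"):
        findings.append(f"{last} does not hard-fail unlisted senders")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("record has no terminating all mechanism")
    return findings

def audit_dmarc(txt):
    """Return findings for one DMARC TXT value."""
    if not txt.strip().startswith("v=DMARC1"):
        return ["record must start with v=DMARC1"]
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {key.strip().lower(): value.strip().lower() for key, value in pairs}
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        findings.append("p=none gathers reports but does not block failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not delivered")
    for tag in ("aspf", "adkim"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}= must be r (relaxed) or s (strict)")
    return findings

PAGE_SPF = "v=spf1 include:mailgun.org include:_spf.google.com -all"  # from the page
PAGE_DMARC = ("v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; "
              "ruf=mailto:forensics@yourdomain.com; sp=quarantine;aspf=r; adkim=r")
WEAK_SPF = "v=spf1 include:mailgun.org ~all"  # constructed sample
MONITOR_DMARC = "v=DMARC1; p=none"  # constructed sample

if __name__ == "__main__":
    print(audit_spf(WEAK_SPF), audit_dmarc(MONITOR_DMARC))
```

The SPF count covers only the terms in the record itself; lookups inside each included record also count toward the limit and need live DNS to total.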
👉 To understand how to interpret DMARC reports, check Mailivery’s setting up DMARC and DKIM
✅ Best Practices:
Or use free testing tools:
Do I need all three (SPF, DKIM, DMARC)?
Yes. SPF + DKIM prove authenticity. DMARC enforces alignment and tells inboxes how to treat failures.
How long does setup take?
Usually 15–30 minutes once you know your DNS host. Propagation can take up to 24 hours.
Can I send cold emails without these?
Technically yes, but deliverability will be terrible. These are non-negotiable if you want to inbox consistently.
What’s the best DMARC policy?
Start with none, then move to quarantine, and only use reject when you’re sure everything is aligned.
If email warm-up is about building trust, SPF/DKIM/DMARC is about proving your identity. Without them, every campaign is fighting uphill against spam filters.
Once your DNS records are properly set, you can layer on:
That’s how you go from “why are my emails in spam?” to predictably landing in inboxes.
👉 Use Mailivery to warm up your domain and monitor inbox placement after you’ve set up authentication.