Email Deliverability Explained: SPF, DKIM and DMARC

“Our emails keep going to spam” is one of the most common — and most fixable — problems we’re asked to solve. Nine times out of ten the cause is email authentication, and the fix is three DNS records done correctly: SPF, DKIM and DMARC.

Why this matters more than ever

Major mailbox providers now actively penalise or reject mail that isn’t properly authenticated. Getting these records right isn’t optional polish — it’s the difference between landing in the inbox and disappearing.

SPF — who is allowed to send for you

An SPF record is a DNS entry listing which servers are permitted to send email on behalf of your domain. If mail arrives from a server that isn’t listed, it looks like a forgery. The classic mistake is forgetting to include a third-party sender (your CRM, newsletter tool or helpdesk).

DKIM — proof the message wasn’t tampered with

DKIM adds a cryptographic signature to your messages. The receiving server checks that signature against a public key in your DNS, proving the email genuinely came from you and wasn’t altered in transit.

DMARC — the policy that ties it together

DMARC tells receiving servers what to do when SPF or DKIM fails — monitor, quarantine or reject — and can send you reports on who is sending mail as your domain. It’s both a deliverability tool and an anti-spoofing protection for your brand.

Getting it right

• Publish an SPF record that includes every legitimate sender
• Enable DKIM signing on your mail server and publish the public key
• Start DMARC in monitoring mode, review the reports, then tighten the policy
• Test with the many free authentication checkers before relying on it

Set up carefully, these three records dramatically improve deliverability and stop scammers spoofing your domain. Set up carelessly, they can block your own mail — which is exactly why it’s worth doing methodically.

---

#dkim #dmarc #email deliverability #spf