</> ProtocolCodes
All Codes Comparisons Glossary Guides Tools
Email Delivery

Improving Email Deliverability: SPF, DKIM, and DMARC Setup

A step-by-step guide to setting up email authentication — SPF records, DKIM signing, and DMARC policies to avoid the spam folder.

Why Emails Land in Spam

Email providers like Gmail and Outlook use authentication checks to filter spam. If your domain doesn't have SPF, DKIM, and DMARC configured, your emails are far more likely to be rejected or sent to spam.

SPF (Sender Policy Framework)

SPF tells receiving servers which IP addresses are authorized to send email for your domain.

How It Works

  • You publish a TXT record in DNS listing authorized senders
  • Receiving server checks the sending IP against your SPF record
  • If the IP isn't listed, SPF fails

Setting Up SPF

# DNS TXT record for example.com
v=spf1 include:_spf.google.com include:amazonses.com -all
  • v=spf1 — Version identifier
  • include:_spf.google.com — Authorize Google Workspace
  • include:amazonses.com — Authorize Amazon SES
  • -all — Reject emails from any other source (use ~all for soft fail during testing)

Important: You can only have ONE SPF record per domain. Combine all includes.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to each email. The receiving server verifies the signature using a public key in your DNS.

How It Works

  • Your email server signs the message with a private key
  • The signature is added as a DKIM-Signature header
  • Receiving server fetches the public key from DNS and verifies

Setting Up DKIM

  • Generate a key pair (your email provider usually does this)
  • Publish the public key as a DNS TXT record:
# selector._domainkey.example.com TXT
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB...
  • Configure your email server to sign outgoing messages

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receivers what to do when authentication fails.

DMARC Policies

  • p=none — Monitor only (receive reports but don't act)
  • p=quarantine — Send failing emails to spam
  • p=reject — Reject failing emails entirely

Setting Up DMARC

# _dmarc.example.com TXT
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
  • rua — Where to send aggregate reports
  • pct — Percentage of messages to apply the policy to

Rollout Strategy

  • Start with p=none to collect data without blocking email
  • Monitor DMARC reports for 2-4 weeks
  • Fix any legitimate senders failing SPF/DKIM
  • Move to p=quarantine then p=reject

Verification Commands

# Check SPF record
dig example.com TXT | grep spf

# Check DKIM record
dig selector._domainkey.example.com TXT

# Check DMARC record
dig _dmarc.example.com TXT

Related Protocols

SMTP DNS

Related Glossary Terms

SPF, DKIM, and DMARC Email
DNS Record Types DNS
SMTP Relay Email

More in Email Delivery

SMTP Reply Codes: What Your Email Server Is Telling You Diagnosing Email Bounces: Soft (4xx) vs Hard (5xx)
← Back to Guides