
SPF, DKIM & DMARC Explained: A Plain-English Guide for Founders

You sent the email. It looked fine. But it never got a reply — because it never reached the inbox. For most founders, the culprit isn't the copy or the subject line. It's three small DNS records most people never set up correctly: SPF, DKIM, and DMARC.

Together these are called email authentication. They're how mailbox providers like Gmail and Outlook decide whether to trust a message claiming to come from your domain. Get them right and your email flows. Get them wrong, or leave them missing, and even legitimate mail quietly gets filtered to spam. Since February 2024, Google and Yahoo require proper authentication from anyone sending in volume (Google's threshold is about 5,000 messages a day to Gmail addresses, and at that level they want SPF, DKIM and a DMARC record, even one at p=none), so this is no longer optional.

The 30-second mental model

Think of an email like a letter arriving at a post office (the recipient's mail server). The post office wants to answer three questions before delivering it:

  • SPF — "Is this letter coming from a mailroom the sender actually authorized?"
  • DKIM — "Has the letter been tampered with in transit, and can I verify the sender's seal?"
  • DMARC — "If neither of those checks passes for the domain shown in the From: line, what does the sender want me to do, and where do I report it?"

SPF: who's allowed to send for you

SPF (Sender Policy Framework) is a single line you add to your domain's DNS as a TXT record. It lists the mail servers permitted to send email on behalf of your domain: your email provider (Google Workspace, Microsoft 365), your marketing tool, your transactional sender, and so on. One subtlety worth knowing: receivers check SPF against the domain in the message's bounce address (the envelope sender, visible as Return-Path), not the From: address your reader sees. That is why a marketing tool that bounces mail through its own domain can pass SPF without that pass counting for your domain under DMARC.

A typical SPF record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

When a server receives your email, it checks whether the connecting IP is covered by this list. The most common mistakes: forgetting to add a new sending service; publishing two SPF records (you're only allowed one, and receivers treat two as an error, so both stop working); and exceeding the limit of 10 DNS lookups, since every include:, a, mx, exists and redirect= term counts toward it (including the ones nested inside the records you include) and going over produces a permanent error that fails SPF outright. The final term says what to do with everyone else: ~all (softfail) is the usual choice, -all (fail) is stricter, and +all authorizes the entire internet to send as you.
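The checks above, as an added example that is not the page's or Zeqo Mail's checker: it inspects a list of TXT records (constructed here to stand in for a DNS answer) for the duplicate-record, lookup-count and all-qualifier mistakes. It counts only the terms in the top-level record, so the real lookup total for a domain can only be higher than what it reports.

```python
"""Sanity-check the SPF records published at a domain apex.

Added example for this guide, not the page's or Zeqo Mail's checker. It
runs offline: the record lists below are constructed to stand in for the
answer to a TXT query at the domain, and only the top-level record is
inspected. A full evaluator would also follow every include: and count
the lookups inside it, so the real lookup total can only be higher.
"""
import re

# Terms that cost a DNS lookup when the record is evaluated (RFC 7208 4.6.4).
# ip4:, ip6: and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) triples, dropping v=spf1."""
    terms = []
    for term in record.split()[1:]:
        qualifier = "+"                      # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = re.match(r"([A-Za-z0-9]+)(?:[:=/](.*))?$", term)
        if m:
            terms.append((qualifier, m.group(1).lower(), m.group(2)))
        else:
            terms.append((qualifier, term.lower(), None))
    return terms


def check_spf(txt_records):
    """Return a list of findings (empty means nothing obviously wrong)."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; only one is allowed "
                        "and receivers return permerror for more")
    terms = parse_spf(spf[0])
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms at the top level alone; "
                        f"the limit is {MAX_LOOKUPS} (permerror)")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("ptr mechanism is deprecated and slow; use ip4/ip6 or include")
    alls = [q for q, name, _ in terms if name == "all"]
    if not alls:
        findings.append("no all term: unlisted senders get neutral, not fail")
    elif alls[-1] == "+":
        findings.append("+all authorizes every host on the internet to send as this domain")
    elif alls[-1] == "?":
        findings.append("?all is neutral; unlisted senders are neither passed nor failed")
    return findings


# Constructed sample answers: a healthy domain and three common mistakes.
HEALTHY = ["v=spf1 include:_spf.google.com include:sendgrid.net ~all",
           "google-site-verification=abc123"]          # unrelated TXT is ignored
DUPLICATE = ["v=spf1 include:_spf.google.com ~all",
             "v=spf1 include:sendgrid.net ~all"]       # two records, both broken
TOO_MANY = ["v=spf1 " + " ".join(f"include:mail{i}.example.net" for i in range(11)) + " -all"]
WIDE_OPEN = ["v=spf1 include:_spf.google.com +all"]

if __name__ == "__main__":
    for label, records in [("healthy", HEALTHY), ("duplicate", DUPLICATE),
                           ("too_many", TOO_MANY), ("wide_open", WIDE_OPEN)]:
        print(label, check_spf(records) or "OK")
```

To run it against a live domain, feed check_spf the strings returned by a TXT query for the apex (for instance from dnspython's resolver); the duplicate-record finding is the one most worth automating, because both records are syntactically fine on their own and the breakage only shows up at the receiver.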

DKIM: a tamper-proof signature

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message you send. Your sending service signs selected headers plus a hash of the body with a private key; the matching public key is published in your DNS as a TXT record at a name like selector._domainkey.yourdomain.com, where the selector is whatever label the provider chose (it appears as the s= tag in the signature, next to d=, the signing domain). The recipient fetches that key and confirms two things: the message was signed by the holder of your domain's key, and neither the signed headers nor the body were altered along the way.

You don't generate DKIM keys by hand; your email provider gives you the DNS record to paste in. The trap is enabling DKIM in the dashboard but never actually publishing the DNS record, or publishing it under a different selector than the one the provider signs with, so the signature can't be verified. Providers also rotate keys, which is why many of them hand you a CNAME pointing at a record they control rather than the raw key: rotation then happens without you touching DNS.
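The "nothing was altered" half of a DKIM check can be shown without any key material, because the body is protected by a hash (the bh= tag) that the verifier recomputes before it ever fetches the public key. The block below is an added example, not the page's or any provider's code: it implements the relaxed body canonicalization from RFC 6376, builds a signature header for a constructed message with bh= filled in, and then verifies the body of the original, a tampered copy, a copy whose whitespace was squeezed in transit, and a copy signed by a different domain. The RSA signature over the headers (b=) is left out; the selector s1 and the domain names are placeholders.

```python
"""The keyless half of a DKIM check: recompute the body hash and test alignment.

Added example for this guide, not the page's or any provider's code. A DKIM
signer puts base64(sha256(canonicalized body)) in the bh= tag and signs the
selected headers, bh= included, with its private key. A verifier recomputes
bh= before it fetches any key, so a body altered in transit fails here no
matter what the signature says. This implements the "relaxed" body
canonicalization of RFC 6376 3.4.4 and stops short of the b= signature,
which needs the public key from DNS and an RSA or Ed25519 library (a
library such as dkimpy does both halves). The message is constructed.
"""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 relaxed canonicalization: collapse runs of whitespace, strip
    trailing whitespace per line, drop trailing empty lines, CRLF line ends."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    canon = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while canon and canon[-1] == b"":
        canon.pop()
    return b"\r\n".join(canon) + b"\r\n" if canon else b""


def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag list; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def sign_body(body: bytes, domain: str, selector: str) -> str:
    """Signer side, minus the RSA step: a DKIM-Signature header with bh= filled in
    and b= left empty. A real signer fills b= with the signature over the headers."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def verify_body(dkim_signature: str, body: bytes, from_domain: str):
    """Verifier side: does the body still match bh=, and does d= match From:?

    Returns (ok, reason). Alignment here is strict (d= must equal the From:
    domain); DMARC's default relaxed mode would also accept a subdomain.
    """
    tags = parse_tags(dkim_signature)
    if tags.get("bh") != body_hash(body):
        return False, "body hash mismatch: the body changed after it was signed"
    if tags.get("d", "").lower() != from_domain.lower():
        return False, f"signed by d={tags.get('d')}, which is not the From: domain {from_domain}"
    return True, f"body intact; signed by {tags['d']} (selector {tags.get('s')})"


# Constructed message as it would leave the sending service (From: @yourdomain.com).
BODY = b"Hi Sam,\r\n\r\nInvoice 1042 is attached.  Pay to account 12345.\r\n\r\n"
SIGNATURE = sign_body(BODY, "yourdomain.com", "s1")
TAMPERED = BODY.replace(b"12345", b"99999")                      # account number swapped in transit
REFOLDED = BODY.replace(b"attached.  Pay", b"attached. Pay")     # an MTA squeezed whitespace
SPOOF_SIG = sign_body(BODY, "attacker.example", "x")             # signed with someone else's key

if __name__ == "__main__":
    print(verify_body(SIGNATURE, BODY, "yourdomain.com"))
    print(verify_body(SIGNATURE, TAMPERED, "yourdomain.com"))
    print(verify_body(SIGNATURE, REFOLDED, "yourdomain.com"))   # relaxed mode tolerates this
    print(verify_body(SPOOF_SIG, BODY, "yourdomain.com"))
```

The refolded case is why providers default to c=relaxed/relaxed: mailing lists and some gateways rewrite whitespace, and a simple (strict) canonicalization would turn every such hop into a DKIM failure even though nothing meaningful changed.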

DMARC: the policy that ties it together

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the instruction manual. It tells receiving servers what to do when a message fails both SPF and DKIM for your domain, and it asks them to send you aggregate reports so you can see who's sending email as your domain, including spoofers. The "for your domain" part matters: DMARC only counts an SPF or DKIM pass if the domain that passed matches (aligns with) the domain in the From: line, and the message passes DMARC if either one does.

A starter DMARC record, published as a TXT record at _dmarc.yourdomain.com, looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The p= value is the policy. Start at p=none (monitor only, change nothing), review the reports for a few weeks, then tighten to p=quarantine and eventually p=reject once you're confident all your legitimate mail passes; pct= lets you apply the stricter policy to a percentage of failing mail first. Jumping straight to p=reject before everything is aligned is the fastest way to block your own email. The rua= address receives the aggregate reports (XML, typically one per receiver per day), so point it at a mailbox someone reads or a service that parses them.
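The alignment rule and the p= policy, as an added example that is not the page's or Zeqo Mail's code: it parses a DMARC record with the RFC 7489 defaults, applies relaxed or strict alignment, and returns the disposition for four constructed messages (a properly configured Google Workspace send, a marketing tool left on its own domains, a forwarded message, and a spoof). The record, the domain names and the SPF/DKIM outcomes are all constructed; the organizational-domain shortcut is an approximation, as noted in the code.

```python
"""Evaluate DMARC the way a receiving server does: parse the policy, apply
identifier alignment, and decide the disposition.

Added example for this guide, not the page's or Zeqo Mail's code. The DMARC
record and the SPF/DKIM outcomes below are constructed; in production the
record comes from a TXT query at _dmarc.<From: domain> and the outcomes from
the receiver's own SPF and DKIM checks. The organizational domain is
approximated as the last two labels, which is wrong for suffixes such as
co.uk; real verifiers consult the Public Suffix List. pct= is parsed but
not applied, since sampling is the receiver's random choice.
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError(f"not a valid DMARC record: {record!r}")
    tags.setdefault("adkim", "r")          # relaxed DKIM alignment
    tags.setdefault("aspf", "r")           # relaxed SPF alignment
    tags.setdefault("sp", tags["p"])       # subdomain policy follows p=
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains. Relaxed ('r'): same organizational domain."""
    if not identifier:
        return False
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition, reason).

    spf_domain is the envelope-sender (Return-Path) domain SPF was checked
    against; dkim_domain is the d= of a signature that verified, or '' if none.
    DMARC passes if either check passed AND its domain aligns with From:.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if dkim_ok or spf_ok:
        return True, "none", "aligned " + ("DKIM" if dkim_ok else "SPF") + " pass"
    return False, policy["p"], f"no aligned pass; applying p={policy['p']}"


RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
FROM = "yourdomain.com"

# Constructed outcomes for four messages that all carry From: @yourdomain.com.
SCENARIOS = {
    # Google Workspace: SPF on yourdomain.com's Return-Path and DKIM d=yourdomain.com.
    "workspace": dict(spf_result="pass", spf_domain="yourdomain.com",
                      dkim_result="pass", dkim_domain="yourdomain.com"),
    # Marketing tool left on its defaults: SPF and DKIM both pass, but for the
    # tool's own domains, so nothing aligns with From: and p=reject applies.
    "tool_defaults": dict(spf_result="pass", spf_domain="bounces.marketingtool.example",
                          dkim_result="pass", dkim_domain="marketingtool.example"),
    # Forwarded by a mailing list: SPF fails on the forwarder's IP, DKIM survives.
    "forwarded": dict(spf_result="fail", spf_domain="yourdomain.com",
                      dkim_result="pass", dkim_domain="yourdomain.com"),
    # Spoofer: no authorized IP, no key for yourdomain.com.
    "spoof": dict(spf_result="fail", spf_domain="yourdomain.com",
                  dkim_result="none", dkim_domain=""),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:14} {evaluate(RECORD, FROM, **outcome)}")
```

The tool_defaults scenario is the one that bites founders: every check shows green in the tool's dashboard, yet under p=reject the mail is refused, because the passes belong to the tool's domain rather than yours. The fix is a custom Return-Path and DKIM for your own domain in that tool, which is exactly what the reports at p=none would have shown you before you tightened the policy.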

How to check yours in 30 seconds

You don't need to read raw DNS to know where you stand. Run your domain through our free email deliverability checker: it inspects SPF, DKIM, DMARC, and your blacklist status instantly, with no signup, and tells you exactly what's missing or misconfigured. (If you do want to see the raw records, dig TXT yourdomain.com returns SPF and dig TXT _dmarc.yourdomain.com returns DMARC; looking up DKIM needs the selector your provider gave you.)

The harder part isn't the one-time setup — it's that these records drift. A teammate adds a new sending tool and forgets SPF. A provider rotates a DKIM key. A domain quietly lands on a blacklist. That's why Zeqo Mail re-checks your domain every single day and alerts you the moment something changes — before your cold emails, newsletters, or password resets start hitting spam.

The takeaway

SPF says who can send, DKIM proves the message is authentic, and DMARC decides what happens when those checks fail. Set all three, start DMARC in monitor mode, and then keep watching them — because deliverability is invisible right up until it breaks. Speaking of which: here's why cold emails still land in spam even with authentication in place.

Is your email actually landing in the inbox?

Check your domain's SPF, DKIM, DMARC, and blacklist status in seconds — free, no signup. Then let Zeqo Mail watch it every day.