How to Fix Email Deliverability Issues with Proper DKIM, SPF, and DMARC Setup

Introduction

Email deliverability refers to the success rate of emails reaching inboxes instead of spam folders, and a proper DKIM SPF DMARC setup plays a key role in achieving this. Many businesses struggle with emails being marked as spam, even when they’re legitimate. This is frequently due to missing or improper email authentication. Setting up SPF, DKIM, and DMARC helps verify your identity as a sender, prevents spoofing, and improves deliverability. In this blog, we’ll guide you through a simple, step-by-step process to set up these records and fix common email delivery issues effectively.

Key Takeaways

  • Email deliverability is not just about sending emails—it’s about making sure they reach the inbox, not spam.
  • SPF, DKIM, and DMARC are crucial for authenticating your domain and establishing trust with ISPs.
  • SPF defines who can send emails on your behalf. DKIM signs messages to ensure integrity. DMARC enforces policies and reports misuse.
  • Without proper setup, your emails risk being rejected, throttled, or marked as suspicious.
  • Implementing these protocols reduces spoofing, phishing, and helps maintain a strong sender reputation.
  • Regularly test your configuration with tools like MXToolbox, Google Postmaster Tools, and Mail-tester.com.
  • Monitor DMARC reports and maintain clean email practices to boost your inbox placement over time.

Table of Contents

  1. Introduction
  2. What Is Email Deliverability and Why It Fails
  3. Why SPF, DKIM, and DMARC Setup Is Necessary
  4. What Are DKIM, SPF, and DMARC?
  5. Step-by-Step DKIM, SPF, and DMARC Setup Guide
  6. Tools to Check and Verify Your Setup
  7. Best Practices for Better Email Deliverability
  8. Conclusion

What Is Email Deliverability and Why It Fails

Email deliverability refers to the ability of your emails to successfully reach your recipients’ inboxes—not just their email servers. Even if an email is “delivered,” it may end up in the spam or junk folder, meaning it technically arrived but was never seen or acted upon.

Common Reasons for Poor Email Deliverability:

  • Missing Authentication: Without proper SPF, DKIM, and DMARC records, email providers can’t verify that your message is coming from a trusted source. This increases the likelihood that your emails may be detected as spam or rejected outright.
  • Spammy Content: Using misleading subject lines, excessive capitalization, suspicious links, or sales-heavy language can trigger spam filters and damage trust with recipients.
  • Low Sender Reputation: Internet Service Providers (ISPs) assign scores to sending domains and IPs. A poor track record (e.g., high bounce rates, spam complaints, or sending to invalid addresses) can cause your emails to be blocked or sent to spam.

How ISPs Filter Unauthenticated Emails:

ISPs use sophisticated filtering systems to protect users from phishing and spam. When an email carries no authentication (SPF/DKIM/DMARC), the receiving server cannot verify its origin. As a result, the ISP may:

  • Mark it as suspicious and direct it to the spam folder.
  • Reject it outright with a soft or hard bounce.
  • Throttle delivery to limit potential abuse.

Proper authentication builds trust with ISPs, improves sender reputation, and ensures that your emails reach the inbox—not the junk folder.

Why SPF, DKIM, and DMARC Setup Is Necessary

SPF, DKIM, and DMARC are required for a secure and effective email strategy. Without them, your domain is vulnerable to spoofing and phishing, where attackers impersonate your brand. These protocols help email providers verify that your messages are legitimate and unaltered. SPF allows only authorized servers to send emails on your behalf, DKIM verifies message integrity, and DMARC tells providers how to handle failed authentications. Implementing them boosts trust with ISPs, improves email deliverability, and reduces spam folder placement. They also offer valuable reporting and insights into how your domain is being used. In today’s digital world, where inbox placement and sender credibility are vital, setting up SPF, DKIM, and DMARC is no longer optional—it’s essential for protecting your email reputation and ensuring successful communication.

What Are DKIM, SPF, and DMARC?

What Is SPF (Sender Policy Framework)?

SPF (Sender Policy Framework) is an email authentication system that specifies which mail servers can send emails on your domain’s behalf.

Purpose

SPF stops spammers and attackers from sending fraudulent emails from your domain. When a receiving mail server receives an email that appears to be from your domain, it verifies the SPF record to ensure that the sending server is listed as an approved sender.

Format

SPF records are saved as TXT records in your domain’s DNS configuration. They specify which IP addresses or hostnames are allowed to send email from your domain.

Example SPF Record

v=spf1 include:_spf.google.com ~all

  • v=spf1: Specifies the SPF version.
  • include:_spf.google.com: Authorizes Google’s mail servers to send emails.
  • ~all: Indicates a soft fail for any server not listed (can also use -all for a hard fail).

Correctly setting up SPF is a foundational step in email authentication and a key factor in improving inbox placement.

Step-by-Step DKIM, SPF, and DMARC Setup Guide

Setting up DKIM, SPF, and DMARC properly ensures your emails are authenticated, protected from spoofing, and more likely to land in the inbox. Here’s a step-by-step guide to help you configure these records correctly.

Step 1 – Set Up SPF Record

The SPF setup process begins with identifying who is sending email on behalf of your domain and ends with verifying your DNS records to ensure everything is working as intended.

1. Identify All Sending Sources

Before creating your SPF record, list all platforms and services that send emails using your domain. This might include:

  • Webmail services (e.g., Gmail, Outlook)
  • SMTP servers (e.g., SendGrid, Mailgun)
  • Marketing platforms (e.g., SMTPMaster, ActiveCampaign)
  • Transactional email tools (e.g., SMTPMaster, Amazon SES)

Missing even one legitimate sender can cause deliverability issues, so be thorough.

2. Create Your SPF Record in DNS

Once you’ve identified all sources, create an SPF TXT record in your DNS zone.

Example SPF record:

v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.10 ~all

  • v=spf1: Indicates the SPF version.
  • include:: Adds other domains that are allowed to send on your behalf.
  • ip4:: Lists specific IPs you authorize.
  • ~all: Soft fail for any unauthorized senders (use -all for strict fail).

3. Test with Tools Like MXToolbox

Once the record is added, test your domain using tools like:

  • MXToolbox SPF Lookup
  • Google Admin Toolbox Dig

These tools validate that your SPF record is properly configured and not too long or conflicting.

Tip: Ensure you don’t exceed the 10 DNS lookup limit in SPF, as this can break the record. Use includes wisely and combine IPs where possible.

Step 2 – Enable DKIM Signing

DKIM (DomainKeys Identified Mail) adds a digital signature to your email headers, allowing receiving servers to verify that the message hasn’t been altered and was truly sent from your domain. 

Here’s how to set it up:

1. Generate Public/Private Key Pair from Your Email Server or ESP

Most Email Service Providers (ESPs) or SMTP servers—such as Gmail, SMTPMaster, Mailchimp, or Amazon SES—offer built-in tools to generate a DKIM key pair:

  • Private Key: This stays securely on your mail server and is used to sign outgoing messages.
  • Public Key: This is published in your DNS records so receiving servers can verify the signature.

Depending on your provider, the process may be automatic or require manual setup.

2. Add DKIM Public Key as TXT Record in DNS

Once you have the public key:

  • Log in to your domain’s DNS management panel.
  • Create a TXT record using the selector provided (e.g., default._domainkey.yourdomain.com).
  • Paste the DKIM public key as the value.

Example:

Host/Name: default._domainkey

Type: TXT

Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqG… (your full key here)

Tip: The selector (e.g., “default”) helps identify which key was used to sign the email.

3. Enable DKIM Signing in Your Sending Platform

After updating your DNS:

  • Go back to your email platform or ESP.
  • Enable DKIM signing for your domain.
  • Some platforms will verify the DNS record automatically, while others may require manual confirmation.

Once activated, all outgoing emails will include a DKIM signature in the header. Receiving mail servers will use your public key to confirm authenticity, boosting your sender reputation and improving inbox placement.

Step 3 – Configure DMARC Policy

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a powerful email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do if an email fails SPF or DKIM checks—and provides visibility into how your domain is being used.

1. Choose Your DMARC Policy

Your DMARC policy defines how ISPs handle unauthenticated emails:

  • none: Monitor only. The system takes no action but sends reports. Ideal for initial setup.
  • quarantine: Suspicious emails are delivered to the spam/junk folder.
  • reject: Unauthenticated emails are blocked entirely. Recommended only after SPF and DKIM are fully working.

Start with none and move toward reject as you gain confidence in your authentication setup.

2. Add DMARC TXT Record to DNS

Create a TXT record at your domain’s DNS:

Example

Host/Name: _dmarc.yourdomain.com  

Type: TXT  

Value: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:forensics@yourdomain.com; sp=quarantine; adkim=s; aspf=s;

Explanation:

  • v=DMARC1: DMARC version.
  • p=quarantine: Policy (can be none, quarantine, or reject).
  • rua=: Aggregate report email address (RUA).
  • ruf=: Forensic report email address (RUF).
  • aspf / adkim: Alignment mode for SPF and DKIM (strict s or relaxed r).
  • sp=: Subdomain policy (optional).

3. Set Up Email Reporting (RUA/RUF) for Monitoring

DMARC reports help you monitor who is sending on behalf of your domain and whether those emails pass SPF and DKIM checks:

  • RUA (Aggregate Reports): Summary of email authentication results. Sent daily.
  • RUF (Forensic Reports): Detailed failure reports for each message. Sent immediately (optional and more sensitive).

Use third-party tools like:

These tools help visualize and interpret your DMARC reports for better insight and control.

Final Tip: Gradually shift from p=none to p=reject after ensuring all legitimate senders pass SPF and DKIM to fully protect your domain from spoofing.

What Is DKIM (DomainKeys Identified Mail)?

DKIM (DomainKeys Identified Mail) authenticates emails to ensure their content remains unchanged during transit. It works by adding a digital signature to the email headers, which the recipient’s server can verify using a public key published in your DNS.

Purpose

DKIM cryptographically signs your email headers, allowing the receiving server to confirm:

  • The email truly came from your domain.
  • No one has altered the message after sending it.

This increases confidence and dramatically improves inbox placement by preventing spoofing and phishing.

How It Works (Public/Private Key System)

  • Your email server or ESP signs outgoing emails with a private key.
  • The recipient’s server queries your DNS records for the public key.
  • If the signature verifies against the public key, email providers consider the message authentic.

Example: DKIM Record Format in DNS

DKIM records are published as TXT records in your DNS under a selector subdomain:

Record name/host:

selector._domainkey.yourdomain.com

Record value (example):

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9uRxY…

Explanation:

  • v=DKIM1: Version of DKIM protocol.
  • k=rsa: Key type (RSA).
  • p=: The public key used for verification.

The “selector” (e.g., default, smtp1, etc.) allows you to manage multiple keys or rotate them without affecting other DKIM records.

Bottom Line: DKIM is a critical layer of email authentication that not only protects your domain’s reputation but also ensures your emails maintain their integrity from sender to recipient.

What Is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?

DMARC is an advanced email authentication protocol that works alongside SPF and DKIM to protect your domain from spoofing, phishing, and unauthorized use. It lets domain owners publish a policy that email providers enforce when authentication fails, and it gives them visibility into how their domain is being used.

Purpose

DMARC’s primary goal is to:

  • Align SPF and DKIM with the domain shown in the “From” address (visible to users).
  • Instruct ISPs on what to do with emails that fail authentication (none, quarantine, or reject).
  • Provide reporting so you can monitor how your domain is being used (or abused) across the internet.

DMARC ensures that only properly authenticated messages—those passing SPF or DKIM and matching the domain—are considered valid.

How It Works

  1. Your domain sends an email.
  2. The recipient’s server checks the SPF and DKIM authentication.
  3. If either passes and is aligned with the “From” domain, the email is accepted.
  4. If both fail (or fail alignment), the receiving server follows your DMARC policy.

Example DMARC Policy:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

  • v=DMARC1: Specifies the DMARC protocol version.
  • p=reject: Tells ISPs to block unauthenticated emails.
  • rua=: Defines where aggregate reports (RUA) should be sent for monitoring.

You can adjust the policy (p) as needed:

  • none: Monitor only—no impact on delivery.
  • quarantine: Deliver to spam folder.
  • reject: Block unauthorized emails completely.

In Summary

 DMARC aligns SPF and DKIM with your visible domain, protects your brand, improves deliverability, and gives you deep insight into who’s sending on your behalf. When properly deployed, it is one of the most effective defenses against email spoofing.

Tools to Check and Verify Your Setup

Once you’ve configured SPF, DKIM, and DMARC, it’s essential to test and verify that everything is working correctly. Fortunately, there are several free and reliable tools available to help you diagnose issues, validate your records, and monitor email performance. 

1. MXToolbox

https://mxtoolbox.com

MXToolbox offers a comprehensive suite of diagnostics for SPF, DKIM, DMARC, and general DNS records. Just enter your domain to:

  • Check if SPF and DKIM are valid
  • Confirm DMARC policy syntax
  • Identify blocklist status
  • Analyze mail server health

2. Google Postmaster Tools

https://postmaster.google.com

Google Postmaster Tools is ideal if you’re sending a high volume of emails to Gmail users. It helps you:

  • Monitor sender reputation
  • Check spam rates
  • View DKIM, SPF, and DMARC alignment
  • Track delivery errors

You must verify domain ownership to access these insights.

3. Mail-tester.com

https://www.mail-tester.com

Send a test email to the address provided by Mail-tester, and it will:

  • Evaluate your SPF, DKIM, and DMARC status
  • Check your content for spam triggers
  • Test blocklisting and mail headers
  • Provide an overall deliverability score

Great for quick pre-campaign checks.

Best Practices for Better Email Deliverability

To ensure better email deliverability, always use a custom domain email address instead of free services like Gmail or Yahoo. This builds credibility and supports proper authentication. If you’re using a new domain or IP, warm it up gradually by sending emails in small volumes and increasing over time to build a good sender reputation. Avoid spammy content, misleading subject lines, and excessive links, as these can trigger spam filters. Maintain a clean and verified email list by removing inactive or invalid addresses regularly to reduce bounce rates and spam complaints. After setting up DMARC, monitor the feedback reports to identify unauthorized senders, alignment failures, or spoofing attempts. These insights help you make informed decisions and strengthen your email security. Following these best practices ensures your emails are more likely to land in the inbox, maintain trust with ISPs, and improve engagement with your audience.

Conclusion

Email deliverability is critical to the success of your email marketing or communication strategy, and a proper DKIM SPF DMARC setup is central to it. Without proper authentication and monitoring, even legitimate emails can end up in spam folders, damaging both your brand reputation and campaign performance. By setting up SPF to authorize your sending sources, enabling DKIM to prove the integrity of your messages, and configuring DMARC to align and enforce your policies, you create a strong foundation for trusted email delivery.

But DKIM SPF DMARC setup alone isn’t enough. Regularly test your records using tools like MXToolbox, Google Postmaster Tools, and Mail-tester.com to ensure everything is functioning properly. Monitor DMARC reports to catch spoofing attempts early, and keep your email practices clean—use a custom domain, warm up IPs gradually, avoid spammy content, and verify your contact lists.

Implementing these steps not only protects your domain from abuse but also significantly increases your chances of reaching your audience’s inbox—where your emails belong.
