Contents
5 sections · 8 min read
Three shield icons labeled SPF DKIM DMARC protecting email domain
Domain Security

SPF, DKIM, and DMARC Explained: How to Stop Your Email Going to Spam

A
Domain 360 Team
·July 4, 2026·8 min read

Before SPF, DKIM, and DMARC existed, anyone could send an email claiming to be from any domain. Phishing emails routinely arrived appearing to come from banks, employers, and government agencies, with nothing in the email itself to indicate they were fraudulent.

These three records solve that problem. They give email receivers the tools to verify that an email genuinely came from who it claims to come from, and they give domain owners the ability to enforce what happens when verification fails.

SPF: Who Is Allowed to Send Email as Your Domain

SPF (Sender Policy Framework) is a TXT record that lists which mail servers are authorized to send email from your domain. When a mail server receives an email claiming to be from you@yourdomain.com, it checks whether the sending server's IP address is in your SPF record.

SPF record structure: v=spf1 [mechanisms] [qualifier]all

The mechanisms list your authorized senders: include:_spf.google.com allows Google Workspace include:spf.protection.outlook.com allows Microsoft 365 ip4:203.0.113.10 allows a specific IP address

The qualifier before all defines what happens with senders not in the list: ~all (softfail): treat as suspicious, usually delivers to spam -all (hardfail): reject outright +all: accept everything (never use this)

For most businesses: v=spf1 include:_spf.google.com ~all is a correct starting point for Google Workspace. Add other includes for any other services you send email through (marketing platforms, CRM systems, etc.).

One SPF record per domain. If you have multiple services, merge them into one record with multiple includes. Two SPF records cause failures.

DKIM: Cryptographic Proof the Email Was Not Tampered With

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails. The sending mail server signs each email with a private key. The corresponding public key is published in a DNS TXT record. Receiving servers fetch the public key and verify the signature — if it matches, the email has not been altered in transit.

DKIM is configured in your email provider's admin console, not directly in DNS. You enable it in Google Workspace admin, Microsoft 365 admin, or your email host, and the system generates a public/private key pair. You then add the public key as a TXT record in your DNS under a specific selector subdomain — typically something like google._domainkey.yourdomain.com.

The specific record values are provided by your email provider during setup. Copy them exactly.

DMARC: Policy and Reporting

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy record that: 1. Tells receiving servers what to do when SPF and/or DKIM fail 2. Requests that receivers send reports of failures back to you

A basic DMARC record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The p= value is the policy: none means monitor only — receive reports but take no action on failures. quarantine means failed emails go to spam. reject means failed emails are not delivered at all.

Start with p=none to gather data without risking legitimate email being blocked. Review the reports (or use a DMARC reporting service to parse them) to identify legitimate senders that might be missing from your SPF record. Once you are confident the configuration is complete, move to p=quarantine and eventually p=reject.

How to Check Your Current Setup

From any terminal: nslookup -type=txt yourdomain.com

Look for a line starting with v=spf1 — that is your SPF record. If none exists, SPF is not configured.

For DKIM (replace google with your provider selector): nslookup -type=txt google._domainkey.yourdomain.com

For DMARC: nslookup -type=txt _dmarc.yourdomain.com

MXToolbox.com provides a friendlier web interface that checks all three simultaneously and explains any problems found.

The Connection to Domain Health

SPF, DKIM, and DMARC records live in your domain DNS — meaning they are only valid as long as your domain is registered and DNS is resolving. An expired domain loses these records along with everything else, and email sent during a domain lapse cannot be authenticated. Our guide on what happens to email when a domain expires covers the specific failure modes.

Maintaining these records means maintaining the domain. A domain management dashboard with automatic expiry alerts is the unglamorous but necessary foundation for everything in email security.

Never lose a domain again

Track every domain you own in one dashboard. Free for up to 15 domains.