What is SPF, DKIM & DMARC? Why Your Emails Go to Spam

Understand the three pillars of email authentication and why they're essential for inbox delivery.

Published: 2026-01-21 | Updated: 2026-01-21 | Read time: 8 min

Key Takeaways

Why Email Authentication Matters

Every day, billions of emails are sent—and email providers like Gmail, Outlook, and Yahoo have one job: separating legitimate emails from spam and phishing attempts. The problem? Without authentication, anyone can send an email claiming to be from your domain. This is called email spoofing, and it's exactly what SPF, DKIM, and DMARC are designed to prevent. If your domain lacks proper authentication records, email providers can't verify you're legitimate. The result? Your emails land in spam—or get rejected entirely.

What is SPF (Sender Policy Framework)?

SPF tells receiving email servers which IP addresses are authorized to send email on behalf of your domain. Think of it like a guest list at a venue. If someone claims to represent your company but isn't on the list, they don't get in.

How SPF Works

1. You publish a DNS TXT record listing your authorized mail servers
2. When you send an email, the receiving server checks your SPF record
3. If the sending IP matches your list, SPF passes
4. If not, the email fails SPF—and may be marked as spam

Example SPF Record

```dns
v=spf1 include:_spf.google.com include:sendgrid.net -all
```

This record says: "Only Google Workspace and SendGrid can send email for my domain. Reject all others."

What is DKIM (DomainKeys Identified Mail)?

DKIM adds a digital signature to your emails, proving they haven't been tampered with in transit. Think of it like a wax seal on a letter. If the seal is broken, you know someone opened it.

How DKIM Works

1. Your email server signs outgoing emails with a private key
2. The public key is published as a DNS TXT record
3. Receiving servers use the public key to verify the signature
4. If the signature matches, DKIM passes—proving the email is authentic and unmodified

Example DKIM Record

```dns
google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
```

The "selector" (google) identifies which key to use—you can have multiple DKIM keys for different services.

What is DMARC (Domain-based Message Authentication)?

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Think of it as your domain's security policy. You're telling email providers: "Here's how I want you to handle suspicious emails claiming to be from me."

How DMARC Works

1. DMARC checks if SPF or DKIM passes AND aligns with your domain
2. Based on your policy, failed emails are either monitored, quarantined, or rejected
3. You receive reports showing who's sending email as your domain

DMARC Policies

| Policy | What It Does |
|--------|--------------|
| p=none | Monitor only—don't take action |
| p=quarantine | Send failed emails to spam |
| p=reject | Block failed emails completely |

Example DMARC Record

```dns
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
```
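How the alignment step and the policy combine for a single message, as an added example (not from the original page). The names `org_domain`, `aligned` and `dmarc_result` are hypothetical, the sender domains are constructed, and the organizational domain is approximated as the last two labels instead of the Public Suffix List lookup real receivers perform.

```python
def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels. Real receivers
    consult the Public Suffix List (needed for names like example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(record, from_domain, spf_pass, mail_from, dkim_pass, dkim_d):
    """Apply a DMARC record to one message's SPF and DKIM results.
    mail_from is the envelope sender domain that SPF checked; dkim_d is the
    d= domain of the DKIM signature (None if unsigned). pct= and sp= are ignored."""
    t = {k.strip().lower(): v.strip().lower()
         for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    spf_ok = spf_pass and aligned(mail_from, from_domain, t.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, t.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass"
    return {"none": "fail: delivered, reported only",
            "quarantine": "fail: sent to spam",
            "reject": "fail: rejected"}[t.get("p", "none")]

# Constructed sample messages, evaluated against the record shown on this page.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
# A third-party service passes SPF and DKIM, but only for its own domains.
unaligned = dmarc_result(RECORD, "yourdomain.com", True, "bounce.esp.example", True, "esp.example")
# The same message once the service signs with d=yourdomain.com.
fixed = dmarc_result(RECORD, "yourdomain.com", True, "bounce.esp.example", True, "yourdomain.com")
print(unaligned, "|", fixed)
```

The first message is the "alignment failure" case: both checks pass, yet neither authenticated domain matches the From domain, so the policy applies.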

Why Your Emails Go to Spam

Missing or misconfigured authentication is the #1 reason legitimate emails land in spam. Here's what typically goes wrong:

Common Issues

| Problem | Impact |
|---------|--------|
| No SPF record | Providers can't verify your sending servers |
| SPF too permissive | Using +all lets anyone send as you |
| No DKIM | Emails can't be verified as authentic |
| No DMARC | No policy = no enforcement |
| DMARC p=none | Monitoring only—no protection |
| Alignment failures | SPF/DKIM pass but don't match your domain |
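The record-level problems in this table can be checked mechanically. The following is an added example, not MailRisk's code and not part of the original page: the function names are hypothetical, and the TXT strings are assumed to have been fetched already. It goes slightly beyond the table by also flagging two failures defined in the SPF specification: more than one SPF record, and more than 10 DNS-querying terms.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query

def tags(record):
    """Parse 'k=v; k=v' tag lists (the syntax DKIM and DMARC records share)."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_spf(apex_txt):
    """apex_txt: every TXT string published at the domain apex."""
    spf = [r.lower().split() for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as a permanent error)"]
    findings, names = [], []
    for term in spf[0][1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
        names.append(re.split(r"[:/=]", term.lstrip("+-~?"))[0])
        if names[-1] == "all" and qualifier == "+":
            findings.append("SPF too permissive (+all)")
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10)")
    return findings

def lint_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>."""
    recs = [tags(r) for r in dmarc_txt if tags(r).get("v", "").upper() == "DMARC1"]
    if not recs:
        return ["no DMARC record"]
    findings, policy = [], recs[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    elif policy == "none":
        findings.append("DMARC p=none (monitoring only)")
    if "rua" not in recs[0]:
        findings.append("DMARC has no rua= address, so no reports arrive")
    return findings

def lint_dkim(selector_txt):
    """selector_txt: TXT string at <selector>._domainkey.<domain>, or None."""
    if selector_txt is None:
        return ["no DKIM key at this selector"]
    return [] if tags(selector_txt).get("p") else ["DKIM key is empty or revoked (p=)"]

# Constructed worst-case input: permissive SPF, monitor-only DMARC, no DKIM key.
print(lint_spf(["v=spf1 +all"]) + lint_dmarc(["v=DMARC1; p=none"]) + lint_dkim(None))
```

Alignment cannot be judged from DNS alone; it depends on the domains each message actually uses.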

The Cold Email Problem

Cold outreach is particularly vulnerable. Email providers are extra suspicious of:

Without proper setup, your cold emails have almost zero chance of reaching the inbox.

How to Check Your Setup

You can manually check your DNS records, but it's tedious and error-prone. That's why we built MailRisk.

What MailRisk Checks

Get Your Risk Score

Enter your domain above to get an instant deliverability risk assessment. See exactly what's configured—and what's missing.

Frequently Asked Questions

Do I need all three (SPF, DKIM, DMARC)?

Yes. Modern email providers expect all three. Missing any one significantly increases your spam risk.

How long does it take for changes to propagate?

DNS changes typically propagate within 1-48 hours, though it can occasionally take up to 72 hours.

Will fixing these guarantee inbox delivery?

No—authentication is necessary but not sufficient. Content quality, sender reputation, and recipient engagement also matter. But without proper authentication, you have zero chance.

Can I set up SPF, DKIM, and DMARC myself?

Yes, if you're comfortable editing DNS records. Our step-by-step guides walk you through each provider.

What if I use multiple email services?

You need to include all authorized senders in your SPF record and set up DKIM for each service. Our provider-specific guides cover this.