SPF, DKIM, DMARC: The DNS Records That Keep You Out of Spam
We audit 5-10 new accounts every month. In about 70% of them, DNS authentication is either missing or misconfigured. This is the first thing we fix because nothing else matters if your emails do not reach the inbox.
SPF (Sender Policy Framework)
SPF tells receiving servers which IP addresses are allowed to send email from your domain. Without it, anyone could send email pretending to be you.
The record goes in your DNS as a TXT record. It lists the IP addresses and third-party services authorized to send on your behalf. If you use Klaviyo, Mailchimp, and a transactional service like Postmark, all three need to be in your SPF record.
The common mistake: too many DNS lookups. SPF allows at most 10 DNS lookups per check. Each "include" statement counts as one, and so do the "a", "mx", "ptr", "exists" and "redirect" terms. If you exceed 10, the receiving server returns a permanent error instead of a pass, and your emails get flagged.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to your emails. The receiving server checks this signature against a public key published in your DNS. If the signature verifies, the signed headers and body have not been modified in transit.
Your ESP provides the DKIM keys. You add them as CNAME or TXT records in your DNS. Each ESP has its own keys, so if you use multiple sending services, each gets its own DKIM record.
The common mistake: not rotating keys. DKIM keys should be rotated annually. Most brands set them once and forget them. A key that has been in use for years is more likely to have been exposed, and anyone holding the private key can sign mail as you.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC tells receiving servers what to do when SPF or DKIM checks fail. Without DMARC, failed authentication is handled at the receiving server's discretion (usually the spam folder).
Start with a DMARC policy of "none" (monitoring only). This sends you reports about who is sending email from your domain without affecting delivery. Review the reports for 2-4 weeks. Once you confirm all legitimate senders pass SPF and DKIM, move to "quarantine" and then "reject."
The common mistake: jumping straight to "reject" without monitoring. This blocks legitimate email from services you forgot to authenticate.
BIMI (Brand Indicators for Message Identification)
BIMI displays your brand logo next to your emails in supported inboxes (Gmail, Yahoo). It requires a verified DMARC policy at "quarantine" or "reject" and a Verified Mark Certificate (VMC).
The VMC costs around $1,500/year. For brands sending high volume, the recognition boost in the inbox is worth it. Open rates increase 5-10% for brands with BIMI logos in our experience.
Check your setup right now
Go to your DNS provider. Look for a TXT record on your domain starting with "v=spf1" and a TXT record at _dmarc.yourdomain starting with "v=DMARC1". Look for the CNAME records your ESP gave you for DKIM. If any are missing, that is your first priority. Get them set up before you touch anything else in your email program.
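An offline counter for the SPF lookup limit and the DMARC check described above, as an added example that is not from the original post. The zone data, domain names and sending services are constructed for illustration; a real audit would replace the dict with DNS queries.

```python
import re

# Constructed sample DNS zone (name -> TXT records). Every name and service
# here is made up for illustration; a real audit would query DNS instead.
SAMPLE_TXT = {
    "example-shop.test": ["v=spf1 include:_spf.esp-one.test include:_spf.esp-two.test "
                          "include:_spf.esp-three.test a mx -all"],
    "_spf.esp-one.test": ["v=spf1 include:a.esp-one.test include:b.esp-one.test ~all"],
    "a.esp-one.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.esp-one.test": ["v=spf1 a mx ptr -all"],
    "_spf.esp-two.test": ["v=spf1 ip4:198.51.100.0/24 exists:%{i}.chk.esp-two.test -all"],
    "_spf.esp-three.test": ["v=spf1 redirect=spf.esp-three.test"],
    "spf.esp-three.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "example-lean.test": ["v=spf1 ip4:192.0.2.10 include:_spf.esp-two.test -all"],
    "_dmarc.example-lean.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example-lean.test"],
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (ip4/ip6/all do not).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def get_spf(domain, txt=SAMPLE_TXT):
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:  # zero or duplicate SPF records is itself a permanent error
        raise ValueError(f"{domain}: expected one SPF record, found {len(records)}")
    return records[0]

def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    if domain in path:
        raise ValueError(f"include/redirect loop: {' -> '.join(path + (domain,))}")
    total = 0
    for term in get_spf(domain, txt).split()[1:]:
        token = term.lstrip("+-~?")                     # drop the qualifier
        mech = re.split(r"[:=/]", token, 1)[0].lower()  # name before ':', '=' or '/'
        if mech not in LOOKUP_TERMS:
            continue
        total += 1
        if mech in ("include", "redirect"):
            target = token[len(mech) + 1:].split("/")[0]
            total += count_lookups(target, txt, path + (domain,))
    return total

def dmarc_policy(domain, txt=SAMPLE_TXT):
    """Return the p= tag of _dmarc.<domain>, or None when no DMARC record exists."""
    for rec in txt.get(f"_dmarc.{domain}", []):
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p")
    return None

def audit(domain, txt=SAMPLE_TXT):
    n = count_lookups(domain, txt)
    return {"spf_lookups": n, "spf_ok": n <= 10, "dmarc_policy": dmarc_policy(domain, txt)}
```

Running audit("example-shop.test") reports 12 lookups and no DMARC record, while audit("example-lean.test") passes with 2 lookups and a quarantine policy.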
Want us to build this for you?
We implement the strategies we write about. If you want these systems running on your account, get in touch.
Start a Project