SPF, DKIM, and DMARC Setup Guide (2026): DNS Records for Better Deliverability
If your business emails—invoices, password resets, or sales pitches—are consistently landing in your customers' spam folders, your domain is likely failing DNS-based authentication.
In early 2024, Google and Yahoo introduced strict authentication requirements for bulk senders. By 2026, these policies apply globally. If you send emails without aligning SPF, DKIM, and DMARC, your messages will be silently discarded or flagged.
1. SPF (Sender Policy Framework)
SPF lets you publish, in DNS, exactly which IP addresses or third-party mailing services (like Mailchimp, SendGrid, or Google Workspace) are authorized to send email on behalf of your domain. The receiving email server (like Gmail) checks the IP address that delivered the message against that list.
It is implemented as a simple TXT record in your DNS.
Example SPF Record:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Expert Tip: Notice the -all mechanism at the end. This is a "hard fail": any IP not matched by an earlier mechanism (here, the two include statements) fails SPF and should be rejected. The softer ~all marks such mail as a "soft fail" instead, which most receivers accept but treat with suspicion.
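As an added illustration (this is example code written for this guide, not a tool from the original page), the following Python parses an SPF record offline, reports the qualifier on the trailing all term, and counts the terms that cost a DNS lookup. RFC 7208 limits those lookups to 10 per evaluation, which is the "oversized SPF record" failure that turns a policy into a permerror. The parser does not resolve include or redirect targets, so its count is a lower bound for the record as written; the example record and the record names are the ones from this guide.

```python
import re

# Terms that trigger a DNS lookup during SPF evaluation. RFC 7208 section 4.6.4
# caps these at 10 per evaluation; exceeding it yields "permerror".
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Meaning of the qualifier on the trailing "all" mechanism.
ALL_MEANING = {
    "-": "fail: unlisted senders fail SPF (hard fail)",
    "~": "softfail: unlisted senders are accepted but marked",
    "?": "neutral: no assertion about unlisted senders",
    "+": "pass: every host on the internet is authorised",
}

# Mechanism name followed by whatever argument it carries (":host", "/24", ...).
TERM_RE = re.compile(r"^([a-z0-9]+)(.*)$", re.IGNORECASE)


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its terms.

    Returns {"terms": [...], "all": qualifier or None, "lookups": n}.
    Includes and redirects are not resolved (this runs offline), so the
    lookup count covers this record only and is a lower bound.
    """
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    terms, lookups, all_qualifier = [], 0, None
    for word in words[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        if "=" in word and ":" not in word.split("=", 1)[0]:
            # Modifier such as redirect=_spf.example.net or exp=explain.example.net
            name, value = word.split("=", 1)
            name = name.lower()
            terms.append({"kind": "modifier", "name": name, "value": value})
        else:
            m = TERM_RE.match(word)
            if not m:
                raise ValueError(f"unparseable SPF term: {word!r}")
            name, value = m.group(1).lower(), m.group(2)
            terms.append({"kind": "mechanism", "qualifier": qualifier,
                          "name": name, "value": value})
            if name == "all":
                all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            lookups += 1
    return {"terms": terms, "all": all_qualifier, "lookups": lookups}


def lint_spf(record: str) -> list:
    """Return human-readable findings for a record; an empty list means no concerns."""
    info = parse_spf(record)
    findings = []
    if info["all"] is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif info["all"] in {"+", "?"}:
        findings.append(f"'{info['all']}all' gives no protection ({ALL_MEANING[info['all']]})")
    if info["lookups"] > LOOKUP_LIMIT:
        findings.append(f"{info['lookups']} lookup terms exceed the limit of "
                        f"{LOOKUP_LIMIT}: receivers return permerror")
    elif info["lookups"] > LOOKUP_LIMIT - 2:
        findings.append(f"{info['lookups']} lookup terms in this record alone: "
                        "close to the limit before includes are expanded")
    return findings


if __name__ == "__main__":
    example = "v=spf1 include:_spf.google.com include:sendgrid.net -all"  # record from the guide
    print(parse_spf(example))
    print(lint_spf(example) or "no findings")
```

Because each include is itself a TXT record that may contain further includes, the true lookup count is only known after recursive resolution; use this check as a first pass on the record you are about to publish, then confirm the expanded total with a live SPF checker.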
2. DKIM (DomainKeys Identified Mail)
While SPF authorizes the sender, DKIM ensures the content has not been tampered with in transit. DKIM adds a cryptographic signature, computed over selected headers and the message body, to your email in the DKIM-Signature header.
The receiving server looks up the matching public key in your domain's DNS (a TXT record at selector._domainkey.yourdomain.com, where the selector is named by the s= tag of the signature) and uses it to verify the signature. If the signed headers or the body were altered by a man-in-the-middle, verification fails.
Expert Tip: Always generate 2048-bit DKIM keys instead of 1024-bit keys. Modern computing power can crack 1024-bit keys, and many enterprise firewalls now require 2048-bit keys.
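To make the "tampering breaks the check" point concrete, here is an added example (written for this guide, not code from the original page) that implements the body half of DKIM from RFC 6376 with only the Python standard library: body canonicalization ("simple" and "relaxed") and the base64 SHA-256 body hash that goes into the bh= tag of DKIM-Signature. A verifier recomputes bh= over the received body before it even touches the RSA signature in b=; the RSA signing of the header hash (the part that the 2048-bit key protects) is out of scope here and is left empty in the constructed header. The domain, selector and message text are constructed sample values.

```python
import base64
import hashlib
import hmac
import re

_WSP_RUN = re.compile(r"[ \t]+")


def canonicalize_body(body: str, method: str = "relaxed") -> str:
    """Apply DKIM body canonicalization (RFC 6376 section 3.4) and return the
    exact text whose SHA-256 digest becomes the bh= tag."""
    if method not in ("simple", "relaxed"):
        raise ValueError("canonicalization must be 'simple' or 'relaxed'")
    # Accept bare LF input for convenience; DKIM itself works on CRLF lines.
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # Drop trailing whitespace on each line and squeeze WSP runs to one space.
        lines = [_WSP_RUN.sub(" ", line.rstrip(" \t")) for line in lines]
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to a single CRLF (simple) or nothing (relaxed).
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, method: str = "relaxed") -> str:
    """Compute the base64 SHA-256 body hash a signer places in bh= (a=rsa-sha256)."""
    canon = canonicalize_body(body, method).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def parse_tags(dkim_signature: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs.
    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for item in dkim_signature.replace("\r\n", "").split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def build_signature_header(body: str, method: str = "relaxed") -> str:
    """Constructed DKIM-Signature value carrying the tags this example needs.
    d= and s= are sample values; b= is left empty (RSA signing not shown)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{method}; d=yourdomain.com; s=selector1; "
            f"h=from:to:subject:date; bh={body_hash(body, method)}; b=")


def verify_body_hash(body: str, dkim_signature: str) -> bool:
    """Recompute bh= from the received body and compare it with the signed value.
    A mismatch means the body changed in transit, so the message fails DKIM
    regardless of what the b= signature says. Assumes a SHA-256 algorithm and
    no l= (body length limit) tag."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")  # header/body; body part defaults to simple
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    return hmac.compare_digest(body_hash(body, body_method), tags["bh"])


if __name__ == "__main__":
    original = "Your invoice total is 120.00 EUR.\r\nThanks,\r\nBilling\r\n"  # constructed body
    header = build_signature_header(original)
    print("bh= as signed:", parse_tags(header)["bh"])
    print("unchanged body verifies:", verify_body_hash(original, header))
    tampered = original.replace("120.00", "1200.00")
    print("altered body verifies:", verify_body_hash(tampered, header))
```

The relaxed mode exists because mail relays routinely rewrap lines and change trailing whitespace; it tolerates those cosmetic edits while still catching any change to the actual content, as the tampered invoice above shows.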
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together. It is a policy you publish in DNS that tells receiving servers exactly what to do when a message fails DMARC, that is, when neither SPF nor DKIM passes with a domain that is aligned with (matches) the domain in the visible From: header.
Example DMARC Record (published as a TXT record at _dmarc.yourdomain.com):
v=DMARC1; p=quarantine; ruf=mailto:forensics@yourdomain.com; rua=mailto:reports@yourdomain.com;
p=quarantine: Tells the receiver to put failing emails in the user's spam folder. (Eventually, you want to upgrade this to p=reject.)
rua=: Sets up aggregate reporting. Google and Yahoo will send daily XML reports to this mailbox summarizing exactly who is sending mail as your domain and whether it passed.
ruf=: Requests per-message failure (forensic) reports; not all receivers send these.
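The word "aligned" is where most DMARC surprises come from, so here is an added example (written for this guide, not from the original page) that parses a DMARC record, applies the default relaxed alignment rules (adkim= and aspf=), and returns the DMARC result and disposition for a message given the From: domain, the SPF-authenticated domain and the DKIM d= domain. It also extracts the rua= mailboxes, so a record with no aggregate reporting is easy to flag. The organizational-domain lookup uses a small constructed suffix set instead of the real Public Suffix List, and a From: domain that differs from its organizational domain is treated as a subdomain for sp= purposes; both are simplifications. The example record is the one from this guide.

```python
# Constructed public-suffix subset for the example. Real implementations use the
# Public Suffix List to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in the RFC 7489 defaults
    for adkim=, aspf= and sp=."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerates the trailing ';' many records carry
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {item!r}")
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("DMARC record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.setdefault(tag, "r") not in ("r", "s"):
            raise ValueError(f"{tag}= must be r (relaxed) or s (strict)")
    if tags.setdefault("sp", tags["p"]) not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    return tags


def report_addresses(policy: dict, tag: str = "rua") -> list:
    """Mailboxes named in rua= (or ruf=); an empty list means no reports will arrive."""
    addresses = []
    for uri in policy.get(tag, "").split(","):
        uri = uri.strip().split("!")[0]  # drop an optional '!size' limit suffix
        if uri.startswith("mailto:"):
            addresses.append(uri[len("mailto:"):])
    return addresses


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) accepts any
    domain sharing the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(policy: dict, from_domain: str, spf_pass: bool, spf_domain: str,
                   dkim_pass: bool, dkim_domain: str) -> tuple:
    """Return (result, disposition): result is 'pass' or 'fail'; disposition is
    the action the policy requests ('none' when the message passes)."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # Simplification: a From: domain below its organizational domain gets sp=.
    is_subdomain = organizational_domain(from_domain) != from_domain.lower()
    return ("fail", policy["sp"] if is_subdomain else policy["p"])


if __name__ == "__main__":
    record = ("v=DMARC1; p=quarantine; ruf=mailto:forensics@yourdomain.com; "
              "rua=mailto:reports@yourdomain.com;")  # record from the guide
    policy = parse_dmarc(record)
    print("aggregate reports go to:", report_addresses(policy))
    # Constructed scenario: an ESP sends with its own bounce domain (SPF passes but is
    # not aligned) while DKIM is signed by a subdomain of yours (relaxed alignment passes).
    print(evaluate_dmarc(policy, "yourdomain.com", True, "bounce.esp.net",
                         True, "mail.yourdomain.com"))
    print(evaluate_dmarc(policy, "yourdomain.com", True, "bounce.esp.net",
                         False, ""))
```

The second scenario in the script is the classic third-party-sender failure: SPF passes for the provider's own bounce domain, but that domain is not yours, so the message fails DMARC and is quarantined unless the provider also signs with DKIM under your domain (or you set a custom return path).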
How to Verify Your Setup
DNS propagation can take a few minutes. Once deployed, never send production emails blindly. Use our Free DNS Lookup Tool to ensure the records are published globally, and use the Email Auth Checker to parse the syntax and ensure your alignment passes strict mode.
Migration strategy without breaking mail flow
Roll out DMARC in phases: start with reporting, then quarantine on low-risk subdomains, and only move to reject when alignment remains stable across transactional and marketing streams.
Common setup mistakes to avoid
Oversized SPF records (more than the 10 DNS lookups RFC 7208 allows, which turns the whole record into a permerror), duplicated DKIM selectors, and missing rua mailboxes are frequent causes of silent deliverability failure in production environments.