SPF, DKIM, and DMARC — in plain English
You send an important email to a customer. It lands in their spam folder. Or — worse — it disappears entirely. You resend. Same result. You call them, they say "oh, probably spam filter". Business moves on, frustrated.
Nine times out of ten, the reason is one of three things: SPF, DKIM, or DMARC. They're not new, they're not optional any more, and yet loads of small-business mailboxes have them set up badly or not at all.
Here's what each one is, without the jargon.
The problem they solve
Email was designed in an era when nobody imagined anyone would lie about who they were. As a result, by default, anyone can send an email claiming to be you, from your domain, and the receiving mail server has no way to tell.
SPF, DKIM, and DMARC are three different checks that together let a receiving server confirm "yes, this email really is from the business that claims to be sending it". Without them, spam filters err on the side of caution — and your legitimate email gets caught in the net.
SPF — "who is allowed to send email claiming to be me?"
SPF (Sender Policy Framework) is a list, published in your DNS, of which mail servers are allowed to send email on behalf of your domain.
If you use Google Workspace, your SPF record says "Google's mail servers are allowed to send as me." If you also use Mailchimp for newsletters, your SPF record says "and Mailchimp is allowed to send as me."
When a receiving server gets an email claiming to be from you, it checks your SPF record. If the server that actually sent it isn't on your list, the email looks suspicious.
What it looks like: a single TXT DNS record, like v=spf1 include:_spf.google.com include:mailchimp.com ~all.
Common mistakes: having two SPF records (the spec says you can only have one), forgetting to include a service you actually use, or using +all which basically says "anyone can send as me" — this is worse than having no SPF at all.
DKIM — "is this email exactly as I sent it?"
DKIM (DomainKeys Identified Mail) is a cryptographic signature on the email itself. Your mail provider signs each outgoing email with a private key; your DNS publishes the corresponding public key. The receiving server uses the public key to verify the email wasn't tampered with in transit.
Think of it as a wax seal on a letter: if the seal is intact, the recipient knows nobody opened the envelope and re-wrote the contents.
What it looks like: a TXT record at a specific subdomain like google._domainkey.example.com, containing a long public key string. Most mail providers generate this for you; you just paste the value into your DNS.
Common mistakes: not turning DKIM on in the first place (it's usually a setting, not a default); using short keys that receiving servers now reject; rotating keys and forgetting to update DNS.
DMARC — "what should happen if SPF or DKIM fails?"
DMARC is the policy that ties SPF and DKIM together. It answers two questions: what should receiving servers do if my email fails these checks, and where should they send me reports about it.
Options range from "do nothing, just monitor" (p=none), to "put failing emails in spam" (p=quarantine), to "reject them outright" (p=reject).
Gmail and Yahoo now require senders at any reasonable volume to have DMARC set up, so this has moved from nice-to-have to required.
What it looks like: a TXT record at _dmarc.example.com like v=DMARC1; p=quarantine; rua=mailto:[email protected].
Common mistakes: going straight to p=reject before you know which legitimate services send as your domain — you'll reject your own invoices; not setting up the reporting address (rua=), so you can't see what's being sent; SPF or DKIM passing but not being "aligned" (DMARC only counts a pass when the domain that passed SPF or DKIM matches the domain in the visible From: address, so a third-party tool that signs with its own domain doesn't help you).
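As an added example that is not part of the original post, here is a small Python checker that looks for the common mistakes listed in the SPF, DKIM and DMARC sections above. It runs against constructed sample TXT records for a hypothetical domain (a real check would fetch the records over DNS instead); the dummy DKIM key and the 2048-bit size threshold are assumptions for illustration.

```python
import base64
# Constructed sample TXT records for a hypothetical domain; a real checker would
# fetch these over DNS (e.g. with dnspython) instead of reading a dict.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:mailchimp.com ~all"],
    "google._domainkey.example.com":  # dummy key sized like a 2048-bit RSA key (294 bytes)
        ["v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode()],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}

def tags(record):  # 'k=v; k=v' style DKIM/DMARC record -> dict
    pairs = (kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    return {k.strip(): v.strip() for k, v in pairs}

def check_spf(records, expected=()):
    """Problems with a domain's SPF; 'expected' lists the includes you rely on."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    problems = ["more than one SPF record (only one is allowed)"] if len(spf) > 1 else []
    terms = spf[0].split()[1:]
    if "+all" in terms or "all" in terms:  # a bare 'all' means '+all'
        problems.append("+all lets anyone send as you")
    elif not terms or terms[-1] not in ("~all", "-all", "?all"):
        problems.append("record does not end with an 'all' rule")
    problems += [f"{s} is not included" for s in expected if f"include:{s}" not in terms]
    return problems

def check_dkim(records):
    """Problems with a selector._domainkey record."""
    if not records:
        return ["no DKIM record at this selector"]
    key = tags(records[0]).get("p", "")
    if not key:
        return ["empty p= (key revoked or never published)"]
    # a 2048-bit RSA public key encodes to ~294 bytes; much less means a short key
    return ["key looks shorter than 2048 bits"] if len(base64.b64decode(key)) < 250 else []

def check_dmarc(records):
    """Problems with a _dmarc record."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    t, problems = tags(dmarc[0]), []
    if t.get("p") not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    if "rua" not in t:
        problems.append("no rua= address, so you never see reports")
    return problems
```

Call check_spf, check_dkim and check_dmarc on the TXT records for your own domain, selector and _dmarc name; an empty list from each means nothing obviously wrong was found.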
How to check yours — right now, in 90 seconds
Go to mxtoolbox.com, enter your domain, and look at the "Email Blacklists" and "DNS Lookup" tools. They'll show you exactly what SPF, DKIM, and DMARC records you have — and flag anything obviously wrong.
Or do a quick send-to-Gmail test: send yourself an email from your business address to your personal Gmail, open the email, click the three-dot menu, and hit "Show original". You'll see three lines near the top:
SPF: should say PASS
DKIM: should say PASS
DMARC: should say PASS
If any of those say FAIL, SOFTFAIL, NEUTRAL, or "not found", you've got a problem that's probably sending your real email to spam.
Why it's worth sorting
Email deliverability is boring. It's also the difference between your invoices getting paid on time and them being invisible in a customer's junk folder for a fortnight. For most small businesses, this is one evening of DNS config and then it's done forever.
If you'd rather someone just sort it, drop us a line — it's a common first thing we do when we take on a new client, and we'll tell you plainly whether your current setup is fine or a liability.