SPF, DKIM, DMARC Explained for People Who Aren't IT Admins

LeadClaw · 8 min read
Tags: SPF, DKIM, DMARC, email deliverability, cold email setup

  • Inbox placement improvement with full authentication: 10–15% higher (Validity, formerly Return Path)
  • Extra inboxed emails per 500-email campaign: 50–75 more messages (Validity research)
  • Gmail bulk sender DMARC requirement threshold: 5,000+ emails/day, mandatory since 2024 (Google)
  • Time to set up SPF, DKIM, and DMARC: under 15 minutes (LeadClaw guide)

Three Records That Determine If You Land in the Inbox

Your emails might be going to spam and you have no idea why.

You wrote a good subject line. You kept the email short. You're not selling anything sketchy. But your reply rates are terrible because the emails aren't making it to the inbox.

Nine times out of ten, the problem is SPF, DKIM, or DMARC. Three DNS records that tell inbox providers "this email is legitimate." Without them, Gmail and Outlook treat you with suspicion — because spammers never bother setting them up.

Here's what these records actually do, in plain English.

The Club Bouncer Analogy

Think of it like getting into a club.

SPF is the guest list. It says "these are the email servers allowed to send email from our domain." If an email comes from a server that's not on the list, it fails the check.

DKIM is your ID card. It's a cryptographic signature on every email that proves the message wasn't tampered with in transit. The receiving server verifies that the email was really signed by the domain it claims to come from.

DMARC is the bouncer policy. It tells inbox providers what to do when emails fail the SPF or DKIM check — quarantine them, reject them entirely, or let them through while logging the failure.

All three work together. SPF says "these servers are authorized." DKIM proves "this specific email is real." DMARC says "here's what to do when checks fail."

SPF: The Approved Sender List

SPF stands for Sender Policy Framework. It's a DNS TXT record on your domain that lists which email servers are allowed to send on your behalf.

If you're using Google Workspace, your SPF record tells the world: "emails claiming to be from mybusiness.com should only come from Google's servers." If a spammer tries to send email pretending to be from your domain, it fails the SPF check.

An SPF record looks like this:


v=spf1 include:_spf.google.com ~all

The ~all at the end is a "soft fail" — emails that don't match get flagged but not rejected. You can use -all for a "hard fail" (rejected entirely) once you've confirmed your setup is correct. For most small businesses starting out, ~all is the right place to begin.

How to check your SPF: Go to MXToolbox.com, enter your domain, run an SPF lookup. It'll show your current record and flag any issues.

DKIM: The Digital Signature

DKIM stands for DomainKeys Identified Mail. It adds a digital signature to every outgoing email that the receiving server can verify.

Here's how it works: when your email server sends a message, it signs the email with a private key that only your server knows. The receiving server looks up your public key (stored in your DNS records) and verifies the signature matches. If it does, the email hasn't been tampered with and really came from your server.

For cold outreach, DKIM matters because inbox providers give more weight to properly signed emails. Gmail treats DKIM as a significant trust signal. Unsigned emails aren't automatically spam — but they get more scrutiny.

If you're using Google Workspace, DKIM is enabled in the admin console under Gmail → Authenticate email. You generate a key there, add it to your DNS records, and you're done.

A DKIM DNS record looks like this:


google._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIGf..."

The long string is your public key. It doesn't need to be human-readable — the math handles that part.

DMARC: The Policy Layer

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It's the policy that connects SPF and DKIM.

DMARC answers one question: "What should you do when an email fails SPF or DKIM checks?"

Three options:

  • p=none — Do nothing, just send reports
  • p=quarantine — Move failed emails to the spam folder
  • p=reject — Block failed emails entirely

For cold email, start with p=none. This lets you monitor what's failing without blocking your own emails if something is misconfigured. After 30 days of reviewing reports, move to p=quarantine or p=reject.

A basic DMARC record looks like this:


_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"

The rua part is the email address where DMARC aggregate reports go. These reports tell you which emails are passing and failing authentication. Valuable data once you start scaling.
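The SPF and DMARC record formats described above can be checked offline before you publish them. This is an added example, not LeadClaw's code: the function names are hypothetical, the sample values are the records shown in this article, and the lookup count covers only the terms in the record itself, not nested includes.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS lookup each

def check_spf(txt_values):
    """Audit the TXT strings published at the root domain for SPF problems."""
    records = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:  # none = no SPF; several = permanent error at the receiver
        return {"all": None, "lookups": 0,
                "issues": [f"expected 1 SPF record, found {len(records)}"]}
    qualifier, names, issues = None, [], []
    for term in records[0].split()[1:]:
        q, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        names.append(re.split(r"[:=/]", body, maxsplit=1)[0].lower())
        if names[-1] == "all":
            qualifier = q
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if qualifier is None and "redirect" not in names:
        issues.append("no 'all' term: unlisted servers are not failed")
    elif qualifier in ("+", "?"):
        issues.append(f"'{qualifier}all' does not fail unlisted servers")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return {"all": qualifier, "lookups": lookups, "issues": issues}

def check_dmarc(txt_values):
    """Audit the TXT strings published at _dmarc.<domain>."""
    records = [v for v in txt_values if v.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return {"policy": None,
                "issues": [f"expected 1 DMARC record, found {len(records)}"]}
    pairs = (part.partition("=") for part in records[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    policy, issues = tags.get("p", "").lower(), []
    if policy not in ("none", "quarantine", "reject"):
        issues.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        issues.append("p=none is monitor-only: failing mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= tag: aggregate reports have nowhere to go")
    return {"policy": policy or None, "issues": issues}

# Constructed sample data: the record values shown in the article, plus an
# unrelated placeholder TXT record of the kind that shares the root domain.
ROOT_TXT = ["site-verification=PLACEHOLDER", "v=spf1 include:_spf.google.com ~all"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"]

if __name__ == "__main__":
    print(check_spf(ROOT_TXT))
    print(check_dmarc(DMARC_TXT))
```

Pass in the TXT values your DNS provider shows for the root domain and for _dmarc.yourdomain.com; an empty issues list for SPF and a single monitor-only note for DMARC matches the starting setup recommended here.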

How to Check Your Current Setup Right Now

Before you change anything, check what you have. Here's the fastest way:

  1. Go to MXToolbox.com
  2. Run SPF Lookup → paste your domain
  3. Run DKIM Lookup → paste selector._domainkey.yourdomain.com, replacing "selector" with your DKIM selector ("google" is the selector for Google Workspace)
  4. Run DMARC Lookup → paste _dmarc.yourdomain.com

If any return errors or "no record found," you're missing authentication. That's likely part of why your cold emails go to spam.

A faster test: send an email from your domain to a Gmail account, then open the original message. In Gmail, click the three dots → "Show original." Look for these lines:


Authentication-Results:
  spf=pass
  dkim=pass
  dmarc=pass

If any say "fail" or "neutral," you have a gap to fix.
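The same header check can be scripted when you have many test messages to review. This is an added example, not part of the original guide: the function names and the sample header are constructed, and it assumes the receiving server identifies itself as mx.google.com, so that a header of the same name inserted by the sender is ignored.

```python
import re

# Constructed sample of what Gmail's "Show original" displays; the domain,
# address, selector and IP are placeholders.
SAMPLE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=google header.b=AbCdEfGh;
       spf=softfail (google.com: domain of transitioning bob@yourdomain.com does not designate 203.0.113.7 as permitted sender) smtp.mailfrom=bob@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com"""

def parse_auth_results(raw_headers, trusted_authserv="mx.google.com"):
    """Return {method: result} from the receiving server's own header only."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # undo header folding
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "authentication-results":
            continue
        value = re.sub(r"\([^()]*\)", "", value)           # drop (comments)
        authserv, *resinfo = [part.strip() for part in value.split(";")]
        if authserv.split()[:1] != [trusted_authserv]:
            continue  # added by another host, so its claims cannot be trusted
        results = {}
        for item in resinfo:
            m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", item, re.I)
            if m and results.get(m.group(1).lower()) != "pass":
                results[m.group(1).lower()] = m.group(2).lower()
        return results
    return {}

def auth_gaps(raw_headers, trusted_authserv="mx.google.com"):
    """Map each of spf/dkim/dmarc that did not pass to its result or 'missing'."""
    results = parse_auth_results(raw_headers, trusted_authserv)
    return {m: results.get(m, "missing") for m in ("spf", "dkim", "dmarc")
            if results.get(m) != "pass"}

if __name__ == "__main__":
    print(auth_gaps(SAMPLE))
```

In the constructed sample SPF soft-fails while DMARC still passes, because DMARC needs only one of SPF or DKIM to pass for the From domain; the SPF gap is still worth fixing.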

Setting Them Up: Step-by-Step

For Google Workspace users:

  1. SPF: In your DNS provider (GoDaddy, Cloudflare, Namecheap), add a TXT record for your root domain with value: v=spf1 include:_spf.google.com ~all
  2. DKIM: Go to Google Workspace Admin → Gmail → Authenticate email → Generate new record. Copy the DNS record it gives you and add it as a TXT record in your DNS provider.
  3. DMARC: Add a TXT record for _dmarc.yourdomain.com with value: v=DMARC1; p=none; rua=mailto:your@email.com

DNS changes take effect within 30 minutes to a few hours depending on your provider.

For Microsoft 365 users:

The process is similar. SPF for Microsoft uses include:spf.protection.outlook.com. DKIM is configured in the Microsoft 365 Defender portal. Microsoft's own documentation walks through both step by step.

For custom SMTP or third-party sending tools:

Check with your sending provider. Tools like Mailgun and SendGrid provide their own DKIM keys — you add them as TXT records in your DNS. The process is the same: get the key from your provider, paste it into your DNS, verify it passes.

Does This Actually Improve Deliverability?

Yes, and the impact is measurable.

Research from Validity (formerly Return Path) shows domains with properly configured SPF, DKIM, and DMARC see 10–15% higher inbox placement rates compared to domains without them. On a campaign of 500 emails, that's 50–75 more people actually seeing your message.

And Google made DMARC a requirement for bulk senders in 2024. If you're sending more than 5,000 emails per day to Gmail accounts, DMARC is mandatory. For smaller senders, it's still strongly recommended.

Beyond deliverability, authentication protects your domain reputation. If someone tries to send phishing emails pretending to be from your domain, a DMARC policy with p=reject stops it. Your business name stays clean.

Do This Before Your Next Campaign

Before you send another cold email campaign, run this 15-minute authentication check:

  1. Check your SPF record at MXToolbox — fix any errors
  2. Verify DKIM is enabled and the DNS record exists
  3. Add a DMARC record with p=none if you don't have one yet
  4. Send a test email to a Gmail account and check that all three pass in the original headers

That's it. Fifteen minutes of DNS work that meaningfully improves how many of your cold emails reach the inbox.

Most contractors skip this step entirely. They wonder why their open rates are low, increase volume, and make the problem worse. The fix is always the same: set up authentication first, then send.

Get the infrastructure right and the results follow.
