ZDNET key takeaways
- There are three DNS records that protect your domain and keep your emails out of junk.
- Running all three gives you complete coverage.
- They also protect your domain from being hijacked.
If you send a lot of work emails and keep getting radio silence, your emails are very likely ending up in someone's spam folder.
There are a few reasons this could happen that don't always have to do with the contents of your emails. Most commonly, your domain may not be authenticated, which gives receiving mail servers all the reason they need to quietly file your messages away in the spam folder.
I've seen this catch people off guard more often than you'd expect, including teams with genuinely good email content. Thankfully, there's an easy fix involving three DNS records called SPF, DKIM, and DMARC. Together, they prove to the internet that your emails are legitimate. They also protect your domain from being hijacked by cybercriminals so they can impersonate you in emails.
Gmail and Yahoo began enforcing these authentication requirements for bulk senders in Feb. 2024. Following this, Microsoft added the same requirements for Outlook.com, Hotmail, and Live.com in May 2025. If you haven't set these up yet, they are no longer optional.
What SPF, DKIM, and DMARC actually do
Each of the three protocols addresses a different weak point in email authentication. SPF verifies that the server sending your email is authorized to do so. DKIM adds a cryptographic signature to your outgoing messages, confirming they haven't been altered in transit.
DMARC ties the two together by publishing a policy that tells receiving servers what to do when either check fails, and routes authentication reports back to you.
You genuinely need all three. SPF alone can't stop someone from forging the "From" address your recipient sees in their inbox. DKIM alone won't catch an email sent from an unauthorized server. Only when you run all three do you get complete coverage against both deliverability problems and domain spoofing.
1. SPF: Authorize the servers that send on your behalf
SPF (Sender Policy Framework) is a DNS TXT record that lists every IP address and mail server authorized to send email on behalf of your domain. When a recipient's mail server receives a message claiming to be from you, it checks that record against the sending server's IP. If the IP isn't on the list, the message fails.
Setting it up means logging in to your domain registrar (GoDaddy, Cloudflare, Namecheap, etc.) and adding a TXT record at the root of your domain. Here's how that works:
First get your SPF value from your email service. Google Workspace, Microsoft 365, and most platforms provide the exact record value you need to copy-paste on their domain authentication page. For Google Workspace, it goes like this: v=spf1 include:_spf.google.com ~all.
If you send emails through multiple services, you should stack them in the same record, e.g. v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all.
Log into the platform where you manage your domain's DNS records. This could be GoDaddy, Cloudflare, Namecheap, Route 53, etc. Create a new TXT record on your DNS page, set the host to @ (your root domain), and paste the SPF value from the earlier step.
It's as easy as that! Note that your domain can have only one SPF TXT record, with no more than 10 DNS lookups. Creating a second SPF record instead of editing the first will break both. So keep your authorized senders list lean.
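The two limits above (one SPF record per domain, at most 10 DNS lookups) can be checked before you publish. The following is an added example, not code from the article: it lints a constructed, offline ZONE dictionary that stands in for real DNS answers, and all domain names in it are placeholders.

```python
# Terms that make the receiver perform a DNS query while evaluating SPF.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers keyed by name (sample data, not real DNS).
ZONE = {
    "good.example": ["v=spf1 include:_spf.mail.example ~all", "verify=abc123"],
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "dup.example": ["v=spf1 include:_spf.mail.example ~all",
                    "v=spf1 ip4:198.51.100.7 ~all"],
    "fat.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)})

def spf_records(name, zone):
    """TXT strings at name that are SPF records (other TXT data is ignored)."""
    return [t for t in zone.get(name, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(name, zone, path=frozenset()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    recs = spf_records(name, zone)
    if len(recs) != 1 or name in path:  # nothing usable here, or an include loop
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        sep = "=" if term.lower().startswith("redirect=") else ":"
        kind, _, target = term.partition(sep)
        kind = kind.split("/")[0].lower()  # "a/24" counts as "a"
        if kind in LOOKUP_TERMS:
            total += 1
            if kind in ("include", "redirect") and target:
                total += count_lookups(target, zone, path | {name})
    return total

def lint(name, zone=ZONE):
    """Return a list of problems; an empty list means both limits are met."""
    recs = spf_records(name, zone)
    if not recs:
        return ["no SPF record"]
    if len(recs) > 1:
        return [f"{len(recs)} SPF records: receivers treat this as a permanent error"]
    n = count_lookups(name, zone)
    return [f"{n} DNS lookups, limit is 10"] if n > 10 else []
```

Lookups made inside an included record count toward the same limit of 10, which is why the check follows include: targets instead of counting only the terms in your own record.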
2. DKIM: Add a tamper-proof signature to every email
DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign your outgoing messages. Your mail server attaches a signature using a private key it holds, so recipients can verify it against a matching public key you've published in your DNS. If the email was modified at any point between your server and the recipient's inbox, that signature check fails.
Google Workspace, Microsoft 365, and most major email platforms like SendGrid will generate a DKIM key pair for you. Your job is to copy the public key they provide and paste it into your domain's DNS settings as a new TXT record.
While the exact setup steps depend on your email provider and domain registrar, here's a general overview of what you need to do.
Google Workspace, Microsoft 365, SendGrid, Mailchimp, and other email service providers will generate a DKIM record for you if you navigate to their domain authentication settings page. For example, if you use Google Workspace, this is located within Apps > Google Workspace > Gmail in Google Admin Console. Click to generate a new record and copy these values first.
Next, navigate to your domain registrar's DNS settings page and create a new TXT record like you did when setting up SPF earlier. Note that some providers may also require you to add this as a CNAME record instead of a TXT record, so refer to your email provider's documentation.
Paste the host name and record value you got from your email provider into the new DNS record. Make sure there are no typos because this can affect domain security.
Now, return to your email provider's authentication settings. This is where you enable DKIM signing for your domain. In Google Workspace, this is done by revisiting the "Authenticate email" page in the Admin Console and clicking "Start authentication." Remember that you should do this after 24-48 hours since DNS records take a while to propagate across your domain.
DKIM is especially useful for forwarded messages. Forwarding often breaks SPF because the IP address changes, but the DKIM signature typically survives intact. That means a forwarded email can still pass authentication when SPF alone would have failed.
3. DMARC: Set the rules for what happens when authentication fails
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that makes SPF and DKIM enforceable. Without it, a receiving server that detects a failed check has no instructions on what to do next, and you have no visibility into what's failing or why. Here's how to get it up and running:
Start by creating a dedicated inbox for DMARC reports first, like reports@yourdomain.com.
Most email providers offer a DMARC generator in their dashboard, but you can also use a third-party service like MXToolbox or DMARCLY.
Add a new TXT record. The host name should read _dmarc. Paste in the record value straight from your DMARC generator.
Keep an eye out for any failure reports in your dedicated inbox for 2-4 weeks. This will reveal any issues with the mailbox that need to be addressed for better deliverability.
Like the other two, DMARC is a TXT record, added this time to _dmarc.yourdomain.com. A simple starting record looks like this: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. The p=none setting means receiving servers won't take any action on failing messages, but will send you aggregate reports at the address you specify. Those reports show which services are sending on your behalf and whether they're passing authentication.
Once you've reviewed a few weeks of reports and confirmed your legitimate mail is passing cleanly, you can tighten the policy. Move to p=quarantine to route failing messages to spam, then eventually to p=reject to block them entirely.
Jumping straight to p=reject before reviewing your reports is probably the most common implementation mistake I see, and it ends up blocking your own marketing or transactional emails.
Why you can't just pick one
Each protocol has a gap that the others fill. SPF checks the sending server but not the "From" address that recipients actually see, so an attacker can pass SPF while still impersonating your domain. DKIM verifies message integrity but doesn't check whether the signing domain matches the visible sender.
DMARC enforces alignment among all these elements and applies your chosen policy when something is out of alignment.
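The alignment rule is easier to see when evaluated from the receiving server's side. This is an added example, not code from the article or from any mail server: the messages in CASES are constructed, and org_domain is a simplified stand-in for the Public Suffix List lookup real receivers perform.

```python
ACTIONS = {"none": "no action", "quarantine": "spam folder", "reject": "reject"}

def org_domain(name):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dmarc_verdict(header_from, spf, dkim, policy):
    """spf = (result, envelope sender domain); dkim = (result, d= signing domain)."""
    target = org_domain(header_from)
    # A check only counts for DMARC if it passed AND its domain matches
    # the domain in the visible From header.
    spf_aligned = spf[0] == "pass" and org_domain(spf[1]) == target
    dkim_aligned = dkim[0] == "pass" and org_domain(dkim[1]) == target
    if spf_aligned or dkim_aligned:
        return ("pass", "no action")
    return ("fail", ACTIONS[policy])

# Constructed messages; each one displays a From address at yourdomain.com.
CASES = {
    "sent by your provider": (("pass", "yourdomain.com"), ("pass", "yourdomain.com")),
    "forwarded message": (("fail", "yourdomain.com"), ("pass", "yourdomain.com")),
    "forged From, unrelated envelope": (("pass", "unrelated.example"), ("none", "")),
}

def run(policy):
    """Evaluate every sample message under the given published policy."""
    return {name: dmarc_verdict("yourdomain.com", spf, dkim, policy)
            for name, (spf, dkim) in CASES.items()}
```

The third case passes SPF on its own terms yet fails DMARC because the SPF domain does not match the From header; under p=none it is still delivered, and only p=quarantine or p=reject changes the outcome.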
The combined deliverability upside is measurable. According to Validity's 2025 Email Benchmark Report, properly authenticated domains see inbox placement rates about 60 percentage points higher than unauthenticated ones. For anyone running cold outreach campaigns or bulk newsletters, that gap is the difference between a campaign that produces results and one that disappears entirely.
How to verify your records are working
DNS changes typically take anywhere from 15 minutes to 48 hours to propagate worldwide. Once that window passes, free tools can tell you instantly whether everything is configured correctly. MX Toolbox has separate checkers for SPF, DKIM, and DMARC. You can also send a test email to check@dmarcly.com, which replies with a full authentication report for your domain.
Your DMARC aggregate reports are the most valuable ongoing signal. Within a day or two of publishing your DMARC record, reports will start arriving at the address you specified. They show every server sending email under your domain and whether each one is passing or failing authentication. Reading them regularly is the best way to catch misconfigurations early, before they affect your deliverability or allow your domain to be abused in phishing campaigns.
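Aggregate reports are XML files, so the review that should precede a move from p=none to p=quarantine or p=reject can be scripted. This is an added example, not code from the article: SAMPLE_REPORT is a constructed report trimmed to the fields used, and the IP addresses and the KNOWN_SENDERS set are placeholders for your own services.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not real data); element names follow the DMARC
# aggregate report format, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>7</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

KNOWN_SENDERS = {"192.0.2.10", "198.51.100.25"}  # hypothetical: your own services

def summarize(xml_text):
    """Per source IP: message counts that passed or failed DMARC."""
    # Reports come from third parties; the standard-library parser is not
    # hardened against hostile XML, so parse untrusted files with defusedxml.
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned check passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        stats[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(stats)

def triage(stats, known_senders):
    """Split failing sources into your own services and unrecognized hosts."""
    fix, unknown = {}, {}
    for ip, s in stats.items():
        if s["fail"]:
            (fix if ip in known_senders else unknown)[ip] = s["fail"]
    return {"fix_before_enforcing": fix, "unrecognized": unknown,
            "safe_to_tighten": not fix}
```

In the sample, one of your own services is still failing, so tightening the policy now would send its 40 messages to spam or reject them; the unrecognized source is the traffic a stricter policy is meant to stop.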
