SPF, DKIM & DMARC Explained: The Complete Guide
Email authentication is the foundation of good email deliverability. Without proper SPF, DKIM, and DMARC configuration, your emails are far more likely to end up in spam — or be rejected entirely. In this guide, we'll explain each protocol, how they work together, and exactly how to set them up.
What Is SPF (Sender Policy Framework)?
SPF is a DNS-based authentication method that specifies which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email claiming to be from yourdomain.com, it checks the SPF record to verify the sending server is legitimate.
How SPF works
- You publish an SPF record in your domain's DNS
- The record lists all servers authorised to send as your domain
- Receiving servers check the sending IP against your SPF record
- If the IP matches, SPF passes; otherwise, it fails
Example SPF record
v=spf1 mx include:_spf.zeptomail.com.au -all
This record says: allow your MX servers and ZeptoMail's servers to send email; reject all others (-all).
What Is DKIM (DomainKeys Identified Mail)?
DKIM adds a cryptographic signature to every email you send. The receiving server uses a public key published in your DNS to verify the signature. This proves the email hasn't been tampered with in transit and genuinely originated from your domain.
How DKIM works
- Your mail server signs each outgoing email with a private key
- The signature is added as a DKIM-Signature header
- You publish the corresponding public key in DNS as a TXT record
- Receiving servers use the public key to verify the signature
Example DKIM DNS record
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIj..."
What Is DMARC (Domain-based Message Authentication, Reporting & Conformance)?
DMARC builds on SPF and DKIM by adding a policy layer. It tells receiving servers what to do when an email fails both SPF and DKIM checks — and provides a reporting mechanism so you can monitor authentication results.
DMARC policies
- p=none — Monitor mode. Emails are delivered normally, but you receive reports
- p=quarantine — Failed emails are placed in spam
- p=reject — Failed emails are rejected entirely (strongest protection)
Example DMARC record
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
How SPF, DKIM & DMARC Work Together
These three protocols form a layered defence:
- SPF verifies the sending server is authorised
- DKIM verifies the email content hasn't been altered
- DMARC tells receivers what to do when checks fail and enables monitoring
For maximum deliverability, you need all three configured correctly. Missing even one can significantly impact whether your emails reach the inbox.
Common Mistakes to Avoid
- Multiple SPF records: You can only have one SPF record per domain. Multiple records will cause failures
- Using ~all instead of -all: Softfail (~all) is weaker than hardfail (-all). Use hardfail for maximum protection
- Missing DMARC: Without DMARC, there's no policy for handling failed checks. Always add a DMARC record
- Wrong DKIM selector: Make sure your DKIM selector matches what your mail server is using
- Not monitoring: Use DMARC reports to identify issues before they impact deliverability
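The mistakes listed above can be checked mechanically. The following is an added example, not code from this guide's author or any vendor: a small offline audit over a set of TXT records. The function names, finding codes and sample zones are constructed for illustration, and the `txt` mapping is assumed to be filled from real DNS lookups in practice.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(domain, selector, txt):
    """Return finding codes; txt maps DNS name -> list of TXT strings."""
    findings = []
    # SPF: exactly one v=spf1 record, whose "all" mechanism is a hardfail.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf-missing")
    elif len(spf) > 1:
        findings.append("spf-multiple-records")
    else:
        all_terms = [t for t in spf[0].lower().split() if t.lstrip("+-~?") == "all"]
        if not all_terms:
            findings.append("spf-no-all")
        elif all_terms[-1] != "-all":
            findings.append("spf-not-hardfail")
    # DKIM: a key must exist at the selector the mail server signs with.
    dkim = txt.get(f"{selector}._domainkey.{domain}", [])
    if not dkim:
        findings.append("dkim-selector-not-found")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("dkim-key-empty")
    # DMARC: present, enforcing, and sending aggregate reports somewhere.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc-missing")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() == "none":
            findings.append("dmarc-monitor-only")
        if "rua" not in tags:
            findings.append("dmarc-no-reports")
    return findings
# Constructed sample zones (illustrative values, not real DNS data).
GOOD = {
    "yourdomain.com": ["v=spf1 mx include:_spf.zeptomail.com.au -all"],
    "selector._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p=MIIBIj..."],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"],
}
BAD = {
    "yourdomain.com": ["v=spf1 mx ~all", "v=spf1 include:_spf.zeptomail.com.au -all"],
    "old._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p=MIIBIj..."],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=none"],
}
print(audit("yourdomain.com", "selector", GOOD), audit("yourdomain.com", "selector", BAD))
```

The `BAD` zone trips four findings at once: two SPF records, a DKIM key published under a different selector than the one in use, and a DMARC record that neither enforces nor reports.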
Email authentication, configured automatically
Netcob sets up SPF, DKIM, and DMARC for your domain during onboarding. No manual DNS guesswork required.