SPF vs DKIM vs DMARC: Differences, Setup, and Why They Matter

Feb 5, 2026

You've set up your professional email domain, everything looks good, and then... your emails land in spam. What gives?

The answer is usually missing email authentication. SPF, DKIM, and DMARC are the three pillars that prove your emails are legit — not phishing attempts or spam.

In this guide, we'll explain the difference between SPF, DKIM, and DMARC in plain English, show how they work together, and walk through how to set them up.

SPF vs DKIM vs DMARC: Quick Comparison

Protocol   What it checks         Main job
SPF        Sending server         Verifies which servers can send mail for your domain
DKIM       Message integrity      Proves the email was signed and not altered in transit
DMARC      Policy and alignment   Tells inbox providers what to do when SPF or DKIM checks fail

If you only remember one thing, remember this: SPF checks the sender, DKIM checks the signature, and DMARC ties them together with policy and reporting.

Want the shortcut? If you want custom domain email without running full mailbox hosting, start with Forward and follow the DNS setup in your dashboard.

The Problem: Email Forgery is Too Easy

Here's the dirty secret about email: anyone can claim to be anyone.

The SMTP protocol (the system that sends email) was designed in the 1980s, long before spam and phishing were concerns. It's like the postal service accepting any return address without checking if it's real.

That's why email authentication exists — to prove you actually own the domain you're sending from.

SPF: Who's Allowed to Send?

What SPF Does

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain.

Think of it as a bouncer's list. If an email claims to be from @yourdomain.com but comes from a server not on the list, receiving servers can reject it or mark it as suspicious.

How SPF Works

  1. You publish an SPF record in your DNS
  2. When someone sends an email from your domain, the receiving server checks your SPF record
  3. If the sending server's IP is on your approved list, the email passes SPF
  4. If not, it fails — and might get marked as spam

SPF Record Example

v=spf1 include:_spf.google.com include:spf.forward.com ~all

Translation:

  • v=spf1 — This is an SPF record (version 1)
  • include:_spf.google.com — Google's mail servers are allowed to send for this domain
  • include:spf.forward.com — Forward's servers are allowed to send
  • ~all — Everything else is a soft fail (suspicious but not rejected)

How to Set Up SPF

  1. Log into your domain registrar (Namecheap, Cloudflare, etc.)
  2. Go to DNS settings
  3. Add a TXT record:
    • Name: @ (or leave blank for root domain)
    • Type: TXT
    • Value: v=spf1 include:_spf.youremailprovider.com ~all
  4. Save and wait for DNS propagation (1-24 hours)

Common Mistake: Having multiple SPF records. You can only have ONE SPF record per domain. If you need multiple email providers, combine them with multiple include: statements in a single record.
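
The check a receiving server runs, as an added example (not code from this guide or from Forward). The DNS_TXT table stands in for real DNS lookups; the provider names and IP ranges in it are constructed, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical names, documentation IPs).
DNS_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.provider-a.example "
                       "include:_spf.provider-b.example ~all"],
    "_spf.provider-a.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.provider-b.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    # The "multiple SPF records" mistake: two records on one name.
    "broken.example": ["v=spf1 ip4:192.0.2.0/24 ~all",
                       "v=spf1 ip4:203.0.113.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Return the SPF result for a connection from client_ip claiming domain."""
    records = [t for t in DNS_TXT.get(domain, []) if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:
        return "permerror"  # duplicate records (or runaway includes) break SPF
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        result = qualifier or "pass"      # no qualifier means "+"
        name, _, arg = mech.partition(":")
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            inner = check_spf(arg, client_ip, depth + 1)
            if inner == "pass":           # only an inner pass counts as a match
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        # other mechanisms (a, mx, exists, ...) are out of scope for this example
    return "neutral"
```

Note that the -all inside an included record does not reject the message by itself: it only means that include did not match, and evaluation moves on to the next term of your own record.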

DKIM: Proving Emails Haven't Been Tampered With

What DKIM Does

DKIM (DomainKeys Identified Mail) adds a digital signature to your emails. It's like a tamper-proof seal that proves the email wasn't modified in transit.

How DKIM Works

  1. Your email server adds a cryptographic signature to outgoing emails
  2. You publish the public key in your DNS
  3. Receiving servers use that public key to verify the signature
  4. If the signature is valid, the email hasn't been tampered with

DKIM Record Example

Name: default._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB...

Translation:

  • default._domainkey — DKIM records use a selector (in this case, "default")
  • v=DKIM1 — DKIM version 1
  • k=rsa — The key type is RSA
  • p=... — Your public key (very long string)
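
The sign-then-verify flow described above, as an added example (not code from this guide or from any mail provider). It is a simplified model: the RSA key is a constructed toy key, the DNS_TXT table stands in for DNS, and real DKIM additionally canonicalizes the message and pads the hash before signing.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (constructed for this example and
# far too small for real use; real DKIM keys come from your email provider).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: never leaves the sender

# Constructed stand-in for DNS: only the public half (N, E) is published.
DNS_TXT = {"default._domainkey.yourdomain.com": {"n": N, "e": E}}

def digest(headers, body):
    """Hash the signed headers and body, reduced to an integer below N."""
    data = "".join(f"{name}:{value}\r\n" for name, value in headers) + "\r\n" + body
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % N

def sign(headers, body):
    """Sending server: sign the message digest with the private key."""
    return pow(digest(headers, body), D, N)

def verify(headers, body, signature, selector, domain):
    """Receiving server: look up <selector>._domainkey.<domain>, check the signature."""
    key = DNS_TXT.get(f"{selector}._domainkey.{domain}")
    if key is None:
        return "no-key"  # result label chosen for this example
    ok = pow(signature, key["e"], key["n"]) == digest(headers, body)
    return "pass" if ok else "fail"

# Constructed sample message.
HEADERS = [("From", "billing@yourdomain.com"), ("Subject", "Invoice 42")]
BODY = "Please pay to account 1111.\r\n"
SIGNATURE = sign(HEADERS, BODY)
```

Changing a single character of a signed header or of the body changes the digest, so the same signature no longer verifies against the published key.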

How to Set Up DKIM

  1. Your email provider (Gmail, Outlook, Forward, etc.) will generate a DKIM key pair
  2. They'll give you a DNS record to publish (usually looks like the example above)
  3. Add it as a TXT record in your DNS
  4. Your email provider will start signing outgoing emails automatically

Forward Users: DKIM is handled automatically for emails forwarded through Forward. If you're sending directly via Gmail's "Send As," you'll need to set up Gmail's DKIM in your DNS.

DMARC: The Policy Enforcer

What DMARC Does

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM checks fail.

It's the final layer that ties everything together and gives you visibility into who's sending email on your behalf (or trying to impersonate you).

How DMARC Works

  1. You publish a DMARC policy in your DNS
  2. When an email fails SPF or DKIM, the receiving server checks your DMARC policy
  3. Your policy tells them: "Quarantine it" (spam folder), "Reject it" (bounce), or "Monitor it" (let it through but report it)
  4. You get reports about failed authentication attempts

DMARC Record Example

Name: _dmarc
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Translation:

  • v=DMARC1 — DMARC version 1
  • p=quarantine — Put failed emails in spam (options: none, quarantine, reject)
  • rua=mailto:dmarc@yourdomain.com — Send aggregate reports here
  • pct=100 — Apply policy to 100% of emails

How to Set Up DMARC

  1. Make sure SPF and DKIM are already set up (DMARC requires at least one)
  2. Add a TXT record:
    • Name: _dmarc
    • Type: TXT
    • Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  3. Start with p=none to monitor without blocking
  4. After a week or two, upgrade to p=quarantine or p=reject

Pro Tip: Start with p=none and monitor reports for a few weeks. This ensures legitimate emails aren't getting blocked before you enforce stricter policies.

Why All Three Matter

Think of email authentication as a three-part security system:

  • SPF verifies the sender's server
  • DKIM verifies the email content
  • DMARC tells servers what to do when verification fails

You need all three for maximum deliverability. Here's what happens without them:

  • No SPF: Your emails might get marked as spam or rejected
  • No DKIM: Email providers trust you less, especially for bulk sending
  • No DMARC: You can't control what happens to failed emails, and you won't know if someone's spoofing your domain

Common Mistakes to Avoid

1. Multiple SPF Records

A domain can publish only one SPF record. Combine multiple email providers in a single record:

v=spf1 include:_spf.google.com include:spf.forward.com include:sendgrid.net ~all

2. Forgetting to Update DNS After Changing Email Providers

Switched from Gmail to Outlook? Update your SPF and DKIM records, or your emails will fail authentication.

3. Using -all Instead of ~all in SPF

Use ~all (soft fail) unless you're 100% sure your setup is perfect. -all (hard fail) will cause legitimate emails to bounce if something's misconfigured.

4. Setting DMARC to p=reject Too Soon

Start with p=none, monitor reports, fix issues, then escalate to p=quarantine, and finally p=reject.

How to Check Your Setup

Use these free tools to verify your email authentication:

Gmail and Yahoo Requirements

Modern inbox providers are stricter than they used to be. Gmail and Yahoo expect bulk senders to have proper authentication in place.

  • SPF or DKIM must pass for the mail you send
  • DMARC should be configured so your domain has a clear policy
  • Alignment matters — the authenticated domain should match the domain visible to recipients

If your setup is incomplete, your messages are more likely to land in spam or get rejected outright. If you're already troubleshooting that problem, read our email deliverability guide and our breakdown of the forwarding mistakes that push mail into spam.

Real-World Example: Setting Up All Three for Forward

Here's a complete setup for a domain using Forward + Gmail:

1. SPF Record

Name: @
Type: TXT
Value: v=spf1 include:_spf.google.com include:spf.forward.com ~all

2. DKIM Record (from Gmail)

Name: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=[your-google-public-key]

3. DMARC Record

Name: _dmarc
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

That's it. Three DNS records, and you're fully authenticated. If you still haven't chosen your setup, see how to get a free custom domain email address or compare Forward vs Google Workspace before you decide.

FAQ

Do I need all three (SPF, DKIM, DMARC)?

Technically, no. But for best deliverability and security, yes. Major email providers (Gmail, Outlook, Yahoo) strongly prefer all three.

How long does DNS propagation take?

Usually 15 minutes to 2 hours. Worst case: 24 hours. Use dig or nslookup to check if records are live.

Can I use Forward without setting these up?

Yes, but your deliverability will suffer. Set up at least SPF and DKIM for best results.

What's the difference between -all and ~all in SPF?

  • ~all (soft fail) — Suspicious but not rejected
  • -all (hard fail) — Reject immediately

Use ~all unless you're an email expert.

The Bottom Line

Email authentication isn't optional anymore. Gmail and Yahoo now require proper authentication for bulk senders, and domains without SPF, DKIM, and DMARC are more likely to struggle with spam placement.

Set them up once, monitor them when you change providers, and you'll give your domain a much better chance of staying out of the spam folder.

Need help setting up domain email without the usual mess?

Forward gives you step-by-step DNS setup for SPF, DKIM, and DMARC so you can use your custom domain email without paying for full mailbox hosting.
