Email Deliverability Guide:
SPF, DKIM, DMARC Explained

Your emails are going to spam. Here's exactly why — and how to fix it with three DNS records that take 10 minutes to set up.

Get Business Email More Articles
📅 July 16, 2026 ⏱️ 10 min read 📧 Email Infrastructure

20% of legitimate business emails never reach the inbox. They're filtered to spam, blocked entirely, or silently dropped. The reason? Missing or misconfigured email authentication records: SPF, DKIM, and DMARC.

If you're sending email from a custom domain (anything@yourbusiness.com), you need all three. Without them, Gmail, Outlook, and Yahoo assume your emails might be spoofed — and they're right to be cautious. Email spoofing accounts for billions of malicious messages daily.

The Problem: Why Your Emails Go to Spam

Email was designed in 1982. The original SMTP protocol had no authentication — anyone could send email claiming to be from any address. Spam and phishing exploited this for decades. SPF, DKIM, and DMARC were added later as a layered defense:

ProtocolWhat It DoesAdded
SPFLists authorized sending IPs2006
DKIMCryptographic signature per email2007
DMARCPolicy for SPF/DKIM failures2012

As of 2024, Google and Yahoo require all bulk senders to have SPF, DKIM, and DMARC configured. No exceptions. If you send more than 5,000 emails per day, you must comply or your emails will be rejected outright.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that tells the world which IP addresses are allowed to send email from your domain. Think of it as a guest list for your email server.

How SPF Works

  1. Your DNS has an SPF record listing authorized IPs
  2. When you send an email, the receiving server checks your DNS
  3. If your server's IP is on the list → pass. If not → fail

SPF Record Example

v=spf1 ip4:178.156.211.159 include:_spf.google.com ~all

Breaking this down:

Use ~all (soft fail) when setting up SPF for the first time. Once you've confirmed everything works for a few weeks, switch to -all (hard fail) for maximum protection.

Common SPF Mistakes

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. The receiving server uses your public key (published in DNS) to verify the signature. This proves the email wasn't modified in transit and came from an authorized server.

How DKIM Works

  1. Your mail server generates a private/public key pair
  2. The public key is published as a DNS TXT record
  3. When sending, the server signs the email with the private key
  4. The receiver fetches your public key from DNS and verifies the signature

DKIM DNS Record Example

default._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."

The default part is the selector — you can have multiple DKIM keys for different sending services. The p= value is your base64-encoded public key.

How to Set Up DKIM

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is the policy layer. It tells receiving servers what to do when SPF and/or DKIM fail. Without DMARC, failed authentication is silently ignored. With DMARC, you control the outcome.

DMARC Record Example

_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100;"

Breaking this down:

The DMARC Rollout Strategy

  1. Week 1-2: p=none — Monitor only. Collect reports, see what's failing.
  2. Week 3-4: p=quarantine; pct=25 — Quarantine 25% of failures.
  3. Week 5-6: p=quarantine; pct=100 — Quarantine all failures.
  4. Week 7+: p=reject; pct=100 — Reject all failures. Full protection.
DMARC reports are XML files sent daily to your rua address. Use a free tool like dmarcian or Postmark's DMARC analyzer to parse them.

Additional Deliverability Factors

Reverse DNS (PTR Record)

Your mail server's IP must have a reverse DNS record that matches its hostname. If your server says mail.yourdomain.com but the PTR resolves to something else, many providers will reject your email.

Email Content Best Practices

Sender Reputation

Your domain and IP have reputation scores with Gmail, Outlook, and Yahoo. Factors include:

TyTe Hosting Email: Authentication Included

Every TyTe Hosting email account comes with SPF, DKIM, and DMARC pre-configured. We also provide:

Ready to switch? See our Business Email Hosting page or check city-specific pages like business email in Orlando.

What is email deliverability?

Email deliverability is the ability to successfully land emails in the recipient's inbox rather than the spam folder. It depends on sender reputation, authentication records (SPF, DKIM, DMARC), content quality, and infrastructure.

What is SPF in email?

SPF (Sender Policy Framework) is a DNS TXT record that lists which IP addresses and servers are authorized to send email on behalf of your domain. Receiving servers check SPF to verify the sender is legitimate.

What is DKIM in email?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails that proves the message was not modified in transit and was sent by an authorized server.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do if both checks fail: reject, quarantine, or take no action.

How long does it take for SPF/DKIM/DMARC to take effect?

DNS changes typically propagate within 4-24 hours. Once propagated, email providers immediately start checking your records for authentication.

Get Authenticated Business Email

SPF, DKIM, DMARC — all pre-configured. 50 mailboxes for $69.99/month. No per-user pricing.

Get Business Email →