Follow ZDNET: Add us as a preferred source on Google.
ZDNET key takeaways
- There are three DNS records that protect your domain and keep your emails out of junk.
- Running all three gives you complete coverage.
- They also protect your domain from being hijacked.
If you send a lot of work emails and keep getting radio silence, your emails are very likely ending up in someone’s spam folder.
There are a few reasons this could happen that don’t always have to do with the contents of your emails. Most commonly, your domain may not be authenticated, which gives receiving mail servers all the reason they need to quietly file your messages away in the spam folder.
Also: How a burner email can protect your inbox – setting one up one is easy and free
I’ve seen this catch people off guard more often than you’d expect, including teams with genuinely good email content. Thankfully, there’s an easy fix involving three DNS records called SPF, DKIM, and DMARC. Together, they prove to the internet that your emails are legitimate. They also protect your domain from being hijacked by cybercriminals so they can impersonate you in emails.
Gmail and Yahoo began enforcing these authentication requirements for bulk senders in Feb. 2024. Following this, Microsoft added the same requirements for Outlook.com, Hotmail, and Live.com in May 2025. If you haven’t set these up yet, they are no longer optional.
What SPF, DKIM, and DMARC actually do
Each of the three protocols addresses a different weak point in email authentication. SPF verifies that the server sending your email is authorized to do so. DKIM adds a cryptographic signature to your outgoing messages, confirming they haven’t been altered in transit.
DMARC ties the two together by publishing a policy that tells receiving servers what to do when either check fails, and routes authentication reports back to you.
You genuinely need all three. SPF alone can’t stop someone from forging the “From” address your recipient sees in their inbox. DKIM alone won’t catch an email sent from an unauthorized server. Only when you run all three do you get complete coverage against both deliverability problems and domain spoofing.
1. SPF: Authorize the servers that send on your behalf
SPF (Sender Policy Framework) is a DNS TXT record that lists every IP address and mail server authorized to send email on behalf of your domain. When a recipient’s mail server receives a message claiming to be from you, it checks that record against the sending server’s IP. If the IP isn’t on the list, the message fails.
Also: Here’s my favorite email trick for cleaning up inbox clutter – automatically
Setting it up means logging in to your domain registrar (GoDaddy, Cloudflare, Namecheap, etc.) and adding a TXT record at the root of your domain. Here’s how that works:
-
First get your SPF value from your email service. Google Workspace, Microsoft 365, and most platforms provide the exact record value you need to copy-paste on their domain authentication page. For Google Workspace, it goes like this: v=spf1 include:_spf.google.com ~all.
-
If you send emails through multiple services, you should stack them in the same record, e.g. v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all.
-
Log into the platform where you manage your domain’s DNS records. This could be GoDaddy, Cloudflare, Namecheap, Route 53, etc. Create a new TXT record on your DNS page, set the host to @ (your root domain), and paste the SPF value from the earlier step.
It’s as easy as that! Note that your domain can have only one SPF TXT record, with no more than 10 DNS lookups. Creating a second SPF record instead of editing the first will break both. So keep your authorized senders list lean.
2. DKIM: Add a tamper-proof signature to every email
DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign your outgoing messages. Your mail server attaches a signature using a private key it holds, so recipients can verify it against a matching public key you’ve published in your DNS. If the email was modified at any point between your server and the recipient’s inbox, that signature check fails.
Also: This simple email trick saves me from annoying marketing spam (and it’s free to do)
Google Workspace, Microsoft 365, and most major email platforms like SendGrid will generate a DKIM key pair for you. Your job is to copy the public key they provide and paste it into your domain’s DNS settings as a new TXT record.
While the exact setup steps depend on your email provider and domain registrar, here’s a general overview of what you need to do.
-
Google Workspace, Microsoft 365, SendGrid, Mailchimp, and other email service providers will generate a DKIM record for you if you navigate to their domain authentication settings page. For example, if you use Google Workspace, this is located within Apps > Google Workspace > Gmail in Google Admin Console. Click to generate a new record and copy these values first.
-
Next, navigate to your domain registrar’s DNS settings page and create a new TXT record like you did when setting up SPIF earlier. Note that some providers may also require you to add this as a CNAME record instead of a TXT record, so refer to your email provider’s documentation.
-
Paste in the host name and record value you got from your email provider into the new DNS record. Make sure there are no typos because this can affect domain security.
-
Now, return to your email provider’s authentication settings. This is where you enable DKIM signing for your domain. In Google Workspace, this is done by revisiting the “Authenticate email” page in the Admin Console and clicking “Start authentication.” Remember that you should do this after 24-48 hours since DNS records take a while to propagate across your domain.
DKIM is especially useful for forwarded messages. Forwarding often breaks SPF because the IP address changes, but the DKIM signature typically survives intact. That means a forwarded email can still pass authentication when SPF alone would have failed.
3. DMARC: Set the rules for what happens when authentication fails
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that makes SPF and DKIM enforceable. Without it, a receiving server that detects a failed check has no instructions on what to do next, and you have no visibility into what’s failing or why. Here’s how to get it up and running:
-
Start by creating a dedicated inbox for DMARC reports first, like reports@yourdomain.com.
-
Most email providers offer a DMARC generator in their dashboard, but you can also use a third-party service like MXToolbox or DMARCLY.
-
Add a new TXT record. The host name should read _dmarc. Paste in the record value directly from your DMARC generator.
-
Keep an eye out for any failure reports in your dedicated inbox for 2-4 weeks. This will reveal any issues with the mailbox that need to be addressed for better deliverability.
Also: I tested NordVPN’s free scam checker with real phishing emails – here’s how it fared
Like the other two, DMARC is a TXT record, added this time to _dmarc.yourdomain.com. A simple starting record looks like this: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. The p=none setting means receiving servers won’t take any action on failing messages, but will send you aggregate reports at the address you specify. Those reports show which services are sending on your behalf and whether they’re passing authentication.
Once you’ve reviewed a few weeks of reports and confirmed your legitimate mail is passing cleanly, you can tighten the policy. Move to p=quarantine to route failing messages to spam, then eventually to p=reject to block them entirely.
Jumping straight to p=reject before reviewing your reports is probably the most common implementation mistake I see, and it ends up blocking your own marketing or transactional emails.
Why you can’t just pick one
Each protocol has a gap that the others fill. SPF checks the sending server but not the “From” address that recipients actually see, so an attacker can pass SPF while still impersonating your domain. DKIM verifies message integrity but doesn’t check whether the signing domain matches the visible sender.
DMARC enforces alignment among all these elements and applies your chosen policy when something is out of alignment.
The combined deliverability upside is measurable. According to Validity’s 2025 Email Benchmark Report, properly authenticated domains see inbox placement rates roughly 60 percentage points higher than unauthenticated ones. For anyone running cold outreach campaigns or bulk newsletters, that gap is the difference between a campaign that produces results and one that disappears entirely.
How to verify your records are working
DNS changes typically take anywhere from 15 minutes to 48 hours to propagate worldwide. Once that window passes, free tools can tell you immediately whether everything is configured correctly. MX Toolbox has separate checkers for SPF, DKIM, and DMARC. You can also send a test email to check@dmarcly.com, which replies with a full authentication report for your domain.
Also: Best email hosting services 2026: Expert tested and reviewed
Your DMARC aggregate reports are the most valuable ongoing signal. Within a day or two of publishing your DMARC record, reports will start arriving at the address you specified. They show every server sending email under your domain and whether each one is passing or failing authentication. Reading them regularly is the best way to catch misconfigurations early, before they affect your deliverability or allow your domain to be abused in phishing campaigns.
