Features

SPF, DKIM & DMARC: Fix Your Email Deliverability in 10 Minutes

·8 min read

Since February 2024, Gmail and Yahoo require senders to authenticate their emails with SPF, DKIM, and DMARC. Without proper configuration, your emails — including transactional ones like password resets and invoices — will land in spam or be rejected entirely. Here's how to fix it in 10 minutes.

What Are SPF, DKIM, and DMARC?

RecordWhat It DoesAnalogy
SPFLists which servers are allowed to send email for your domainA guest list for your mailbox
DKIMAdds a digital signature to verify the email wasn't tampered withA wax seal on a letter
DMARCTells receivers what to do if SPF or DKIM fails, and where to send reportsInstructions for the bouncer

Step 1: Configure SPF

SPF is a DNS TXT record that lists authorized sending servers. Add this to your domain's DNS:

example.com  TXT  "v=spf1 ip4:YOUR_SERVER_IP include:_spf.google.com ~all"

Key rules:

  • Only one SPF record per domain (multiple records = failure)
  • Use include: for third-party senders (Google Workspace, Mailchimp, SendGrid)
  • Use ~all (softfail) during testing, switch to -all (hardfail) in production
  • Maximum 10 DNS lookups — too many include: statements will break SPF

Common SPF for Popular Services

ServiceSPF Include
Google Workspaceinclude:_spf.google.com
Microsoft 365include:spf.protection.outlook.com
Mailchimpinclude:servers.mcsv.net
SendGridinclude:sendgrid.net
Amazon SESinclude:amazonses.com

Step 2: Set Up DKIM

DKIM adds a cryptographic signature to your outgoing emails. The receiving server verifies this signature using a public key published in your DNS.

DKIM requires two things:

  1. A private key on your mail server that signs outgoing emails
  2. A DNS TXT record with the public key that receivers use to verify

The DNS record looks like:

mail._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBg...your_public_key..."

If you use a hosted email service (Google Workspace, Microsoft 365), they provide the DKIM keys — you just need to add the DNS records.

Step 3: Enable DMARC

DMARC tells receiving servers what to do when SPF or DKIM checks fail:

_dmarc.example.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

DMARC policies:

PolicyActionWhen to Use
p=noneMonitor only, no actionStart here — collect reports first
p=quarantineSend to spamAfter verifying SPF/DKIM work
p=rejectBlock the email entirelyFull protection once confident

Recommended approach: Start with p=none for 2 weeks to monitor reports, then move to p=quarantine, and finally p=reject.

Step 4: Verify Your Configuration

After setting up all three records, verify them:

  • Run a PrivacyChecker scan — our Email Deliverability module grades your SPF, DKIM, and DMARC (A-F)
  • Send a test email to a Gmail account and check the headers for "PASS" status
  • Use dig TXT example.com to verify DNS records are published

Gmail and Yahoo Requirements (2024+)

Since February 2024, bulk senders (5,000+ emails/day) must:

  • Authenticate with SPF and DKIM
  • Have a DMARC policy published (even p=none)
  • Include one-click unsubscribe (List-Unsubscribe header)
  • Keep spam complaint rates below 0.3%
  • Use TLS encryption for email transmission

Even small senders benefit from proper authentication — it improves deliverability for everyone.

Troubleshooting

ProblemLikely CauseFix
SPF failsMissing include: for a sending serviceAdd the service's SPF include
DKIM failsDNS record not propagated or key mismatchWait 24-48h for propagation, verify key
DMARC failsSPF and DKIM both failing, or domain alignment issueFix SPF/DKIM first, check alignment
Emails still in spamIP reputation, content issues, or missing PTR recordCheck IP blacklists, improve content

Your Email Grade

PrivacyChecker grades your email authentication setup from A to F and provides specific fix recommendations. A properly configured domain should achieve at least a B grade. Most websites we scan start at D or F — fixing SPF, DKIM, and DMARC typically takes under 10 minutes and has an immediate impact.

Check your website now — free

Run a complete privacy audit in under 60 seconds. Get your score, find issues, and learn how to fix them.

Start Free Audit

Explore More Resources

🔍
Free Privacy ScannerAudit any website in 60s
⚖️
GDPR Fines Database€5.88B+ in penalties tracked
📖
Privacy Glossary100+ terms explained
🌍
GDPR by Country30+ country guides
⚙️
Consent Mode v2Setup & compliance guide
📝
All Articles80+ privacy & compliance guides

Related Articles

Features

Cookie Consent Banners: Is a Cookie Banner Mandatory? Complete GDPR Guide

Everything you need to know about cookie consent: is a cookie banner mandatory, what cookies to declare, requirements by country, and common mistakes to avoid.

Features

Dark Patterns: How to Detect and Remove Deceptive UX from Your Site

Dark patterns are now regulated. Learn what counts as deceptive design, how regulators are cracking down, and how to audit your UX for compliance.

Features

Security Headers Explained: Protect Your Website in 5 Steps

CSP, HSTS, X-Frame-Options, and more — learn what security headers your website needs and how to implement them to prevent attacks.

Features

Third-Party Scripts: The Hidden Security Risk on Your Website

External JavaScript can be hijacked. Learn about supply chain attacks like Polyfill.io, how to audit your dependencies, and how to protect your visitors.

Regulations

Cookie Banner Requirements by Country: Complete 2026 Map

Country-by-country guide to cookie consent requirements. Covers opt-in vs. opt-out models, enforcement status, and local variations for 30+ countries including all EU member states, UK, US, Brazil, Canada, and Asia-Pacific.

Regulations

EU AI Act: Does Your Website Use AI? Here's What to Check

The 2024 EU AI Act regulates AI chatbots, analytics, and personalization on websites. Learn your obligations and how to assess compliance.