Last updated: June 2026 | 16 min read | Email Tools

SPF, DKIM, and DMARC Explained in Plain English (2026)

A client of mine sent 3,000 emails last March. Forty-seven replied. He thought that was bad copy. I looked at his domain and within 30 seconds found that he had no DMARC record, his SPF was pointing to a sending tool he stopped using in 2023, and his DKIM key had never been properly configured.

His emails were reaching inboxes. Some of them. The rest were going straight to spam, and Gmail was routing them there because his domain looked like it might be spoofed. It did not look spoofed because someone was pretending to be him. It looked spoofed because he had no proof that he was who he said he was.

That is the problem SPF, DKIM, and DMARC solve.

None of these are complicated once you understand what they actually do. Most of the confusion comes from guides that explain the technical implementation before explaining what each record is for. This guide does it the other way around.

Key Takeaways

  • SPF tells receiving mail servers which IP addresses are allowed to send email for your domain. Think of it as a guest list.
  • DKIM adds a cryptographic signature to every email you send. If the email gets altered in transit, the signature breaks and the receiving server knows.
  • DMARC tells receiving servers what to do when SPF or DKIM fails, and sends you reports so you can monitor who is sending email using your domain name.
  • All three records need to be configured for any of them to work properly. Having just SPF or just DKIM is meaningfully weaker than having all three.
  • Google and Yahoo made all three mandatory for bulk email senders in February 2024.

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are three DNS records that together prove your emails are genuinely from you. Without them, any mail server on the internet can claim to send email from your domain, and receiving servers have no technical way to know the difference.

Here is each one in one sentence:

The analogy that actually helps:

Imagine you run a restaurant and your head chef sends invoices to suppliers.

SPF is the approved list of phone numbers and email addresses your chef is allowed to send from. If an invoice comes from a number not on that list, the supplier gets suspicious.

DKIM is a wax seal on the envelope. If the envelope arrives with a broken seal, the supplier knows someone opened it.

DMARC is the policy your supplier follows when the seal is broken or the number is not on the list. Maybe they reject the invoice. Maybe they hold it for review. Maybe they just log it and tell you about it later.

You need all three because they protect against different things. SPF alone can be bypassed. DKIM alone does not tell you who sent the email. DMARC alone does nothing if SPF and DKIM are not configured first.

Why email authentication matters

Without SPF, DKIM, and DMARC configured on your domain, anyone can send email that appears to come from you. This is not theoretical. Domain spoofing is one of the most common techniques in phishing attacks, and the reason it works so often is that most domains have incomplete or missing authentication records.

The practical impact goes beyond security. Gmail, Outlook, Yahoo Mail, and every other major inbox provider use authentication records as a signal when deciding whether to deliver your email to the inbox or route it to spam. A domain with missing authentication records looks exactly like a spoofed domain to their filters. The result is the same: spam folder.

Here is how the four main threats break down:

| Threat | What Happens | Which Record Stops It |
| --- | --- | --- |
| Domain spoofing | Attacker sends email "from" your domain | SPF + DMARC |
| Email tampering | Email modified in transit (links changed, content altered) | DKIM |
| Phishing via your brand | Fake emails impersonating your company reach customers | DMARC |
| Spam folder placement | Legitimate emails flagged as suspicious | All three together |

Google's February 2024 bulk sender requirements made DMARC mandatory for anyone sending 5,000 or more emails per day to Gmail addresses. Yahoo implemented the same requirements at the same time. For senders below that threshold, the absence of DMARC is still a visible red flag that depresses inbox placement.

The Verizon Data Breach Investigations Report consistently finds phishing involved in roughly 36% of data breaches. Most of those phishing emails work because the sending domain lacks proper DMARC enforcement.

[Figure: Email authentication flow diagram showing SPF, DKIM, and DMARC checks happening in sequence as an email arrives at a receiving mail server]

What is SPF?

SPF (Sender Policy Framework) is a DNS record that lists every server and IP address that is authorized to send email using your domain name. When an email arrives at a receiving mail server claiming to be from your domain, the server checks your SPF record. If the sending IP is on your approved list, SPF passes. If not, it fails.

SPF is the first line of defense against someone sending email that appears to come from your domain without your permission.

How SPF records work

An SPF record is a TXT record in your domain's DNS settings. It looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Breaking this down:

The ~all qualifier is the cautious option. -all is the strict version (reject anything not on the list). Most senders use ~all initially to avoid accidentally blocking legitimate emails during setup.

The most common SPF mistakes

Having more than one SPF record

You can only have one SPF record per domain. If you have two, both fail. This is the single most frequent SPF error and it usually happens when someone adds a new sending tool without checking whether an SPF record already exists.

Too many DNS lookups

SPF allows a maximum of 10 DNS lookups per check. Each include: statement counts as a lookup. If you use multiple email tools (Google Workspace, SendGrid, HubSpot, Mailchimp), you can hit this limit and break SPF for your entire domain.

Not updating SPF when changing email providers

If you switch from one email platform to another but forget to update your SPF record, the new platform's emails will fail SPF because its servers are not on your approved list.
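
The mistakes above can be caught mechanically before a record is published. The following is an added example (not part of the original guide or of any Vortenza tool) that lints a constructed zone for duplicate SPF records, a missing ~all/-all terminator and the 10-lookup limit; it goes slightly beyond the text by also counting nested include: targets and the a, mx, ptr, exists and redirect terms, which RFC 7208 counts as lookups too. All domain names and the SAMPLE_ZONE data are made up for illustration.

```python
import re

LOOKUP_LIMIT = 10
# Mechanisms that cost a DNS query (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT data standing in for live DNS answers; every name is hypothetical.
SAMPLE_ZONE = {
    "example.test": [
        "v=spf1 include:_spf.mailhost.test include:bulk.sender.test ~all",
        "site-verification=constructed-token",
    ],
    "_spf.mailhost.test": ["v=spf1 include:_netblocks.mailhost.test ~all"],
    "_netblocks.mailhost.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "bulk.sender.test": ["v=spf1 ip4:198.51.100.0/24 a mx ~all"],
    # A second record added for a new tool without merging it into the first.
    "dupe.test": [
        "v=spf1 include:_spf.mailhost.test ~all",
        "v=spf1 ip4:203.0.113.5 -all",
    ],
}
# Six vendors, each hiding one nested include: 12 lookups in total.
for i in range(1, 7):
    SAMPLE_ZONE[f"vendor{i}.test"] = [f"v=spf1 include:_ip.vendor{i}.test ~all"]
    SAMPLE_ZONE[f"_ip.vendor{i}.test"] = [f"v=spf1 ip4:192.0.2.{i} -all"]
SAMPLE_ZONE["sprawl.test"] = [
    "v=spf1 " + " ".join(f"include:vendor{i}.test" for i in range(1, 7)) + " ~all"
]


def spf_records(zone, domain):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]


def count_lookups(zone, domain, path=()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    records = spf_records(zone, domain)
    if domain in path or len(records) != 1:
        return 0  # loop, missing or duplicated target: nothing further to count
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(zone, term.split("=", 1)[1], path + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include" and ":" in term:
            total += count_lookups(zone, term.split(":", 1)[1], path + (domain,))
    return total


def lint_spf(zone, domain):
    """Return a list of findings; an empty list means the checks passed."""
    records = spf_records(zone, domain)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return [f"{len(records)} SPF records published; receivers return PermError"]
    findings = []
    terms = [t.lower() for t in records[0].split()[1:]]
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if (not terms or terms[-1] not in ("~all", "-all")) and not has_redirect:
        findings.append("record does not end in ~all or -all")
    lookups = count_lookups(zone, domain)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return findings


if __name__ == "__main__":
    for name in ("example.test", "dupe.test", "sprawl.test"):
        print(name, count_lookups(SAMPLE_ZONE, name), lint_spf(SAMPLE_ZONE, name) or "ok")
```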

SPF setup checklist

  • Only one SPF record exists in your DNS (check for duplicates)
  • All current sending sources are included (Google Workspace, your newsletter tool, your CRM, etc.)
  • The record has fewer than 10 DNS lookups
  • The ~all or -all qualifier is present at the end
  • Record has been verified with an SPF checker after any changes

[Figure: SPF record DNS visualization showing how authorized sending IPs are listed and verified]

What is DKIM?

DKIM (DomainKeys Identified Mail) is a cryptographic signature applied to every email you send. The signature proves two things: the email genuinely came from a server authorized by your domain, and the email was not modified after it was sent.

SPF tells receiving servers which IP addresses can send for your domain. DKIM goes further: it proves the actual content of the email is intact and untampered.

How DKIM works

DKIM uses a public/private key pair:

  1. Your mail server holds a private key. When you send an email, your server uses this key to generate a unique cryptographic signature based on the content of the email.
  2. The public key is published in your DNS as a TXT record. Anyone can look it up.
  3. When the receiving mail server gets your email, it looks up your public key in DNS and uses it to verify the signature. If the signature matches, the email passed through untampered. If it does not match, something changed the email between your server and theirs.

Think of it like a fingerprint. The private key creates the fingerprint. The public key lets anyone verify it belongs to you. Changing even one character in the email body invalidates the fingerprint entirely.

A DKIM signature in an email header looks like this:

DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector1;
  h=from:to:subject:date; bh=BASE64_HASH; b=BASE64_SIGNATURE

The d= field is your domain. The s= field is the selector, which points to the specific DKIM key record in your DNS.
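
The receiver's side of this exchange, as an added example that is not part of the original guide: it parses a DKIM-Signature value, derives the DNS name built from s= and d=, and recomputes the bh= body hash using the body canonicalization rules of RFC 6376. The RSA check of b= over the signed headers is left out because it needs the real key pair; the message, domain and b= value are constructed placeholders.

```python
import base64
import hashlib
import re


def parse_tag_list(value):
    """Split a DKIM tag=value list into a dict (folding whitespace is dropped)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(tags):
    """DNS name where the receiver fetches the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body, mode="simple"):
    """Body canonicalization from RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at the end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, tags):
    """Recompute the value the signer placed in bh=."""
    algo = tags.get("a", "rsa-sha256").split("-")[1]
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    digest = hashlib.new(algo, canonicalize_body(body, body_mode)).digest()
    return base64.b64encode(digest).decode()


def body_intact(header_value, body):
    """True when the received body still matches the signed body hash."""
    tags = parse_tag_list(header_value)
    return body_hash(body, tags) == tags["bh"]


# Constructed message body and header value (example.test is a placeholder domain).
SAMPLE_BODY = b"Invoice 1042 is attached.\r\nPay at https://billing.example.test/1042\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=selector1;\r\n"
    "  h=from:to:subject:date; bh="
    + body_hash(SAMPLE_BODY, {"a": "rsa-sha256", "c": "relaxed/relaxed"})
    + "; b=CONSTRUCTED_SIGNATURE_PLACEHOLDER"
)

if __name__ == "__main__":
    tags = parse_tag_list(SAMPLE_HEADER)
    print("key lookup:", key_record_name(tags))
    print("as received:", body_intact(SAMPLE_HEADER, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"billing", b"bi11ing")
    print("link altered:", body_intact(SAMPLE_HEADER, tampered))
    # Extra blank lines at the end are removed by canonicalization, so this still passes.
    print("extra blank lines:", body_intact(SAMPLE_HEADER, SAMPLE_BODY + b"\r\n\r\n"))
```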

Why DKIM matters beyond authentication

DKIM has one property SPF does not: it survives email forwarding. When an email is forwarded, the sending IP changes, which means SPF fails. But DKIM is attached to the message itself, not the server, so the signature remains valid even after forwarding. This is why DKIM is a stronger authentication signal than SPF alone.

DKIM setup checklist

  • DKIM key published in DNS for each sending domain
  • DKIM key length is at least 2048 bits (1024-bit keys are considered weak)
  • Selector name matches what your email provider expects
  • DKIM verified with a checker tool after setup
  • DKIM records updated when changing email providers

[Figure: DKIM signature verification process showing private key signing and public key verification]

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when an email claims to come from your domain but fails SPF or DKIM checks. It also gives you visibility: you receive reports about emails that pass or fail on your domain, which is how you find out if someone is spoofing you.

DMARC is what makes SPF and DKIM actionable. Without DMARC, receiving servers know an email failed authentication but have no instruction from you about what to do next. With DMARC, you control the outcome.

The three DMARC policy options

p=none: Monitor only

The receiving server takes no action on authentication failures. Emails that fail SPF or DKIM are still delivered normally. The only thing p=none does is generate reports that get sent to your DMARC reporting address.

When to use it: At the beginning of your DMARC implementation. You are watching the reports to understand your email traffic before you start enforcing anything.

p=quarantine: Send to spam

Emails that fail DMARC checks are sent to the spam or junk folder rather than the inbox. They are not rejected outright, but they are treated with suspicion.

When to use it: After reviewing your p=none reports and confirming that legitimate email is passing authentication. This is the minimum policy that Google and Yahoo require for bulk senders.

p=reject: Block entirely

Emails that fail DMARC checks are rejected entirely. The receiving server refuses to accept them and they are not delivered at all.

When to use it: When you have confirmed that all your legitimate sending sources are authenticated properly and you want maximum protection against spoofing.

What DMARC alignment means

DMARC requires alignment, which means the “From” domain in your email must match the domain in your SPF or DKIM record. This is what prevents attackers from using a legitimate SPF record from one domain to send email appearing to be from another. Strict alignment requires an exact match. Relaxed alignment (the default) allows subdomain matches. For most senders, relaxed alignment is the right setting.

What a DMARC record looks like

v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; pct=100

Use the Vortenza DMARC Record Generator to build a valid DMARC record for your domain without manually writing the syntax.
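
How a receiver combines the record with SPF and DKIM results, as an added example that is not part of the original guide: it parses a DMARC record, applies relaxed or strict alignment, and returns the DMARC result with the requested disposition. It assumes the organizational domain is the last two labels (real receivers use the Public Suffix List) and does not model pct= sampling; all domains and results are constructed.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Assumption for this example: the organizational domain is the last two
    labels. This is wrong for suffixes such as co.uk, which need the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition) for one message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("pass", "none")
    return ("fail", tags["p"])


SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:reports@example.test; pct=100"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@example.test"

# Constructed cases: (label, From domain, SPF result, SPF domain, DKIM result, DKIM d=)
SAMPLE_MESSAGES = [
    ("own mail server", "example.test", "pass", "example.test", "pass", "example.test"),
    ("third-party tool, vendor domains", "example.test", "pass", "bounce.vendor.test", "pass", "vendor.test"),
    ("third-party tool, own DKIM domain", "example.test", "pass", "bounce.vendor.test", "pass", "example.test"),
    ("forwarded, SPF broken", "example.test", "fail", "example.test", "pass", "example.test"),
    ("subdomain in From", "news.example.test", "pass", "example.test", "pass", "example.test"),
]

if __name__ == "__main__":
    for label, *fields in SAMPLE_MESSAGES:
        print(f"{label:36} relaxed={evaluate(SAMPLE_RECORD, *fields)} "
              f"strict={evaluate(STRICT_RECORD, *fields)}")
```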

DMARC setup checklist

  • SPF and DKIM are both configured and passing before adding DMARC
  • DMARC record published as a TXT record at _dmarc.yourdomain.com
  • Policy starts at p=none with a reporting address configured
  • Reports monitored weekly while at p=none
  • Policy upgraded to p=quarantine after confirming all legitimate email passes
  • Policy upgraded to p=reject once fully confident in authentication setup
  • pct= value set to 100 when ready for full enforcement

SPF vs DKIM vs DMARC

| Technology | Purpose | Protects Against | Required 2026 | Difficulty | Deliverability Impact |
| --- | --- | --- | --- | --- | --- |
| SPF | Lists authorized sending IPs | IP spoofing, unauthorized servers | Yes | Low | High |
| DKIM | Cryptographic email signature | Email tampering in transit | Yes | Medium | High |
| DMARC | Policy for auth failures + reporting | Domain spoofing, phishing | Yes (bulk senders) | Medium | Very high |
| BIMI | Brand logo display in inbox | Brand impersonation (visual) | No (optional) | High | Moderate (open rate) |

The impact column matters. SPF and DKIM each meaningfully improve deliverability on their own. But DMARC is the record that moves inbox placement the most because it signals to Gmail, Outlook, and Yahoo Mail that you are actively managing your domain's authentication. A domain with p=reject has demonstrably better inbox placement than one with p=none, all else being equal.

BIMI is worth knowing about: it is a newer standard that lets you display your brand logo next to authenticated emails in supporting inboxes. Gmail, Yahoo Mail, and Apple Mail support it. It requires a DMARC policy at p=quarantine or p=reject, plus a Verified Mark Certificate. It does not directly improve spam filter scores but it builds visual trust with recipients, which affects open rates.

Why emails go to spam even when authentication is configured

Authentication is necessary but not sufficient. This is the thing most guides miss.

Passing SPF, DKIM, and DMARC proves your emails are genuinely from you. It does not prove your emails are wanted. Gmail and Outlook use authentication as a baseline check, but they also weigh dozens of other signals when deciding where to place your email.

The direct answer: An email can have perfect authentication and still land in spam because of poor sender reputation, high complaint rates, low engagement history, sending to invalid addresses, or patterns associated with unsolicited mail.

Here is how authentication problems differ from reputation problems:

| Problem Type | Symptoms | Fix |
| --- | --- | --- |
| Missing SPF | High spam placement across all providers | Add SPF record to DNS |
| Missing DKIM | Emails fail forwarding, lower trust score | Configure DKIM with your email provider |
| Missing DMARC | Domain vulnerable to spoofing, lower Gmail trust | Add DMARC record starting at p=none |
| Poor sender reputation | Consistent spam placement even with auth passing | Reduce volume, clean list, improve engagement |
| High complaint rate | Sudden drop in inbox placement | Stop sending to disengaged segments immediately |
| Sending to bad lists | High bounce rate, spam trap hits | Validate and clean list before sending |
| Cold domain | Spam placement immediately at volume | Warm domain over 4-6 weeks from low volume |
| Low engagement | Gradual decline in inbox placement | Remove unengaged contacts from active sends |

Authentication is the floor. Reputation is the ceiling. You need both.

The Vortenza Email Spam Score Checker catches content-level issues in your emails alongside authentication problems, which gives you a more complete picture of why a specific email is landing in spam.

How to check if SPF, DKIM, and DMARC are working

The fastest way to check all three records at once is the Vortenza SPF DKIM DMARC Checker. Enter your domain name and it checks all three DNS records in real time, gives you a color-coded result for each, and shows you exactly what needs fixing in plain English.

What to verify for SPF:

  • The record exists and is the only SPF record on your domain
  • All current email sending sources are included
  • The record has 10 or fewer DNS lookups
  • The ~all or -all qualifier is present at the end

What to verify for DKIM:

  • A DKIM key exists in DNS for your domain
  • The key length is 2048 bits or greater
  • The selector matches what your email provider is using
  • A test email signed with DKIM passes verification

What to verify for DMARC:

  • A DMARC record exists at _dmarc.yourdomain.com
  • The policy is set to at least p=quarantine (for Google/Yahoo compliance)
  • A valid reporting email address is configured
  • You are actually reviewing the reports that arrive

Beyond the DNS checker, Google Postmaster Tools shows your sender reputation and authentication pass rates specifically for Gmail delivery. Set it up if you send any significant volume to Gmail. It is free and the data it provides is more useful than any third-party tool.

[Figure: Screenshot-style illustration of SPF, DKIM, DMARC checker results showing green pass indicators for all three records]

Common SPF, DKIM, and DMARC errors

Most authentication failures are caused by a small set of recurring mistakes.

| Error | Cause | Fix |
| --- | --- | --- |
| SPF PermError | Multiple SPF records on the same domain, or syntax error | Delete duplicate records, keep exactly one. Validate syntax. |
| SPF TempError | DNS lookup failed temporarily | Usually resolves itself. Check DNS provider status. |
| SPF too many lookups | More than 10 DNS lookups in the SPF chain | Flatten SPF record by replacing include: with explicit IPs, or use SPF flattening service |
| SPF SoftFail (~all) | Sending from IP not listed in SPF | Add the sending IP or service to your SPF record |
| SPF HardFail (-all) | Sending from IP not listed in SPF with strict policy | Same fix; review whether -all is the right choice before restoring strict mode |
| DKIM Fail | Private key mismatch, email modified in transit, or wrong selector | Regenerate DKIM key pair with your email provider, republish public key in DNS |
| DKIM None | No DKIM signature found | DKIM not configured with your email provider. Set it up. |
| DMARC Fail | SPF and DKIM both fail, or alignment fails | Fix underlying SPF or DKIM issue first. Check alignment settings. |
| DMARC alignment failure | "From" domain does not match SPF or DKIM domain | Use relaxed alignment (aspf=r; adkim=r) or align your sending domain properly |
| DMARC no reporting | Reports being generated but nobody is reading them | Set up a DMARC reporting mailbox and review weekly |

DMARC alignment failure is the one that confuses people most. You can have passing SPF and passing DKIM and still fail DMARC if the domain in your “From” header does not match the domain authenticated by SPF or DKIM. This happens most often when you are sending email via a third-party tool using their sending domain rather than your own.

Best practices for email deliverability in 2026

Authentication is table stakes. These are the practices that separate senders with consistent inbox placement from those who fight fires after every campaign.

Authentication

  • All three records (SPF, DKIM, DMARC) configured and passing
  • DMARC at p=quarantine minimum, ideally p=reject
  • Authentication records reviewed after adding any new email tool
  • DKIM keys rotated every 12 months as a security practice

List hygiene

  • Only send to addresses that opted in (no purchased or scraped lists)
  • Remove hard-bounce addresses immediately after each send
  • Suppress soft-bounce addresses after 3-5 consecutive failures
  • Remove contacts with zero engagement in the past 6 months

Domain warmup

  • New domains start at 20-50 emails per day and scale over 4-6 weeks
  • Warmup sends go to your most engaged, most likely-to-reply contacts
  • Volume increases stopped if complaint rate approaches 0.1%
  • Automated warmup tools treated as supplements to, not replacements for, real warmup

Sending consistency

  • Volume consistent with recent history (no sudden spikes)
  • Sending schedule regular and predictable
  • Avoid large single-day sends after weeks of inactivity

Monitoring

  • Google Postmaster Tools configured and checked weekly
  • DMARC reports reviewed to catch unauthorized use of your domain
  • Complaint rate tracked per campaign
  • Email deliverability score checked before major campaigns at Vortenza Email Deliverability Checker

Quick answers


Q: What is SPF in email?

A: SPF (Sender Policy Framework) is a DNS record that lists the IP addresses and mail servers authorized to send email on behalf of your domain. When an email arrives claiming to be from your domain, the receiving server checks whether the sending IP is on your SPF list. If it is not, the email fails SPF and is more likely to be treated as spam or rejected.

Q: What is DKIM?

A: DKIM (DomainKeys Identified Mail) is a cryptographic signature applied to every email you send. Your mail server signs the email with a private key. The public key is published in your DNS. Receiving servers use the public key to verify the signature and confirm the email was not altered in transit. A failed DKIM check means the email may have been tampered with or is not genuinely from your domain.

Q: What is DMARC?

A: DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS policy record that tells receiving mail servers what to do when an email fails SPF or DKIM checks. The three policy options are none (monitor only), quarantine (send to spam folder), and reject (block entirely). DMARC also enables reporting, so domain owners receive data about emails passing and failing on their domain.

Q: Do I need all three records or just one?

A: You need all three. SPF alone can be bypassed. DKIM alone does not tell receiving servers what to do when authentication fails. DMARC requires both SPF and DKIM to function properly. The full protection comes from all three working together, which is why Google and Yahoo now require all three for bulk senders.

Q: Does Gmail require DMARC?

A: Yes. Google made DMARC mandatory for anyone sending 5,000 or more emails per day to Gmail addresses starting February 2024. The minimum policy required is p=none, though p=quarantine or p=reject provides stronger protection. Yahoo implemented the same requirements at the same time.

Q: Can DMARC stop spam?

A: DMARC prevents domain spoofing, which stops a specific type of spam where an attacker sends emails appearing to come from your domain. It does not stop all spam. Spam sent from the attacker's own domain with valid authentication passes DMARC. DMARC primarily protects your domain from being used in phishing attacks against others.

Q: What is DMARC alignment?

A: DMARC alignment means the "From" domain in your email must match the domain authenticated by SPF or DKIM. This prevents attackers from using a legitimate SPF record from one domain to send email appearing to come from another. Relaxed alignment (the default) allows subdomain matches. Strict alignment requires an exact match.

Q: What does p=none mean in DMARC?

A: p=none is the monitoring-only DMARC policy. Emails that fail authentication are still delivered normally. The only effect of p=none is that you receive DMARC reports showing which emails are passing and failing. Most email security guidance recommends starting at p=none to understand your traffic before moving to p=quarantine or p=reject.

Q: What is the difference between SPF and DKIM?

A: SPF controls which servers can send email for your domain (IP-level authorization). DKIM signs the content of the email itself (message-level verification). SPF can fail after forwarding because the sending IP changes. DKIM survives forwarding because the signature is attached to the message, not the sending server. Both are needed because they protect against different failure modes.

Q: Why is my email failing DMARC even though SPF passes?

A: DMARC requires alignment, meaning the domain in your "From" header must match the domain that passed SPF or DKIM. If you are sending via a third-party platform using their domain for SPF but your domain in the "From" header, SPF passes but DMARC alignment fails. The fix is to either configure your own domain for SPF on that platform or ensure DKIM is passing with your domain.

Q: How long does it take for DNS changes to propagate?

A: DNS changes typically propagate within 15 minutes to a few hours, though some DNS providers or resolvers can take up to 48 hours. For most SPF, DKIM, and DMARC changes, you can verify propagation within 30-60 minutes using a real-time DNS checker.

Q: What is BIMI and does it require DMARC?

A: BIMI (Brand Indicators for Message Identification) displays your brand logo next to authenticated emails in supporting inboxes including Gmail, Yahoo Mail, and Apple Mail. It requires a DMARC policy of at least p=quarantine plus a published logo in SVG format. Full Gmail BIMI with a verified logo requires a Verified Mark Certificate from an authorized provider.

Q: What is a DKIM selector?

A: A DKIM selector is a name that identifies which DKIM public key to look up in DNS when verifying a signature. It appears in the DKIM-Signature header as s=selector_name. Using different selectors lets you rotate DKIM keys or use different keys for different sending services without breaking existing signatures.

Q: Can I have more than one SPF record?

A: No. You can only have one SPF record per domain. If you have two SPF records, SPF fails entirely because receiving servers cannot determine which one to use. If you need to authorize multiple sending sources, combine them all into a single SPF record using multiple include: statements.

Q: What is email spoofing?

A: Email spoofing is when an attacker sends an email with a forged "From" address, making it appear to come from a legitimate domain they do not control. SPF, DKIM, and DMARC together prevent spoofing by making it technically verifiable whether an email genuinely came from the claimed domain. Without these records, any mail server can impersonate any domain.

Frequently asked questions

What is the difference between SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC work at different layers of email authentication. SPF verifies that the server sending the email is authorized to send for your domain. DKIM verifies that the email content has not been changed since it was sent. DMARC tells receiving servers what to do when either of those checks fails, and provides reports so you can monitor your domain. All three are needed because each covers a different vulnerability. SPF stops unauthorized senders. DKIM stops tampering. DMARC enforces consequences and gives you visibility.

Do I need all three records if I only send a small volume of email?

Yes. Volume is not the deciding factor. Even if you send 100 emails per day, your domain can be spoofed by someone else sending millions of phishing emails using your domain name. The damage to your reputation happens regardless of your own sending volume. DMARC enforcement protects your domain from being used in attacks you have no part in. Low-volume senders who have DMARC p=reject configured are protected. Those without DMARC are exposed.

Why is my SPF failing even though I configured it correctly?

The most common reasons are: you have more than one SPF record on your domain (only one is allowed), you exceeded the 10 DNS lookup limit by including too many sending services, your SPF record does not include the sending server your email tool actually uses, or your email platform recently changed its IP ranges without notifying you. Check your SPF record at the Vortenza SPF DKIM DMARC Checker, verify you have only one record, and count your DNS lookups.

What happens if I set DMARC to p=reject too quickly?

If you move to p=reject before confirming that all your legitimate email passes SPF and DKIM with proper alignment, you will block your own emails. Common scenarios include a marketing tool that uses its own domain for SPF, a transactional email service not yet configured with DKIM, or a third-party app that sends notifications from your domain without authentication. Start at p=none, monitor reports for 2-4 weeks, move to p=quarantine, monitor again, then move to p=reject when you are confident all legitimate email passes.

How do I know if someone is spoofing my domain?

DMARC reports tell you. When DMARC is configured with a reporting email address, you receive aggregate reports showing every email that claims to come from your domain, whether it passed or failed authentication, and where it was sent from. If you see failures coming from IP addresses you do not recognize, someone may be attempting to spoof your domain. Review DMARC reports weekly. Many domain owners are surprised to find spoofing attempts they had no idea were happening.

Does DKIM work with email forwarding?

DKIM signatures survive forwarding more often than SPF, but not always. Simple forwarding (like a personal alias) preserves the DKIM signature. Email list forwarding or services that modify the email content (adding footers, changing subjects) break the DKIM signature because the content changes after signing. This is one reason DMARC with relaxed alignment is more forgiving in forwarding scenarios than DMARC with strict alignment.

How often should I rotate DKIM keys?

Security best practices recommend rotating DKIM keys every 6-12 months. The process involves generating a new key pair, publishing the new public key in DNS under a different selector name, configuring your mail server to sign with the new private key, and removing the old public key from DNS after confirming the new key is working. Key rotation limits the exposure window if a private key is ever compromised.

My DMARC reports are full of failures. Is that normal?

It depends on what is failing. If you see failures from IP addresses you recognize (your own email platforms), it means those services are not fully authenticated and you need to fix their SPF or DKIM configuration. If you see failures from IP addresses you do not recognize, someone may be attempting to spoof your domain. In either case, failures in DMARC reports are signals that something needs attention. The goal is to get all your own legitimate sending to show as passing, then move to p=reject to stop everything else.

Can I use a third-party service for DMARC reports?

Yes, and for high-volume senders it is worth considering. Raw DMARC reports arrive as XML files which are difficult to read directly. Services like Dmarcian, Valimail, and Postmark's DMARC reporting tool parse these reports into readable dashboards. For most small senders, reviewing the XML files with a basic parser or a free DMARC report reader is sufficient. The important thing is that someone is actually reading the reports.
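
A basic parser of the kind mentioned above, as an added example that is not part of the original guide: it reads one aggregate report, totals messages per source IP by DMARC outcome, and separates failing sources you recognize (fix their SPF or DKIM) from ones you do not (possible spoofing). The report, IP addresses and KNOWN_SENDERS set are constructed, and the sample assumes the common layout without an XML namespace. Because reports arrive from outside parties, the parser refuses documents that declare a DTD or entities.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report using the RFC 7489 element names.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>1800</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>"""

# Hypothetical inventory of IPs your own platforms send from.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}


def summarize(xml_text):
    """Return (passing, failing) Counters of message counts keyed by source IP."""
    lowered = xml_text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise ValueError("report declares a DTD or entities; refusing to parse")
    root = ET.fromstring(xml_text)
    passing, failing = Counter(), Counter()
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either passed.
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        (passing if "pass" in results else failing)[ip] += count
    return passing, failing


def triage(xml_text, known_senders):
    """Split failing sources into your own misconfigured senders and unknown ones."""
    _, failing = summarize(xml_text)
    own = {ip: n for ip, n in failing.items() if ip in known_senders}
    unknown = {ip: n for ip, n in failing.items() if ip not in known_senders}
    return own, unknown


if __name__ == "__main__":
    passing, failing = summarize(SAMPLE_REPORT)
    own, unknown = triage(SAMPLE_REPORT, KNOWN_SENDERS)
    print("passing:", dict(passing))
    print("fix authentication for:", own)
    print("unrecognized failing sources:", unknown)
```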

Does SPF have a character limit?

SPF records have a 255-character limit per TXT string in DNS, though most DNS providers allow longer records by chaining multiple strings. The practical limit you are more likely to hit is the 10 DNS lookup limit. When your SPF record includes too many include: references to other domains, each one counts as a lookup. Exceeding 10 lookups causes an SPF PermError, which means SPF fails for all email from your domain. If you are approaching this limit, SPF flattening tools can help.

What is the difference between DMARC p=quarantine and p=reject?

With p=quarantine, emails that fail DMARC checks are accepted by the receiving server but placed in the spam or junk folder rather than the inbox. With p=reject, failing emails are refused by the receiving server and never delivered. Quarantine is useful when you are not fully confident all your legitimate email is passing, since it gives you a safety margin. Reject is the appropriate final state once you have confirmed your authentication is complete. Both policies satisfy Google and Yahoo's 2024 bulk sender requirements.

How long does it take to set up SPF, DKIM, and DMARC?

For a simple setup with one email provider like Google Workspace or Microsoft 365, the technical configuration typically takes 30-60 minutes. SPF is usually already partially set up by your email provider during domain verification. DKIM requires generating keys and publishing them in DNS, which most providers walk you through. DMARC requires creating a TXT record, which takes about 5 minutes once you know what to put in it. The longer part is the monitoring phase after adding DMARC: plan 2-4 weeks at p=none reviewing reports before moving to enforcement.

Final thoughts

SPF, DKIM, and DMARC are not complicated. They feel complicated because most guides explain the syntax before explaining the purpose. Once you understand that SPF is an approved sender list, DKIM is a tamper-proof seal, and DMARC is a policy for what to do when those checks fail, the rest falls into place.

The practical sequence for most people:

  1. Check what you currently have configured at Vortenza SPF DKIM DMARC Checker. Takes 10 seconds.
  2. Fix any missing or broken records. SPF first, then DKIM, then DMARC.
  3. Start DMARC at p=none and review the reports for 2-4 weeks.
  4. Move to p=quarantine once your legitimate email is passing cleanly.
  5. Move to p=reject when you are confident the setup is complete.

Then check it again when you add any new email tool, because every new sending service needs to be included in your SPF record and configured with DKIM.

About this guide

Published by the Vortenza Editorial Team. Authentication requirements referenced from Google's Gmail Sender Guidelines (updated February 2024), Yahoo Mail Sender Requirements (updated February 2024), RFC 7208 (SPF), RFC 6376 (DKIM), and RFC 7489 (DMARC). Verizon DBIR phishing statistic from the 2024 Data Breach Investigations Report.
