SPF, DKIM and DMARC — keeping mail out of spam

The three records that prove your mail really is yours — without them, your messages land in spam.

6 min Updated 18 Jul 2026

If your business email keeps landing in spam, missing these three records is almost always the reason. They prove to the recipient that a message genuinely came from your domain.

Why they matter

The core email protocol has no authentication built in, which means anyone can send a message that appears to come from your address. SPF, DKIM and DMARC are the layers that close that hole. Without them, providers like Gmail and Outlook simply do not trust your mail.

SPF — who may send on my behalf

A TXT record on your root domain listing the authorised servers:

example.com.    TXT    "v=spf1 include:_spf.servernet.cloud ~all"

The key parts:

  • include: — authorises a provider's servers
  • ip4: — authorises a specific IP
  • ~all — everything else is treated as suspicious (softfail)
  • -all — everything else is explicitly rejected (stricter)

Two common mistakes: first, only one SPF record is allowed — create two and both become invalid. Second, every sending service you use (newsletter platform, CRM) must be included in that single record.

DKIM — a digital signature on your mail

DKIM signs each outgoing message with a private key and publishes the public key in DNS. The recipient verifies the signature and confirms the content was not altered in transit.

selector._domainkey.example.com.    TXT    "v=DKIM1; k=rsa; p=MIGfMA0..."

Your mail service generates the key value; you simply publish the record in DNS.

DMARC — what to do with suspicious mail

DMARC tells recipients what to do when SPF or DKIM fails, and asks them to send you reports:

_dmarc.example.com.    TXT    "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

The p value is your policy:

  • p=none — report only, take no action
  • p=quarantine — deliver to the spam folder
  • p=reject — do not deliver at all

The right rollout order

Order matters here — jumping straight to the strictest policy can block your own legitimate mail:

  1. Publish SPF first and leave it a few days.
  2. Enable and test DKIM.
  3. Add DMARC with p=none and read the reports.
  4. Once the reports confirm all your genuine senders authenticate correctly, move up to quarantine, then reject.

Verifying it worked

After publishing, send a test message to a Gmail address and open "show original". You should see PASS for both SPF and DKIM in the authentication section.

To review your domain's current records, use ServerNet's DNS lookup tool.

Was this page helpful?