If your business email keeps landing in spam, missing these three records is almost always the reason. They prove to the recipient that a message genuinely came from your domain.
Why they matter
The core email protocol has no authentication built in, which means anyone can send a message that appears to come from your address. SPF, DKIM and DMARC are the layers that close that hole. Without them, providers like Gmail and Outlook simply do not trust your mail.
SPF — who may send on my behalf
A TXT record on your root domain listing the authorised servers:
example.com. TXT "v=spf1 include:_spf.servernet.cloud ~all"
The key parts:
include:— authorises a provider's serversip4:— authorises a specific IP~all— everything else is treated as suspicious (softfail)-all— everything else is explicitly rejected (stricter)
Two common mistakes: first, only one SPF record is allowed — create two and both become invalid. Second, every sending service you use (newsletter platform, CRM) must be included in that single record.
DKIM — a digital signature on your mail
DKIM signs each outgoing message with a private key and publishes the public key in DNS. The recipient verifies the signature and confirms the content was not altered in transit.
selector._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
Your mail service generates the key value; you simply publish the record in DNS.
DMARC — what to do with suspicious mail
DMARC tells recipients what to do when SPF or DKIM fails, and asks them to send you reports:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
The p value is your policy:
p=none— report only, take no actionp=quarantine— deliver to the spam folderp=reject— do not deliver at all
The right rollout order
Order matters here — jumping straight to the strictest policy can block your own legitimate mail:
- Publish SPF first and leave it a few days.
- Enable and test DKIM.
- Add DMARC with
p=noneand read the reports. - Once the reports confirm all your genuine senders authenticate correctly, move up to
quarantine, thenreject.
Verifying it worked
After publishing, send a test message to a Gmail address and open "show original". You should see PASS for both SPF and DKIM in the authentication section.
To review your domain's current records, use ServerNet's DNS lookup tool.