SPF, DKIM & DMARC Explained (Plain-English Guide for Business Email)

If your business emails land in spam — or get rejected — the usual culprit is missing email authentication. SPF, DKIM, and DMARC are three DNS records that prove your mail is genuine. Here is what each does, in plain English.

8 min read · Updated June 2026

Why authentication matters

Mailbox providers like Gmail and Outlook receive enormous amounts of spam and spoofing. To decide what is trustworthy, they check whether a message is authenticated. Domains without SPF, DKIM, and DMARC are far more likely to be filtered to spam or blocked — and since 2024, Gmail and Yahoo require authentication for bulk senders.

SPF — who can send for your domain

SPF (Sender Policy Framework) is a TXT record listing the servers allowed to send email for your domain. When a receiver gets your mail, it checks that it came from an approved server.

A typical record looks like: v=spf1 mx ip4:203.0.113.10 -all. The -all at the end means "reject anything not listed."

DKIM — a tamper-proof signature

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message using a private key, which receivers verify against a public key published in your DNS. It proves the message really came from your domain and was not altered in transit.

DKIM is published as a TXT record at a selector, e.g. mail._domainkey.yourcompany.com.

DMARC — your policy and reports

DMARC ties SPF and DKIM together. It tells receivers what to do when a message fails (do nothing, quarantine to spam, or reject) and where to send reports.

Start gentle and tighten over time: p=none to monitor, then p=quarantine, then p=reject once you are confident. Example: v=DMARC1; p=quarantine; rua=mailto:postmaster@yourcompany.com.

Setting all three up the easy way

Getting the syntax exactly right by hand is error-prone. A guided setup that generates your DKIM key, gives you the precise SPF and DMARC values, and verifies each record live removes the guesswork. HavitoMail does this automatically per domain so your mail is authenticated from day one.

Frequently asked questions

Do I need all three of SPF, DKIM, and DMARC?

Yes. SPF and DKIM each cover part of the picture, and DMARC ties them together and is now expected by Gmail and Yahoo. Using all three gives the best deliverability and anti-spoofing protection.

Why are my emails going to spam?

The most common reasons are missing or misconfigured SPF/DKIM/DMARC, a brand-new domain with no reputation, or spam-trigger content. Fixing authentication is the first and biggest step.

What DMARC policy should I start with?

Start with p=none to monitor without affecting delivery, review the reports, then move to p=quarantine and finally p=reject as you confirm all legitimate mail passes.

Ready to set up professional email?

Get @yourcompany.com email with a guided DNS wizard. Free to start.

Start Free
Related: How to set up business email · How to add MX records · Email hosting · Why HavitoMail