SPF, DKIM, DMARC: the three records that get your email delivered

If business email keeps landing in spam — or worse, gets blocked entirely — these three DNS records are almost always why. Here's what each does and how to set them up.

SPF, DKIM, DMARC: the three records that get your email delivered

If business email from your domain keeps landing in spam — or worse, gets blocked outright — the cause is almost always missing or misconfigured DNS records. Three of them: SPF, DKIM, and DMARC. Here's what each one does and how to set them up correctly.

The 30-second version

  • SPF tells receiving mail servers which servers are allowed to send mail for your domain.
  • DKIM cryptographically signs each outgoing message so the recipient can verify the message wasn't forged or tampered with.
  • DMARC tells receiving servers what to do if SPF or DKIM fail — and lets you collect reports on attempted spoofing.

With all three correctly set up, your mail consistently lands in inboxes. Without them, you're rolling the dice on every send.

SPF (Sender Policy Framework)

SPF is a single TXT record in your domain's DNS that lists the IP addresses or hostnames authorized to send mail on your behalf. For a typical small business sending through Google Workspace, it'd be:

v=spf1 include:_spf.google.com ~all

Translation: "Servers in _spf.google.com can send for me; anything else, soft-fail."

If you also send transactional mail through SendGrid or Mailchimp, you include them too:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Common SPF mistakes: using +all (allows everyone — never do this), exceeding 10 DNS lookups in nested includes (SPF spec limit), forgetting to include a new mail provider after switching.

DKIM (DomainKeys Identified Mail)

DKIM uses public-key cryptography. Your mail server signs each outgoing message with a private key; the public key is published in your DNS as a TXT record. The recipient pulls your public key from DNS and verifies the signature.

You don't manually create the keys — your mail provider generates them and gives you the TXT record to paste. Google Workspace, Microsoft 365, and Modusdom Mailbox all walk you through this in their admin UI.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together and gives you a way to tell receivers: "If a message claiming to be from my domain fails SPF or DKIM, here's what to do."

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

The p= tag is the policy:

  • none — monitor only; receivers send you reports but don't block anything. Good for the first 30 days.
  • quarantine — send failing messages to spam.
  • reject — bounce failing messages outright. The strongest setting; use only after you've confirmed SPF and DKIM are clean.

How Modusdom sets this up for you

When you register a domain with Modusdom and add our Mailbox service:

  1. We provision the mailbox at OpenSRS Hosted Email.
  2. We automatically write the SPF record into your DNS zone.
  3. We automatically generate DKIM keys and publish the TXT records.
  4. We add a starter DMARC record (p=none) so you begin receiving reports.

You don't touch DNS. You don't paste anything. Mail just works.

How to verify your setup is correct

Send a test email to mail-tester.com — they give you a score and break down which authentication methods passed. Aim for 9/10 or higher.

You can also dig the records yourself with command-line tools:

dig TXT yourdomain.com           # SPF lives here
dig TXT _dmarc.yourdomain.com    # DMARC
dig TXT selector._domainkey.yourdomain.com   # DKIM (selector varies by provider)

Was this article helpful?

Build your business on a domain you actually own.

Search every ending in real time, get business email that lands in the inbox, and never get surprised at renewal — flat pricing, free WHOIS privacy, and a real human who answers.

No upsells at checkout · Free WHOIS privacy · Same price every year · Transfer out free, anytime

Find a domain See flat pricing