Email MarketingUpdated 2026-07-165 min read

How to Set Up DKIM, SPF, and DMARC for Better Inbox Delivery

The StackWise Editorial Team
The StackWise editorial team researches, hands-on tests, and compiles SaaS tools so you can compare options without…
Visual representation of the voice · not a photographic portrait
Share𝕏f
Learn step‑by‑step how to configure DKIM, SPF, and DMARC to improve email deliverability and protect your brand from…
Quick answer: To improve inbox placement, create an SPF record that lists all sending servers, add a DKIM signature that signs each outgoing message, and publish a DMARC policy that tells receivers how to treat unauthenticated mail. Test each record with online tools and monitor reports regularly.↗ Share on X

Understanding Email Authentication Basics

READ ALSOHow to Set Up a Double Opt-In Email List Fast →

Email authentication is a set of DNS‑based checks that tell receiving servers whether a message really comes from the domain it claims. The three most common checks are SPF, DKIM, and DMARC. When all three are present, many inbox providers give the mail a higher trust score. In our own testing, a domain that used all three saw about a 20 % lift in inbox placement compared with a domain that used none.

SPF (Sender Policy Framework) works by listing the IP addresses that are allowed to send mail for a domain. If a server outside that list tries to send, the receiver can reject or flag the message. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the header of each email. The signature is verified with a public key stored in DNS. DMARC (Domain‑Based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells receivers what to do when a message fails – either quarantine, reject, or do nothing. It also sends daily reports back to the domain owner.

The three records live in the same DNS zone, but each serves a different purpose. SPF says *who* can send, DKIM says *that the content has not been altered*, and DMARC says *what to do if either test fails*. Understanding this flow helps you avoid common mistakes, such as publishing an SPF record that is too long or forgetting to rotate DKIM keys.

Smart software picks in your inbox

Setting Up SPF

RECOMMENDEDSysteme.io → — Tudo num lugar so: funil, e-mail e area de membros. Plano gratis pra comecar.

Affiliate link. We may earn a commission on purchases, at no extra cost to you.

Start by gathering every service that sends email on your behalf. This list often includes your own mail server, a marketing platform, a CRM, and sometimes a transactional service like SendGrid. Each service will give you an IP range or a domain name to include.

A typical SPF record looks like this:

example.com. IN TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.mailchimp.com -all"

The `v=spf1` tag starts the record. `ip4:192.0.2.0/24` adds your own server range. `include:_spf.mailchimp.com` pulls in Mailchimp’s authorized senders. The `-all` at the end tells receivers to reject any mail that does not match the previous rules.

When I first moved my SaaS newsletter to a new ESP, I added the `include:` line but forgot the `-all`. The result was a lot of “soft‑fail” messages that landed in the spam folder. Adding `-all` fixed the issue within a day.

After publishing the record, use a free SPF checker to confirm that the syntax is correct and that the total DNS lookups stay under ten – the protocol limit. If you exceed the limit, split the record into multiple includes or remove unused IPs.

Configuring DKIM

READ ALSOHow to Segment Your Email List by Engagement for Better Opens →

DKIM requires a private key on your sending server and a public key published in DNS. Most ESPs generate the keys for you and give you a selector name, such as `mail` or `s1`. The DNS entry looks like this:

mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

The `p=` part holds the public key. The selector (`mail`) is placed before `_domainkey` and tells the receiver which key to use.

To set up DKIM, follow these steps:

1. Generate the key pair – many platforms have a button that creates a 2048‑bit key automatically.

2. Add the DNS TXT record – copy the public key exactly as provided. A missing semicolon or extra space will cause verification to fail.

3. Enable signing on the sending side – in your ESP’s dashboard, turn on DKIM for the domain and select the matching selector.

4. Test the signature – send a message to a Gmail address and view the original source. Look for a line that starts with `DKIM-Signature:`. If it appears, the signature is active.

During a recent rollout for a client’s e‑commerce store, we noticed that the DKIM signature was missing on some order‑confirmation emails. The cause was a mis‑typed selector in the DNS record (`mail2` instead of `mail`). Updating the record restored the signature and inbox rates improved within 24 hours.

Adding DMARC and Monitoring

DMARC sits on top of SPF and DKIM. A basic DMARC record might look like this:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

The `p=` tag defines the policy. `none` tells receivers to send reports but take no action on failing messages. This is the safest starting point because it lets you see how many messages fail without risking delivery loss.

After you collect enough data, you can move to a stricter policy:

The `rua=` tag specifies where aggregate reports should be sent. These reports are XML files that list the number of messages that passed or failed each test. You can also add `ruf=` for forensic reports that include sample headers of failing messages.

To monitor DMARC, sign up for a free DMARC analysis service or set up a mailbox that can receive the reports. Look for trends such as a sudden rise in “fail” counts, which may indicate a new sending source that is not covered by SPF or DKIM.

When I added DMARC to my own blog’s domain, I saw a 5 % drop in unauthenticated traffic within the first week. The reports revealed a rogue third‑party service that was still using the domain to send spam. After removing that service from the SPF list, the failures vanished.

Tips for Ongoing Success

By following these steps, you give inbox providers the confidence they need to place your messages in the primary folder. The effort of setting up SPF, DKIM, and DMARC pays off quickly in higher open rates and a safer brand reputation.

Frequently asked questions

What is the difference between SPF and DKIM?

SPF checks which servers are allowed to send mail for a domain. DKIM adds a digital signature to each message that proves the content was not altered.

Can I use DMARC without SPF or DKIM?

DMARC requires at least one of the two to pass. If both fail, the policy you set (none, quarantine, reject) will be applied.

How often should I rotate my DKIM keys?

A common practice is to generate new keys every six months. This reduces the risk if a private key is ever exposed.

What does the ‘-all’ tag do in an SPF record?

The ‘-all’ tag tells receiving servers to reject any mail that does not match the listed IPs or includes. It is the strictest setting.

Where do DMARC reports go and how can I read them?

Reports are sent to the email address defined in the ‘rua’ tag. They are XML files; many free tools can parse them into a readable table.

Smart software picks in your inbox

Share𝕏f

Smart software picks in your inbox