SPF, DKIM, and DMARC explained: a plain English guide for small businesses and SMEs

SPF, DKIM, and DMARC are three DNS records that prove your emails are genuinely from you. Here is what each one does, why it matters, and how to check you have them in place.

What is email authentication?

We see this all the time - your new email marketing platform told you to set up SPF and DKIM before your first send. Or your emails started landing in spam and someone mentioned DMARC may be the cause. Either way, you are now staring at a DNS panel wondering what any of it means.

Email authentication is the foundation of email security for any domain: a set of DNS records that prove to receiving mail servers that your emails genuinely came from you. Without them, anyone can send an email pretending to be from your business. Inbox providers know this, so they treat unauthenticated mail with suspicion, and increasingly with outright rejection.

Think of it like sending a physical letter - your domain is your business letterhead and return address. SPF is an approved-couriers list you register with the post office: only these delivery companies are authorised to carry letters with our address on them. DKIM is a wax seal on the envelope: the recipient can verify the seal is genuine and the letter has not been tampered with in transit. DMARC is your standing instruction to the post office: if a letter arrives claiming to be from us but fails either check, here is what to do with it.

A quick word before we start: this post contains an unreasonable number of acronyms. SPF. DKIM. DMARC. DNS. TXT. The people who named these things were apparently not thinking about the business owners who would one day have to implement them! We are sorry. To make up for it, we have woven a running analogy about sending physical letters through every section, because it turns out email authentication maps surprisingly well onto things the post office has been doing for centuries.

Why does email authentication matter for your business?

Without authentication, three things are working against you. First, your domain can be spoofed: someone can send emails pretending to be from your business, whether to defraud your customers or damage your reputation. Second, Google, Yahoo, and Outlook increasingly filter unauthenticated mail directly to spam or reject it before delivery. Third, marketing emails sent from platforms like Transpond or Mailchimp will underperform if DKIM is not linked to your sending domain, because the email appears to come from the platform’s infrastructure rather than yours.

Authentication is one of five core factors covered in our guide to email deliverability for small businesses and SMEs. This post goes deeper on the technical side of that single factor.

The good news is that you only set this up once per domain, and your email platform will give you the exact records to add.

What is SPF (Sender Policy Framework)?

Going back to the post office: imagine you file a list of approved couriers with Royal Mail. You specify that only Courier A and Courier B are authorised to deliver letters on your behalf. When any letter arrives claiming to be from your business, the receiving post office checks whether the delivery van belongs to one of your approved couriers. If the courier is not on the list, something is off. The letter might genuinely be yours sent via an unregistered service, or it might be a forgery. Either way, it gets flagged.

In practice, SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. It lists the mail servers that are allowed to send email on your behalf. Your email service provider (ESP) will give you the exact value to add, usually something like include:servers.youresp.com. Once it is in your DNS, receiving servers can verify that an email claiming to be from your domain actually came from an authorised source.

If you send from multiple platforms (for example, transactional emails from one tool and marketing campaigns from another), each platform needs to be included in the same SPF record, because a domain can have only one SPF record.
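The one-record-per-domain rule above is the most common SPF mistake, and the other is a record that grows past the ten DNS lookups a receiver will perform. The following checker is an added example (not code from the original post) that lints a domain's TXT records the way a receiving server reads them: it flags a missing or duplicated SPF record, counts the lookup-costing terms, and reports the final `all` qualifier. The TXT records are constructed; in practice you would paste in the output of `dig +short TXT yourdomain.com`. Included records are not fetched, so the lookup count covers only the top-level record (a real check also counts the lookups inside each `include`).

```python
"""Lint a domain's SPF record the way a receiving server reads it.

Added example, not code from the original post. TXT records are constructed.
Included records are not resolved, so the lookup count covers this record only.
"""
import re

# Terms that cost a DNS query when evaluated; RFC 7208 allows at most 10 in total.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def find_spf_records(txt_records):
    """Return only the TXT records that start with the SPF version tag."""
    return [r for r in txt_records if re.match(r"v=spf1(\s|$)", r, re.IGNORECASE)]


def lint_spf(txt_records):
    """Check a domain's TXT records and return a dict of findings.

    problems  - list of strings; an empty list means the record looks valid
    lookups   - number of DNS-querying terms in this record (limit 10)
    all_rule  - the final 'all' term with its qualifier, e.g. '-all'
    senders   - domains pulled in via include: or redirect=
    """
    findings = {"problems": [], "lookups": 0, "all_rule": None, "senders": []}
    spf = find_spf_records(txt_records)
    if not spf:
        findings["problems"].append("no SPF record found")
        return findings
    if len(spf) > 1:
        # Receivers treat two SPF records as a permanent error, so every
        # platform ends up unauthenticated, not just the one added last.
        findings["problems"].append(f"{len(spf)} SPF records found; only one is allowed")
        return findings

    for term in spf[0].split()[1:]:  # skip the 'v=spf1' version tag
        body = term.lstrip("+-~?")  # strip the optional qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            findings["all_rule"] = term
        elif name in LOOKUP_TERMS:
            findings["lookups"] += 1
        if name == "include":
            findings["senders"].append(body.partition(":")[2])
        elif name == "redirect":
            findings["senders"].append(body.partition("=")[2])

    if findings["all_rule"] is None:
        findings["problems"].append("record has no 'all' term; add ~all or -all at the end")
    elif findings["all_rule"] in ("+all", "all"):
        findings["problems"].append("'+all' authorises every server on the internet")
    if findings["lookups"] > MAX_LOOKUPS:
        findings["problems"].append(
            f"{findings['lookups']} DNS lookups exceeds the limit of {MAX_LOOKUPS}; receivers return permerror"
        )
    return findings


# Constructed sample: one SPF record plus an unrelated verification TXT record.
SAMPLE_TXT = [
    "google-site-verification=not-a-real-token",
    "v=spf1 include:servers.youresp.com ip4:203.0.113.10 -all",
]

if __name__ == "__main__":
    for key, value in lint_spf(SAMPLE_TXT).items():
        print(f"{key}: {value}")
```

Run it against the TXT records `dig` returns for your own domain. If `problems` lists two SPF records, merge the `include:` values into a single record rather than deleting one, or whichever platform you keep will still be fine while the other starts failing.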

What is DKIM (DomainKeys Identified Mail)?

The ‘wax seal’ in our analogy, representing DKIM, is worth dwelling on for a moment. When you seal a letter with your own signet ring, the recipient can look at the seal and verify it is yours. More usefully, if someone opened the envelope in transit and swapped out the letter, the seal would be broken or missing by the time it arrived. That broken seal tells the recipient that something happened to the letter before it reached them. DKIM does exactly the same job: your sending platform adds a unique digital signature to every outgoing email. If the email was tampered with at any point between leaving your platform and arriving in an inbox, the signature will not match and the email should not be trusted.

DKIM works using a public and private key pair. Your ESP (Email Service Provider) holds the private key and uses it to sign each outgoing message. You add the corresponding public key to your DNS as a TXT or CNAME record. The recipient’s server checks the signature against that public key automatically on arrival to confirm the email is legitimate.

When setting DKIM up, your ESP will provide one or two DNS records to add. It is a one-time setup step per platform, and most providers include a verification button so you can confirm it’s working before you send.
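The public key record your ESP gives you is easy to get wrong in DNS (a truncated paste, a DNS provider splitting the long value into several strings, or a key left empty after rotation), and each of those failures looks the same from the outside: every signature fails. The checker below is an added example, not code from the original post or from any ESP; it inspects the shape of a DKIM public-key record before you rely on the verification button. The record is constructed, and the key material is a placeholder blob of the right size for RSA-1024, not a real key. In practice the record lives at `selector._domainkey.yourdomain.com`, where `selector` is the name your ESP gave you, and `dig +short TXT` on that name may return it as several quoted strings that you join back together before checking.

```python
"""Check the shape of a DKIM public-key record before relying on it.

Added example, not code from the original post. The sample record is
constructed; its key material is zero bytes of the right length, not a real key.
"""
import base64
import binascii

# A 1024-bit RSA public key in DER (SubjectPublicKeyInfo) form is 162 bytes;
# anything shorter is below the 1024-bit minimum large inbox providers require.
MIN_RSA_DER_BYTES = 162


def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict (DKIM and DMARC use this syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_record(record):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        problems.append(f"unexpected version tag v={tags['v']}")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={key_type}")
    if "p" not in tags:
        problems.append("missing p= tag: no public key published")
    elif tags["p"] == "":
        problems.append("empty p= tag: the key is revoked, so every signature will fail")
    else:
        try:
            # Joined TXT strings can carry stray whitespace, so strip it before decoding.
            key_bytes = base64.b64decode("".join(tags["p"].split()), validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (typically a copy/paste error or a split TXT string)")
        else:
            if key_type == "rsa" and len(key_bytes) < MIN_RSA_DER_BYTES:
                problems.append(f"RSA key is only {len(key_bytes)} bytes of DER; below the 1024-bit minimum")
    return problems


# Constructed placeholder: 162 zero bytes base64-encoded, the size of an RSA-1024 key (not a real key).
FAKE_RSA_1024 = base64.b64encode(bytes(MIN_RSA_DER_BYTES)).decode()
SAMPLE_RECORD = f"v=DKIM1; k=rsa; p={FAKE_RSA_1024}"

if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_RECORD) or "DKIM record looks usable")
```

A record that fails the base64 check almost always means the value was split or truncated when it was entered; re-paste it from your ESP's setup page and compare the `p=` value character by character with what `dig` returns.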

What does DMARC do?

SPF and DKIM tell the post office how to recognise your legitimate mail. DMARC tells them what to do when something fails.

Going back to the analogy: DMARC is your standing instruction card, filed at the post office. If a letter arrives with your return address but fails the courier check or the seal check, do you want the post office to flag it and send you a report, hold it in a back room, or refuse delivery entirely? Without an instruction on file, the post office does whatever it likes with suspicious mail, and you never hear about it. DMARC gives you control over that decision, and crucially, it keeps you informed even when your initial policy is set to “do nothing, just tell me what is happening.”

DMARC is a TXT record added at _dmarc.yourdomain.com.

It has three policy levels:

| Policy | What happens | When to use it |
| --- | --- | --- |
| p=none | Nothing. You receive reports only. | Start here. Safe while getting set up. |
| p=quarantine | Failing mail goes to the spam folder. | Once you have confirmed legitimate mail passes. |
| p=reject | Failing mail is refused entirely. | Once everything is correctly configured. |

DMARC also sends aggregate reports to an email address you specify. These reports show which servers are sending mail using your domain, which is useful for spotting whether someone is spoofing you before they do serious damage.

How do SPF, DKIM, and DMARC work together?

SPF, DKIM, and DMARC are designed to work as a stack. A message passes DMARC only when SPF or DKIM passes, and the domain in the passing check must align with the “From” address your recipient actually sees. This alignment requirement is what prevents bad actors from passing SPF on their own infrastructure while spoofing your From address.

To close the analogy: SPF checks the courier, DKIM checks the seal, and DMARC decides what happens when either fails. All three together form a complete authentication stack for your business email. SPF alone is partial protection, and DKIM alone is partial protection. DMARC without the other two has nothing to act on.
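The policy table in the DMARC section and the alignment rule above are easiest to understand by watching a receiver apply them. The code below is an added example, not code from the original post: it parses a `_dmarc` TXT record with the defaults a receiver fills in, then decides pass or fail for a message from the From: domain, the SPF result on the envelope-sender domain, and the `d=` domain of any DKIM signature that verified. The record, domains and results are constructed. One simplification is stated as an assumption: relaxed alignment compares "organisational domains", which this code takes to be the last two labels of a name. Real receivers consult the Public Suffix List, so a domain such as example.co.uk would need that list to be handled correctly.

```python
"""Evaluate a message against a DMARC policy the way a receiving server does.

Added example, not code from the original post. The DMARC record, domains and
SPF/DKIM results are constructed. Assumption: the organisational domain used
for relaxed alignment is the last two labels of a name (real receivers use the
Public Suffix List).
"""


def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def parse_dmarc(record):
    """Read the _dmarc TXT record and fill in the defaults a receiver would apply."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= policy")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy p={tags['p']}")
    return {
        "policy": tags["p"],
        "subdomain_policy": tags.get("sp", tags["p"]),  # sp= falls back to p=
        "adkim": tags.get("adkim", "r"),  # r = relaxed, s = strict
        "aspf": tags.get("aspf", "r"),
        "pct": int(tags.get("pct", "100")),
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }


def org_domain(name):
    """Simplified organisational domain: the last two labels (assumption, see above)."""
    return ".".join(name.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(policy, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain  - the domain SPF was checked against (the envelope sender / MAIL FROM)
    dkim_domain - the d= value of a DKIM signature that verified, or None
    DMARC passes if at least one check passed AND its domain aligns with the From:
    domain the recipient sees; otherwise the published policy is applied.
    """
    spf_ok = spf_result == "pass" and spf_domain is not None and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and dkim_domain is not None and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["policy"]  # pct= sampling is not modelled here


# Constructed record for the domain 'example.com'.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; aspf=s"

if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_DMARC)
    # ESP signs with d=example.com but uses its own bounce domain for SPF: DKIM carries the pass.
    print(evaluate(policy, "example.com", "pass", "bounce.youresp.com", "pass", "example.com"))
    # Forged From: where SPF passes only for the sender's own domain: the policy applies.
    print(evaluate(policy, "example.com", "pass", "unrelated.example", "fail", None))
```

The first scenario in the `__main__` block is the everyday case for a marketing platform: SPF passes on the platform's bounce domain, which does not align, so the DKIM signature with `d=` set to your domain is what carries the DMARC pass. That is why the post stresses linking DKIM to your own sending domain.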

We configured the full authentication stack as part of a deliverability overhaul for a wealth management firm: no SPF, DKIM, or DMARC records were in place, marketing emails were landing in spam, and correcting authentication was the first and most impactful step. You can read more about how we fixed this firm’s email deliverability.

How do you check if SPF, DKIM, and DMARC are set up?

Two free tools cover most of what you need here.

MXToolbox has a free ‘SuperTool’ that checks SPF, DKIM, and DMARC records against your domain. Enter your domain name, run each lookup, and look for red errors. A green result means the record exists and is valid.

Google Postmaster Tools gives ongoing data on your sender reputation and authentication pass rates for mail sent to Gmail addresses. It is worth setting up if a significant portion of your contacts use Gmail.

If MXToolbox returns a red result on any of the three records, take the error message to your DNS provider or to your ESP’s support documentation. Both will have step-by-step guides.

TL;DR

  • SPF is a DNS record listing which mail servers are authorised to send on behalf of your domain. Your ESP gives you the value to add.
  • DKIM is a cryptographic signature added to each outgoing email and verified against a public key in your DNS. Also provided by your ESP.
  • DMARC is a policy record telling receiving servers what to do when SPF or DKIM fails. It also sends you reports on who is using your domain.
  • Providers often recommend starting DMARC with p=none, reviewing the reports (if there are any) for a few weeks, then moving to p=quarantine.
  • Use MXToolbox to check your current status. A red result on any of the three means action is needed.
  • Your ESP (Email Service Provider) almost certainly has a step-by-step guide for their platform specifically.

Not sure your email platform is set up correctly?

If your emails are landing in spam or you have never checked whether SPF, DKIM, and DMARC are in place, we can audit your domain configuration and walk you through what needs to change.