Understanding SPF, DKIM, and DMARC

Last updated: May 4, 2026

SPF, DKIM, and DMARC are three DNS records that work together to authenticate your emails and protect your domain from being used fraudulently. All three must be correctly configured for strong deliverability.

If you're using Stamina's DFY setup, these records are configured automatically. This article explains what each one does and why it matters.

SPF — Sender Policy Framework

SPF specifies which mail servers are authorized to send email on behalf of your domain. When an email arrives, the receiving server checks your domain's SPF record to verify the sending server is on the approved list.

If SPF fails: The email may be rejected or marked as spam by the receiving server.

Example SPF record:

v=spf1 include:_spf.google.com ~all

This record tells receiving servers that Google's mail servers are authorized to send email for your domain. The ~all at the end means emails from unlisted servers are flagged as suspicious (softfail) rather than rejected outright.

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email. The receiving server retrieves your public key from DNS and uses it to verify the signature — confirming the email came from you and wasn't altered in transit.

If DKIM fails: Emails may be treated as potentially tampered with, increasing spam filter risk.

DKIM is set up by generating a key pair in Google Admin Console (or your email provider) and publishing the public key as a DNS TXT record on your domain.

DMARC — Domain-based Message Authentication, Reporting & Conformance

DMARC builds on top of SPF and DKIM. It tells receiving servers what to do when an email fails authentication, and sends you aggregate reports on authentication results for your domain.

DMARC policies:

  • p=none — Monitor only. No action taken on failing emails. Good for initial setup while you verify records are working.

  • p=quarantine — Failing emails go to spam. Recommended once SPF and DKIM are confirmed.

  • p=reject — Failing emails are rejected entirely. Use only when you're confident in your authentication setup.

Example DMARC record:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Checking your records

Use MXToolbox to verify that all three records are published correctly and resolving as expected. Check each domain separately.