If you have ever had a customer tell you your email ended up in their spam folder, or if you have noticed replies dropping off without explanation, there is a good chance your email authentication records are either missing or misconfigured.
SPF, DKIM, and DMARC are three DNS records that tell receiving mail servers — Gmail, Outlook, and every other provider — that your emails are legitimate. Get them right and your emails land in inboxes. Get them wrong and they land in spam, or do not arrive at all.
This is not an exotic technical problem. Poorly configured email authentication is one of the most common issues we see. It affects businesses of all sizes and is almost always fixable.
Here is what each record does, why it matters, and what to check.
SPF — Sender Policy Framework
SPF is the first line of defence. It is a DNS record that lists which mail servers are authorised to send email on behalf of your domain.
When someone receives an email from you, their mail server checks your SPF record and asks: did this email come from a server I trust? If the answer is yes, the email passes the SPF check. If the answer is no — or if there is no SPF record at all — the email is more likely to be treated as suspicious.
A missing or incorrect SPF record is one of the most common reasons legitimate business emails end up in spam.
What a basic SPF record looks like:
v=spf1 include:yourmailprovider.com ~allThe ~all at the end is a “soft fail” — emails from unauthorised servers are marked as suspicious but not automatically rejected. ~all is the standard recommendation for most setups.
DKIM — DomainKeys Identified Mail
DKIM adds a digital signature to your outgoing emails. Think of it as a wax seal on a letter — the recipient can verify the seal is genuine and that the contents have not been tampered with in transit.
When you send an email, your mail server attaches a cryptographic signature generated using a private key. The receiving server then checks a corresponding public key published in your DNS records to verify the signature matches.
If the signature checks out, the email is confirmed as genuinely from your domain and unaltered. If there is no DKIM signature, or the signature does not match, receiving servers treat the email with more suspicion.
DKIM is particularly important for email deliverability because it builds a reputation for your domain over time. Mail servers track whether emails from your domain consistently pass DKIM checks — and that history affects where your emails land.
DMARC — Domain-based Message Authentication, Reporting and Conformance
DMARC sits on top of SPF and DKIM. It tells receiving mail servers what to do when an email fails those checks — and it gives you visibility into what is happening.
A DMARC record has three possible policies:
- None — monitor only, take no action on failures. Good starting point for a new setup.
- Quarantine — emails that fail checks go to the spam folder.
- Reject — emails that fail checks are not delivered at all.
DMARC also enables reporting. You can receive regular reports showing which emails are passing and failing authentication, which is useful for identifying misconfigured systems or spoofing attempts — where someone is pretending to send email from your domain.
Without a DMARC record, you have no visibility and no control over what happens when your email fails authentication checks.
A basic DMARC record:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.co.ukStart with p=none to get reporting data before moving to quarantine or reject.
Why all three matter together
SPF, DKIM, and DMARC work as a system. SPF confirms the sending server is authorised. DKIM confirms the message is genuine and unaltered. DMARC tells the receiving server what to do if either check fails — and reports back to you.
Having SPF but not DKIM leaves a gap. Having both but no DMARC means you have no policy and no visibility. All three working together gives your emails the best possible chance of landing in the inbox and protects your domain from being used to send spam by someone else.
How to check your current setup
The quickest way to check your SPF, DKIM, and DMARC records is to use a free tool like MXToolbox or Mail Tester. Enter your domain and you will get a clear report showing what is present, what is missing, and what is misconfigured.
Common issues to look for:
- No SPF record — add one via your DNS provider
- Multiple SPF records — you can only have one, merge them into a single record
- SPF includes too many lookups — SPF has a limit of ten DNS lookups, exceeding it causes failures
- No DKIM record — usually needs to be set up through your mail provider
- No DMARC record — add one starting with
p=noneand a reporting address
A note on shared hosting
If your website and email are on cheap shared hosting, there is an additional risk. Shared hosting environments mean your domain shares server resources with potentially hundreds of other sites. If another site on the same server gets used for spam, it can affect the reputation of all domains on that IP — including yours — regardless of whether your own records are correctly configured.
This is one of the less obvious reasons why hosting quality matters for email deliverability, not just website performance.
Getting it sorted
If you are not sure whether your SPF, DKIM, and DMARC records are correctly configured, it is worth checking. Misconfigured email authentication is one of those problems that sits quietly in the background costing you credibility and missed conversations until someone points it out.
If you need help reviewing or fixing your email setup, get in touch and we can take a look.
1418 provides hosting and business email support for businesses in Cumbria, including email authentication setup and deliverability fixes.