If your email campaigns are landing in spam, the problem may not be your copy. It may be your email authentication. SPF, DKIM, and DMARC help inbox providers verify that your emails are legitimate. Without them, your campaigns are more likely to be filtered, rejected, or treated as suspicious.
Why Email Authentication Matters
Inbox providers want to protect users from spoofing, phishing, spam, and unwanted bulk email. Authentication helps them answer: is this email really allowed to come from this domain? For B2B teams, authentication affects inbox placement, sender reputation, domain protection, campaign performance, and compliance with sender requirements from Google and Yahoo.
What Is SPF?
SPF (Sender Policy Framework) is a DNS record that lists which servers or platforms are allowed to send email for your domain. If you use Google Workspace, HubSpot, Mailchimp, or another platform, that service may need to be included in your SPF record.
Important SPF rules: use only one SPF record per domain, include all legitimate sending services, remove old services, and watch the 10 DNS lookup limit. SPF alone is not enough.
What Is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. Receiving servers check that signature to confirm the email was authorized and was not changed after sending. Most email platforms give you DKIM DNS records to add to your domain. Google recommends 2048-bit keys where supported.
What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It tells receiving servers what to do when messages fail authentication and gives domain owners reports about email activity.
Policy options: p=none (monitor only), p=quarantine (send failing messages to spam), p=reject (reject failing messages). Many companies start with p=none, review reports, then move toward stricter policies.
What Is Domain Alignment?
DMARC checks alignment — the visible From domain should align with the domain authenticated by SPF or DKIM. If your email says it is from sales@yourcompany.com, the authenticated sending domain should align with yourcompany.com.
Basic Setup Process
1. List every sending platform
Create a list of all services that send email from your domain: Google Workspace, HubSpot, sales engagement tools, marketing automation, support tools, billing tools, product notifications, transactional email providers. You cannot authenticate what you do not know exists.
2. Add SPF records carefully
Check your existing SPF record. Add approved senders without creating a second SPF record. One record, all legitimate senders included.
3. Enable DKIM for each platform
Log into each platform and follow its DKIM setup instructions. Add DNS records, wait for propagation, then verify inside the platform.
4. Publish a DMARC record
Start with monitoring: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. Once you understand your legitimate sending sources, move toward stricter enforcement.
5. Test and monitor
Send test emails and check headers. Use DNS and authentication testing tools to confirm SPF, DKIM, and DMARC pass. Monitor reports and reputation — authentication is not a one-time task.
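The checks from steps 2 to 5 can be scripted. The following is an added example, not code from the original article: it audits a set of TXT records for the one-SPF-record rule, the 10 DNS lookup limit (counting `include`, `a`, `mx`, `ptr`, `exists` and `redirect` terms, as RFC 7208 does), and the published DMARC policy. The `ZONE` data, the `.example` sender names and all function names are constructed for illustration; in practice the records would come from live DNS queries.

```python
# Constructed TXT data keyed by DNS name (sample values, not real DNS answers).
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.mail-a.example include:_spf.crm.example mx ~all"],
    "_spf.mail-a.example": ["v=spf1 include:_netblocks.mail-a.example ~all"],
    "_netblocks.mail-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 ip4:198.51.100.0/24 a ~all"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # terms that trigger a DNS query

def spf_records(zone, name):
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_spf_lookups(zone, name, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    recs = spf_records(zone, name)
    if name in path or len(recs) != 1:  # include loop, or missing/duplicate record
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        mech, _, arg = term.partition(":")
        if term.startswith("redirect="):
            mech, arg = "include", term.split("=", 1)[1]
        mech = mech.split("/")[0]  # "mx/24" -> "mx"
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                total += count_spf_lookups(zone, arg, path + (name,))
    return total

def dmarc_policy(zone, domain):
    recs = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(recs) != 1:
        return None  # missing or duplicated record
    return dict(p.strip().split("=", 1) for p in recs[0].split(";") if "=" in p).get("p")

def audit(zone, domain):
    """Return (spf_lookup_count, dmarc_policy, list_of_findings) for `domain`."""
    findings = []
    n = len(spf_records(zone, domain))
    if n != 1:
        findings.append(f"expected exactly one SPF record, found {n}")
    lookups = count_spf_lookups(zone, domain)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10)")
    policy = dmarc_policy(zone, domain)
    if policy in (None, "none"):
        findings.append(f"DMARC missing or monitor-only (p={policy})")
    return lookups, policy, findings
```

Calling `audit(ZONE, "yourdomain.com")` on the sample data reports 5 lookups and flags the monitor-only policy; a nested `include` counts once for itself plus everything inside the record it points to, which is how a short-looking SPF record can exceed the limit.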
Common Mistakes
Creating multiple SPF records, forgetting old tools in SPF, using a platform without DKIM enabled, publishing DMARC before knowing all senders, moving to p=reject too early, using misaligned From domains, and ignoring bounce and complaint rates.
FAQs
Do I need SPF, DKIM, and DMARC?
Yes. Google recommends all three, and bulk sender requirements from major inbox providers make authentication increasingly important for any serious email program.
What DMARC policy should I use first?
Start with p=none so you can monitor activity before enforcing quarantine or rejection. This lets you identify all legitimate senders first.
Can SPF, DKIM, and DMARC guarantee inbox placement?
No. They help with authentication, but inbox placement also depends on reputation, engagement, complaints, bounces, content, and sending behavior.