ColdConvert


SPF, DKIM, and DMARC: The Non-Technical Explanation

June 5, 2025 · 6 min read

SPF, DKIM, and DMARC are the three authentication standards that email receiving servers use to decide whether an incoming email is legitimate. Misconfigure any one of them and your emails land in spam or get rejected outright. Configure all three correctly and your emails have the best possible technical foundation for inbox placement.

Most non-technical founders and sales leaders understand these are important but cannot explain why. Here is the plain-English version — enough to set them up correctly and understand what to check when deliverability problems arise.

SPF: who is allowed to send

SPF (Sender Policy Framework) is a DNS record on your domain that lists which mail servers are authorised to send email from that domain. When a receiving server gets an email from your domain, it checks the SPF record to confirm the sending server is on the approved list. If it is not, the email fails SPF and is more likely to be marked as spam.

For cold email, SPF typically needs to include your email provider's servers — Google Workspace, Microsoft 365, or your sending tool. Your provider gives you the exact SPF record to add. The common mistake is having an SPF record that does not include all the servers actually sending from your domain, causing some emails to fail the check.

DKIM: proving the email has not been tampered with

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The signature is generated using a private key held by your mail server and can be verified by anyone with your public key, which is published in your DNS. Receiving servers use this to verify that the email actually came from the sender it claims to come from and has not been altered in transit.

DKIM setup involves generating a key pair and adding the public key to your DNS as a TXT record. Your email provider handles key generation — you just need to add the record they give you. Without DKIM, your emails lack a fundamental authenticity signal.

DMARC: what to do when checks fail

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy that tells receiving servers what to do when an email fails SPF or DKIM checks: do nothing, quarantine it (send to spam), or reject it entirely. It also allows you to receive reports about emails being sent from your domain, which surfaces fraud and misconfiguration.

Start with a DMARC policy of "none" while you audit your sending setup. Once you are confident everything that should be passing SPF and DKIM is passing, upgrade to "quarantine" and eventually "reject." Running DMARC at "reject" tells the world that you take email security seriously and makes your domain harder to spoof.
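To make the checks above concrete, here is a small audit script, added as an illustration and not taken from any provider's tooling. It inspects TXT records for the SPF mistake described earlier (a sending service missing from the record) and reports where a DMARC policy sits on the none, quarantine, reject path. The record values and the `spf.sendingtool.example` include are constructed sample data; in practice you would paste in the TXT records from your own DNS.

```python
# Added example: audit SPF and DMARC TXT records for the issues described above.
# All record values below are constructed sample data, not real DNS lookups.

def parse_tags(record):
    """Split a DMARC record ('v=DMARC1; p=none; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(txt_records, required_includes):
    """Check the domain's TXT records; required_includes lists the SPF
    include domain of every service that sends mail for the domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
    findings = [f"sender not authorised: {d}" for d in required_includes
                if d.lower() not in includes]
    if terms and terms[-1] in ("+all", "all"):
        findings.append("record ends in +all, which authorises every server")
    return findings

def audit_dmarc(txt_records):
    """Check the TXT records published at _dmarc.<your domain>."""
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy != "reject":
        findings.append(f"policy is '{policy}', not yet at reject")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

DOMAIN_TXT = ["v=spf1 include:_spf.google.com ~all", "site-verification=constructed"]
DMARC_TXT = ["v=DMARC1; p=none"]
REQUIRED = ["_spf.google.com", "spf.sendingtool.example"]  # second one is hypothetical

if __name__ == "__main__":
    print(audit_spf(DOMAIN_TXT, REQUIRED))
    print(audit_dmarc(DMARC_TXT))
```

An empty list from both functions means the records passed these particular checks; it does not replace reading the DMARC reports themselves.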
