Where do I add or modify SPF, DKIM, and DMARC records?

SPF, DKIM, and DMARC are DNS records. They require configuration within your domain's DNS settings. You will typically access these settings through your domain registrar (e.g., GoDaddy , Cloudflare ) or your DNS hosting provider. Once the records are added, they typically take a few hours to propagate across the internet.

My SPF, DKIM, and DMARC are all passing, but my emails still go to spam. Why?

Yes, it is possible for your emails to still go to spam even with correct SPF, DKIM, and DMARC. This can happen due to poor sender reputation, high bounce rates, sending to unengaged recipients, content issues (e.g., spammy keywords, broken links), or being listed on a blocklist (or blacklist). Email deliverability is a holistic effort that goes beyond just authentication.

What does a DMARC policy of p=none mean?

A DMARC policy of p=none means that receiving mail servers should take no action on emails that fail DMARC authentication. Instead, they send aggregate reports back to the domain owner. This is the recommended starting point for DMARC implementation, as it allows you to monitor email traffic and identify legitimate and unauthorized senders without risking the delivery of your valid emails. Once you have a clear picture, you can consider stricter policies like p=quarantine or p=reject .

Are there free DMARC reporting or analysis tools available?

Yes, many free DMARC report analyzers exist, and some DMARC monitoring services offer free tiers for low-volume senders. These tools parse the XML reports sent by receiving servers into an understandable format, allowing you to see which emails are passing or failing authentication. These reports are crucial for identifying and troubleshooting authentication issues and unauthorized use of your domain.

Best free tools to check DMARC, SPF, and email setup. - Tools - Email deliverability - Knowledge base

Ensuring your emails reach the inbox and are not flagged as spam requires robust email authentication. SPF, DKIM, and DMARC are the foundational pillars of this authentication, verifying your sender identity and protecting your domain from spoofing and phishing attacks. Properly configuring these records is critical, but just as important is regularly checking their setup.

Without correct implementation, your legitimate emails could end up in spam folders, or worse, attackers could impersonate your domain, damaging your reputation and exposing your recipients to fraud. Fortunately, a variety of free tools exist to help you verify your email setup and ensure these crucial records are properly configured.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding email authentication protocols

Before diving into the tools, it is helpful to understand what each of these email authentication protocols does.

SPF (Sender Policy Framework): This DNS TXT record specifies which mail servers are authorized to send email on behalf of your domain. It helps receiving servers verify that incoming mail from a domain comes from an IP address authorized by that domain's administrators.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails, allowing the recipient's server to verify that the email was indeed sent by the domain it claims to be from and that it has not been tampered with in transit. This authentication uses cryptographic keys.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC builds upon SPF and DKIM, providing a framework for email senders and receivers to improve email security. It tells receiving servers what to do with emails that fail SPF or DKIM authentication, and it provides reporting back to the sender on email authentication results. You can read a simple guide to DMARC, SPF, and DKIM for more in-depth information.

These three protocols work in conjunction to create a robust email authentication ecosystem, making it harder for unauthorized parties to send emails using your domain. Ensuring their proper configuration is a cornerstone of good email deliverability.

The importance of regular authentication checks

Regularly checking your DMARC, SPF, and DKIM records is not a one-time task. DNS changes, new email sending services, or even subtle misconfigurations can disrupt your email authentication. Free tools provide an easy way to quickly diagnose issues and ensure your records are always in order.

The major email providers, such as Google and Microsoft, increasingly rely on these authentication standards to filter out spam and protect their users. Failing to meet these standards can lead to your emails being rejected or sent straight to the junk folder, severely impacting your deliverability and communication effectiveness. Knowing why your emails are going to spam is the first step toward fixing it.

Best practices for email authentication checks

Regular schedule: Make checking your records a routine task, especially after any DNS changes or onboarding new email service providers.
Multiple tools: Different tools may highlight different aspects or provide unique insights into potential issues.
Review reports: For DMARC, actively review the aggregate reports (RUA) to monitor email traffic and identify unauthorized senders. We also have a dedicated guide on troubleshooting DMARC reports.

By incorporating these checks into your routine, you can proactively address issues and maintain a strong sending reputation. The goal is to keep your email streams healthy and ensure your messages reach their intended recipients.

Exploring free tools for record validation

Many excellent free tools are available online that can help you quickly verify your SPF, DKIM, and DMARC records. These tools typically work by querying your domain's DNS records and presenting the information in an easily digestible format, highlighting any errors or misconfigurations.

Checking your records

When you use a checker, it retrieves the current DNS records for your domain. For SPF, it looks for a TXT record starting with v=spf1. For DKIM, it checks for a TXT record containing your public key, typically at a subdomain like selector._domainkey.yourdomain.com. DMARC checkers also look for a TXT record at _dmarc.yourdomain.com.

Example SPF record

v=spf1 include:_spf.google.com ~all

Common tool types

DNS record checkers: These tools allow you to input your domain and instantly retrieve your SPF, DKIM, and DMARC TXT records, validating their syntax and content. You can verify your DMARC, DKIM, and SPF setup with several such tools.
Email testing services: Some services provide a unique email address to send a test message to, then analyze its headers for authentication passes, spam scores, and other deliverability factors. aboutmy.email and wombatmail.com/tools/ are examples of these.
DMARC report analyzers: While many are paid, some offer free tiers or trials to help parse DMARC XML reports into human-readable formats. These tools are invaluable for understanding your email ecosystem. We also have a dedicated guide on the best DMARC monitoring tools.

Some widely used free tools for checking your email setup include learndmarc.com, redsift.com/tools/investigate, and mailchecker.net. Each offers a slightly different interface and depth of analysis, making it beneficial to consult a few to get a comprehensive picture of your setup.

Decoding the results and next steps

Once you run a check, the tool will provide feedback on your SPF, DKIM, and DMARC records. It is important to understand what the results mean and how to act on them. Look for clear indications of 'pass' or 'fail' for each record.

Interpreting common results

SPF pass: Indicates your sending IP is authorized. Check for PermError if the record is too complex (more than 10 DNS lookups). Sometimes emails can still fail at Microsoft due to SPF DNS timeouts.
DKIM pass: Means your digital signature is valid. If it fails, check your DKIM selector and public key for errors.
DMARC pass: Both SPF and DKIM are aligned and authenticated. A p=none policy allows you to collect reports without affecting email delivery, which is ideal for initial monitoring. After monitoring, you can look into transitioning your DMARC policy.
No record found: This means the record is missing from your DNS. You will need to add the appropriate TXT entry via your domain registrar or DNS hosting provider.

If a tool indicates a failure or warning, investigate the specific error message. Common issues include typos in records, incorrect syntax, or too many include mechanisms in SPF that lead to PermError failures. Refer to the documentation provided by your email service provider or the authentication protocol specifications for guidance on corrections.

Remember that DNS changes can take time to propagate globally (up to 48 hours), so re-check after a reasonable interval if you have just made adjustments.

Beyond authentication: holistic email health

While SPF, DKIM, and DMARC are crucial, a comprehensive email setup involves more than just these three protocols. You also need to consider your IP and domain reputation. Falling onto a blocklist (or blacklist) can severely impact your deliverability, regardless of your authentication setup.

Monitoring your domain's presence on major email blocklists (sometimes called blacklists) is essential. There are free tools to check if your sender IP is blacklisted, and it is a good practice to use them periodically. An in-depth guide to email blocklists can provide more context on their function and impact.

Maintaining a clean sending reputation also involves managing bounce rates, avoiding spam traps, and sending relevant content to engaged subscribers. While free tools for authentication checks are a great starting point, a truly robust email deliverability strategy involves continuous monitoring and adherence to best practices across all these areas. You can also run a comprehensive email deliverability test to catch more subtle issues.

Views from the trenches

Best practices

Always test your email authentication records after any DNS changes.

Use multiple free tools to get varied insights into your SPF, DKIM, and DMARC setup.

Regularly review your DMARC reports to identify potential spoofing attempts or misconfigurations.

Ensure your SPF record does not exceed the 10-DNS-lookup limit to avoid PermErrors.

Keep your email lists clean to minimize bounces and maintain a good sender reputation.

Common pitfalls

Forgetting to update SPF records when adding new email sending services.

Having multiple SPF TXT records on a single domain, which is not allowed and causes failures.

Not implementing DMARC after SPF and DKIM, leaving your domain vulnerable to spoofing.

Setting a DMARC policy to reject too early without proper monitoring and analysis.

Ignoring DMARC aggregate reports, missing critical insights into email authentication failures.

Expert tips

Consider generating a DMARC record with a 'p=none' policy initially to gather data before enforcing stricter policies.

Use DNS lookup tools to verify SPF and DKIM record presence and syntax immediately after publishing them.

Implement BIMI (Brand Indicators for Message Identification) once DMARC is enforced to display your logo in inboxes.

A solid email authentication setup (SPF, DKIM, DMARC) is the first line of defense against phishing and spoofing.

Don't overlook email content and recipient engagement; these also significantly impact deliverability.

Expert view

Expert from Email Geeks says that learndmarc.com is a very effective tool for checking DMARC records.

2024-05-15 - Email Geeks

Marketer view

Marketer from Email Geeks says that redsift.com/tools/investigate is also a useful option for comprehensive email authentication checks.

2024-05-15 - Email Geeks

Maintaining a strong email presence

Email authentication is a non-negotiable aspect of modern email deliverability and security. Free tools for checking SPF, DKIM, and DMARC provide accessible and effective ways to ensure your domain is properly configured and protected against impersonation.

By regularly utilizing these resources and understanding their output, you can maintain a healthy email ecosystem, improve your sender reputation, and ultimately ensure your messages consistently reach the inbox. Proactive checks are key to preventing deliverability issues and safeguarding your brand's integrity.