Email Deliverability: SPF, DKIM & DMARC


You send an email. Will it reach the inbox, land in spam, or disappear entirely? Email deliverability depends on many factors, but authentication is foundational.

SPF, DKIM, and DMARC are the three pillars of email authentication. Without them, your emails are more likely to be marked as spam—or worse, someone could send emails pretending to be you.

The Problem: Email Spoofing

Email’s original design has no verification. Anyone can claim to send “from” any address. Spammers and phishers exploit this constantly:

From: [email protected]
Subject: Urgent wire transfer needed

Without authentication, receiving servers can’t verify this actually came from your company. SPF, DKIM, and DMARC fix this.

SPF: Who Can Send on Your Behalf

SPF (Sender Policy Framework) is a DNS record listing authorized senders for your domain.

How SPF Works

  1. You publish an SPF record in DNS
  2. Receiving server checks if the sending IP is in that list
  3. If not authorized, the email fails SPF

SPF Record Syntax

v=spf1 include:_spf.google.com include:sendgrid.net -all

Breaking this down:

  • v=spf1 - Version identifier
  • include:_spf.google.com - Authorize Google Workspace IPs
  • include:sendgrid.net - Authorize SendGrid IPs
  • -all - Reject all other senders (hard fail)

SPF Mechanisms

Mechanism        | Purpose
---------------- | --------------------------------
include:domain   | Include another domain's SPF
ip4:1.2.3.4      | Authorize specific IPv4
ip6:2001:db8::1  | Authorize specific IPv6
a                | Authorize domain's A record IPs
mx               | Authorize domain's mail servers

SPF Qualifiers

Qualifier    | Meaning   | Result
------------ | --------- | ---------------
+ (default)  | Pass      | Accept
-            | Hard fail | Reject
~            | Soft fail | Mark suspicious
?            | Neutral   | No policy

Use ~all during testing, -all for production.

DKIM: Cryptographic Signatures

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails.

How DKIM Works

  1. Your mail server signs each email with a private key
  2. The signature is added as a header
  3. The public key is published in DNS
  4. Receiving servers verify the signature

DKIM DNS Record

google._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIIBIj..."

  • google._domainkey - Selector + _domainkey
  • v=DKIM1 - Version
  • k=rsa - Key type
  • p=MIIBIj... - Public key (base64 encoded)

DKIM Benefits

  • Proves email wasn’t modified in transit
  • Links email to your domain cryptographically
  • Survives forwarding (unlike SPF)

Most email providers (Google, Microsoft, SendGrid) handle DKIM signing automatically—you just add the DNS record they provide.

DMARC: The Policy Layer

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together with a policy.

How DMARC Works

  1. Email arrives claiming to be from your domain
  2. Receiving server checks SPF and DKIM
  3. DMARC verifies “alignment” (domains match)
  4. Policy determines what happens to failures

DMARC Record Syntax

_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

  • v=DMARC1 - Version
  • p=quarantine - Policy for failures
  • rua=mailto:... - Where to send aggregate reports

DMARC Policies

Policy      | Action
----------- | ---------------------------
none        | Monitor only, don't reject
quarantine  | Send to spam
reject      | Block entirely

Start with none to monitor, then move to quarantine or reject once you’re confident legitimate email passes.

DMARC Alignment

DMARC requires “alignment”—the From domain must match SPF or DKIM domains:

  • SPF alignment: Return-Path domain matches From domain
  • DKIM alignment: DKIM d= domain matches From domain

If neither aligns, DMARC fails even if SPF and DKIM individually pass.

The Complete Picture

For an email to pass all authentication:

  1. SPF: Sending IP is authorized for the domain
  2. DKIM: Signature is valid and verifiable
  3. DMARC: SPF or DKIM passes with proper alignment

All three work together. SPF alone can be defeated by forwarding. DKIM alone doesn’t set policy. DMARC needs both to be meaningful.

Implementation Steps

1. Audit Current State

Check what you have now. Our Email Deliverability Checker shows:

  • Existing SPF record (if any)
  • DKIM selectors detected
  • DMARC policy
  • MX record configuration
  • Blacklist status

2. Set Up SPF

List all services that send email as your domain:

  • Your email provider (Google, Microsoft)
  • Marketing tools (Mailchimp, HubSpot)
  • Transactional email (SendGrid, Postmark)
  • Your own servers

Create the record:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

3. Configure DKIM

Each sending service provides DKIM keys:

  1. Generate keys in their dashboard
  2. Add the TXT record they provide
  3. Enable signing in their settings

Repeat for each service that sends as your domain.

4. Add DMARC

Start with monitoring:

v=DMARC1; p=none; rua=mailto:[email protected]

Review reports for a few weeks. Once you’re confident legitimate email passes, upgrade to quarantine or reject.

Common Issues

SPF Too Long

SPF allows at most 10 DNS lookups per evaluation, and every include: counts as one (lookups inside nested includes count too). Exceeding the limit produces a permanent error, so the whole record fails rather than just the extra entries.

Solutions:

  • Consolidate providers
  • Use IP ranges instead of includes where possible
  • SPF flattening services (with caveats)
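To make the SPF syntax, qualifiers and the 10-lookup limit concrete, here is an added example (written for this article, not code from any provider or checker) that parses a record, follows include: chains and evaluates a sender IP. It uses a constructed in-memory table in place of real DNS, only models ip4/ip6/include/all, and approximates the organizational details of RFC 7208.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups; these are not real records.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 ~all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed

def check_spf(domain, ip, dns=FAKE_DNS, lookups=None):
    """Evaluate ip against domain's SPF record; return (result, lookups_used)."""
    lookups = [0] if lookups is None else lookups  # shared counter across includes
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, value in parse_spf(dns[domain]):
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]  # the whole record is now unusable
            sub_result, _ = check_spf(value, ip, dns, lookups)
            if sub_result == "permerror":
                return "permerror", lookups[0]
            matched = sub_result == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False  # a, mx, ptr, exists (also lookups) are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier], lookups[0]
    return "neutral", lookups[0]  # no mechanism matched and no "all" term
```

Feeding it a record with eleven include: entries shows the failure mode from the section above: the result is "permerror" for every sender, not a partial match.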

Missing DKIM for Some Services

Each service needs its own DKIM setup. If one is missing, those emails fail DKIM (though they may pass SPF).

Forwarded Email Fails

When emails are forwarded, SPF fails (new sender IP). DKIM usually survives. This is why DMARC allows passing with just DKIM alignment.

Strict vs Relaxed Alignment

DMARC alignment can be:

  • strict: Exact domain match required
  • relaxed: Subdomains allowed (default)

Relaxed is usually fine and more forgiving for legitimate email.
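The alignment rules from the DMARC Alignment section and the strict/relaxed distinction above, as an added example (written for this article, not any verifier's real code). It assumes the DMARC record tags aspf and adkim (values r for relaxed, the default, and s for strict) select the alignment mode, and it approximates the organizational domain as the last two labels, where real verifiers consult the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=quarantine; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def organizational_domain(domain):
    """Simplification: last two labels. Real verifiers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed (mode 'r', the default) accepts subdomains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def dmarc_evaluate(record, from_domain, spf_result, return_path_domain, dkim_result, dkim_d):
    """Return (dmarc_result, disposition) for one message, given its SPF/DKIM outcomes."""
    tags = parse_dmarc(record)
    # An identifier only helps if its check passed AND its domain aligns with the From domain.
    spf_ok = spf_result == "pass" and aligned(from_domain, return_path_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "spam", "reject": "reject"}[tags["p"]]
    return "fail", disposition
```

The forwarded-mail case passes on DKIM alignment alone, while a message whose SPF and DKIM both pass for some other domain fails and gets the disposition set by p=.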

Monitoring

DMARC Reports

Aggregate reports (sent to rua address) show:

  • Who’s sending as your domain
  • Pass/fail rates
  • Authentication results

Use a DMARC report analyzer to make sense of the XML.

Check Regularly

Email configuration can break when:

  • Providers change IP ranges
  • New tools are added without authentication
  • DNS records accidentally deleted

Check periodically with our Email Deliverability Checker.

Impact on Deliverability

Major providers (Google, Microsoft) increasingly require authentication:

  • Gmail requires SPF or DKIM for all senders
  • Bulk senders (5000+ daily) need DMARC with p=quarantine or p=reject
  • Missing authentication = higher spam likelihood

Authentication is no longer optional for serious email delivery.

Take Action

  1. Check your current setup with Email Deliverability Checker
  2. Verify SPF includes all your sending services
  3. Confirm DKIM is configured for each sender
  4. Start DMARC monitoring if not already in place

For help with email configuration or deliverability issues, reach out.