SPF, DKIM and DMARC: what you need for email on your own domain
You send emails from info@yourbusiness.com — professional. But if clients aren’t receiving your emails, or they keep ending up in spam, the most likely cause is that SPF, DKIM or DMARC isn’t set up correctly. Here’s what those three terms mean and what you minimally need.
Why emails end up in spam
A receiving email server doesn’t automatically know whether you’re really the owner of yourbusiness.com. Anyone can technically send an email with that sender address — that’s called spoofing. SPF, DKIM and DMARC are three DNS records that prove you’re the legitimate sender.
Without those records, your email scores lower on trustworthiness. With strict mail providers (Gmail, Outlook, large companies) it goes straight to spam or gets rejected.
SPF — who is allowed to send email?
SPF (Sender Policy Framework) is a list of servers allowed to send email on behalf of your domain.
You set it as a TXT record in your DNS. It looks like this:
v=spf1 include:_spf.google.com ~all
This says: “Only Google servers may send email from my domain.” The ~all at the end means other senders get marked as suspicious (but not outright rejected — that’s what DMARC does).
What you need: the SPF record from your email provider. Google Workspace, Zoho, Microsoft 365 — they each provide their own SPF instructions.
DKIM — is the email authentic?
DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. The receiving server can verify that signature via a public key in your DNS.
Without DKIM, the recipient doesn’t know whether your email was tampered with in transit.
Your DKIM record looks like this (simplified):
default._domainkey.yourbusiness.com TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
You get the exact key from your email provider. You don’t need to generate it yourself — just insert it into your DNS.
DMARC — what happens on failure?
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and determines what should happen if an email passes neither check.
A simple DMARC record:
_dmarc.yourbusiness.com TXT "v=DMARC1; p=none; rua=mailto:info@yourbusiness.com"
- p=none: emails are not rejected, you just receive reports. Good to start with.
- p=quarantine: suspicious emails go to spam.
- p=reject: suspicious emails are fully rejected. Maximum security, but only set this once you’re sure your own emails pass correctly.
Start with p=none and move to p=quarantine or p=reject once you’ve confirmed your own emails are going through cleanly.
The minimum configuration
For business email on your own domain you minimally need:
- SPF — from your email provider
- DKIM — from your email provider
- DMARC — create yourself, start with p=none
Without these three records you risk business emails not arriving, especially to recipients using Gmail or Microsoft 365.
How to check if everything is correct
Use a free tool like MXToolbox or Mail Tester. Enter your domain and you’ll immediately see what’s missing or wrong.
When do you need help?
Setting up these records is technical but not complicated if you know what you’re doing. Problems I often see:
- Two SPF records at the same time (not allowed — merge everything into one record)
- DKIM key copied incorrectly (one wrong character is enough to fail)
- DMARC record with a syntax error
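The three problems in this list can be caught offline before a record is published. The following is an added example, not part of the original article: the function names and sample records are constructed for illustration, and the input is the TXT strings as you would paste them into your DNS panel.

```python
import base64

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags

def check_spf(txt_records):
    """txt_records: every TXT string published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records, merge into one"]
    return [] if spf else ["no SPF record"]

def check_dkim(record):
    # Catches stray characters and truncation in p=, not a wrong-but-valid character.
    try:
        key = "".join(parse_tags(record).get("p", "").split())
        base64.b64decode(key, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        return [f"DKIM record invalid: {exc}"]
    return [] if key else ["p= missing or empty"]

def check_dmarc(record):
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [f"DMARC record invalid: {exc}"]
    problems = []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.startswith("mailto:"):
            problems.append(f"rua address {uri!r} lacks mailto:")
    return problems

# Constructed sample records showing the three mistakes (placeholder values).
APEX_TXT = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:spf.example.net ~all"]
DKIM_TXT = "v=DKIM1; k=rsa; p=QUJDREVGR0g"  # trailing '=' lost while copying
DMARC_TXT = "v=DMARC1; p=monitor; rua=info@yourbusiness.com"

if __name__ == "__main__":
    print(check_spf(APEX_TXT), check_dkim(DKIM_TXT), check_dmarc(DMARC_TXT), sep="\n")
```

An empty list from each function means the record passed these syntax checks; it does not confirm that the key or the listed servers match what your email provider actually uses.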
If your emails consistently land in spam or get rejected, I fix this in a single session. I check your DNS records, set everything up correctly and verify the result.
Don’t have a business email address yet? Read first how to create a professional email address on your own domain.
Need help? Get in touch.