What are SPF, DKIM, and DMARC records?

Home / Everything About / Everything About Professional Emails / What are SPF, DKIM, and DMARC records?

Three TXT records sit in your DNS panel. Most business owners never open them. Yet those three settings decide whether your invoice lands in a client's inbox or gets flagged as suspicious.

SPF, DKIM, and DMARC records are the core authentication layer for business email. Together they tell receiving servers which mail is really from your domain and what to do with messages that fail the check. You may have seen them listed in DNS records for custom domain email. This chapter goes deeper on each one and why you need all three.

What are SPF, DKIM, and DMARC records?

These are DNS entries that verify outbound email from your domain. SPF lists approved sending servers. DKIM adds a cryptographic signature to each message. DMARC sets policy and reporting when the first two checks fail. Inbox providers weigh all three when they score your mail.

What each record does

1. SPF (Sender Policy Framework)

SPF is a TXT record that names the servers allowed to send mail for your domain. When a message arrives, the receiving server compares the sending IP to your SPF list. If the server is not listed, the message may fail authentication.

2. DKIM (DomainKeys Identified Mail)

DKIM attaches a digital signature to outgoing messages. Your host signs mail with a private key. A matching public key in your DNS lets receivers verify nothing changed in transit. DKIM helps even when mail is forwarded.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC tells receivers what to do when SPF or DKIM fails. It also sends reports showing who sends mail using your domain. Start in monitoring mode, then tighten policy once legitimate senders pass checks. This closes the loop on spoofing risks from what is email spoofing.

How to set up authentication records

Your email hosting provider supplies the exact values for each record. Copy them into your DNS panel where you manage your domain. Changes can take a few hours to propagate worldwide.

Include every service that sends on behalf of your domain in your SPF record. Missing a legitimate sender causes false failures. After setup, send test messages and confirm they pass. The connection steps in connect email to your website domain often happen in the same DNS session.

Authentication records are not optional extras for serious brands. They protect your domain, improve deliverability, and give you visibility into abuse. The next chapter on how email deliverability works shows how inbox providers use these signals.

Frequently asked questions

Do I need all three records or can I start with SPF only?

Can wrong authentication records stop my mail entirely?

How often should I update my SPF record?

What is the difference between SPF and DMARC?

Where do I add these records if my domain and email use different dashboards?

Will authentication records fix all deliverability problems?