
SPF, DKIM, DMARC: the complete setup guide for 2026

Gmail and Yahoo now require all three. Here is the no-fluff setup guide for SPF, DKIM, and DMARC, with the common gotchas that break authentication.


Admin

May 23, 2026 · 4 min read

Since February 2024, Gmail and Yahoo require every bulk sender to authenticate with all three of SPF, DKIM, and DMARC. Get them right and your mail flows to inbox. Get any one of them wrong and you might as well not be sending. This is the setup guide every operator should bookmark.

Quick primer

  • SPF says which servers are allowed to send mail for your domain.
  • DKIM cryptographically signs each message so receivers can verify the content was not tampered with in transit.
  • DMARC tells receivers what to do when SPF or DKIM fails (quarantine, reject, or just report).

Step 1: Set up SPF

Add a TXT record on the root of your domain. The value lists every service that sends on your behalf.

v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all

Adjust the includes for your actual senders. The ~all at the end means "soft fail anything else"; once you are confident, change to -all for hard fail.

Gotcha: SPF has a maximum of 10 DNS lookups per record. If you have many senders, you will trip this limit and your SPF starts failing silently. Use an SPF flattening tool or consolidate senders.
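
The lookup limit can be checked before a record is published. This Python sketch is an added example, not code from the original guide: it counts the terms that RFC 7208 charges against the 10-lookup limit (include, a, mx, ptr, exists, redirect), following includes recursively. The zone data and every domain name in it are constructed placeholders standing in for live DNS answers.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding it yields permerror

# Constructed sample TXT records (not real DNS data); all names are placeholders.
ZONE = {
    "yourdomain.example": "v=spf1 a mx include:_spf.esp-a.example "
                          "include:_spf.esp-b.example include:_spf.crm.example ~all",
    "_spf.esp-a.example": "v=spf1 include:_n1.esp-a.example "
                          "include:_n2.esp-a.example include:_n3.esp-a.example ~all",
    "_n1.esp-a.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.esp-a.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_n3.esp-a.example": "v=spf1 ip6:2001:db8:a::/48 ~all",
    "_spf.esp-b.example": "v=spf1 include:_n1.esp-b.example include:_n2.esp-b.example ~all",
    "_n1.esp-b.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_n2.esp-b.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a:mail.crm.example ~all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
}

# Optional qualifier, then a term that costs one DNS query, then its target (if any).
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:$|[:=]([^/]+)|/)", re.I)

def spf_lookups(domain, zone, stack=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record.
    A real evaluator stops at the first matching mechanism, so it may use fewer."""
    if domain in stack:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record at {domain}")
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4, ip6, all and other modifiers cost no lookup
        total += 1
        if m.group(1).lower() in ("include", "redirect"):
            total += spf_lookups(m.group(2), zone, stack + (domain,))
    return total

def check(domain, zone):
    """Return (lookup count, verdict) for the domain's SPF record."""
    n = spf_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")

if __name__ == "__main__":
    for name in ("yourdomain.example", "flat.example"):
        print(name, check(name, ZONE))
```

The first record looks short but costs 11 lookups once nested includes are counted; the flattened record costs none.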

Step 2: Set up DKIM

DKIM uses a public/private key pair. The private key signs every outbound message; the public key lives in DNS as a TXT record so receivers can verify the signature.

Most ESPs generate the keys for you. In SendGrid, Mailgun, Postmark, Amazon SES, etc., the dashboard tells you exactly which TXT record to add to your DNS.

The selector is part of the record name. Typical format:

selector1._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

Gotcha: 2048-bit keys generate strings longer than 255 characters, so the TXT record value needs to be split into chunks of at most 255 characters. Most DNS providers handle this automatically, but if you copy-paste blindly into a raw zone file you will break authentication.

Step 3: Set up DMARC

DMARC sits on top of SPF and DKIM. Add a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

The p= tag is the policy:

  • p=none: monitor only. Use this for the first month while you collect reports and find any missing senders.
  • p=quarantine: failing mail goes to spam.
  • p=reject: failing mail is rejected entirely. Strongest protection.

Recommendation: start at p=none for 30 days, review reports, fix any misconfigured senders, then move to p=quarantine, then eventually p=reject.

How to verify your setup

Send a test email to check-auth@verifier.port25.com from your sending tool. The bot replies with a full breakdown of SPF, DKIM, and DMARC status. Free, instant.

For ongoing monitoring, point your rua reports at a service like Postmark DMARC Digests (free) or Dmarcian (paid, more polished). You will get a daily summary of who is sending as your domain and which mail passed or failed.

The most common breakage

  1. Forgetting to update SPF when you add a new ESP. Switching from Mailchimp to Klaviyo? Add Klaviyo's include to SPF the same day.
  2. Subdomain misconfiguration. Mail from news.yourdomain.com needs its own SPF/DKIM unless your DMARC has sp= set properly.
  3. DKIM keys longer than 1024 bits being split incorrectly. Always verify with a checker tool.
  4. Moving DMARC to p=reject too aggressively. Move from none to quarantine to reject over months, not days.

FAQ

Do I need all three?

Yes, since Gmail and Yahoo's 2024 update. Sending more than ~5,000 messages per day without all three guarantees spam folder routing.

Can a verifier check my SPF/DKIM/DMARC for me?

MailoClean focuses on verifying the recipient side (does this address exist), not your outbound authentication. For auth checks use Google Postmaster Tools or a DMARC monitoring service.

Pair it with list hygiene

Authentication only takes you to the inbox door. List hygiene gets you across the threshold. Clean your list while your DNS propagates.


Admin

Email deliverability writer at MailoClean
