Tutorial

SPF, DKIM, DMARC Explained: Stop Your Emails Going to Spam in 2026

Back to Blog
A modern alternative to cPanel, Plesk and CyberPanel — isolated, secure, AI-assisted.
Start free

Why Email Authentication Is No Longer Optional

SPF, DKIM, and DMARC are the three DNS-based standards that let a receiving mail server verify that an email claiming to be from your domain was actually sent by you. SPF checks which servers are allowed to send mail for your domain, DKIM cryptographically signs each message so it cannot be altered in transit, and DMARC tells receiving servers what to do when a message fails those checks — and where to send reports about it. Without all three configured correctly, a growing share of your outbound mail lands in spam or gets rejected outright.

This is not a theoretical concern. Since February 2024, Gmail and Yahoo have required SPF, DKIM, and a published DMARC record for any domain sending bulk mail to their users — and both providers have shown they will enforce it by silently dropping or spam-foldering non-compliant mail. If you run your own mail server, this guide covers exactly how each standard works and how to configure them correctly. If your DNS is hosted on Cloudflare and you want a click-by-click walkthrough instead, see Cloudflare Email DNS Setup: SPF, DKIM, and DMARC Made Simple.

Who This Guide Is For

This is written for anyone running a self-hosted mail server — Postfix, Exim, or a managed panel stack — who wants to understand what these DNS records actually do rather than copy-pasting a value they don't fully trust. We cover the mechanics of each standard, the DNS records themselves, alignment rules, and the mistakes that quietly break deliverability.


SPF (Sender Policy Framework) Explained

SPF is a DNS TXT record published on your domain that lists which mail servers are authorized to send email on its behalf. When a receiving server gets a message claiming to be from yourdomain.com, it looks up the SPF record for that domain and checks whether the connecting IP address is in the authorized list.

SPF Record Syntax

yourdomain.com.   TXT   "v=spf1 mx a ip4:203.0.113.10 include:_spf.google.com ~all"
MechanismMeaning
v=spf1Version tag — always the first term, required
mxAuthorize the domain's own MX record IPs
aAuthorize the domain's own A record IP
ip4:203.0.113.10Authorize a specific IPv4 address
ip6:2001:db8::1Authorize a specific IPv6 address
include:_spf.google.comAuthorize another domain's SPF record (third-party senders)
~allSoft fail — mark unauthorized senders as suspicious, do not reject
-allHard fail — reject unauthorized senders outright

Use -all once you're confident every legitimate sending source is listed. Starting with ~all during setup is safer — it lets you monitor DMARC reports before committing to a hard reject policy.

The 10-Lookup Limit

SPF evaluation is capped at 10 DNS lookups (each include, a, mx, ptr, or exists mechanism counts). Exceed it and the entire SPF check permanently fails — not just for the mechanism that pushed you over the limit. This is the single most common SPF misconfiguration: domains that stack includes for every marketing tool, CRM, and helpdesk they've ever used until the record silently stops validating.

# Check your lookup count with dig, then count manually:
dig TXT yourdomain.com +short

If you're close to the limit, flatten nested includes or remove services you no longer use.

Why SPF Alone Is Not Enough

SPF validates the envelope sender (the SMTP MAIL FROM address), not the visible "From" header the recipient sees. It also breaks completely when mail is forwarded, because the forwarding server's IP is what gets checked, not your original sending IP. This is exactly why DKIM and DMARC exist — SPF alone was never sufficient.


DKIM (DomainKeys Identified Mail) Explained

DKIM adds a cryptographic signature to every outgoing message. The sending server generates a public/private key pair, signs each email with the private key, and publishes the public key in DNS. The receiving server fetches the public key and verifies the signature — proving the message was sent by a server with access to the private key and that its content was not altered in transit.

How DKIM Signing Works

  1. A private/public key pair is generated (2048-bit RSA is the current standard)
  2. The public key is published as a DNS TXT record at selector._domainkey.yourdomain.com
  3. The sending mail server signs specific headers and the message body with the private key
  4. A DKIM-Signature header is added to the outgoing message
  5. The receiving server extracts the selector and domain from that header, fetches the public key, and verifies the signature

DKIM DNS Record

default._domainkey.yourdomain.com.   TXT   "v=DKIM1; k=rsa; p=MIGfMA0GCSq...(public key)...IDAQAB"

The selector (default in this example) lets you run multiple DKIM keys simultaneously — useful for key rotation without downtime, or when different sending services (your mail server, a marketing platform, a transactional email provider) each sign with their own key.

Reading a DKIM-Signature Header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourdomain.com; s=default; t=1718000000;
  bh=base64hash...; h=From:To:Subject:Date;
  b=base64signature...
TagMeaning
d=Signing domain — must align with the From header for DMARC
s=Selector — points to the DNS record with the public key
bh=Hash of the message body
h=List of headers that were signed
b=The actual signature, base64-encoded

Unlike SPF, DKIM survives most forwarding scenarios, because the signature travels with the message content rather than depending on the connecting IP address. This is why DKIM alignment matters so much more than SPF alignment for DMARC pass rates in practice.


DMARC Explained

DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails both. Without a DMARC record, a domain has no enforceable policy — SPF and DKIM can pass or fail, but nothing instructs the receiving server how to react, and no reports are generated so you have no visibility into who is sending mail as your domain.

DMARC Record Syntax

_dmarc.yourdomain.com.   TXT   "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; aspf=r; adkim=r"
TagMeaning
v=DMARC1Version tag, required
p=Policy: none (monitor only), quarantine (send to spam), reject (bounce)
rua=Where to send aggregate (daily summary) reports
ruf=Where to send forensic (per-message failure) reports
pct=Percentage of failing mail the policy applies to — useful for gradual rollout
aspf=SPF alignment mode: r (relaxed) or s (strict)
adkim=DKIM alignment mode: r (relaxed) or s (strict)

The Rollout Path Everyone Should Follow

  1. Start with p=none — collects aggregate reports without affecting delivery. Run this for at least two weeks.
  2. Review the rua reports — identify every legitimate source sending mail as your domain, including transactional email services and marketing platforms you may have forgotten about.
  3. Move to p=quarantine; pct=25 — start enforcing gradually.
  4. Increase pct in stages — 25 to 50 to 100 over several weeks, watching for legitimate mail getting caught.
  5. Finish at p=reject — the strongest policy, telling receivers to bounce anything that fails alignment.

Jumping straight to p=reject without reviewing reports first is the most common way legitimate mail — including your own — starts silently disappearing.


Alignment: Where Most DIY Setups Fail

DMARC does not just check whether SPF and DKIM pass in isolation — it checks whether the domain in the visible From header aligns with the domain that passed SPF or DKIM.

  • SPF alignment — the domain in the SMTP envelope MAIL FROM must match (or be a subdomain of) the visible From header domain
  • DKIM alignment — the d= value in the DKIM signature must match (or be a subdomain of) the visible From header domain

A message only needs one of the two to align and pass for DMARC to pass overall. This is exactly why DKIM matters so much for forwarded mail and third-party senders: SPF alignment breaks under forwarding, but a correctly configured DKIM signature travels with the message and still aligns at the destination.

Relaxed alignment (r) allows subdomain matches — mail.yourdomain.com aligns with yourdomain.com. Strict alignment (s) requires an exact match. Most domains should use relaxed alignment unless they have a specific reason for stricter enforcement.


Why Gmail and Yahoo Require All Three

Since February 2024, both Gmail and Yahoo enforce sender requirements for any domain sending bulk mail (roughly 5,000+ messages per day to their users, though the practical threshold for spam-folder treatment is lower):

  • Valid SPF or DKIM authentication — but publishing both is strongly recommended
  • A published DMARC record at p=none or stricter
  • SPF and DKIM alignment with the visible From domain
  • A spam complaint rate kept under 0.3% and a clean record on major DNS blacklists (DNSBL)
  • One-click unsubscribe support for marketing and bulk mail (List-Unsubscribe header)

Domains without a DMARC record are increasingly treated as higher-risk by spam filters, independent of whether they send bulk volume — the absence of a policy is itself a signal. Reverse DNS matters just as much here; see PTR Record and Reverse DNS for why mail servers need a matching PTR record. For any domain that sends transactional mail (password resets, invoices, notifications), configuring all three records correctly is no longer a best practice. It is the baseline for reliable inbox delivery.


Testing Your Configuration

Before trusting your setup, verify each record resolves correctly and that outgoing mail actually carries valid signatures.

# Check the SPF record
dig TXT yourdomain.com +short

# Check the DKIM record (replace 'default' with your actual selector)
dig TXT default._domainkey.yourdomain.com +short

# Check the DMARC record
dig TXT _dmarc.yourdomain.com +short

Send a test message to an address you control on a major provider (Gmail is convenient for this) and inspect the full headers. Look for spf=pass, dkim=pass, and dmarc=pass in the Authentication-Results header that the receiving server adds. If any of the three fail, the header will tell you exactly which check failed and why — mismatched domain, missing record, or an invalid signature.


Common Configuration Mistakes

MistakeEffectFix
Multiple SPF records for one domainSPF becomes invalid — only one TXT record with v=spf1 is allowed per domainMerge all sources into a single SPF record with multiple include mechanisms
Exceeding the 10-lookup SPF limitSPF fails permanently for the entire recordFlatten nested includes, remove unused third-party senders
DKIM selector typo in DNSSignature verification fails silentlyConfirm the selector in the DKIM-Signature header matches the DNS record name exactly
Jumping straight to p=rejectLegitimate mail from forgotten services gets bouncedRoll out gradually: none to quarantine to reject, reviewing reports at each stage
No DMARC record at allNo visibility into spoofing attempts, weaker sender reputationPublish at minimum a p=none record with an rua address
Forwarding mail without DKIMSPF breaks on forward, no DKIM means DMARC fails entirelyEnsure the original message keeps its DKIM signature intact through the forward

How Panelica Automates Email Authentication

Panelica's built-in mail stack (Postfix and Dovecot) generates and manages all three records automatically for every domain you add. When a domain is created, Panelica generates a 2048-bit DKIM key pair, publishes the DKIM DNS record with a unique selector, builds an SPF record scoped to the server's actual sending IP, and can generate a DMARC record with a policy you choose from the panel.

  • Automatic DKIM key generation — a unique key pair is created per domain, with the public key published to DNS without manual copy-pasting
  • SPF record generation — scoped to the server's mail-sending IP, avoiding the "multiple SPF records" mistake from manually merging entries
  • DMARC policy management — set the policy (none, quarantine, reject) and reporting address directly from the panel's email section
  • DNS integration — records are published automatically through Panelica's built-in BIND DNS or synced through Cloudflare if that's your DNS provider

For anyone who has spent an afternoon debugging why a DKIM selector doesn't match or why SPF silently fails past 10 lookups, having these records generated and kept in sync automatically removes an entire category of deliverability incidents.


Frequently Asked Questions

Do I need SPF, DKIM, and DMARC, or is one enough?

Technically DMARC only requires one of SPF or DKIM to pass and align. In practice, publish all three. SPF alone breaks on forwarding, DKIM alone gives no enforcement policy or visibility, and DMARC without SPF or DKIM underneath has nothing to evaluate.

Will a wrong SPF or DKIM record get my email rejected immediately?

It depends on your DMARC policy. With p=none, failures are only reported, not acted on. With p=quarantine or p=reject, a misconfigured record can send legitimate mail to spam or cause outright rejection — which is exactly why the gradual rollout path matters.

Why does my email still land in spam even though SPF, DKIM, and DMARC all pass?

Authentication passing proves the message is legitimately from your domain — it does not guarantee inbox placement. Sender reputation, IP warm-up status, content patterns, and recipient engagement all factor into spam filtering independently of authentication results. For a complete troubleshooting walkthrough, see Why Are My Emails Going to Spam?

Can I use a subdomain for sending instead of my main domain?

Yes, and it's a common pattern for transactional or bulk mail (for example mail.yourdomain.com). Each subdomain needs its own DKIM selector and can have its own DMARC policy, which also isolates your main domain's reputation from bulk-sending activity.


Conclusion

SPF, DKIM, and DMARC each solve a different part of the same problem: proving a message actually came from your domain. SPF authorizes sending servers, DKIM cryptographically signs message content, and DMARC ties both together with an enforceable policy and reporting. None of the three is a substitute for the others.

Configure them in that order, verify with dig and real test messages before tightening policy, and roll out DMARC enforcement gradually. Get this right once and it keeps working — until you add a new sending service and forget to update the SPF record, which is exactly what the DMARC aggregate reports are there to catch.

Security-first hosting panel

Run your servers on a modern panel.

Panelica is a modern, security-first hosting panel — isolated services, built-in Docker and AI-assisted management, with one-click migration from any panel.

Zero-downtime migration Fully isolated services Cancel anytime
Share:
No monthly renewals.