SPF, DKIM, DMARC: The Right Way to Authenticate Your Email Domain
Published May 2026 · ohmysend.com
Most email senders have SPF, DKIM, and DMARC configured — and most of them have it wrong. Here's what actually matters.
The One Rule That Changed Everything
For years, people said: "You only need SPF or DKIM to pass DMARC." That was true — until Gmail and Yahoo tightened their requirements in 2024. Now, both SPF and DKIM must align with your From domain.
If only one aligns, your DMARC might show "pass" on Postmaster Tools, but Gmail's spam filter is paying attention to the gap. That gap is costing you open rate.
SPF: Who Can Send On Your Behalf
SPF (Sender Policy Framework) is a DNS record that lists which servers are authorized to send email using your domain. If your ESP (Klaviyo, SendGrid, Mailchimp) sends from their own IPs, those IPs need to be in your SPF record.
Common mistake: Having too many DNS lookups in your SPF record (the limit is 10). Every "include" counts. If you're using 3+ ESPs, you're probably over the limit and SPF silently fails.
DKIM: Prove the Email Wasn't Tampered With
DKIM adds a cryptographic signature to every email. The receiving server checks this signature against a public key in your DNS. If it matches, the email is authentic.
What "alignment" means for DKIM: The d= domain in the DKIM signature must match the domain in your From header. If Klaviyo signs with d=klaviyomail.com but your From address is @yourbrand.com — that's misaligned.
DMARC: The Traffic Cop
DMARC is a DNS record in the format v=DMARC1; p=none; that tells receiving servers what to do when SPF or DKIM fail:
- p=none: report but don't block (monitoring only)
- p=quarantine: send to spam if authentication fails
- p=reject: block the email entirely
Most brands run p=none. It's safe, but it provides zero protection. Nike uses p=none. Shein uses p=quarantine. Banks use p=reject. Where you should be depends on your sending profile and risk tolerance.
Why "100% DMARC Compliant" on Postmaster Means Nothing
Google Postmaster Tools shows your DMARC pass rate, but here's the catch: if either SPF or DKIM passes, DMARC shows "passed." You could have SPF misaligned or DKIM misaligned, but because the other one technically passed, you still see a green checkmark.
The only way to know if both align: Parse your DMARC aggregate reports (the XML files sent to your rua= address). These tell you exactly which sending sources passed SPF and DKIM separately.
The Subdomain Strategy
If your main domain has reputation issues (e.g., from unauthenticated Shopify/Shopline transactional emails), use a dedicated subdomain for marketing emails: mail.yourbrand.com or email.yourbrand.com. This isolates the sending reputation from your main domain — so a marketing email problem doesn't tank your transactional deliverability.
Quick Self-Check: Is Your Domain Auth Broken?
- Go to MXToolbox and check your SPF, DKIM, and DMARC records
- Open Google Postmaster Tools — look at the DMARC graph
- If DMARC is anything less than ~100% for 7+ consecutive days, you have an auth problem
- Parse your DMARC XML reports to find which senders are failing
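The last step of this checklist, and the per-source SPF/DKIM breakdown described under "Why "100% DMARC Compliant" on Postmaster Means Nothing", can be scripted. The following is an added example, not code from ohmysend.com: it tallies the aligned SPF and DKIM verdicts per sending IP from one aggregate report. The names `SAMPLE_REPORT`, `alignment_by_source` and `partial_alignment` are hypothetical, the report is constructed, and the code assumes an already-decompressed report with no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample in the RFC 7489 aggregate-report layout; IPs and domains are placeholders.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourbrand.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourbrand.com</header_from></identifiers>
  <auth_results><dkim><domain>yourbrand.com</domain><result>pass</result></dkim>
   <spf><domain>esp.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourbrand.com</header_from></identifiers>
  <auth_results><dkim><domain>yourbrand.com</domain><result>pass</result></dkim>
   <spf><domain>yourbrand.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.5</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourbrand.com</header_from></identifiers>
  <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

BUCKETS = {(True, True): "both", (True, False): "dkim_only",
           (False, True): "spf_only", (False, False): "neither"}

def alignment_by_source(report_xml):
    """Return {source_ip: {bucket: message count}} from one aggregate report."""
    # Reports arrive from third parties: untrusted input (defusedxml is a common hardening choice).
    root = ET.fromstring(report_xml)
    totals = defaultdict(lambda: defaultdict(int))
    for record in root.iter("record"):
        row = record.find("row")
        # policy_evaluated carries the aligned verdicts; auth_results only the raw ones.
        dkim = row.findtext("policy_evaluated/dkim", "").strip().lower() == "pass"
        spf = row.findtext("policy_evaluated/spf", "").strip().lower() == "pass"
        ip = row.findtext("source_ip", "unknown").strip()
        totals[ip][BUCKETS[(dkim, spf)]] += int(row.findtext("count", "0"))
    return {ip: dict(b) for ip, b in totals.items()}

def partial_alignment(report_xml):
    """Sources that pass DMARC on one mechanism while the other is unaligned."""
    return sorted(ip for ip, b in alignment_by_source(report_xml).items()
                  if "dkim_only" in b or "spf_only" in b)
if __name__ == "__main__":
    print(alignment_by_source(SAMPLE_REPORT), partial_alignment(SAMPLE_REPORT))
```

On the sample, 192.0.2.10 is the source to fix: its raw SPF result is a pass for esp.example, which does not align with yourbrand.com, so only DKIM carries the DMARC pass.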