SPF vs DKIM vs DMARC: What Each Record Does and Which One to Fix First
Understand SPF, DKIM, and DMARC in plain English, what each record does, how they work together, and which one to fix first based on your email problem.
SPF, DKIM, and DMARC are three of the most important email authentication records for a business domain.
They are related, but they do different jobs. SPF helps receiving servers check whether a sending server is allowed to send email for your domain. DKIM lets your email provider sign outgoing messages so receivers can verify them. DMARC tells receivers what to do when email claiming to be from your domain fails SPF or DKIM alignment.
The confusion usually starts when a DNS checker says `SPF missing`, `DKIM not found`, `DMARC missing`, or `DMARC fail` even though another record passes. The practical question is simple: which record should you fix first?
This guide explains the difference between SPF, DKIM, and DMARC, how they work together, and how to decide what to fix first based on the problem you are seeing.
On this page
Quick answer: SPF vs DKIM vs DMARC
| Record | Main job | Where it lives | What it helps with |
|---|---|---|---|
| SPF | Authorizes sending servers | TXT record at root domain | Helps receivers check whether a server is allowed to send for your domain |
| DKIM | Signs outgoing email | TXT or CNAME under selector._domainkey | Helps receivers verify that the message was signed by an authorized domain key |
| DMARC | Publishes domain policy | TXT record at _dmarc | Tells receivers how to treat messages that fail SPF/DKIM alignment |
- SPF = which servers may send.
- DKIM = whether this message was signed properly.
- DMARC = if authentication fails, what should the receiver do.
If you cannot receive email, check MX first. If you can send but emails land in spam or fail authentication, check SPF, DKIM, and DMARC.
For a broader troubleshooting path, start with the email DNS checker guide.
Which one should you fix first?
The right first fix depends on the symptom.
| Problem | First record to check | Why |
|---|---|---|
| You cannot receive email | MX, not SPF/DKIM/DMARC | MX controls incoming mail routing |
| Emails bounce when people send to you | MX and mailbox setup | SPF/DKIM/DMARC usually do not create inboxes |
| Sent emails go to spam | SPF, DKIM, DMARC | Authentication and reputation affect trust |
| SPF checker says duplicate SPF | SPF | A domain should not publish multiple SPF policies at the same hostname |
| DKIM checker says missing | DKIM selector and provider setup | DKIM is selector-based |
| DMARC checker says missing | DMARC | DMARC must exist at _dmarc |
| DMARC fails even though SPF passes | Alignment | SPF may pass for a domain that does not align with the visible From domain |
| DMARC fails even though DKIM passes | Alignment | DKIM may sign with a provider domain instead of your domain |
| Google/Microsoft setup says incomplete | Provider checklist | You may need MX, SPF, DKIM, DMARC, verification, and mailbox setup |
| Website works but email does not | Nameservers and MX first | Website records and email records are separate |
For most domains, the safe setup order is:
MX -> SPF -> DKIM -> DMARCBut the safe troubleshooting order depends on the symptom. If your website works but email does not, use the website works but email does not guide before editing authentication records.
SPF, DKIM, and DMARC are not the same thing
A common mistake is treating SPF, DKIM, and DMARC like three versions of the same record. They are not. They answer different questions.
| Question | Record that answers it |
|---|---|
| Where should incoming mail be delivered? | MX |
| Which servers are allowed to send for this domain? | SPF |
| Was this email signed by an authorized domain key? | DKIM |
| Did SPF or DKIM align with the visible From domain? | DMARC |
| What should happen to messages that fail authentication? | DMARC |
| Does this mailbox or alias exist? | Email provider admin, not DNS |
- SPF can pass while DKIM is missing.
- DKIM can pass while DMARC fails.
- DMARC can exist but still only monitor if the policy is
p=none. - MX can be perfect while outgoing email still lands in spam.
- Website DNS can be perfect while email DNS is broken.
If incoming email is the broken part, read the MX record checker guide first.
What is SPF?
SPF stands for Sender Policy Framework.
SPF is a DNS TXT record that lists the servers and services allowed to send email for your domain.
For example, if your domain uses Google Workspace, your SPF record may authorize Google to send email.
A Google Workspace-only SPF record often looks like:
v=spf1 include:_spf.google.com ~allA Microsoft 365-only SPF record often looks like:
v=spf1 include:spf.protection.outlook.com -allDo not copy those blindly. Your correct SPF record depends on which services actually send email for your domain.
For SPF-specific cleanup, use the SPF record checker guide.
What SPF actually checks
SPF checks whether the sending server is allowed to send for the envelope sender domain.
That is not always the same as the visible From address that the recipient sees.
A user may see this visible From address:
From: Your Company <hello@example.com>But the technical return-path may be:
bounce@emailservice.comSPF may pass for emailservice.com, but that does not necessarily mean SPF aligns with example.com for DMARC.
Do not assume SPF pass always means DMARC pass. Alignment matters.
SPF record location
SPF is usually published as a TXT record at the root domain.
For example.com, the SPF record usually lives at example.com. In DNS dashboards, the host/name is usually @.
| Field | Value |
|---|---|
| Type | TXT |
| Name | @ |
| Content | v=spf1 include:_spf.google.com ~all |
If you send from a subdomain, that subdomain may need its own SPF record. For example, news.example.com may have a separate SPF record from example.com.
The biggest SPF mistake: duplicate SPF records
A domain should not have multiple SPF records at the same name.
Wrong:
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com -allThis does not mean both Google and Microsoft are safely authorized. It creates duplicate SPF records.
Correct if both providers genuinely send email for the domain:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~allOnly include a provider if that provider actually sends email for your domain. Legitimate senders should be merged into one SPF record.
SPF strengths and weaknesses
| SPF strength | Explanation |
|---|---|
| Simple to understand | It lists allowed sending services |
| Useful for basic sender authorization | Receivers can check whether a sending server is permitted |
| Good for main email platforms | Google Workspace, Microsoft 365, and many providers document SPF setup |
| Helps DMARC when aligned | SPF can help DMARC pass if the authenticated domain aligns with the From domain |
| SPF weakness | Explanation |
|---|---|
| Can break during forwarding | Forwarded mail may come from a server not listed in SPF |
| Can be duplicated easily | Many users accidentally add multiple SPF records |
| Has lookup limits | Too many includes can break SPF evaluation |
| Does not sign message content | SPF does not prove the message body was unchanged |
| Does not always align with visible From | SPF can pass for a return-path domain that is not your visible From domain |
SPF is important, but it is not enough by itself.
What is DKIM?
DKIM stands for DomainKeys Identified Mail.
DKIM lets your email provider sign outgoing messages using a private key. Receiving mail servers then check a public key in DNS to verify the signature.
DKIM proves that the message was signed by a domain-authorized system and was not changed in a way that breaks the signature.
A DKIM record might look like this:
google._domainkey.example.comor:
selector1._domainkey.example.comThe exact DKIM record depends on your email provider. For selector-specific help, use the DKIM record checker guide.
What DKIM actually checks
DKIM checks a cryptographic signature in the email headers.
A DKIM-signed message contains a header similar to:
DKIM-Signature: v=1; d=example.com; s=google; ...Two parts are especially important:
| DKIM tag | Meaning |
|---|---|
d= | Signing domain |
s= | Selector |
If d=example.com and s=google, the receiver checks the DKIM record at:
google._domainkey.example.comThat is why DKIM is selector-based.
DKIM record location
DKIM records are usually published at:
selector._domainkey.example.comCommon examples include:
google._domainkey.example.com
selector1._domainkey.example.com
k1._domainkey.news.example.comIn Cloudflare, the Name field may be google._domainkey or selector1._domainkey because Cloudflare appends the root domain automatically.
Checking only the root domain is not enough for DKIM.
DKIM can be TXT or CNAME
Different providers use different DKIM record types.
| Provider style | Record type | Example |
|---|---|---|
| Google Workspace | Usually TXT | google._domainkey TXT generated in Google Admin |
| Microsoft 365 | Usually CNAME | selector1._domainkey and selector2._domainkey CNAME |
| Email marketing tools | Often CNAME | Provider-specific |
| Transactional email tools | TXT or CNAME | Provider-specific |
Do not guess. Use the exact DKIM record type and value given by your provider.
Google Workspace commonly uses TXT DKIM generated in Google Admin. Microsoft 365 custom-domain DKIM uses CNAME selectors.
DKIM strengths and weaknesses
| DKIM strength | Explanation |
|---|---|
| Stronger than SPF during forwarding | DKIM can survive forwarding if the message is not modified |
| Supports DMARC alignment | DKIM can help DMARC pass when the signing domain aligns with the visible From domain |
| Verifies message integrity | The signature can fail if signed parts of the message are modified |
| Allows multiple senders | Different platforms can use different DKIM selectors |
| DKIM weakness | Explanation |
|---|---|
| Selector-based | You need the correct selector to check it |
| DNS can be confusing | Some providers use TXT, others use CNAME |
| Provider must enable signing | DNS record existing does not mean messages are signed |
| Can fail if message is modified | Footers, disclaimers, and forwarding systems can break signatures |
| One DKIM record does not cover all senders | Each sending platform may need its own domain authentication |
Do not assume DKIM pass always means DMARC pass. Alignment still matters.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.
DMARC tells receiving mail servers what to do when a message claiming to be from your domain fails authentication and alignment checks.
DMARC depends on SPF and DKIM.
A basic DMARC record looks like:
v=DMARC1; p=none;It is published at:
_dmarc.example.comIn many DNS dashboards, the Name field is _dmarc.
For policy rollout details, use the DMARC record checker guide.
DMARC policy levels
DMARC has three common policy levels:
| Policy | Meaning | Practical use |
|---|---|---|
p=none | Monitor only | Best starting point when setting up DMARC |
p=quarantine | Ask receivers to treat failing mail as suspicious | Use after SPF/DKIM are working |
p=reject | Ask receivers to reject failing mail | Use only after testing all legitimate senders |
A safe rollout usually looks like:
p=none -> p=quarantine -> p=rejectDo not jump straight to p=reject if you are unsure whether all legitimate senders are authenticated.
What DMARC actually checks
DMARC checks whether SPF or DKIM passes and aligns with the visible From domain.
The visible From domain is what users see in the email client.
From: Your Company <hello@example.com>The visible From domain is example.com.
For DMARC to pass, the message usually needs either SPF pass with alignment or DKIM pass with alignment. It does not always need both.
Having both SPF and DKIM correctly configured is better, but either one can satisfy DMARC if it aligns.
DMARC alignment explained simply
Alignment means the authenticated domain matches or is related to the visible From domain.
DKIM alignment example
Good:
Visible From: hello@example.com
DKIM signing domain: example.comProblem:
Visible From: hello@example.com
DKIM signing domain: emailservice.comDKIM may pass for emailservice.com, but it may not help example.com pass DMARC.
SPF alignment example
Good:
Visible From: hello@example.com
Return-path: bounce@example.comProblem:
Visible From: hello@example.com
Return-path: bounce.thirdpartyservice.comSPF may pass for thirdpartyservice.com, but it may not align with example.com. This is why third-party email platforms often ask you to authenticate your domain.
DMARC strengths and weaknesses
| DMARC strength | Explanation |
|---|---|
| Connects SPF and DKIM to visible From domain | This matters because users trust the visible From address |
| Allows policy enforcement | You can move from monitoring to quarantine or reject |
| Helps protect against spoofing | Unauthorized messages claiming to be from your domain can be handled more strictly |
| Supports reporting | Aggregate reports can show who is sending mail for your domain |
| DMARC weakness | Explanation |
|---|---|
| Depends on SPF/DKIM | DMARC does not work properly if SPF and DKIM are not configured |
| Can break legitimate email if too strict too early | p=reject can cause problems if senders are not authenticated |
| Reports can be technical | Raw DMARC reports are not easy for beginners |
| Alignment can confuse users | SPF or DKIM can pass but DMARC can still fail |
DMARC is powerful, but it should be rolled out carefully.
SPF vs DKIM vs DMARC comparison table
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| Main purpose | Authorize sending servers | Sign outgoing messages | Enforce policy based on SPF/DKIM alignment |
| DNS record type | TXT | TXT or CNAME | TXT |
| Common DNS location | Root domain @ | selector._domainkey | _dmarc |
| Checks server authorization | Yes | No | Uses SPF result |
| Checks message signature | No | Yes | Uses DKIM result |
| Checks visible From alignment | No, not by itself | No, not by itself | Yes |
| Helps protect against spoofing | Partly | Partly | Stronger when enforced |
| Can fail during forwarding | Yes, often | Less often, unless message modified | Depends on SPF/DKIM alignment |
| Can have multiple records? | Usually no, one SPF at root | Yes, multiple selectors are normal | Usually one DMARC record |
| Best starting action | Create one clean SPF record | Enable provider DKIM | Start with p=none if unsure |
SPF, DKIM, and DMARC setup order
For a new business domain, a sensible setup order is:
- MX - make sure incoming email routes to the right provider.
- SPF - authorize the main sending provider.
- DKIM - enable signing for the main sending provider.
- DMARC - publish a monitoring policy.
- Third-party senders - authenticate CRMs, newsletter tools, forms, and transactional senders.
- DMARC enforcement - move gradually toward
quarantineorreject.
A basic safe DMARC starting point is:
v=DMARC1; p=none;Do not enforce strict DMARC until you know your legitimate senders are passing SPF or DKIM alignment.
Which one matters most?
If you cannot receive email
SPF, DKIM, and DMARC are not the first place to look. Check nameservers, MX records, mailbox or alias setup, provider verification, and provider activation.
Read the MX record checker guide if receiving is broken.
If your sent emails go to spam
Check SPF, DKIM, DMARC, third-party sender authentication, domain reputation, email content, and sending volume.
Authentication helps, but it does not guarantee inbox placement by itself.
If DMARC fails
Check whether SPF passed, whether DKIM passed, whether SPF aligned with the visible From domain, whether DKIM aligned with the visible From domain, whether the sender is a third-party platform, and whether DMARC is valid at _dmarc.
DMARC failure is often an alignment issue, not just a missing DNS record.
If SPF fails
Check whether SPF exists, whether there is only one SPF record, whether SPF includes the real sending provider, whether old providers were removed too early, whether the SPF record is too long, and whether forwarding is involved.
If DKIM fails
Check whether DKIM is enabled in the provider admin, whether the selector is correct, whether the DNS record type is TXT or CNAME as required, whether the public key or CNAME target was copied correctly, whether DNS propagated, and whether the message was modified after signing.
The email DNS propagation guide can help when records were recently changed but still look wrong.
Common scanner result combinations
| Result combination | What it usually means | What to do |
|---|---|---|
| SPF pass, DKIM pass, DMARC pass | At least one aligned authentication method passed DMARC | Still check reputation, content, volume, bounces, and complaints |
| SPF pass, DKIM fail, DMARC pass | SPF likely passed and aligned | Fix DKIM because it improves reliability, especially during forwarding |
| SPF fail, DKIM pass, DMARC pass | DKIM likely passed and aligned | Fix SPF because it is part of a clean email DNS setup |
| SPF pass, DKIM pass, DMARC fail | Alignment is probably the issue | Authenticate your domain inside the sending platform and retest |
| SPF fail, DKIM fail, DMARC fail | The domain has serious outbound authentication issues | Identify the sender, fix SPF, enable DKIM, and add or fix DMARC |
| SPF neutral or softfail, DKIM pass, DMARC pass | DKIM may be carrying DMARC alignment | Review SPF before changing ~all to -all |
| DMARC none | Could mean no DMARC record or a p=none policy | Distinguish missing DMARC from monitoring-only DMARC |
Passing SPF, DKIM, and DMARC does not guarantee inbox placement. Reputation, content, volume, bounces, and complaints also matter.
SPF vs DKIM vs DMARC for Google Workspace
For Google Workspace, a clean setup usually includes:
| Record | Typical setup |
|---|---|
| MX | Google Workspace MX record |
| SPF | v=spf1 include:_spf.google.com ~all if Google is the only sender |
| DKIM | Google-generated TXT record, often at google._domainkey |
| DMARC | TXT record at _dmarc, starting with p=none if unsure |
- Google SPF is added in DNS, not generated in Google Admin.
- Google DKIM should be generated in Google Admin.
- DKIM must be started or activated after DNS is published.
- DMARC should be added after SPF and/or DKIM are working.
- Third-party senders need separate authentication.
Read the Google Workspace and Cloudflare guide for a Google + Cloudflare checklist.
SPF vs DKIM vs DMARC for Microsoft 365
For Microsoft 365, a clean setup usually includes:
| Record | Typical setup |
|---|---|
| MX | Microsoft-provided <domain-key>.mail.protection.outlook.com |
| SPF | v=spf1 include:spf.protection.outlook.com -all if Microsoft is the only sender |
| DKIM | Two Microsoft-provided CNAME records, usually selector1._domainkey and selector2._domainkey |
| DMARC | TXT record at _dmarc, starting with p=none if unsure |
- Microsoft MX is domain-specific.
- Microsoft DKIM values are tenant/domain-specific.
- Microsoft 365 custom-domain DKIM uses CNAME records, not TXT records.
- DKIM CNAME records should be DNS-only in Cloudflare.
- Third-party senders may need separate SPF/DKIM setup.
Read the Microsoft 365 and Cloudflare guide for a Microsoft + Cloudflare checklist.
SPF, DKIM, and DMARC for third-party senders
Many businesses send email from more than one place.
- Google Workspace
- Microsoft 365
- Website contact forms
- CRMs
- Email marketing tools
- Helpdesk systems
- Ecommerce platforms
- Booking platforms
- Invoicing tools
- Transactional email providers
- Cold email tools
Important rule
One DKIM record for Google Workspace does not authenticate your newsletter platform. One Microsoft SPF record does not automatically authenticate your website form. One DMARC record does not magically fix every sender.
You need to identify every platform that sends email using your domain and authenticate each one properly.
Example: normal mailbox plus newsletter tool
| Purpose | Provider |
|---|---|
| Normal email | Google Workspace |
| Newsletter | Mailchimp or similar |
| DNS | Cloudflare |
You may need:
| Record | Why |
|---|---|
| Google MX | Receive normal email |
| Google SPF include | Authorize Google sending |
| Google DKIM | Sign normal Google Workspace email |
| Newsletter DKIM records | Sign newsletter messages |
| Newsletter SPF or return-path setup | Help SPF alignment if provider requires it |
| DMARC | Apply domain-level policy |
If Google emails pass authentication but newsletters fail DMARC, the newsletter platform may not be authenticated with your domain.
Example: Microsoft 365 plus website contact form
| Purpose | Provider |
|---|---|
| Normal email | Microsoft 365 |
| Website | WordPress |
| Contact form sending | SMTP/transactional email provider |
You may need:
| Record | Why |
|---|---|
| Microsoft MX | Receive normal email |
| Microsoft SPF include | Authorize Microsoft 365 sending |
| Microsoft DKIM CNAMEs | Sign Microsoft 365 messages |
| Transactional provider DKIM | Sign contact form messages |
| Transactional provider SPF or return-path | Help sender authorization and alignment |
| DMARC | Policy for your visible From domain |
If Microsoft emails pass but contact form emails fail, the contact form sender probably needs separate authentication.
Common misconceptions
| Misconception | Reality |
|---|---|
| My MX records are correct, so SPF/DKIM/DMARC must be correct. | MX controls incoming email routing. SPF, DKIM, and DMARC control outgoing authentication and policy. |
| My website works, so email DNS must be correct. | Website DNS and email DNS are separate. |
| SPF pass means DMARC pass. | SPF must pass and align with the visible From domain to help DMARC pass. |
| DKIM pass means DMARC pass. | DKIM must pass and align with the visible From domain to help DMARC pass. |
| DMARC replaces SPF and DKIM. | DMARC depends on SPF and DKIM. |
I should start with p=reject for best security. | Start with p=none if you are unsure, then move to quarantine and reject after testing. |
| I need only one DKIM record. | A domain can have multiple DKIM records under different selectors. |
| I can add multiple SPF records like DKIM. | SPF should usually have one record at the same domain name. DKIM can have multiple selector records. |
Safe rollout checklist
- Confirm active nameservers.
- Confirm where DNS is managed.
- Check MX records.
- Confirm mailboxes and aliases exist.
- Add one clean SPF record.
- Include only legitimate senders in SPF.
- Enable DKIM for the main email provider.
- Add DKIM for third-party senders.
- Add DMARC at
_dmarc. - Start DMARC with
p=noneif unsure. - Send test emails from each platform.
- Check SPF, DKIM, and DMARC results.
- Fix alignment issues.
- Move to
p=quarantineonly after testing. - Move to
p=rejectonly when confident.
Troubleshooting order by symptom
Symptom: I cannot receive email
- Nameservers
- MX records
- Old MX records
- Mailbox or alias
- Provider verification
- Provider activation
SPF, DKIM, and DMARC are not the first fix for receiving failures.
Symptom: My sent email goes to spam
- SPF
- DKIM
- DMARC
- Third-party sender authentication
- Domain age and reputation
- Email content
- Sending volume
Authentication is necessary, but not always sufficient.
Symptom: My domain can be spoofed
- SPF exists and is clean.
- DKIM is enabled.
- DMARC exists.
- DMARC policy is not only monitoring forever.
- Legitimate senders pass before enforcement.
- Move gradually toward
quarantineorreject.
DMARC enforcement is the major step for stronger spoofing protection.
What not to do
- Do not change website A/CNAME records when the problem is email authentication.
- Do not create multiple SPF records.
- Do not guess DKIM selectors.
- Do not create Microsoft DKIM as TXT records.
- Do not assume DKIM exists just because SPF exists.
- Do not add DMARC at the root domain.
- Do not start with
p=rejectbefore testing senders. - Do not assume passing SPF/DKIM guarantees inbox placement.
- Do not forget third-party platforms.
- Do not remove old sender records during an active migration without checking.
- Do not ignore alignment when diagnosing DMARC.
- Do not fix DMARC before understanding SPF and DKIM.
Final recommendation
SPF, DKIM, and DMARC work best together.
A good setup should have:
- One clean SPF record
- DKIM enabled for each real sending platform
- DMARC published at
_dmarc - A safe DMARC rollout path
- Test emails from every important sender
- Authentication results checked in real message headers
The simplest mental model is:
SPF = allowed senders
DKIM = signed messages
DMARC = policy and alignmentFix MX first if email is not being received. Fix SPF and DKIM first if outgoing authentication is weak. Add DMARC carefully, starting with monitoring if unsure, then move toward enforcement only after legitimate mail passes.
Run an SPF, DKIM, and DMARC check
Use Domain Email Doctor to scan your domain's public email DNS records before changing anything.
The scan can help show whether SPF is missing or duplicated, whether DKIM may be missing, whether DMARC exists, and whether MX or nameserver issues are actually the first problem to solve.
Do not guess. Check the records first, then fix the record that matches the symptom.
Quick checklist
- Receiving failures are checked with nameservers, MX, and mailbox setup first.
- SPF exists as one clean TXT record at the correct hostname.
- Legitimate senders are merged into one SPF record instead of duplicate SPF records.
- DKIM is checked by selector, usually at
selector._domainkey.example.com. - Google Workspace DKIM values come from Google Admin.
- Microsoft 365 DKIM uses provider-supplied CNAME selectors.
- DMARC is published at
_dmarc. - DMARC starts with
p=noneif the sender list is not fully tested. - SPF and DKIM alignment are checked before assuming DMARC should pass.
- Third-party senders are authenticated separately.
- Passing SPF, DKIM, and DMARC is not treated as a guarantee of inbox placement.
- DNS propagation is considered after recent SPF, DKIM, or DMARC changes.