These three records confuse almost everyone. Here’s the short version: SPF says who can send, DKIM proves the message wasn’t tampered with, and DMARC ties them together and tells receivers what to do when something fails. You need all three.
SPF — “which servers may send for me?”
SPF is a TXT record at your root domain listing the servers and services allowed to send mail as your domain. Example:
v=spf1 include:_spf.google.com include:sendgrid.net -all
- Publish exactly one SPF record (more than one is a hard error).
- End it with -all (hard fail) or ~all (soft fail).
- Stay under 10 DNS lookups: too many include: entries break SPF.
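The three SPF rules above can be checked mechanically. The script below is an added example (not the checker's own code): it resolves include: and redirect= chains against a constructed in-memory zone (ZONE stands in for live DNS, and its google/sendgrid entries are placeholders shaped like SPF records, not the providers' real data), counts the terms that cost a lookup, flags duplicate records, and inspects the terminal all mechanism.

```python
"""SPF record checks over TXT data, resolved against an in-memory zone.
Added example, not the checker's code. ZONE is constructed to stand in for
live DNS; the google/sendgrid entries are placeholders, not real records."""
import re

# Constructed zone: name -> TXT records.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "twice.example": ["v=spf1 -all", "v=spf1 ~all"],          # two records: hard error
    "bloated.example": ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " ~all"],
    "open.example": ["v=spf1 ip4:203.0.113.0/24 +all"],       # +all lets any host pass
}

# Mechanisms and modifiers that each cost one of the 10 permitted DNS lookups
# (ip4:, ip6: and all are evaluated without a lookup).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=](\S+))?", re.I)


def spf_records(name, zone=ZONE):
    """All TXT records at name that start with v=spf1 (there should be exactly one)."""
    return [r for r in zone.get(name, []) if r.lower().startswith("v=spf1")]


def count_lookups(name, zone=ZONE, path=()):
    """Recursively count lookup-causing terms, following include: and redirect=."""
    if name in path:
        return 0                      # include loop; a real resolver reports an error
    recs = spf_records(name, zone)
    if len(recs) != 1:
        return 0                      # missing or duplicate record: nothing more to count
    total = 0
    for term in recs[0].split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))
        if not m:
            continue
        mech, arg = m.group(1).lower(), m.group(2)
        if mech in LOOKUP_TERMS:
            total += 1
            if mech in ("include", "redirect") and arg:
                total += count_lookups(arg, zone, path + (name,))
    return total


def check_spf(name, zone=ZONE):
    """Apply the three rules: one record, a sane terminal all, at most 10 lookups."""
    recs = spf_records(name, zone)
    if not recs:
        return {"status": "none", "problems": ["no SPF record published"]}
    if len(recs) > 1:
        return {"status": "permerror", "problems": ["more than one SPF record"]}
    problems = []
    last = recs[0].split()[-1]
    terminal = last if last.lstrip("+-~?") == "all" else None
    if terminal is None:
        problems.append("record does not end with an all mechanism")
    elif terminal in ("+all", "all"):
        problems.append("+all lets any host send as this domain")
    lookups = count_lookups(name, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return {"status": "ok" if not problems else "warn", "terminal": terminal,
            "lookups": lookups, "problems": problems}


if __name__ == "__main__":
    for domain in ("example.com", "twice.example", "bloated.example", "open.example"):
        print(domain, check_spf(domain))
```

Note that the lookup count is cumulative across the whole include: tree, which is why a record with only two include: entries can still exceed the limit once the providers' own records are followed.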
DKIM — “was this message altered?”
DKIM adds a cryptographic signature to each message; receivers fetch your public key from DNS
to verify it. The key lives at selector._domainkey.yourdomain.com, where the selector is
given by your email provider (e.g. google, selector1, k1).
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3...
If p= is empty, the key is revoked. The checker probes common selectors for you.
DMARC — “what should happen on failure?”
DMARC sits at _dmarc.yourdomain.com and does two things: it requires that SPF or DKIM
align with your From domain, and it tells receivers your policy.
v=DMARC1; p=quarantine; rua=mailto:you@yourdomain.com
- p=none: monitor only (start here)
- p=quarantine: send failures to spam
- p=reject: block failures (strongest)
- rua=: where to send aggregate reports
Build a correct one with the DMARC generator.
How they work together
A receiver checks SPF and DKIM, then asks DMARC whether either passed and aligned with
the visible From domain. If not, it applies your DMARC policy. Publish all three, start DMARC
at p=none, read your reports, then tighten to reject.
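The receiver-side logic described here, together with the DKIM and DMARC record parsing from the two sections above, as an added example that is not the checker's code. It detects a revoked DKIM key (empty p=), parses a DMARC record, tests whether the SPF or DKIM identifier aligns with the From domain (relaxed by default, strict when aspf=s or adkim=s is set) and returns the disposition the policy calls for. The organisational-domain helper is a two-label simplification (an assumption for this example; real receivers use the Public Suffix List).

```python
"""DKIM record sanity check plus DMARC alignment and policy evaluation.
Added example, not the checker's code. org_domain() is a two-label
simplification; real receivers use the Public Suffix List."""


def parse_tags(record):
    """Split 'tag=value; tag=value' text into a dict (DKIM and DMARC share the syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim_record(record):
    """Return 'ok', 'revoked' (empty p=) or 'invalid' for a selector TXT record."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional in DKIM key records
        return "invalid"
    if "p" not in tags:
        return "invalid"
    return "revoked" if tags["p"] == "" else "ok"


def org_domain(domain):
    """Simplified organisational domain: the last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' (default) = same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(dmarc_record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Receiver logic: did SPF or DKIM pass *and* align with the visible From domain?
    spf_domain is the envelope-from domain SPF was checked against; dkim_domain is
    the d= tag of the signature that verified (None if no signature)."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"result": "none", "disposition": "none", "reason": "no usable DMARC record"}
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "reason": "SPF" if spf_ok else "DKIM"}
    # Mail from a subdomain falls under sp= when present, otherwise under p=.
    policy = tags["p"]
    if org_domain(from_domain) != from_domain.lower().rstrip(".") and "sp" in tags:
        policy = tags["sp"]
    return {"result": "fail", "disposition": policy,
            "reason": "neither SPF nor DKIM passed and aligned"}


if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; rua=mailto:you@yourdomain.com"
    # Constructed scenarios for mail claiming From: yourdomain.com.
    # Provider's own return-path, but DKIM signed with d=yourdomain.com: passes via DKIM.
    print(dmarc_evaluate(rec, "yourdomain.com", "pass", "sendgrid.net", "pass", "yourdomain.com"))
    # Same return-path, signature broken in transit: policy applies.
    print(dmarc_evaluate(rec, "yourdomain.com", "pass", "sendgrid.net", "fail", "yourdomain.com"))
```

The second scenario is the one that surprises people: SPF "passed", yet the message is quarantined, because the SPF domain (the provider's) does not align with the From domain and the DKIM signature did not verify.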
Run your domain through the free checker to see where you stand right now.