How to Stop Your Emails from Going to Spam: SPF, DKIM & DMARC Setup (2025)

A practical guide to email authentication protocols that ensure your emails reach the inbox, not spam, written by Peter Ogundairo.

Why Email Authentication Is Important

If you’ve ever wondered why your carefully crafted messages end up in spam folders, the answer often comes down to email authentication. Think of email authentication as digital checklists that prove your emails are legitimate business communications, not spam or phishing attempts.

Without proper authentication, your emails appear suspicious to email providers like Gmail and Yahoo. Since they can’t verify they’re legitimate, they default to protecting their users by blocking or filtering your messages into spam.

The good news is that fixing this is straightforward once you understand the 3 main authentication methods and how to set them up. These are SPF, DKIM, and DMARC, and I’ll show you how to approach them practically.

Key Players You Need to Understand

Before diving into setup, you need to understand who controls your email delivery and how they affect whether your messages reach inboxes.

1. Internet Service Providers (ISPs)

ISPs like Gmail, Yahoo, and Outlook receive and filter your emails. Gmail handles the most email volume and maintains the strictest filtering systems, with multiple tabs that can prevent emails from reaching the primary inbox.

2. Email Service Providers (ESPs)

ESPs like MailerLite, Mailchimp, and ActiveCampaign actually send your emails for you. Your ESP choice matters because their reputation directly affects how ISPs treat your messages.

How SPF, DKIM, and DMARC Actually Work

Email authentication involves proving your email identity through three technical settings that work together as verification steps:

SPF (Sender Policy Framework)

This is a setting in your DNS (GoDaddy, Namecheap, etc) that lists which email service providers (ESPs) you’ve authorized to send emails on your behalf. For example, when someone receives an email from p*****@techwriteable.com, their ESP first checks our published list to see if it actually came from one of our approved providers.

If the email came from MailerLite (which is on our authorized list), it passes. If it came from some random server pretending to be us, it fails. Without an SPF setting, you haven’t told email providers who’s allowed to send for you, which opens the door to spammers using your domain and hurts your deliverability.

DKIM (DomainKeys Identified Mail)

This setting adds a digital signature to prove your emails are authentic and haven’t been tampered with in transit. When you set up DKIM, your ESP creates two matching keys: a private key (which they keep secret) and a public key (which you add to your DNS settings at GoDaddy, Namecheap, etc).

Every time you send an email, your ESP automatically signs it with the private key. When someone receives your email, their email provider uses the public key from your DNS to verify the signature. If the signature checks out, they know the email truly came from your domain and wasn’t altered in transit.

Without DKIM, email providers can’t verify that your emails are genuine, so they’re more likely to treat them as suspicious.

DMARC (Domain-based Message Authentication, Reporting and Conformance) 

This final setting tells email providers what to do with emails that fail SPF or DKIM checks. You add this setting to your DNS (GoDaddy, Namecheap, etc) with instructions like “if someone sends a fake email pretending to be from my domain, either block it completely or send it to spam.”

DMARC also acts like a security monitor, sending you weekly reports that show all the emails sent using your domain name. This includes both your legitimate emails from your ESP and any attempts by scammers to impersonate you. Without DMARC, you have no say in how suspicious emails are handled and no way to know if someone is trying to fake emails from your domain.

In summary, when you send an email, receiving email providers like Gmail run through this three-step verification. First, they check if your ESP is authorized to send for your domain (SPF), then they verify the digital signature is authentic (DKIM), and finally, they follow your policy for handling any failures (DMARC).

If all three checks pass, your email goes straight to the inbox. If any step fails, the email gets treated according to the instructions you’ve set up.

​​These technical setups can seem overwhelming, but they’re crucial for email success. If you’d rather have an expert handle the configuration, book a call with Peter to get your authentication properly set up.

Getting Started on Your Email Authentication Setup

Now that you understand how these authentication methods work, let’s walk through the actual setup process for each one.

SPF: Creating your authorized sender list

Setting up SPF involves three straightforward steps:

Step 1: Access your DNS management by logging into your domain provider’s DNS management area. This might be Cloudflare, Namecheap, GoDaddy, or wherever you registered your domain.

Screenshot of namecheap dashboard

Step 2: Create Your SPF Record by adding a new TXT record with these settings:

• Name/Host: @ (represents your root domain)
• Value: Your SPF record that includes all email services you use

Example SPF record:

“v=spf1 include:_spf.google.com include:_spf.mlsend.com ~all”

This example authorizes Google Workspace and MailerLite to send emails for your domain.

Step 3: Save and wait for the record to propagate across the internet, which usually takes a few minutes to a few hours.

It is important that you include all the email services you use. If you send emails through Gmail and MailerLite for instance, but only include Gmail in your SPF record, your MailerLite emails will fail authentication.

DKIM: Adding digital signatures

DKIM setup is handled through your email service provider (ESP) since they generate the keys and provide the exact DNS records you need.

Step 1: Access Your ESP’s Authentication Settings by logging into your ESP’s domain authentication section (usually found under “Domains” or “Authentication” in your dashboard).

Screenshot of a MailerLite dashboard

Step 2: Generate your DKIM record by following your provider’s instructions. They’ll provide DNS records that look like this:

“Name: ml._domainkey.yourdomain.com

Type: TXT  

Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A…”

Step 3: Add generated records to your DNS settings exactly as provided by your ESP.

Step 4: Verify your setup by waiting for your ESP to confirm if its working correctly. Most platforms will show a “verified” or “authenticated” status once everything is configured properly.

DMARC: Setting your security policy

Step 1: Ensure SPF and DKIM are working properly before setting up DMARC as it builds on these two protocols.

Step 2: Create your first DMARC record  by going to your DNS management area and adding a new TXT record:

• Name/Host: _dmarc
• Type: TXT
• Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Replace “dmarc@yourdomain.com” with an actual email address where you want to receive reports.

Step 3: Start with a monitor-only campaign to instruct email providers to monitor your emails and send you reports, but not to block anything. You’ll receive weekly reports showing how your emails are performing.

Step 4: Review your DMARC reports after a few weeks to see:

• How many of your emails are passing authentication
• If there are any legitimate emails failing
• Whether anyone is trying to send fake emails from your domain

Step 5: Gradually increase security once you’re confident your legitimate emails are passing authentication. You can make your policy stricter by updating the record:

• Start with: p=none (monitoring only)
• Then move to: p=quarantine (send failures to spam)
• Finally use: p=reject (block failures completely)

To change your policy, simply update the TXT record value. For example, to move to quarantine: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

It is important you always monitor your legitimate email delivery when changing DMARC policies to ensure you’re not accidentally blocking your own emails.

How to Test Your Email Authentication Setup

After configuring your authentication settings, you need to verify they’re working properly. Here are several ways to test your setup:

Free Testing Tools

• MXToolbox: Check your SPF, DKIM, and DMARC records for proper configuration
• Mail Tester: Send test emails and receive detailed deliverability scores
• Google Admin Toolbox: Use Google’s official verification tools

For an immediate check, send a test email to any Gmail address. Open the email in Gmail, click the three dots menu next to “Reply,” and select “Show original.” Look for confirmation lines showing SPF: PASS, DKIM: PASS, and DMARC: PASS. If you see all three passes, your authentication is working correctly.

If any tests fail, don’t panic – there are common fixes for each issue. If SPF fails, check that all your email services are included in your SPF record. If DKIM fails, verify you’ve added the exact DNS records provided by your ESP. If DMARC fails, ensure your SPF and DKIM are working first, then check your DMARC record syntax.

Remember to give DNS changes 24-48 hours to fully propagate before assuming something is broken.

Common Setup Mistakes to Avoid

When setting up SPF, the biggest mistake is creating multiple SPF records or forgetting to include all your email services. You can only have one SPF record per domain, but it can include multiple email providers in a single record. Make sure every service you use to send emails is listed.

For DKIM setup, use the exact record type your ESP specifies – some require TXT records while others need CNAME records. Copy the record names exactly as provided, including any subdomains or selectors, since even small typos will break authentication.

With DMARC, avoid jumping straight to a strict policy like “reject.” Start with monitoring only (p=none) to collect data about your email authentication performance. Only increase enforcement to “quarantine” or “reject” after you’ve confirmed your legitimate emails are consistently passing SPF and DKIM checks.

The Business Impact of Email Authentication

Proper email authentication typically improves inbox delivery rates significantly. Many businesses see their delivery rates jump from the 70% range to over 90% after implementing SPF, DKIM, and DMARC correctly.

Beyond better delivery, authentication protects your domain reputation from spammers who might try to impersonate you. It also provides valuable insights through DMARC reports about who’s sending emails from your domain, helping you spot both legitimate issues and potential fraud attempts.

While setting up these protocols requires some technical work upfront, they’re a one-time investment that provides ongoing deliverability benefits. The time you spend configuring authentication today will pay off through better email performance and protected domain reputation for years to come.

Once you have your authentication properly configured, choosing the right email service provider becomes important for maintaining those high delivery rates. If you’re still evaluating email platforms or considering a switch, check out my comprehensive guide to the 7 best free email marketing platforms.

Need help setting up email authentication or improving your email marketing strategy? I offer email deliverability consulting and setup services to ensure your emails reach inboxes consistently. Book a consultation call to discuss your specific email marketing needs and get professional assistance with technical configuration.