SPF vs DKIM vs DMARC: What's the Difference?
Written by Jason McDonald
Published Jan 12, 2026
Reading time: 6 min read

Your cold emails are landing in spam because you skipped the authentication step. SPF, DKIM, and DMARC are the three protocols that prove your emails are legitimate—and without them, Gmail and Outlook assume you're a spammer.
This guide explains what each protocol does and how to set them up correctly. For the complete technical deep-dive on deliverability, read our Cold Email Infrastructure Guide.
The 30-Second Summary
SPF tells receiving servers which IP addresses can send email from your domain. DKIM adds a cryptographic signature proving the email wasn't tampered with. DMARC tells servers what to do when SPF or DKIM fail—and sends you reports.
All three work together. Missing any one of them significantly reduces deliverability. Let's break down each one.
SPF: Sender Policy Framework
SPF is a DNS TXT record that lists every IP address and server authorized to send email on behalf of your domain.
How SPF Works
When you send an email:
- Receiving server looks up your domain's SPF record
- Checks if the sending IP address is in that list
- If yes, SPF passes. If no, SPF fails.
SPF Record Syntax
v=spf1 include:_spf.google.com include:amazonses.com ~all
Breaking this down:
- v=spf1 — Version identifier (required)
- include:_spf.google.com — Allows Google Workspace servers
- include:amazonses.com — Allows Amazon SES
- ~all — Soft fail for everything else (use -all for hard fail once tested)
Common SPF Mistakes
1. Multiple SPF records
Only ONE SPF record per domain is allowed. Multiple records cause validation failures.
Wrong:
v=spf1 include:_spf.google.com ~all
v=spf1 include:amazonses.com ~all
Right:
v=spf1 include:_spf.google.com include:amazonses.com ~all
2. Too many DNS lookups
SPF has a 10-lookup limit. Each include: is a lookup. Exceeding 10 causes SPF to fail.
3. Forgetting third-party senders
If you use any cold email platform, CRM, or marketing tool that sends email, their servers must be in your SPF record.
Testing SPF
Use MXToolbox SPF Lookup:
- Enter your domain
- Check for "SPF Record Found" status
- Verify all sending services are included
- Ensure lookup count is under 10
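The first two mistakes above can also be checked locally before a record is published. The following is an added example, not code from this guide: it walks a constructed set of TXT records (all domains are samples), rejects a name that carries more than one SPF record, and counts lookups including those hidden inside nested include: records. It goes slightly beyond the text by also counting the other lookup-costing terms from RFC 7208 (a, mx, ptr, exists, redirect).

```python
import re

# Constructed DNS data (name -> TXT strings); every domain here is a sample.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:bulk.example mx ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bulk.example": ["v=spf1 a exists:%{i}.bl.bulk.example -all"],
    "dup.example": ["v=spf1 include:_a.mail.example ~all",
                    "v=spf1 ip4:203.0.113.5 ~all"],
}
LOOKUP_LIMIT = 10
# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", re.I)

def spf_records(domain, zone):
    """TXT records at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Worst-case lookup count for `domain`, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        name, target = TERM.match(term).groups()
        if name.lower() not in LOOKUP_TERMS:
            continue
        total += 1  # the lookup for this term itself
        if name.lower() in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return (ok, detail) the way a pre-publish check would report it."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as err:
        return False, str(err)
    return n <= LOOKUP_LIMIT, f"{n} of {LOOKUP_LIMIT} lookups used"

if __name__ == "__main__":
    for d in ("example.com", "dup.example"):
        print(d, audit(d, ZONE))
```

The sample example.com record shows only three lookup terms on its face but costs seven once the nested records are followed, which is how a short-looking record ends up over the limit.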
DKIM: DomainKeys Identified Mail
DKIM uses public-key cryptography to verify email integrity. It proves the email content wasn't modified after sending.
How DKIM Works
- Your email server signs outgoing emails with a private key
- The public key is published in your DNS as a TXT record
- Receiving servers use the public key to verify the signature
- If signature matches, DKIM passes
DKIM Record Format
DKIM records are TXT records with a selector prefix:
selector._domainkey.yourdomain.com
The record value contains your public key:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...
DKIM Setup Process
For Google Workspace:
- Admin Console > Apps > Google Workspace > Gmail
- Authenticate Email > Generate New Record
- Copy the TXT record to your DNS
- Wait 48 hours, then click "Start Authentication"
For most email platforms:
- Go to Settings > Domain Authentication
- Get the DKIM record from your provider
- Add to DNS as TXT record
- Verify in provider dashboard
Testing DKIM
Send a test email to mail-tester.com and check the DKIM section, or use MXToolbox DKIM Lookup with your selector.
DMARC: Domain-based Message Authentication
DMARC builds on SPF and DKIM. It tells receiving servers what to do when authentication fails—and sends you reports about who's sending email from your domain.
How DMARC Works
- Receiving server checks SPF and DKIM
- If either fails, server looks up DMARC policy
- DMARC tells server to: do nothing (none), quarantine (spam folder), or reject (block)
- Server sends you a report of the result
DMARC Record Format
DMARC is a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Key parameters:
- v=DMARC1 — Version (required)
- p=none — Policy: none, quarantine, or reject
- rua=mailto:... — Where to send aggregate reports
- ruf=mailto:... — Where to send forensic reports (optional)
- pct=100 — Percentage of emails to apply policy to
DMARC Policy Progression
Start with monitoring (p=none):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
After 2-4 weeks, move to quarantine:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
Once confident, enforce rejection:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Reading DMARC Reports
DMARC aggregate reports are XML files showing:
- Who sent email from your domain
- Whether SPF/DKIM passed
- What action receivers took
Use free tools like DMARC Analyzer or Postmark DMARC to parse these reports into readable dashboards.
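To see what those dashboards are built from, here is an added example (not code from this guide or from the tools named above) that reads one aggregate report and lists the sending IPs whose mail failed SPF or DKIM. The report is constructed sample data in the RFC 7489 aggregate-report layout, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report in the RFC 7489 Appendix C layout; every
# value is a sample. Real reports come from outside parties, so parse them
# with a hardened XML parser (e.g. defusedxml) rather than trusting the input.
REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return (domain, policy, Counter{(ip, spf, dkim, disposition): messages})."""
    root = ET.fromstring(xml_text)
    totals = Counter()
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        key = (row.findtext("source_ip"), ev.findtext("spf"),
               ev.findtext("dkim"), ev.findtext("disposition"))
        totals[key] += int(row.findtext("count"))
    return (root.findtext("policy_published/domain"),
            root.findtext("policy_published/p"), totals)

def failing_sources(totals):
    """Message counts per source IP where SPF or DKIM did not pass."""
    failing = Counter()
    for (ip, spf, dkim, _disposition), n in totals.items():
        if spf != "pass" or dkim != "pass":
            failing[ip] += n
    return dict(failing)

if __name__ == "__main__":
    domain, policy, totals = summarize(REPORT)
    print(f"{domain} (p={policy})")
    for ip, n in sorted(failing_sources(totals).items()):
        print(f"  review {ip}: {n} messages failed SPF or DKIM")
```

Each flagged IP is either a legitimate service missing from your SPF or DKIM setup or a sender you did not authorize, which is the distinction to settle before raising the policy.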
The Complete Setup Checklist
Day 1: SPF
- Identify all services sending email from your domain
- Create single SPF record including all services
- Add TXT record to DNS
- Test with MXToolbox
Day 2: DKIM
- Generate DKIM keys in your email provider
- Add DKIM TXT record to DNS
- Wait 24-48 hours for propagation
- Test with MXToolbox or mail-tester
Day 3: DMARC
- Create DMARC record with p=none (monitoring mode)
- Set up reporting email address
- Add TXT record to DNS
- Review reports after 1-2 weeks
Week 4+: Enforcement
- Review DMARC reports for unauthorized senders
- Fix any legitimate services failing authentication
- Gradually increase DMARC policy (quarantine, then reject)
Why This Matters for Cold Email
Without proper authentication, your cold email campaigns start with a handicap. ISPs see unauthenticated emails as higher risk:
| Authentication Status | Typical Deliverability |
|---|---|
| None | 50-60% inbox placement |
| SPF only | 70-75% |
| SPF + DKIM | 80-85% |
| SPF + DKIM + DMARC | 90-95% |
The gap between "SPF only" and "full authentication" is often 15-20 percentage points. On a 1,000-email campaign, that's 150-200 additional prospects who actually see your message.
Frequently Asked Questions
How long does email authentication take to set up?
Email authentication takes 2-3 days to fully configure. SPF and DKIM records typically propagate within 24-48 hours. DMARC can be added immediately but should run in monitoring mode (p=none) for 2-4 weeks before enforcement.
Can I skip DMARC if I have SPF and DKIM?
You can skip DMARC, but deliverability will suffer. DMARC provides the policy that tells receivers what to do with authentication failures. Without it, each ISP makes its own decision—often defaulting to spam folder placement.
Why is my SPF failing with too many lookups?
SPF has a hard limit of 10 DNS lookups. Each include: statement counts as a lookup. If you use multiple email services (Google, cold email platform, marketing automation, etc.), you may hit this limit. Solutions include SPF flattening services or consolidating to fewer sending providers.
Do I need different DKIM keys for different senders?
Each email service uses its own DKIM selector and key pair. This is normal and expected. You'll have separate DKIM records for Google Workspace, your cold email infrastructure, and any other sending service—all under the same domain.


