Emails Going to Spam in 2024: SPF, DKIM, and DMARC Explained

Posted by Adem on May 31, 2024

For anyone who relies on email for personal or professional communication, ensuring that your messages land in the recipient's inbox is crucial. A common issue many face is emails not arriving as intended, often ending up in the spam or junk folder.

Starting February 2024, Gmail and Yahoo will impose DMARC policies on bulk senders (those who send over 5000 emails per day) as well as SPF and DKIM records on all senders. However, it's advised that all senders configure their SPF, DKIM and DMARC policies to help future-proof the forever-changing nature of email deliverability constraints.

This means mastering email deliverability is now a necessity and it requires an understanding of email authentication protocols: SPF, DKIM, and DMARC. These protocols boost your email credibility and protect against phishing and spoofing attacks. Let’s dive into what these protocols are, how they work, and how you can implement them.

What is SPF and How Does it Prevent Spam?

Understanding SPF

Think of a sender policy framework (SPF) record as a bouncer for your domain's email. It’s a type of DNS TXT record listing all the servers authorized to send emails from your domain. Without SPF, SMTP (the standard email protocol) can’t authenticate the “from” address, making it easy for attackers to impersonate you.

How does SPF work?

  1. DNS Record: You publish an SPF record in your DNS, listing the authorized IP addresses.
  2. Email Sending: When an email is sent, the recipient's server checks this SPF record via DNS.
  3. Validation: The server compares the sender's IP address with the SPF record. If there's a match, the email passes; if not, it fails.

What does an SPF Record look like?

yourdomain.tld TXT v=spf1 ip4: -all 6000
  • v=spf1: Tells the server this is a SPF record; along with the version.
  • ip4: Authorizes this IP ( to send emails.
  • This is an example that authorizes Outlook to send emails on your behalf.
  • -all: Denies any IP not listed from sending emails.

Why is SPF important?

SPF helps prevent spammers from using your domain to send unauthorized emails. It ensures that only legitimate servers can send emails on your behalf, reducing the likelihood of your emails being marked as spam.

What is DKIM and How Does it Protect Emails?

Understanding DKIM

DomainKeys Identified Mail (DKIM) is like a wax seal on a letter, ensuring the email is from the claimed sender and hasn’t been tampered with. It uses public key cryptography to achieve this.

How does DKIM work?

  1. Digital Signature: When an email is sent, a private key generates a digital signature, added to the email header.
  2. DNS Record: The corresponding public key is published in your DNS.
  3. Verification: The recipient's server retrieves this public key to verify the signature. If it matches, the email is authentic.

Example DKIM DNS record

default._domainkey.yourdomain.tld TXT v=DKIM1; k=rsa; p= 6000
  • default._domainkey.yourdomain.tld: Specifies the selector and domain.
  • v=DKIM1: Tells the server this is a DKIM record; along with the version.
  • k=rsa: Indicates the key type (RSA).
  • p=: The public key used for verifying the signature.

Why is DKIM important?

DKIM ensures your email content hasn’t been altered during transit and verifies the sender’s identity, providing an extra layer of trust.

What is DMARC and How Does it Work?

Understanding DMARC

Domain-based Message Authentication Reporting and Conformance (DMARC) builds on SPF and DKIM. It tells receiving servers how to handle emails that fail these checks and provides reporting for better monitoring.

How does DMARC work?

  1. Policy Specification: Publish a DMARC policy in DNS, specifying actions for failed SPF/DKIM checks (e.g., reject, quarantine, none).
  2. Alignment Check: Ensures the "From" header matches the domain in SPF and DKIM.
  3. Reporting: Generates reports on authentication results and potential malicious activity.

Example DMARC DNS Record

_dmarc.yourdomain.tld TXT v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto@yourdomain.tld 32600
  • v=DMARC1: Tells the server this is a DMARC record; along with the version.
  • p=quarantine: Indicates that email servers should "quarantine" emails that fail the DKIM and SPF checks; considering them to be potentially spam. Other possible values for this include "none" (allows emails that fail to still go through) and "reject" (instructs email servers to block emails that fail)
  • adkim=r: Indicates that the DKIM checks are "relaxed". The other possible value is "s", for Strict.
  • aspf=r: This is the same as adkim=r (above) but for SPF records.
  • rua=mailto@yourdomain.tld: Specifies the email address to receive aggregate reports.

Why is DMARC important?

DMARC provides clear instructions for handling failed authentication attempts, enhancing email security and monitoring.

How to Implement SPF, DKIM, and DMARC for Better Email Deliverability

Implementing these protocols is essential for protecting your email infrastructure. Here’s a step-by-step guide:

Set up SPF:

  1. Identify all IP addresses and third-party services sending email for your domain.
  2. Create and publish an SPF record in your DNS settings (see the example above).

Set up DKIM:

  1. Generate a public/private key pair.
  2. Publish the public key in your DNS settings (see the example above).
  3. Configure your email server to sign outgoing emails with the private key.

Set up DMARC:

  1. Create and publish a DMARC policy in your DNS settings (see the example above).
  2. Specify how to handle emails failing SPF or DKIM checks.
  3. Set up email addresses to receive DMARC reports.

By implementing these protocols, you can significantly reduce the risk of your emails being marked as spam and protect your domain against malicious attacks.


Why are my emails going to spam?

Emails can end up in spam due to lack of proper authentication, suspicious content, sending behavior, or blacklisted IP addresses. Implementing SPF, DKIM, and DMARC improves deliverability.

How do I check if my SPF, DKIM, and DMARC are correctly set up?

Use online tools like MXToolbox or your email provider’s diagnostics tools. I personally love using mail-tester for a detailed analysis of email configurations.

What happens if I don’t implement SPF, DKIM, and DMARC?

Without these protocols, your emails are more likely to be marked as spam or rejected. Your domain is also more vulnerable to spoofing and phishing, leading to potential blacklisting.

Can I use SPF, DKIM, and DMARC together?

Absolutely. Using SPF, DKIM, and DMARC together offers a comprehensive approach to email authentication, greatly enhancing deliverability and security.


Setting up SPF, DKIM, and DMARC might sound technical, but it’s worth the effort. These tools help your emails land in the inbox instead of the spam folder, protect your domain from scams, and keep your email reputation intact. By following some straightforward steps, you can make sure your emails are safe and sound.

blog comments powered by Disqus