Three settings most owners have never heard of
If your email lands in spam, or someone told you to “set up your email authentication,” you’ve probably hit three acronyms: SPF, DKIM, and DMARC. They look like IT jargon you can safely ignore. They’re not. They’re the difference between your invoices getting read and your invoices getting filtered.
Here’s what each one does, in normal words — plus how to check what you’ve got and what to fix.
SPF: who’s allowed to send for you
SPF is a list. It tells the rest of the internet which servers are allowed to send email using your domain.
Think of the approved-driver list for a company truck. If a server tries to send mail from an address at your domain and it isn’t on the list, receiving servers treat it as suspicious — maybe someone impersonating you, maybe spam.
The catch: every tool that sends email for you — your invoicing app, your scheduling software, your newsletter service — has to be on that list. Add a new tool and forget to update SPF, and its mail can quietly start failing.
DKIM: proof the message wasn’t tampered with
DKIM adds a sealed signature to every message you send. The receiving server checks the seal. Intact? The message is genuinely from you and wasn’t changed along the way. Broken or missing? That’s a red flag.
Why both matter. SPF says “this server is allowed to send for me.” DKIM says “and this exact message really is mine, untouched.” Together, they’re how a filter tells your invoice apart from someone spoofing your name.
DMARC: your instructions for failures
DMARC ties the first two together. It tells receiving servers what to do when a message claiming to be from you fails the SPF and DKIM checks: let it through, send it to spam, or reject it outright.
It also sends you reports — so you can see who’s sending email in your name, including anyone trying to impersonate your business. Without DMARC you’re flying blind. With it, you get a say in how your domain is protected and a window into what’s actually going out under your name.
How to see what you have right now
You can check all three in a few minutes without touching anything:
- MXToolbox (free): look up your domain’s SPF and DMARC records. If either comes back empty, that’s your problem in plain sight.
- Gmail’s “Show original”: open a message you received from your own company address, click the three dots, choose “Show original,” and read the SPF / DKIM / DMARC results — each marked PASS or FAIL.
- Your DMARC reports: once DMARC is switched on, you start getting reports listing every source sending mail as you. Most owners are surprised by what shows up.
The most common ways these break
- You added a new tool — invoicing, CRM, email marketing — and never authorized it, so its mail fails.
- You have two SPF records. Only one is allowed; a second one cancels the first out.
- Someone copied an SPF record off a template, and it doesn’t list the senders you actually use.
- DMARC is set to “do nothing” and left there for years, so it watches but never protects.
None of these are exotic. They’re the quiet result of a business growing and adding tools while the email settings stayed frozen on day one.
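The breakages listed above can be checked mechanically. The following is an added example, not part of the original article: it audits a domain's TXT records for a missing sender, a duplicate SPF record, and a DMARC policy left at p=none. The `audit` helper, the `example.com` records and the sender hostnames are constructed for illustration; in practice the strings would come from a TXT lookup of your domain and of `_dmarc.` followed by your domain.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain_txt, dmarc_txt, expected_includes):
    """Return findings for the common failure modes.

    domain_txt: TXT strings published at the domain itself
    dmarc_txt: TXT strings published at _dmarc.<domain>
    expected_includes: SPF include hosts of the tools you really send with
    """
    findings = []
    spf = [r for r in domain_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        # Only one SPF record is allowed; receivers treat two as an error.
        findings.append("multiple SPF records")
    else:
        terms = [t.lstrip("+") for t in spf[0].lower().split()[1:]]
        listed = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
        for host in expected_includes:
            if host.lower() not in listed:
                findings.append(f"sender not authorized in SPF: {host}")
    dmarc = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy == "none":
            findings.append("DMARC is monitor-only (p=none)")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC policy missing or invalid")
    return findings

# Constructed sample records (placeholders, not real configurations).
SENDERS = ["_spf.mailhost.example", "spf.newsletter.example"]
BEFORE_DOMAIN = ["v=spf1 include:_spf.mailhost.example ~all",
                 "v=spf1 include:spf.newsletter.example ~all"]
BEFORE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
AFTER_DOMAIN = ["v=spf1 include:_spf.mailhost.example include:spf.newsletter.example ~all"]
AFTER_DMARC = ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print("before:", audit(BEFORE_DOMAIN, BEFORE_DMARC, SENDERS))
    print("after: ", audit(AFTER_DOMAIN, AFTER_DMARC, SENDERS))
```

The "after" records show the fix for the duplicate: one SPF record that lists every sender, rather than one record per tool.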
Walk DMARC up in stages
DMARC has three settings for what to do with mail that fails the checks:
- p=none — watch and report, change nothing. Start here so you can see who’s sending as you.
- p=quarantine — send failing mail to spam.
- p=reject — block it outright.
Move from none to quarantine to reject as you confirm your real mail is passing. Jump straight to reject before you’ve checked, and you risk blocking your own invoices — which is worse than where you started.
Do you need all three?
Yes. SPF and DKIM build the trust; DMARC enforces it and tells you what’s happening. Two out of three leaves a gap a filter will notice and a scammer can use.
Who should set this up
If you’re comfortable editing DNS records, you can do it in an afternoon. If “DNS records” already lost you, hand it to whoever manages your website or email. Either way, it’s worth having someone confirm what’s actually in place first, so you’re fixing the real gap instead of guessing.
What you get once it’s right
Set up correctly, three things change:
- Your invoices and quotes start landing in inboxes instead of spam folders.
- It becomes very hard for anyone to send email pretending to be your business — a common way customers get burned by fake invoices with someone else’s bank details.
- Once DMARC is enforcing (quarantine or reject), you can add one more record called BIMI, which displays your company logo next to your emails in Gmail and Apple Mail. Customers notice it — a small, visible sign the message is really from you.
The point isn’t collecting acronyms. It’s that the mail you send gets read, and mail nobody authorized gets stopped at the door.
A simple next step
If you want to know whether your three records are set up right, without learning DNS yourself, that’s what our free email and domain check is for. We look at your SPF, DKIM, and DMARC, flag anything missing, and send you a written summary you can hand to whoever manages your tech. No jargon, no sales call.
For the bigger picture on why this moved from “nice to have” to lost revenue, read why your @gmail.com is now a business risk.
