← All posts · Email Deliverability

SPF, DKIM, DMARC Explained for Sales Teams (2026)

By · · 9 min read

DNS records (SPF, DKIM, DMARC) are the foundation of email deliverability because they prove to ISPs your emails are authorized and untampered. Most cold email fails here: 50% skip SPF, 70% misconfigure DKIM, and 90% never move DMARC beyond monitoring; at Outbound Pros we use Primeforge to automate setup across 13+ active client campaigns, but even DIY takes about 30 minutes and can move inbox placement from roughly 60% to 90%.

Why Do DNS Records Matter for Cold Email Deliverability?

DNS records matter because SPF, DKIM, and DMARC are the authentication layer inbox providers use to decide whether your domain is a legitimate sender.

Without them, Gmail and Outlook treat your mail as suspicious before they ever evaluate your copy, targeting, or sequence logic. That is why broken DNS beats bad subject lines as a spam cause in cold outbound. You can have a solid ICP, a clean list, and decent messaging and still sit around 40% inbox placement if authentication is broken.

At Outbound Pros we manage outbound infrastructure across 13+ active client campaigns, and the first audit on every new account is DNS. Roughly half the teams that come to us with a deliverability complaint do not have a copy problem first. They have a missing record, a broken include, a wrong DKIM selector, or a DMARC policy that is stricter than their setup can support.

This is also one of the few fixes that is both high impact and fast. In most cases you can set up or correct all three records in under 30 minutes, validate with MXToolbox, and remove the biggest technical blocker to inbox placement.

What Is SPF and How Does It Work?

SPF is a DNS record that tells receiving servers which systems are allowed to send email from your domain.

When a server receives a message from yourdomain.com, it checks whether the sending IP or sending service is listed in your SPF policy. If yes, SPF passes. If not, SPF fails or soft fails depending on your policy.

A typical record looks like this.

- v=spf1 include:sendgrid.net include:mailgun.org ~all

The syntax is straightforward. v=spf1 declares the version. Each include pulls in another provider's authorized sending infrastructure. The ending matters most. ~all is a soft fail and is the right place to start while testing. -all is a hard fail and is what you move to after confirming every legitimate sender is included.

At Outbound Pros, the five SPF issues we see most are missing the record entirely, exceeding the 10 DNS lookup limit, leaving ~all in place forever, switching to -all too early, and forgetting to add a new tool after adding it to the stack. That last one is common when a team adds a new outbound platform or SMTP relay and assumes deliverability will just carry over.

An honest limitation: SPF alone is not enough. It helps prevent spoofing, but forwarding and some relay setups can still create edge cases. That is why SPF has to be evaluated alongside DKIM and DMARC, not as a standalone deliverability fix.

What Is DKIM and How Does It Authenticate Email?

DKIM is a cryptographic signature system that proves an email was signed by your domain's authorized mail system and was not altered in transit.

Your email provider signs each outgoing message with a private key. You publish the matching public key in DNS. The receiving server retrieves that public key and verifies the signature. If the signature checks out, the server knows the message is authentic and intact.

A DKIM record usually contains three main elements.

- v=DKIM1
- k=rsa
- p=your-public-key

The record also lives under a selector such as default._domainkey.yourdomain.com or google._domainkey.yourdomain.com. The selector has to match what your sending system is actually using. That mismatch is one of the most common silent failures.

We learned this the hard way early on. At Outbound Pros, one client had migrated platforms and accidentally enabled signing with two selectors while DNS only matched one of them. Their reply rate dropped about 30%, and the fix took 10 minutes once identified. The painful part was diagnosis, which took two days because the symptoms looked like a messaging problem, not an auth problem.

DKIM setup is usually generated by the email provider, not hand-written from scratch. The rule is simple: copy the DNS host and value exactly, wait for propagation, then send a test email and confirm dkim=pass in the headers. One stray space or a wrong selector is enough to break the whole check.

What Is DMARC and Why Does It Tie SPF and DKIM Together?

DMARC is the policy layer that tells inbox providers what to do when SPF or DKIM fails and gives you reporting on who is sending from your domain.

A basic DMARC record looks like this.

- v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

The critical setting is p. p=none means monitor only. p=quarantine means failing mail should go to spam. p=reject means failing mail should be blocked. Most teams should start at none, read reports for about two weeks, fix alignment issues, then move to quarantine. At Outbound Pros that rollout pattern is the safest one across client domains, and most domains stay at quarantine long term.

DMARC also introduces alignment, which is where many third-party setups break. SPF can technically pass on one domain and DKIM can technically pass on another, but DMARC wants the authenticated domain to align with the visible From domain. If your platform signs as a different domain than the one in the From header, DMARC can still count the message as a failure.

This is where many founders overcorrect. They set p=reject immediately because it sounds more secure, then wonder why legitimate mail disappears. In practice, reject is for mature setups with clean reports over multiple months, usually for brand protection more than outbound performance. If you skip the monitoring phase, you risk blocking good mail along with bad.

How Do SPF, DKIM, and DMARC Work Together on a Live Email?

SPF, DKIM, and DMARC work together because each one answers a different trust question during message delivery.

SPF asks whether the sender is authorized. DKIM asks whether the message was signed correctly and remained intact. DMARC asks whether those checks align with the visible From domain and what action to take if they do not.

In practical terms, inbox providers score the combination, not just one record in isolation.

| Authentication state | Typical outcome |
|---|---|
| SPF pass + DKIM pass + DMARC aligned | Strong trust, often 90%+ inbox placement |
| SPF pass + DKIM fail, or the reverse | Partial trust, still deliverable but weaker |
| SPF fail + DKIM fail | High spam risk, often around 40% inbox placement or worse |
| DMARC reject + failed alignment | Rejection, effectively 0% delivery |

We have seen this play out with the same client before and after a fix. In one SaaS campaign, the configured version had SendGrid properly included in SPF, the right DKIM selector live, and DMARC at quarantine with alignment confirmed. Inbox placement sat at 91% across Gmail and Outlook targets. Before the fix, SendGrid was missing from SPF, DKIM used the wrong selector, and DMARC was set to reject. The result was not lower performance. It was total failure.

That is the operator view of DNS. These are not abstract security settings. They directly determine whether your outreach exists in the recipient's inbox at all.

What's the Step-by-Step Verification Checklist Before Launching?

A launch checklist is the fastest way to catch DNS mistakes before they burn a domain's reputation.

Every new domain should go through an external validation pass, not just an internal assumption that the records were added correctly. DNS propagation delays, copy paste issues, and provider-specific selector quirks are common.

1. Confirm an SPF record exists and validates in MXToolbox.
2. Confirm every sending service in your stack is included in SPF.
3. Check for SPF syntax errors and the 10-lookup limit.
4. Confirm a DKIM record exists for the active selector.
5. Verify the selector in DNS matches the selector your provider uses for signing.
6. Add a DMARC record starting with p=none.
7. Make sure the rua mailbox is live and monitored.
8. Send a test email to personal Gmail and Outlook inboxes.
9. Inspect headers and confirm spf=pass and dkim=pass.
10. Recheck all three records in MXToolbox after propagation.

For ongoing monitoring, we look at DMARC reports weekly, keep bounce rate under 2%, keep complaint rate under 0.1%, and investigate any auth failures rather than assuming they are harmless noise. At Outbound Pros, that habit catches most infrastructure issues before a client notices a drop in replies.

One honest limitation: passing this checklist does not guarantee great deliverability. It guarantees your technical foundation is sound. If mail still lands in spam after that, the issue is usually reputation, list quality, warmup, sending behavior, or content.

What Are the Common Misconfigurations and How Do You Fix Them?

The most damaging DNS misconfigurations are the ones that look fine at a glance but fail under real traffic.

The first is incomplete SPF. A valid-looking SPF record can still fail if one active sender is missing. We have diagnosed 40% spam placement caused by one absent include for an SMTP relay while everything else looked normal.

The second is selector mismatch in DKIM. The DNS record exists, but the mail provider signs with a different selector. That creates a clean-looking DNS setup that still fails on every real message.

The third is DMARC without monitoring. Teams add p=none with a rua address they never check, or worse, they go straight to p=reject before verifying alignment across all mail sources.

Other common issues are predictable.

- SPF include loops or too many lookups
- Multiple DKIM records on the same selector
- Copy paste errors in long DKIM keys
- noreply sender addresses that suppress engagement by design
- Strict DKIM canonicalization in environments where forwarding alters messages

The fix pattern is usually simple. Reduce sending tools where possible, flatten SPF if lookup count is the issue, keep one DKIM record per selector, use a real sender identity, and move DMARC in stages from none to quarantine after reviewing reports for two to four weeks. At Outbound Pros we have also seen DMARC reports reveal unauthorized spoofing attempts from infrastructure the client did not recognize, which is exactly why those reports matter beyond deliverability.

How Do We Handle DNS Setup at Outbound Pros?

At Outbound Pros, DNS setup is a standardized infrastructure step because outbound performance is too fragile to leave authentication to guesswork.

We use Primeforge to automate SPF, DKIM, and DMARC across client domains, then validate the records with MXToolbox before warmup starts. The end-to-end setup usually takes under 20 minutes per domain when the registrar and mailbox provider cooperate cleanly.

Our practical flow is simple.

1. Buy or connect the domain.
2. Point DNS and add the required records.
3. Generate DKIM from the mailbox provider.
4. Publish DMARC at p=none with a monitored reporting address.
5. Validate externally in MXToolbox.
6. Send test mail and inspect headers.
7. Start warmup only after auth checks pass.

The tools we lean on most are Primeforge for provisioning, MXToolbox for validation, Google Admin Toolbox for Workspace-specific checks, and Warmforge for monitoring reputation once mailboxes are live. If you are doing this manually, MXToolbox plus your provider's admin panel covers most of the work.

The trade-off is straightforward. DIY is absolutely possible and usually not hard. The risk is not setup complexity. The risk is missing a small detail, launching anyway, and spending the next two weeks trying to solve a deliverability issue that was actually a DNS typo.

Frequently Asked Questions

Can I use the same DNS records for multiple sending services?

Yes, but each record behaves differently. SPF can include multiple sending services, but you only get 10 DNS lookups total, so stacks with several tools can break faster than teams expect.

DKIM is easier to separate because each service can use its own selector. That means multiple DKIM records are fine as long as each selector is unique and the provider is signing with the matching one.

What if I'm using a third-party SMTP relay?

A third-party SMTP relay adds alignment risk because the relay may authenticate on one domain while your visible From header shows another.

That matters most for DMARC. SPF or DKIM can appear to pass technically, but if the authenticated domain does not align with the From domain, DMARC can still fail. In practice, use a relay that supports custom domain alignment or move to infrastructure that is built for outbound authentication.

Why do my DMARC reports show SPF failures if I have a valid SPF record?

A valid SPF record can still produce failures if the wrong sender is trying to use your domain or if one active sender is not included.

The usual causes are a new sending tool not yet added to SPF, incomplete provider coverage, or alignment problems between the Return-Path domain and the From domain. Read the report, identify the failing source, update SPF if it is legitimate, and allow up to 24 hours for propagation.

How often should I check my DNS records?

Quarterly is the minimum, and monthly is safer for active outbound domains.

You should also recheck immediately after adding a new sending platform, changing mailbox providers, or seeing any sudden drop in inbox placement. DNS records do not change often, but outbound stacks do.

Can DMARC strict policy p=reject break legitimate email?

Yes. p=reject can block legitimate forwarded mail, mailing list traffic, and some business automation if alignment is not clean.

That is why the safer rollout is p=none first, then p=quarantine after two to four weeks of clean reporting, and only then consider p=reject after several months of stable data. Many outbound teams never need to go beyond quarantine.