10 min read
SPF, DKIM, and DMARC explained for lifecycle marketers
You don't need to be a DNS engineer to run a lifecycle program, but you do need to understand the three records that decide whether your email is trusted. Since 2024, Gmail and Yahoo have required SPF, DKIM, and DMARC from bulk senders (5,000 or more messages a day). Get one of them wrong and deliverability silently degrades. Here's what each one actually does, in practitioner terms, and how they fit together.
Justin Williames
Founder, Orbit · 10+ years in lifecycle marketing
What each record actually does
SPF (Sender Policy Framework) publishes which servers are allowed to send mail on behalf of your domain. It's a single TXT record in your DNS that lists the allowed sending IP ranges and, via include:, the services that send for you. A receiving server looks up the SPF record of the envelope sender domain (the Return-Path, which is not necessarily the visible From address), checks whether the connecting IP is on the list, and either accepts the mail or treats it as suspicious.
Source: Google, "Email sender requirements" (support.google.com/a/answer/81126). Google's 2024 requirements mandating SPF, DKIM, and DMARC for bulk senders of 5,000 or more messages a day.
DKIM (DomainKeys Identified Mail) cryptographically signs selected headers and the body of every outgoing message with a private key held by the sending service. Receiving servers fetch the matching public key from a TXT record at selector._domainkey.yourdomain and verify that the signed parts haven't been modified in transit. DKIM doesn't prove you're trustworthy. It proves that a message carrying a valid signature for your domain was signed by whoever holds that domain's private key and arrived unaltered.
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do when a message passes neither SPF nor DKIM for a domain that aligns with the visible From address. Three policy options: p=none (monitor only; deliver as normal and report), p=quarantine (deliver to spam), p=reject (refuse the message at SMTP time). DMARC also asks receivers to send aggregate reports (rua=, typically daily) listing every source that sent mail as your domain and how it authenticated, which is the first time many teams discover they have unauthorised or forgotten services in the mix.
How the three work together
DMARC is the escalation layer. SPF and DKIM are the evidence layers. Publishing DMARC without fixing SPF and DKIM first is how teams accidentally block their own sends.
SPF verifies the sending server against the envelope sender (Return-Path) domain. DKIM verifies the signed headers and body against the d= domain named in the signature. DMARC passes only if at least one of them passed AND the domain it authenticated aligns with the visible From domain: an exact match under strict alignment, or the same organizational domain under the relaxed default. Alignment matters. An ESP can sign your mail with DKIM but put its own domain in the signature's d= tag, which passes DKIM but fails DMARC alignment. The same thing happens on the SPF side when the ESP uses its own bounce domain as the Return-Path: SPF passes for the ESP's domain, not yours.
The practical flow: a receiving server gets your message, checks SPF (source IP allowed?), checks DKIM (signature valid?), checks alignment (does the authenticated domain match the visible From?), then consults DMARC to decide what happens when anything fails. Most bulk-sending problems come from alignment failures, not signature failures.
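How a receiving server combines the three checks, as an added example in Python; this is not code from the original page. It parses a DMARC record, applies relaxed or strict alignment to the SPF (Return-Path) and DKIM (d=) domains, and returns the disposition, including the pct= sampling described later in this guide. The domains, the ESP name and the authentication results are constructed, and org_domain() approximates the organizational domain with the last two labels where a real verifier consults the Public Suffix List.

```python
"""Added example: how a receiver evaluates DMARC for one message.

Not code from the original page. Domains, selectors and results are
constructed. org_domain() uses the last two labels; a real verifier uses the
Public Suffix List so that e.g. example.co.uk is handled correctly.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Parse "v=DMARC1; p=quarantine; pct=25; rua=mailto:..." into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ("r") alignment compares organizational domains;
    strict ("s") alignment needs an exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    header_from: str        # domain in the visible From: header
    mail_from: str          # Return-Path domain: what SPF actually checked
    spf_result: str         # "pass", "fail", "softfail", "none", ...
    dkim_d: Optional[str]   # d= tag of the DKIM signature, None if unsigned
    dkim_result: str        # "pass", "fail", "none"


def evaluate_dmarc(msg: AuthResults, policy: dict, draw: int = 0) -> tuple:
    """Return (dmarc_result, disposition).

    draw is a number in [0, 100) the receiver picks at random per message.
    With pct=N the published policy applies only when draw < N; otherwise the
    next weaker policy applies (reject -> quarantine, quarantine -> none).
    """
    spf_aligned = msg.spf_result == "pass" and aligned(
        msg.mail_from, msg.header_from, policy.get("aspf", "r"))
    dkim_aligned = (msg.dkim_result == "pass" and msg.dkim_d is not None
                    and aligned(msg.dkim_d, msg.header_from, policy.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    action = policy["p"].lower()
    if draw >= int(policy.get("pct", "100")):
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return "fail", action


# Constructed scenarios.
POLICY = parse_dmarc("v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourbrand.com")

# ESP signs with its own d= and bounces to its own domain: SPF and DKIM both
# pass on their own terms, but neither aligns with yourbrand.com.
UNALIGNED = AuthResults("yourbrand.com", "bounce.esp-example.net", "pass",
                        "esp-example.net", "pass")
# Same ESP after custom-domain DKIM was configured: the d= domain aligns.
ALIGNED = AuthResults("yourbrand.com", "bounce.esp-example.net", "pass",
                      "mail.yourbrand.com", "pass")

if __name__ == "__main__":
    print(evaluate_dmarc(UNALIGNED, POLICY, draw=10))  # inside the 25%: quarantined
    print(evaluate_dmarc(UNALIGNED, POLICY, draw=60))  # outside the 25%: delivered
    print(evaluate_dmarc(ALIGNED, POLICY))             # passes via aligned DKIM
```

The second scenario is the one the rest of this guide keeps returning to: the ESP's SPF and DKIM are both fine, and the message still fails DMARC because the authenticated domains belong to the ESP, not to you.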
Setup order that doesn't break production
3 DNS records to publish: SPF (TXT), DKIM (TXT), DMARC (TXT).
p=none: always start DMARC in monitoring mode. Only move to quarantine after reports look clean for 2–4 weeks.
2024: the year Gmail and Yahoo made all three mandatory for bulk senders. The grace period is over.
Step 1: SPF. List every service that sends mail as your domain: your ESP (Braze), your transactional provider (Postmark, SendGrid), Google Workspace if you use Gmail, and any marketing tools. If you miss one, mail from that service will fail SPF. SPF allows at most 10 DNS-querying terms (include:, a, mx, ptr, exists, redirect=) counted across your record and everything it includes; exceeding the limit is a permanent error and the record fails for every sender, not just the extra one. Note that SPF only counts toward DMARC when the service also uses a Return-Path on your domain (a custom bounce domain); otherwise it passes for the ESP's domain and DKIM has to carry alignment.
Step 2: DKIM. Each service publishes its own DKIM public key. Braze provides yours through the sending-domain configuration; Google Workspace has its own. Add each key as the TXT or CNAME record the provider specifies, at a unique selector (e.g. braze._domainkey.mail.yourbrand.com), using 2048-bit keys where the provider offers them. Before moving on, send a test from each service and confirm the DKIM-Signature header shows d= on your domain or sending subdomain, not the provider's.
Step 3: DMARC, in monitoring only. Start with v=DMARC1; p=none; rua=mailto:dmarc@yourbrand.com. If the rua= mailbox is on a different domain, that domain must publish an authorization record or receivers will not send reports there. Review the reports for 2–4 weeks. Fix any failing services. Then move to p=quarantine; pct=25 for partial enforcement (the other 75% of failures fall back to the next weaker policy, p=none), then p=reject once you're confident.
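Step 3 says to review the reports and fix what fails; this added example (not code from the original page) shows what that review looks like in Python on one aggregate report. SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C format with three sources: a correctly configured ESP, an ESP that passes SPF and DKIM for its own domain only, and an unknown host. Real reports arrive as gzip or zip attachments to the rua= mailbox and must be decompressed before the XML is parsed this way.

```python
"""Added example: triage one DMARC aggregate (rua) report.

Not code from the original page. SAMPLE_REPORT is constructed; the IPs,
domains and counts are illustrative.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver-example.com</org_name>
    <report_id>example-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourbrand.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.yourbrand.com</domain><selector>braze</selector><result>pass</result></dkim>
      <spf><domain>mail.yourbrand.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-example.net</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.99</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
    <auth_results><spf><domain>yourbrand.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify(record) -> str:
    """'pass' if DMARC passed (an aligned SPF or DKIM pass); 'alignment' if SPF
    or DKIM passed on its own but for a domain that is not yours; otherwise
    'unauthenticated' (no valid authentication at all)."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "pass"
    raw_results = record.findall("auth_results/dkim") + record.findall("auth_results/spf")
    raw_pass = any(r.findtext("result") == "pass" for r in raw_results)
    return "alignment" if raw_pass else "unauthenticated"


def triage(xml_text: str):
    """Return (policy domain, rows sorted by volume) with one row per source IP."""
    root = ET.fromstring(xml_text)
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    rows = []
    for record in root.findall("record"):
        row = record.find("row")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "status": classify(record),
            # Which domains actually authenticated: an ESP's own domain here is
            # the tell-tale for the custom-domain DKIM / bounce domain mistake.
            "dkim_d": [d.findtext("domain") for d in record.findall("auth_results/dkim")
                       if d.findtext("result") == "pass"],
            "spf_domain": [s.findtext("domain") for s in record.findall("auth_results/spf")
                           if s.findtext("result") == "pass"],
        })
    rows.sort(key=lambda r: r["count"], reverse=True)
    return root.findtext("policy_published/domain"), rows


def fix_list(rows) -> list:
    """Sources to fix before enforcement: your own services that fail only on
    alignment. Unauthenticated sources are spoofers or forgotten hosts."""
    return [r["source_ip"] for r in rows if r["status"] == "alignment"]


if __name__ == "__main__":
    domain, rows = triage(SAMPLE_REPORT)
    for r in rows:
        print(domain, r["source_ip"], r["count"], r["status"], r["dkim_d"], r["spf_domain"])
    print("fix before p=quarantine:", fix_list(rows))
```

The point of the split between "alignment" and "unauthenticated" is that only the first group is yours to fix; a p=quarantine policy exists precisely to stop the second group, so those rows are not a reason to delay enforcement.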
The subdomain strategy that saves you
The single most useful architectural decision in email authentication is splitting sending by subdomain. Marketing mail on mail.yourbrand.com, transactional on notify.yourbrand.com, corporate email on the root yourbrand.com. Each subdomain gets its own SPF, DKIM, and DMARC configuration, and reputation for each is tracked independently. Publish the DMARC record on each sending subdomain explicitly: a record on the root otherwise governs subdomains that have none of their own (through its sp= tag, or p= if sp= is absent), which is rarely the policy you want for every subdomain.
Why this matters: if a marketing campaign triggers a complaint spike, the reputation damage is confined to the marketing subdomain. Corporate email (people-to-people) continues delivering cleanly. Without this split, a bad marketing week can poison your CEO's ability to get mail to clients.
Common mistakes and what they cause
SPF too long. The 10-lookup limit trips easily once you add 3–4 services, because each provider's include: usually nests further includes of its own. Fix by using include: mechanisms sparingly, flattening nested includes into direct ip4:/ip6: ranges (at the cost of re-flattening whenever a provider changes its ranges), or consolidating sending services.
DKIM signing with the ESP's domain instead of yours. Makes the message pass DKIM but fail DMARC alignment. Every major ESP supports custom-domain DKIM; it's the step most teams skip during setup.
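The lookup count and the flattening fix, as an added example in Python (not code from the original page, and not any provider's real records). ZONE is constructed stand-in data for live TXT answers: four sending services, two of which nest further includes, which is enough to push the root record to 11 lookups. walk() counts the lookup-costing terms the way a verifier does and collects the address ranges; flatten() rewrites the record with those ranges collapsed, keeping a/mx terms because they cannot be resolved offline.

```python
"""Added example: count the DNS lookups an SPF record costs and flatten it.

Not code from the original page. ZONE is constructed; the include: names are
placeholders, not any provider's real records.
"""
import ipaddress

LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permanent error

ZONE = {
    "yourbrand.com": ("v=spf1 include:_spf.esp-example.com "
                      "include:_spf.workspace-example.com "
                      "include:spf.txn-example.net include:spf.crm-example.org -all"),
    "_spf.esp-example.com": "v=spf1 include:a.esp-example.com include:b.esp-example.com ~all",
    "a.esp-example.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.esp-example.com": "v=spf1 ip4:203.0.113.0/25 ip4:203.0.113.128/25 ~all",
    "_spf.workspace-example.com": ("v=spf1 include:_nb1.workspace-example.com "
                                   "include:_nb2.workspace-example.com "
                                   "include:_nb3.workspace-example.com ~all"),
    "_nb1.workspace-example.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.workspace-example.com": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_nb3.workspace-example.com": "v=spf1 ip4:192.0.2.0/25 ~all",
    "spf.txn-example.net": "v=spf1 ip4:198.51.100.200 ~all",
    "spf.crm-example.org": "v=spf1 mx include:shared.crm-example.org ~all",
    "shared.crm-example.org": "v=spf1 ip4:203.0.113.200 ~all",
}


def resolve_spf(name: str) -> str:
    """Stand-in for a DNS TXT query; a live version would query DNS here."""
    try:
        return ZONE[name.lower().rstrip(".")]
    except KeyError:
        raise LookupError(f"no SPF record published for {name}") from None


def walk(domain: str, record: str, depth: int = 0):
    """Return (lookups, networks, kept_terms) for one SPF record, following
    include: and redirect= into ZONE. kept_terms are a/mx/ptr/exists
    mechanisms, which cost a lookup but cannot be turned into ranges offline."""
    if depth > LIMIT:
        raise RecursionError("include/redirect chain too deep")
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    lookups, nets, kept = 0, [], []
    for raw in parts[1:]:
        term = raw.lstrip("+-~?")
        qualifier = raw[:len(raw) - len(term)]
        low = term.lower()
        if low.startswith("redirect=") or low.startswith("include:"):
            lookups += 1
            target = term[len("redirect="):] if low.startswith("redirect=") else term[len("include:"):]
            sub_lookups, sub_nets, sub_kept = walk(target, resolve_spf(target), depth + 1)
            lookups += sub_lookups
            nets += sub_nets
            kept += sub_kept
        elif low.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif low.split(":", 1)[0].split("/", 1)[0] in ("a", "mx", "ptr", "exists"):
            lookups += 1
            # A bare a or mx means "this record's own domain": qualify it so it
            # keeps that meaning once lifted into the flattened root record.
            if ":" not in term:
                mech, _, cidr = term.partition("/")
                term = f"{mech}:{domain}" + (f"/{cidr}" if cidr else "")
            kept.append(qualifier + term)
        # "all" and modifiers such as exp= cost no lookups.
    return lookups, nets, kept


def count_lookups(domain: str) -> int:
    return walk(domain, resolve_spf(domain))[0]


def flatten(domain: str) -> str:
    """Rewrite domain's SPF record with every include resolved to ip4:/ip6:
    ranges, collapsed where they overlap. The root record's own all qualifier
    is kept. This must be redone whenever a provider changes its ranges."""
    record = resolve_spf(domain)
    _, nets, kept = walk(domain, record)
    all_term = record.split()[-1]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    terms = [f"ip4:{n}" for n in v4] + [f"ip6:{n}" for n in v6] + kept
    return " ".join(["v=spf1"] + terms + [all_term])


if __name__ == "__main__":
    print("lookups before:", count_lookups("yourbrand.com"), "(limit", LIMIT, ")")
    flat = flatten("yourbrand.com")
    print(flat)
    print("lookups after:", walk("yourbrand.com", flat)[0])
```

Run against the constructed zone, the root record costs 11 lookups and fails outright; the flattened record costs one (the mx term lifted out of the CRM provider's record). Note that the collapse also folds the transactional provider's single address into the ESP's /24 because they overlap in this made-up data; in a real zone that overlap would itself be worth a look.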
DMARC p=reject on day one. Publishing p=reject before verifying all services align is how teams block their own mail. Always p=none first. The Deliverability Management skill covers the full reputation and authentication story.
Forgetting Google Postmaster Tools. Once authentication is set up, register your sending domain with Postmaster Tools to see reputation scores in Google's eyes. It's free and the single best monitoring tool for Gmail deliverability.
Source: Google, Postmaster Tools (postmaster.google.com). Free Google service for monitoring Gmail sender reputation, spam rate, authentication results, and delivery errors.
Frequently asked questions
- Do I need all three of SPF, DKIM, and DMARC?
- Yes, for bulk senders. Gmail and Yahoo have required all three since 2024 for any sender above 5,000 messages per day. Below that volume Google still requires SPF or DKIM; above it, all three are table stakes for deliverability.
- Should I start DMARC with p=reject or p=none?
- Always p=none first. Receivers then report failures without acting on them, so you can find and fix authentication issues before they start blocking legitimate mail. Move to p=quarantine once reports are clean for 2–4 weeks, then p=reject.
- What's DMARC alignment and why does it fail?
- Alignment checks that the authenticated domain (the Return-Path domain for SPF, the d= domain for DKIM) matches the visible From domain. A common failure: your ESP signs DKIM with its own domain and bounces to its own domain, so both checks pass for the ESP and neither aligns with you. Fix by configuring custom-domain DKIM (and, where offered, a custom bounce domain) on every sending service.
- What's BIMI and is it worth setting up?
- BIMI stands for Brand Indicators for Message Identification. It displays your logo next to messages in the inbox, but requires a Verified Mark Certificate (~$1,500/year) and DMARC at p=quarantine or p=reject. Worth it for brands where inbox recognition drives open rates; skip until you're already at DMARC enforcement.
- Should marketing and transactional use the same domain?
- Use subdomains: mail.yourbrand.com for marketing, notify.yourbrand.com for transactional, keep the root for corporate email. Isolates reputation and prevents marketing issues from poisoning transactional delivery.
- Where do I monitor authentication performance?
- Google Postmaster Tools (free, Gmail) and Microsoft SNDS (free, Outlook/Hotmail). Both show authentication results, spam rate, and reputation scores. DMARC reports from your rua= address are the full authentication ledger across every receiving server.
- How often do I need to update these records?
- Set and forget, mostly. Update SPF when you add a new sending service. Rotate DKIM keys annually for security hygiene: publish the new selector first, switch signing to it, and only then remove the old selector, so in-flight mail still verifies. DMARC policy changes should be staged deliberately; never hot-swap p=none to p=reject.
This guide is backed by an Orbit skill
Related guides
Email deliverability — the practitioner's guide
Deliverability is the cumulative result of every send decision over the lifetime of a domain. This guide covers the four pillars — authentication, reputation, engagement, and list hygiene — and how to recover when one breaks.
IP warm-up for Braze — the practitioner's playbook
A dedicated IP has no sending reputation on day one. This guide shows how to ramp to full volume in 14–30 days without triggering spam filters — including the Random Bucket Number methodology most teams miss.
Apple Mail Privacy Protection, four years in
In 2021, Apple broke the email open rate. Four years later, the dust has settled — and the lifecycle programs that adapted are outperforming the ones still measuring like it's 2020. Here's what actually changed.