SPF, DKIM, and DMARC explained for lifecycle marketers

SPF (Sender Policy Framework) publishes the servers allowed to send mail on behalf of your domain. One TXT record on your DNS, listing your approved sending IPs and services. When a receiving server gets mail claiming to come from you, it checks SPF and either accepts or treats the mail as suspect. Simple idea, fiddly execution.Source · GoogleEmail sender requirementsGoogle's 2024 requirements mandating SPF, DKIM, and DMARC for bulk senders above the complaint threshold.support.google.com/a/answer/81126

DKIM (DomainKeys Identified Mail)cryptographically signs the body and headers of every outgoing message. The receiver uses a public key published in your DNS to verify the mail wasn't modified in transit. DKIM doesn't prove you're trustworthy. It proves that if a message is signed as you, it actually came from you.

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fail. Three policy options: p=none (report only, don't act), p=quarantine (send to spam), p=reject(bounce outright). DMARC also emits daily reports of who's sending mail as you, which is the first time most teams discover there are three services mailing their customers that nobody in the room knew about.

Yes, you need all three. That's been true since Gmail and Yahoo moved the goalposts in 2024 for any sender over 5,000 messages per day. Before then you could probably get away with two. Not anymore.

SPF verifies the sending server. DKIM verifies the message contents. DMARC checks that at least one of them passed AND that the authenticated domain aligns with the visible From address. That alignment bit is where most teams trip — an ESP can happily sign your mail with DKIM but use its own domain in the signature, which passes DKIM but fails DMARC alignment. Congratulations, your mail is cryptographically valid and also going to spam.

Walk the actual flow. The receiving server gets your message, checks SPF (is the source IP allowed?), checks DKIM (is the signature valid?), checks alignment (does the authenticated domain match the visible From?), then consults DMARC to decide what happens on any failure. Most bulk-sending problems are alignment failures, not signature failures. Every ESP supports custom-domain DKIM — it's the step most teams skip during setup because the default works "well enough" in the wrong sense of the phrase.

Step 1 — SPF. List every service that sends mail as your domain: your ESP (Braze, Iterable, whoever), your transactional provider (Postmark, SendGrid), Google Workspace if corporate runs on Gmail, and any marketing tools that email users directly. Miss one and mail from that service fails SPF. Keep the record under 10 lookups — SPF has a hard limit and blowing past it silently breaks authentication for every recipient that hits an ambitious resolver.

Step 2 — DKIM. Each service publishes its own DKIM public key. Braze gives you yours through the sending-domain configuration; Google Workspace has a separate flow. Add each key as a TXT record on a unique selector (e.g. braze._domainkey.mail.yourbrand.com). Verify each service signs with its own selector before you touch anything else. Rotate keys annually as hygiene.

Step 3 — DMARC, in monitoring only. Start with v=DMARC1; p=none; rua=mailto:dmarc@yourbrand.com. Read the reports for 2–4 weeks. Fix whichever services are misaligned. Move to p=quarantine; pct=25 for partial enforcement. Only then p=reject. Do not hot-swap p=none to p=reject. That's the version of this project where you block the CEO's mail to the board on a Thursday.

The single most useful architectural decision in email authentication is splitting sending by subdomain. Marketing on mail.yourbrand.com, transactional on notify.yourbrand.com, corporate human mail on the root yourbrand.com. Each subdomain gets its own SPF, DKIM, and DMARC configuration. Reputation tracks independently.

Here's why this matters the one time it matters. A marketing campaign triggers a complaint spike. Reputation damage stays confined to the marketing subdomain. Corporate email (people-to-people) keeps delivering cleanly. Without the split, a bad campaign week can poison your CEO's ability to get mail to clients — which is exactly the kind of second-order damage nobody models when they're picking an ESP.

SPF too long. The 10-lookup limit trips easily once you've added three or four services. Fix by using include:mechanisms sparingly, flattening nested includes into direct IP ranges where necessary, or consolidating sending services. It's boring work. It's also why half the programs in your peer group are quietly failing auth on a fraction of their mail and don't know it.

DKIM signing with the ESP's domain instead of yours. Passes DKIM. Fails DMARC alignment. Quiet disaster. Every ESP supports custom-domain DKIM — the step is in the sending-domain setup and it takes ten minutes.

DMARC p=reject on day one. Don't. Always p=none first. The Deliverability Management skill walks the full reputation and authentication story end to end if you want the deeper version.

Forgetting Google Postmaster Tools.Once auth is set up, register your sending domain with Postmaster Tools to see your reputation scores through Google's eyes. It's free. It's the single best monitoring tool for Gmail deliverability, bar none. Microsoft SNDS covers Outlook and Hotmail on the same basis.Source · GooglePostmaster ToolsFree Google service for monitoring Gmail sender reputation, spam rate, authentication results, and delivery errors.postmaster.google.com

One more worth mentioning because people ask: BIMI. Brand Indicators for Message Identification — displays your logo next to messages in the inbox, needs a Verified Mark Certificate (~$1,500/year) and DMARC at p=quarantine or p=reject. Worth it for brands where inbox recognition meaningfully drives opens. Skip until you're already at DMARC enforcement; there's no use buying the certificate if your DMARC is still in monitoring mode.