email guide

SPF, DMARC, And DKIM Explained

SPF, DKIM, and DMARC are email authentication controls. They help receiving systems decide whether a message is allowed, signed, and aligned with the visible sender domain.

SPF

SPF lists which mail servers are allowed to send for a domain. It is published as a TXT record that starts with v=spf1.

DKIM

DKIM uses a cryptographic signature on the message. The public key is stored in DNS under a selector, so checking DKIM requires knowing the selector name.

DMARC

DMARC tells receivers what to do when SPF or DKIM alignment fails.
p=none is monitoring, p=quarantine is stricter, and p=reject is strictest.
DMARC depends on alignment with the visible From domain, not just any SPF or DKIM pass.

Common Failure Pattern

A message can pass SPF but fail DMARC if the authenticated SPF domain does not align with the visible From domain. This is common during migrations or third-party sending setup.

Troubleshooting Route

Use this guide as the field note, then move through the matching tools to gather evidence.

1 SPF / DMARC / DKIM Checker Check SPF, DMARC, and DKIM DNS records for email authentication troubleshooting.
2 DNS Lookup Tool Look up DNS A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, and CAA records.
3 MX Lookup Check a domain's mail exchangers, priorities, and basic email routing warnings.
4 Blacklist Check Check a domain or IP against common DNSBL-style blocklists for reputation troubleshooting.

Related Glossary Terms

SPF DKIM DMARC MX Record PTR Record Blacklist

Open tools panel