What is DMARC, DKIM, and SPF and why do emails land in spam without them?
SPF, DKIM and DMARC are DNS-published email authentication standards that let receiving servers verify that mail using your domain was actually authorised by you. Gmail and Microsoft 365 treat mail from domains without them as unauthenticated and are far more likely to junk or reject it. Since February 2024, Gmail requires senders of more than 5,000 messages/day to publish SPF, DKIM and a DMARC record (p=none satisfies the requirement).
DETAILED EXPLANATION:
The core problem: SMTP has no built-in sender verification. Anyone can put your domain in the From: header of a message sent from any server. These three DNS-published records let receivers verify that claim at the infrastructure level.
SPF (Sender Policy Framework):
A DNS TXT record on your domain listing the IP addresses and hosts allowed to send mail for it.
On delivery the recipient server looks up the SPF record of the domain in the SMTP envelope sender (MAIL FROM / Return-Path, which is not the visible From: header) and checks whether the connecting IP is listed. SPF breaks when mail is forwarded, because the forwarder's IP is not in your record.
Example: v=spf1 include:_spf.google.com include:amazonses.com ~all
DKIM (DomainKeys Identified Mail):
Your outgoing mail server signs selected headers and the body with a private key and adds a DKIM-Signature header naming the signing domain (d=) and key selector (s=).
The matching public key is published as a TXT record at <selector>._domainkey.<domain>; the recipient fetches it and verifies the signature.
Proves: the signed headers and body were not altered in transit, and the message was signed by whoever holds that domain's private key, normally your mail server. Because the signature travels inside the message, DKIM still passes after forwarding, where SPF fails.
DMARC (Domain-based Message Authentication Reporting & Conformance):
A TXT record at _dmarc.<domain> telling receivers what to do with mail that fails authentication, where failing means neither SPF nor DKIM passed for a domain aligned with the visible From: header.
Receivers also send aggregate (rua) reports, normally daily, listing every IP that sent mail using your domain and whether it passed.
Policies: p=none (monitor only), p=quarantine (spam folder), p=reject (refuse at SMTP).
Authentication results in the received message's headers (Gmail example, abbreviated; sender@ is a placeholder):
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=default;
       spf=pass (google.com: domain of sender@yourdomain.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=sender@yourdomain.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com
Read it as: header.i and header.s say which domain and selector signed; smtp.mailfrom says which domain SPF was checked against; dmarc=pass means at least one of those two is aligned with header.from, the domain the user actually sees.
All three pass = the message is authenticated, which removes the largest deliverability penalty. Inbox placement still depends on sending reputation and content, so a pass is necessary, not sufficient.
WHEN TO USE:
- Any business sending transactional email (invoices, OTPs, order confirmations)
- Marketing email campaigns and newsletters
- Support email systems
- All Connect Quest hosted domains should have these configured
STEP-BY-STEP - Complete setup in cPanel DNS Zone Editor:
1. SPF Record:
Type: TXT
Name: @ (or yourdomain.com)
Value: v=spf1 include:_spf.connectquest.in include:_spf.google.com ~all
Explanation:
v=spf1 = SPF version, must be the first term
include:_spf.connectquest.in = authorize Connect Quest mail servers
include:_spf.google.com = only if you also send through Google Workspace; leave it out otherwise, because every include: spends one of the 10 DNS lookups SPF allows per check
~all = softfail anything else: receivers mark it suspicious rather than refusing it, but for DMARC a softfail is still not a pass
Use -all (hardfail) only after confirming every legitimate sender is listed, including website contact forms, CRM, ticketing and newsletter tools
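To make the mechanics of that record concrete, here is an added example (not code from this page or from Connect Quest) that evaluates an SPF record the way a receiving server does, using a constructed table of TXT records in place of live DNS. It shows how include: is walked, why an unlisted IP ends in softfail under ~all but fail under -all, and that two records on one name or more than 10 lookup-type mechanisms produce permerror. All names, netblocks and the hop*.example chain are invented for the example; a, mx, ptr and exists are counted towards the lookup limit but not resolved.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Assumption: these names and netblocks are illustrative, not Connect Quest's
# or Google's real SPF data.
FAKE_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.connectquest.in include:_spf.google.com ~all"],
    "_spf.connectquest.in": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    # Common mistake 1: two SPF records on one name.
    "twospf.example": ["v=spf1 ip4:203.0.113.0/24 -all", "v=spf1 include:_spf.google.com -all"],
    # Common mistake 2: eleven include:s when the limit is ten lookups.
    "toomany.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
FAKE_TXT.update({f"hop{i}.example": ["v=spf1 ip4:192.0.2.0/24 -all"] for i in range(11)})

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=FAKE_TXT, _lookups=None):
    """Evaluate an SPF record for a connecting IP the way a receiving MTA does.

    Returns (result, dns_lookups_used). result is one of pass, fail, softfail,
    neutral, none, permerror. Only "pass" counts as SPF pass for DMARC, so the
    softfail produced by ~all is still a DMARC failure for that identifier.
    """
    if _lookups is None:
        _lookups = [0]
    records = [t for t in dns.get(domain.lower(), []) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none", _lookups[0]
    if len(records) > 1:
        return "permerror", _lookups[0]  # RFC 7208 4.5: more than one record is a permanent error
    ip = ipaddress.ip_address(client_ip)

    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across IP versions
        elif mech in ("include", "a", "mx", "ptr", "exists"):
            _lookups[0] += 1  # each of these costs a DNS lookup, whatever it returns
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", _lookups[0]
            if mech == "include":
                sub, _ = check_spf(arg, client_ip, dns, _lookups)
                if sub == "permerror":
                    return "permerror", _lookups[0]
                matched = sub == "pass"  # include matches only on pass; fail/softfail inside it do not
            # a/mx/ptr/exists need live A, MX and PTR data, so this offline model counts
            # the lookup (what matters for the limit) and treats them as no match.
        elif mech == "all":
            matched = True
        # redirect= and exp= modifiers, and CIDR suffixes on a/mx, are not modelled.
        if matched:
            return QUALIFIER_RESULT[qualifier], _lookups[0]
    return "neutral", _lookups[0]  # record ended without a match and without an "all" term


if __name__ == "__main__":
    for dom, ip in [("yourdomain.com", "203.0.113.5"), ("yourdomain.com", "198.51.100.7"),
                    ("yourdomain.com", "192.0.2.9"), ("twospf.example", "203.0.113.5"),
                    ("toomany.example", "203.0.113.5"), ("nospf.example", "203.0.113.5")]:
        print(dom, ip, check_spf(dom, ip))
```

Only a "pass" result counts for DMARC, so an IP that falls through to ~all is not saved by the softer qualifier once a DMARC policy is published; ~all mainly changes how receivers without DMARC treat the message.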
2. DKIM:
In cPanel: Email > Email Authentication > DKIM > Enable
cPanel generates the key pair, configures its Exim mail server to sign with the private key and publishes the public key as a TXT record on the domain. Check the p= value it created: a 2048-bit RSA key is the current recommendation, and a 1024-bit one should be regenerated.
Manual (if not using cPanel):
openssl genrsa -out dkim.key 2048
chmod 600 dkim.key                      # the private key is the whole secret; readable by the MTA only
openssl rsa -in dkim.key -pubout -out dkim.pub
grep -v '^-----' dkim.pub | tr -d '\n'  # p= is the base64 body of dkim.pub with the BEGIN/END lines removed, on one line
DNS record:
Name: default._domainkey.yourdomain.com   (default is the selector; it must match s= in the DKIM-Signature header your MTA writes)
Type: TXT
Value: v=DKIM1; k=rsa; p=YOUR_BASE64_PUBLIC_KEY
Publishing the key signs nothing by itself: configure the mail server's signer (Exim, OpenDKIM or rspamd) with dkim.key and the same selector. A 2048-bit key makes the TXT value longer than 255 characters, so some zone editors need it entered as two quoted strings.
3. DMARC (add LAST, after SPF and DKIM are verified working):
Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
(dmarc@ is only a convention; use any mailbox you actually read. If the mailbox is on a different domain, that domain must publish a TXT record at yourdomain.com._report._dmarc.<that domain> with the value v=DMARC1, or receivers will refuse to send reports there.)
Progression, paced by what the reports show rather than by the calendar:
Week 1: p=none (monitor reports, no blocking)
Week 2+: p=quarantine (spam folder for failures) once every legitimate source in the reports passes with alignment; pct=25 applies it to a sample first
Week 4+: p=reject (refuse failures at SMTP) - only after a full reporting cycle at quarantine shows no legitimate mail being caught
4. Verify everything works:
Online: mxtoolbox.com/SuperTool.aspx
Test SPF: enter "spf:yourdomain.com"
Test DKIM: enter "dkim:default._domainkey.yourdomain.com"
Test DMARC: enter "dmarc:yourdomain.com"
Score test: mail-tester.com (send test email, get score /10)
REAL EXAMPLES:
DMARC aggregate report, one source row summarised (the real report is XML, mailed to the rua address as a .zip or .gz attachment, one per reporting receiver per day):
Sender IP: 203.0.113.5
SPF result: pass
DKIM result: pass
Total messages: 1,247
Policy applied: none
-> If every row carrying real volume looks like this, it is safe to move to p=quarantine; rows you do not recognise that fail both checks are the spoofing the policy exists to stop
Common failure: mail sent through a third party (Mailchimp, SendGrid) that has not been set up to authenticate as your domain. SPF is evaluated against the provider's bounce domain and DKIM is signed with the provider's domain, so neither aligns with your From: -> DMARC fail -> spam folder (or a bounce once you publish p=reject).
Fix: complete the provider's domain authentication, which gives you DKIM records (CNAME or TXT) to publish so its signature uses your domain. Adding the provider to SPF (include:servers.mcsv.net for Mailchimp) only helps DMARC if the provider also sends with a Return-Path on your domain.
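The following is an added example (not code from this page or from Connect Quest) that parses a report in the real RFC 7489 XML layout with only the standard library. The embedded report is constructed: its IPs, counts, the esp.example provider and the receiver.example reporter are all made up. It separates the DMARC verdicts in policy_evaluated from the raw results in auth_results, which is what tells an unconfigured provider apart from a spoofer when you read the rows.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout. Real reports
# reach the rua mailbox as .xml.gz or .zip attachments, one per receiver per day.
# Assumption: every IP, count, domain and selector below is made up.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><email>dmarc@receiver.example</email>
    <report_id>0001</report_id>
    <date_range><begin>1717200000</begin><end>1717286399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>1247</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.200</source_ip><count>58</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def classify(row):
    """Explain a source row in the terms you act on when tuning the policy."""
    if row["dmarc_pass"]:
        return "aligned"  # a legitimate, correctly authenticated source
    if "pass" in (row["raw_dkim"], row["raw_spf"]):
        # Authenticates, but as a different domain: a provider whose domain
        # authentication you have not completed. Fix it before tightening.
        return "unaligned third party"
    return "unauthenticated"  # a server you forgot, or a spoofer; p=quarantine stops the latter


def summarize_report(xml_text):
    """Return (policy_published, rows); rows carry the per-source fields that matter."""
    root = ET.fromstring(xml_text)
    published = {k: _text(root, f"policy_published/{k}") for k in ("domain", "p", "sp", "adkim", "aspf", "pct")}
    rows = []
    for rec in root.findall("record"):
        # policy_evaluated holds the DMARC (aligned) verdicts; auth_results the raw ones.
        evaluated = (_text(rec, "row/policy_evaluated/dkim"), _text(rec, "row/policy_evaluated/spf"))
        row = {
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dmarc_pass": "pass" in evaluated,
            "raw_dkim": _text(rec, "auth_results/dkim/result", "none"),
            "dkim_domain": _text(rec, "auth_results/dkim/domain"),
            "raw_spf": _text(rec, "auth_results/spf/result", "none"),
            "spf_domain": _text(rec, "auth_results/spf/domain"),
        }
        row["verdict"] = classify(row)
        rows.append(row)
    return published, rows


def passing_fraction(rows):
    total = sum(r["count"] for r in rows)
    return sum(r["count"] for r in rows if r["dmarc_pass"]) / total if total else 0.0


def needs_attention(rows):
    """Unaligned sources, highest volume first: the list to work through before p=quarantine."""
    return sorted((r for r in rows if not r["dmarc_pass"]), key=lambda r: -r["count"])


if __name__ == "__main__":
    published, rows = summarize_report(SAMPLE_REPORT)
    print(f"{published['domain']} p={published['p']}  aligned traffic: {passing_fraction(rows):.1%}")
    for r in needs_attention(rows):
        print(f"  {r['source_ip']:>15} {r['count']:>6}  {r['verdict']}  "
              f"dkim={r['raw_dkim']}({r['dkim_domain']}) spf={r['raw_spf']}({r['spf_domain']})")
```

Real reports arrive compressed; decompress with gzip or zipfile and pass the XML text to summarize_report. The 192.0.2.44 row is the provider case from the text (raw passes, nothing aligned), while 198.51.100.200 passed nothing and is either a forgotten server or someone spoofing you; collect rows across receivers and days before deciding.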
FLOW:
Your server sends email -> Recipient MX server:
1. SPF check: is the connecting IP listed in the SPF record of the envelope sender's domain (MAIL FROM / Return-Path)?
2. DKIM check: does the DKIM-Signature verify against the public key at <selector>._domainkey.<d= domain>?
3. DMARC check: look up _dmarc.<From: header domain>; does at least one of the passing results come from a domain aligned with that From: domain?
-> DMARC pass: accepted as authentic; normal spam filtering on reputation and content still follows
-> DMARC fail: p=none delivers and reports only; p=quarantine sends it to spam; p=reject refuses it at SMTP, so the sending server sees a 5xx bounce
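As an added example (not code from this page or from Connect Quest), the function below reproduces the receiver's DMARC decision from the three inputs named in the flow: the From: header domain, the SPF result with the domain it was checked against, and the DKIM result with its d= domain. Assumptions: org_domain() uses the last two DNS labels instead of the Public Suffix List, the record is taken as already fetched from _dmarc.<domain>, and the rua mailbox dmarc@yourdomain.com is a placeholder. The cases at the bottom cover forwarding (SPF fails, DKIM rescues), a provider sending as its own domains, an SPF softfail with no DKIM, and strict versus relaxed alignment for a subdomain.

```python
# Added example of the receiver-side DMARC decision. Assumption: org_domain()
# takes the last two labels; real implementations consult the Public Suffix
# List so that names like example.co.uk are grouped correctly.

def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """Relaxed (r): same organizational domain. Strict (s): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(header_from, spf_result, mail_from_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, disposition) for one message.

    header_from      domain of the visible From: header (the one DMARC protects)
    spf_result       SPF verdict for the connecting IP; only "pass" counts
    mail_from_domain domain SPF was evaluated against (MAIL FROM / Return-Path)
    dkim_result      DKIM verdict; only "pass" counts
    dkim_domain      d= of the verified DKIM-Signature
    record           the TXT found at _dmarc.<org domain of header_from>
    """
    pol = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from, pol.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, pol.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = pol["p"]
    if header_from.lower() != org_domain(header_from) and "sp" in pol:
        policy = pol["sp"]  # subdomain policy applies when the record came from the org domain
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"  # unknown p= value: receivers fall back to monitoring
    # pct=N would apply the disposition to only N% of failing mail; not modelled here.
    return "fail", policy


REJECT = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

if __name__ == "__main__":
    cases = {
        "direct send, both pass": ("yourdomain.com", "pass", "yourdomain.com", "pass", "yourdomain.com", REJECT),
        "forwarded: SPF breaks, DKIM survives": ("yourdomain.com", "fail", "yourdomain.com", "pass", "yourdomain.com", REJECT),
        "provider without domain authentication": ("yourdomain.com", "pass", "bounce.esp.example", "pass", "esp.example", REJECT),
        "~all softfail and no DKIM": ("yourdomain.com", "softfail", "yourdomain.com", "none", "", REJECT),
        "subdomain, relaxed alignment": ("news.yourdomain.com", "pass", "bounce.yourdomain.com", "none", "", REJECT),
        "subdomain, strict alignment": ("news.yourdomain.com", "pass", "bounce.yourdomain.com", "none", "", STRICT),
        "same failure under p=none": ("yourdomain.com", "fail", "esp.example", "none", "", MONITOR),
    }
    for name, args in cases.items():
        print(f"{name:40} -> {evaluate_dmarc(*args)}")
```

The forwarding case is why the text recommends having both mechanisms: SPF alone fails for every forwarded message, and with p=reject those would bounce. The provider case fails even though SPF and DKIM both "passed" for the provider, because neither passing domain is yours.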
KEY POINTS:
- Since Feb 2024 Gmail requires bulk senders (5,000+ messages/day) to have SPF and DKIM plus a DMARC record with at least p=none, and the From: domain must be aligned with SPF or DKIM
- Only ONE SPF record allowed per domain - merge multiple includes into one; two records is a permerror, which receivers treat as no SPF at all
- DMARC reports start arriving within 24-48 hours and are daily per-receiver summaries, so allow at least a week of data before changing policy
- Connect Quest mail servers are pre-configured for DKIM signing
COMMON MISTAKES:
- Going straight to p=reject without the monitoring phase (legitimate emails get rejected)
- Multiple SPF records (only one allowed - merge them: v=spf1 include:X include:Y ~all)
- Exceeding SPF's 10 DNS-lookup limit by chaining too many include:s (permerror, treated as no SPF)
- Forgetting to add a transactional email service to SPF (SendGrid, AWS SES, Mailchimp), or adding it to SPF when the provider actually needs DKIM domain authentication to align
- Publishing the DKIM TXT record without configuring the mail server to sign, so every message shows dkim=none
QUICK FIX:
Emails going to Gmail spam: run mail-tester.com test. Most common causes:
1. Missing DMARC record
2. Reverse DNS (PTR) of the sending IP not matching its HELO hostname, or that hostname not resolving back to the IP
3. IP on blacklist (check mxtoolbox.com/blacklists)
Contact Connect Quest +91 2269711150 for email deliverability audit
DIFFICULTY: Intermediate
RELATED: Email Hosting, cPanel, Google Workspace, Connect Quest Email