Email Deliverability Explained: SPF, DKIM, DMARC, and Why They Matter

Three obscure DNS records decide whether your cold email lands in the inbox or in spam. SPF, DKIM, and DMARC. If you have ever wondered why your beautifully crafted email never gets a reply, these three records are usually the culprit. This guide explains what each one does in plain English and how to set them up correctly.

Why Email Authentication Exists

Email was designed in the 1970s without authentication. Anyone could send email pretending to be anyone else. Spammers exploited this for decades. Mailbox providers fought back with three layered authentication standards: SPF, DKIM, and DMARC. Together, they prove that the email actually came from who it claims to be from. Without all three configured correctly, your mail looks suspicious and gets filtered.

SPF (Sender Policy Framework)

SPF is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. When a mail server receives an email claiming to be from you, it checks your SPF record to verify the sender. If the actual sending server is not on the approved list, the message fails SPF and gets flagged.

Example SPF record: "v=spf1 include:_spf.google.com include:sendgrid.net include:mail.instantly.ai -all"

The key parts: v=spf1 declares the version, the include statements list authorized senders, and -all says any sender not listed is unauthorized. Common mistake: too many include statements. SPF has a 10-DNS-lookup limit. Exceed it and SPF breaks completely.

DKIM (DomainKeys Identified Mail)

DKIM uses cryptographic signatures to prove an email was actually sent by your domain and was not modified in transit. Your sending email service generates a public-private key pair. The private key signs every outgoing message. The public key is published in your DNS so receiving mail servers can verify the signature.

DKIM is set up at the email service provider level (Google Workspace, Microsoft 365, SendGrid, Instantly) and requires adding a TXT record to your DNS with the public key. Most providers give you the exact record to copy and paste.

Common mistake: SPF and DKIM are configured for your primary domain but not your sister domain used for outbound. Both must be configured on the actual sending domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells receiving mail servers what to do when one of them fails. It also enables aggregate reporting so you can see how often your domain is being used (or spoofed) across the internet.

Example DMARC record: "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

The p= policy is the key field. p=none means "do nothing, just report" (good for first 30 days). p=quarantine means "send failed messages to spam." p=reject means "refuse failed messages entirely." Most B2B sending domains should reach p=quarantine within 60 days of setup. Aggressive p=reject too early can block legitimate mail.

How To Verify Yours Is Working

Use mxtoolbox.com or dmarcian.com to check your domain's authentication. Send a test email to mail-tester.com to get a deliverability score. If your domain scores under 9 out of 10, something is misconfigured. Common red flags:

• SPF record is missing or has too many DNS lookups
• DKIM record is missing for your sending email service
• DMARC record is missing entirely
• DMARC policy is p=none after 60+ days (you should be at quarantine by now)
• You are sending from a primary domain that has no authentication

Why It Matters Even More for Cold Email

Mailbox providers apply heavier scrutiny to unsolicited email. Properly authenticated cold email gets the benefit of the doubt. Unauthenticated cold email is treated as suspicious by default. The same message that lands in primary for an authenticated sender will go to spam for an unauthenticated sender. Authentication is the lowest-cost, highest-impact deliverability investment you can make.

Setup Order

• 1. Configure SPF first (single TXT record)
• 2. Configure DKIM next (per email service provider)
• 3. Wait 24 hours for DNS propagation
• 4. Verify both with mxtoolbox.com
• 5. Add DMARC at p=none with reporting
• 6. Monitor reports for 30 days
• 7. Move DMARC to p=quarantine if reports look clean
• 8. Optional: move to p=reject after another 30 to 60 days

How Delvixo Handles Authentication

Every Delvixo client uses a sister domain for outbound, configured with SPF, DKIM, and DMARC before any campaign launches. We test inbox placement before warmup, monitor authentication health throughout warmup, and verify everything is still passing once live sending begins. The result is consistent inbox placement that holds up across thousands of sends per day.