
DKIM, SPF, and DMARC: How to Check Your TXT Records to Prevent Email Phishing Flags

Benchehida Abdelatif ·

When you send a critical email to a prospective client or user, you expect it to arrive safely in their main inbox folder.

However, in today’s security climate, sending an email without correct domain authentication records is like mailing a confidential document without a return address, an official stamp, or a sealed signature.

Modern inbox providers (like Gmail and Yahoo) receive billions of spam and phishing messages every day. To protect their users, they employ aggressive security filters, and since early 2024 both require every sender to authenticate with SPF or DKIM and bulk senders to publish DMARC as well.

If your domain publishes no authentication records, or publishes them incorrectly, those filters cannot tell your mail apart from a spoof of your domain. The message is routed to the spam folder or rejected outright.

This guide explains the mechanics of the three core email authentication standards: SPF, DKIM, and DMARC. It details how each works, how DMARC ties them to the From address through alignment, and how to verify your TXT records to protect your brand reputation.


Quick answer

To keep mail from your own domain out of spam filters, you need three DNS TXT records, each published at a different host name:

  1. SPF (Sender Policy Framework): Published at the domain itself. Lists the IP addresses and mail servers authorized to send mail for your domain. Receivers check it against the domain in the envelope sender (the SMTP MAIL FROM address, visible to the recipient as Return-Path), not the From header.
  2. DKIM (DomainKeys Identified Mail): Published at selector._domainkey.yourdomain.com. Adds a cryptographic signature header to every outbound message covering selected headers (including From) and the body, so the receiver can verify that a key under your domain signed the message and that the signed parts were not modified afterward.
  3. DMARC (Domain-based Message Authentication, Reporting, and Conformance): Published at _dmarc.yourdomain.com. Tells receivers what to do (none, quarantine, or reject) with a message whose From domain is yours but which passes neither SPF nor DKIM with an aligned domain, and where to send reports about it.

Verify your live security records using a public DNS record lookup tool before sending large email campaigns.


SPF: The authorized sender registry

Sender Policy Framework (SPF) is the baseline check. It is a TXT record published at the domain name itself (the @ or apex record in most DNS dashboards) and, if you send from subdomains, at each of those as well.

When a receiving server (for example, Microsoft Outlook) accepts a connection delivering a message for sales@yourdomain.com, it already knows the IP address of the server connecting to it. It takes the domain from the envelope sender (the SMTP MAIL FROM address, which becomes the Return-Path header) and queries that domain’s TXT records for the SPF record. This is not necessarily the domain shown in the visible From header; that difference is what DMARC alignment addresses below.

  • If the IP matches a mechanism in the record: The SPF check passes (result pass), and the message continues toward the inbox.
  • If the IP matches nothing: The result is set by the all term at the end of the record, typically softfail (~all) or fail (-all), and the receiving server treats the message as unauthenticated.

Syntax of a healthy SPF record

A standard SPF record looks like this:

v=spf1 include:_spf.google.com ~all

  • v=spf1: Identifies the record as SPF version 1. Mechanisms are evaluated left to right, and the first one that matches the connecting IP decides the result.
  • include:_spf.google.com: Pulls in Google’s own SPF record, so the IP ranges Google publishes are authorized to send on your behalf. Each include (and each a, mx, exists, ptr, or redirect term, at any nesting depth) costs a DNS lookup; a record that needs more than 10 lookups in total fails with a permanent error (permerror), which DMARC counts as an SPF failure.
  • ~all: Denotes a “SoftFail” policy for everything not matched above: the receiver accepts the message but treats it as unauthenticated. (Alternatively, -all denotes a strict “HardFail” policy that asks receivers to block unauthorized senders entirely.) Once DMARC is in place, the DMARC policy rather than the SPF qualifier decides what happens to unauthenticated mail, since both softfail and fail count as “not pass” for DMARC.
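The evaluation described above, as an added example that is not part of the original article: a minimal SPF evaluator that walks the mechanisms left to right, follows include terms, applies the qualifier of the first match, counts DNS lookups against the 10-lookup limit, and returns permerror when a name carries two v=spf1 records (the case raised in the FAQ). The DNS data in ZONE is constructed for the example; a real evaluator queries DNS and also resolves a, mx, exists, and ptr, which this model only counts.

```python
"""Minimal SPF evaluator over an in-memory DNS table (added example)."""
import ipaddress

# Constructed TXT data for the example, not real zones.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com -all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # Two v=spf1 records on one name: RFC 7208 section 3.2 requires permerror.
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:_spf.google.com -all"],
}
# A chain of nested includes deep enough to trip the 10-lookup limit (RFC 7208 section 4.6.4).
for i in range(12):
    ZONE["hop%d.example" % i] = ["v=spf1 include:hop%d.example -all" % (i + 1)]
ZONE["hop12.example"] = ["v=spf1 -all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10


def lookup_spf(domain):
    """Return the domain's SPF record, None if absent; raise if more than one."""
    records = [r for r in ZONE.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise ValueError("permerror: %d v=spf1 records on %s" % (len(records), domain))
    return records[0] if records else None


def check_host(ip, domain, lookups=None):
    """Evaluate the connecting ip against domain's SPF record.

    Returns (result, reason). `lookups` is a shared counter so that
    DNS-querying mechanisms inside nested includes are counted together.
    """
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    try:
        record = lookup_spf(domain)
    except ValueError as exc:
        return "permerror", str(exc)
    if record is None:
        return "none", "no SPF record for %s" % domain
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual], "matched %sall in %s" % (qual, domain)
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual], "%s matched %s in %s" % (ip, term, domain)
            continue
        # Every remaining mechanism (include, a, mx, exists, ptr) costs a DNS lookup.
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror", "more than %d DNS lookups" % MAX_LOOKUPS
        if mech == "include":
            inner, _ = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qual], "%s passed via include:%s" % (ip, arg)
            if inner in ("none", "permerror", "temperror"):
                return "permerror", "include:%s returned %s" % (arg, inner)
        # a/mx/exists/ptr are counted but not resolved in this offline model.
    return "neutral", "no mechanism matched in %s" % domain


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "yourdomain.com"), ("192.0.2.9", "yourdomain.com"),
                    ("192.0.2.1", "broken.example"), ("192.0.2.1", "hop0.example")]:
        print(ip, dom, *check_host(ip, dom))
```

The softfail result for 192.0.2.9 is the case most senders hit when they add a new mail service without updating the record: nothing matches, so the ~all term decides, and under DMARC that counts as an SPF failure for alignment purposes.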

DKIM: The cryptographic wax seal

SPF only checks which server delivered the message, and it checks that against the envelope sender, not the address the recipient sees. It says nothing about the content, and it breaks when a message is forwarded, because the forwarding server’s IP is not in your record. DKIM addresses both problems by signing the message itself.

DKIM works using asymmetric key cryptography:

  1. Public Key: You publish the public key as a TXT record under a selector host name of the form selector._domainkey.yourdomain.com (for example, google._domainkey.yourdomain.com). The record looks like v=DKIM1; k=rsa; p=<base64 public key>, with the key value supplied by your provider.
  2. Private Key: Your email provider (like Google Workspace) holds the matching private key on its mail servers and never publishes it.
  3. Signature: When you send an email, the mail server canonicalizes the body and the headers listed in the signature’s h= tag (From must be among them), hashes them, signs the hash with the private key, and adds the result as a DKIM-Signature header. That header also carries d= (the signing domain), s= (the selector), and bh= (the body hash).
  4. Verification: The receiving server reads d= and s=, fetches the public key from s._domainkey.d, recomputes the body hash and the header hash, and checks the signature. A pass proves that a key under the d= domain signed the message and that the signed headers and body were not modified after signing. Headers not listed in h= are not protected.
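The hashing half of the flow above, as an added example that is not part of the original article: relaxed canonicalization of body and headers (RFC 6376), the bh= body hash, the exact bytes the private key signs, and the DNS name the verifier derives from the s= and d= tags. The message and the DKIM-Signature value are constructed; b=PLACEHOLDER stands in for the real signature, which only the provider’s private key can produce, so the example stops at recomputing the hashes that the signature covers.

```python
"""DKIM canonicalization, body hash and selector lookup (added example)."""
import base64
import hashlib
import re

# Constructed message: headers as (name, value) pairs and a CRLF-terminated body.
HEADERS = [
    ("From", "Sales <sales@yourdomain.com>"),
    ("To", "client@example.net"),
    ("Subject", "Your   quote"),
    ("Date", "Mon, 1 Jan 2024 09:00:00 +0000"),
]
BODY = "Hello,\r\n\r\nPlease find the quote attached.   \r\n\r\n\r\n"


def relaxed_body(body):
    """RFC 6376 section 3.4.4: collapse WSP runs, strip trailing WSP per line,
    drop trailing empty lines, end a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse WSP, trim."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return "%s:%s\r\n" % (name.lower(), value)


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def parse_tags(sig_value):
    """Split a 'k=v; k=v' tag list into a dict, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dns_name(tags):
    """Where the verifier fetches the public key: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def signing_input(headers, sig_value, tags):
    """RFC 6376 section 3.7: the h= headers in order (last instance of each),
    then the DKIM-Signature header with b= emptied and no trailing CRLF."""
    out = b""
    for name in tags["h"].split(":"):
        matches = [v for n, v in headers if n.lower() == name.lower()]
        if matches:                       # a listed header that is absent is skipped
            out += relaxed_header(name, matches[-1]).encode()
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    out += relaxed_header("DKIM-Signature", stripped).encode().rstrip(b"\r\n")
    return out


def header_hash(headers, sig_value, tags):
    """SHA-256 of the signing input; this is what the private key actually signs."""
    return hashlib.sha256(signing_input(headers, sig_value, tags)).hexdigest()


def verify_body(body, tags):
    """First verification step: the received body must reproduce bh=."""
    return tags.get("bh") == body_hash(body)


# Constructed DKIM-Signature value; b= is a placeholder for the provider's signature.
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=google; "
       "h=from:to:subject:date; bh=%s; b=PLACEHOLDER" % body_hash(BODY))

if __name__ == "__main__":
    tags = parse_tags(SIG)
    print("lookup", dns_name(tags))
    print("bh ok  ", verify_body(BODY, tags))
    print("tampered", verify_body(BODY.replace("quote", "invoice"), tags))
```

Relaxed canonicalization is why a mail server may rewrap a Subject line or strip trailing spaces in the body without breaking the signature, while changing a single word of the body or the From header changes the hash and fails verification.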

DMARC: The global security policy manager

SPF and DKIM operate independently, and neither of them looks at the From address the recipient actually sees. DMARC ties them to that address: the owner of the From domain publishes it, and it tells receiving servers how to handle messages that pass neither check with a domain aligned to the From header.

A DMARC record also names an address where receivers send aggregate reports, normally once a day, listing the IP addresses that sent mail using your domain and whether each one passed SPF, DKIM, and alignment. These reports show you which legitimate services still need fixing and which sources are spoofing you.

Syntax of a healthy DMARC record

A standard DMARC record must be published under the host name _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

  • v=DMARC1: Identifies the record as DMARC version 1; this tag must come first.
  • p=quarantine: The policy for messages that fail DMARC (neither SPF nor DKIM passes with an aligned domain): ask receivers to treat them as suspicious, typically by routing them to the spam folder. (Other options are p=none for monitoring only, or p=reject to ask receivers to refuse the message.) Subdomains inherit this policy unless you set sp= separately.
  • pct=100: Apply the policy to 100 percent of failing messages. A lower value applies it to that percentage and downgrades the rest by one step (reject to quarantine, quarantine to none), which is useful for a gradual rollout.
  • rua=mailto:dmarc@yourdomain.com: The address where aggregate XML reports are sent. A separate ruf= tag requests per-message failure reports, which only a few receivers send.

How to check your domain’s email alignment

Alignment is what makes DMARC work. A message is aligned for SPF when the domain in the envelope sender (Return-Path) matches the domain in the visible From header, and aligned for DKIM when the d= domain in the DKIM-Signature matches it. By default alignment is relaxed: a subdomain of the From domain (such as bounce.yourdomain.com) counts as a match. Setting aspf=s or adkim=s in the DMARC record requires an exact match.

If you send an email showing From: sales@yourdomain.com through a bulk provider whose envelope sender uses its own domain (bounce.mailchimp.com, say), SPF may pass for that domain, but it is not aligned with yours and contributes nothing to DMARC.

DMARC passes if at least one of SPF or DKIM passes and is aligned. If neither does, DMARC fails and the receiver applies your policy (none, quarantine, or reject). In practice, DKIM signed with d=yourdomain.com is what keeps mail from third-party services passing, because the signature survives forwarding and does not depend on the envelope sender.
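The alignment and policy decision described above and the record syntax from the DMARC section, as an added example that is not part of the original article: parse a DMARC record, test relaxed and strict alignment of the SPF and DKIM domains against the From domain, fall back to the organizational domain’s record (and its sp= tag) for a subdomain, and apply p= with pct= sampling. The DMARC records in ZONE and the SPF/DKIM results handed to it are constructed inputs; the organizational-domain helper takes the last two labels, where a real receiver consults the Public Suffix List.

```python
"""DMARC alignment check and disposition (added example)."""
import random

# Constructed TXT records; the DMARC record lives at _dmarc.<domain>.
ZONE = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; pct=50",
}


def parse_dmarc(record):
    """Tag list to dict with RFC 7489 defaults for alignment mode and pct."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption:
    real receivers use the Public Suffix List so that e.g. .co.uk works)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed (r): same organizational domain. Strict (s): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf, dkim, policy):
    """spf is (result, mail_from_domain) or None; dkim is (result, d_domain) or None.
    DMARC passes when at least one of them passed AND is aligned with From."""
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else "fail"


def disposition(from_domain, spf, dkim, sample=None):
    """Look up the From domain's policy and return (dmarc_result, action).
    `sample` (0-100) fixes the pct= draw; None draws randomly as a receiver would."""
    host = from_domain.lower()
    record = ZONE.get("_dmarc." + host)
    is_sub = False
    if record is None and host != org_domain(host):
        record = ZONE.get("_dmarc." + org_domain(host))   # subdomain inherits org policy
        is_sub = True
    if record is None:
        return "none", "no DMARC record; receiver applies its own heuristics"
    policy = parse_dmarc(record)
    if dmarc_result(host, spf, dkim, policy) == "pass":
        return "pass", "delivered"
    requested = policy.get("sp", policy["p"]) if is_sub else policy["p"]
    sample = random.uniform(0, 100) if sample is None else sample
    if sample >= int(policy["pct"]):
        # RFC 7489 section 6.6.4: unsampled mail gets the next weaker action
        return "fail", {"reject": "quarantine", "quarantine": "none"}.get(requested, "none")
    return "fail", requested


if __name__ == "__main__":
    # The article's unaligned case: SPF passes for the bulk provider's bounce domain only.
    print(disposition("yourdomain.com", ("pass", "bounce.mailchimp.com"), None))
    # Same message with an aligned DKIM signature.
    print(disposition("yourdomain.com", ("pass", "bounce.mailchimp.com"), ("pass", "yourdomain.com")))
```

The second call is the fix for almost every third-party sending service: leave their envelope sender alone and have them sign with a DKIM key whose d= is your domain.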

To verify your live configuration, paste your root domain into our DNS lookup tool and scan the active TXT rows, then repeat for _dmarc.yourdomain.com and for each selector._domainkey.yourdomain.com host your providers gave you. Ensure the strings match your email provider’s instructions exactly.


Checklist: Securing your domain’s email delivery

  • Does your root domain have exactly one SPF record starting with v=spf1?
  • Are all external mail services (like HubSpot, Zendesk, or MailerLite) included inside that single SPF record, and does the combined record stay within the 10 DNS lookup limit?
  • Did you publish the DKIM TXT record each mail host gave you, at the selector host name it specified, and does the host sign with d= set to your domain?
  • Is your DMARC record published on the host sub-domain _dmarc with a leading underscore?
  • Did you set up a dedicated mailbox to receive DMARC reports without cluttering your main inbox?

FAQ

What happens if I publish two SPF records?

Publishing two SPF records violates RFC 7208, which requires exactly one per domain. Receivers that find more than one return a permanent error (permerror) instead of evaluating either record, so SPF contributes nothing and any mail that relies on it to pass DMARC fails. Always merge multiple mail services into a single record, and watch the 10-lookup limit when you do.

Can I set DMARC to “reject” immediately?

No. Start with p=none (monitoring only) for a few weeks. Read the aggregate reports to confirm that every legitimate email source (including transactional billing engines and any helpdesk or CRM tool) passes SPF or DKIM with an aligned domain. Once every legitimate source passes, move to p=quarantine, optionally with a low pct= value first, and then to p=reject.

What is the “selector” in a DKIM record?

A selector is a short string (like google, k1, or m365) that distinguishes multiple DKIM keys on the same domain, so that each provider can have its own key and keys can be rotated without downtime. The selector is the first label of the DNS host where the public key is published (selector._domainkey.yourdomain.com) and is carried in the s= tag of the DKIM-Signature header, so the receiver knows which key to fetch.


Next step

Protect your domain from scammers and keep your emails out of spam folders. Use our DNS lookup tool to retrieve your domain’s TXT records. Inspect your SPF, DKIM, and DMARC strings for syntax errors, and update your DNS records to secure your brand today.

Disclaimer: Email security configurations depend entirely on your specific email provider and domain registrar. Always consult official support documentation to confirm exact key values and authentication paths.
