Email Deliverability Fundamentals: SPF, DKIM, DMARC Explained

Master the technical foundations of email deliverability. Learn SPF, DKIM, DMARC authentication, DNS records, and reputation management for maximum inbox placement.

22 min read | Deliverability | Updated 2026-04-18

Deliverability is the foundation of cold email success. You can write perfect copy, target ideal prospects, and have a great offer - but if your emails don't reach the inbox, nothing else matters. Mastering SPF, DKIM, DMARC, and sender reputation isn't optional technical detail; it's core competence for serious outbound operations.

This lesson breaks down the technical infrastructure that separates emails landing in Primary from those dying in Spam. No fluff, just practical implementation steps you can execute today.

Key Takeaways
- SPF, DKIM, DMARC are mandatory, not optional
- DNS changes propagate in 15-30 minutes (usually)
- Sender reputation takes weeks to build, hours to destroy
- Separate sending domain protects your main brand

The Authentication Trinity: SPF, DKIM, DMARC

SPF (Sender Policy Framework)

What it does: SPF tells the world which mail servers are authorized to send email for your domain. When an email arrives, the receiving server checks if it came from an approved IP address.

How it works:
```
1. You publish SPF record in DNS
2. Receiving server extracts sender domain
3. Server looks up SPF record
4. Server compares sending IP to allowed IPs
5. Result: PASS, FAIL, or NEUTRAL
```

SPF Record Structure:
```
v=spf1 [mechanisms] [modifiers]

Mechanisms:
include:  Include another domain's SPF
ip4:      Authorize IPv4 address/range
ip6:      Authorize IPv6 address/range
a:        Authorize domain's A records
mx:       Authorize domain's MX records
all:      Default action (~all, -all, ?all)

Examples:
v=spf1 ip4:192.168.1.1 include:sendgrid.net -all
v=spf1 mx include:_spf.google.com ~all
v=spf1 a:mail.example.com ip4:203.0.113.0/24 -all
```

Setting Up SPF:

1. Identify all sending sources:

  • Your mail server IP
  • Email service provider (ESP)
  • Marketing automation platform
  • Any other email tools

2. Create SPF record:
```
Type: TXT
Host: @ (or your domain)
Value: v=spf1 ip4:YOUR_IP include:ESP_DOMAIN -all
```

3. Common ESP includes:
```
SendGrid:    include:sendgrid.net
Mailgun:     include:mailgun.org
Amazon SES:  include:amazonses.com
Postmark:    include:spf.mtasv.net
Google:      include:_spf.google.com
Microsoft:   include:spf.protection.outlook.com
```

4. Verify with MXToolbox:

  • Go to mxtoolbox.com/spf.aspx
  • Enter your domain
  • Check for errors

SPF Best Practices:

  • Use `-all` (hard fail) when confident in your setup
  • Use `~all` (soft fail) during testing or with uncertainty
  • Don't exceed 10 DNS lookups (SPF has a limit)
  • Keep record under 255 characters (DNS TXT limit)
  • Include all sending sources (missing = delivery problems)
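
The 10-lookup limit is easy to exceed once ESP includes nest inside each other. The following added example (not from the original page) counts DNS-querying terms across nested includes and flags a missing or permissive `all`; `ZONE`, the `.test` domain names and the function names are constructed stand-ins for live DNS TXT lookups.

```python
# Added example. ZONE is constructed data standing in for live DNS TXT lookups.
ZONE = {
    "example.com": "v=spf1 mx a:mail.example.com include:_spf.esp-a.test include:_spf.esp-b.test -all",
    "_spf.esp-a.test": "v=spf1 include:_n1.esp-a.test include:_n2.esp-a.test include:_n3.esp-a.test ~all",
    "_spf.esp-b.test": "v=spf1 a mx include:_n1.esp-b.test include:_n2.esp-b.test ~all",
    "_n1.esp-a.test": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_n2.esp-a.test": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_n3.esp-a.test": "v=spf1 ip6:2001:db8:a::/48 ~all",
    "_n1.esp-b.test": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_n2.esp-b.test": "v=spf1 ip4:203.0.113.128/25 ~all",
    "small.test": "v=spf1 ip4:192.0.2.0/24 include:_n1.esp-b.test -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr"}  # each costs one DNS query

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's record, nested includes too."""
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("redirect="):        # modifier, also counts as a lookup
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]               # "a/24", "mx/24" carry a CIDR suffix
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return findings for the top-level record published at domain."""
    findings = []
    terms = zone[domain].lower().split()[1:]
    n = count_lookups(domain, zone)
    if n > 10:
        findings.append(f"{n} DNS lookups exceeds the limit of 10 (permerror)")
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism")
    elif alls and alls[0] in ("all", "+all"):
        findings.append("+all authorizes any sender")
    return findings
```

The top-level record in the sample shows only four lookup terms, but the nested includes bring the total to 11, which receivers treat as a permanent error rather than a pass.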

DKIM (DomainKeys Identified Mail)

What it does: DKIM cryptographically signs your emails, proving they weren't altered in transit and genuinely came from your domain. It's like a digital wax seal.

How it works:
```
Sending:
1. Email content is hashed
2. Hash is encrypted with private key
3. Signature added to email headers
4. Public key published in DNS

Receiving:
1. Extract signature from headers
2. Look up public key in DNS
3. Decrypt hash with public key
4. Hash received content
5. Compare hashes: Match = authentic
```

Setting Up DKIM:

1. Generate DKIM keys:
```bash
# Using openssl (1024-bit key; pass 2048 for the larger size listed under DKIM Key Sizes)
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key

# Or use your ESP's DKIM generator
# Most ESPs provide ready-to-use keys
```

2. Create DNS record:
```
Type: TXT
Host: selector._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
```

Common selectors:

  • default._domainkey
  • mail._domainkey
  • s1._domainkey (SendGrid)
  • smtp._domainkey

3. Configure mail server/ESP:
```
# Add private key to your sending system
# Most ESPs handle this automatically
# Self-hosted: Configure in Postfix/Exim/etc.
```

4. Test DKIM:

  • Send test email to Gmail
  • View original message (show details)
  • Look for "DKIM: PASS"
  • Or use: appmaildev.com/dkim

DKIM Key Sizes:

  • 1024-bit: Standard, widely supported
  • 2048-bit: More secure, some receivers prefer
  • Rotate keys every 6-12 months

DMARC (Domain-based Message Authentication)

What it does: DMARC tells receiving servers what to do if SPF or DKIM checks fail. It also provides reports about authentication results, helping you monitor and improve.

How it works:
```
1. Receiving server checks SPF and DKIM
2. If both fail, consults DMARC policy
3. Policy tells server what to do:
   - none: Do nothing (monitor only)
   - quarantine: Send to spam/junk
   - reject: Bounce the email
4. Server sends report to specified address
```

DMARC Record Structure:
```
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

Components:
v=DMARC1                  Version (required)
p=none/quarantine/reject  Policy (required)
rua=mailto:...            Aggregate report address (recommended)
ruf=mailto:...            Forensic report address (optional)
pct=100                   Percentage of mail to apply (0-100)
sp=none                   Subdomain policy (optional)
adkim=r/relaxed           DKIM alignment (strict/relaxed)
aspf=r/relaxed            SPF alignment (strict/relaxed)
fo=1                      Failure reporting options
ri=86400                  Report interval (seconds)
```

DMARC Implementation Strategy:

Phase 1: Monitor (Week 1-2)
```
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
```

  • Collect reports without affecting delivery
  • Identify authentication gaps
  • Fix SPF/DKIM issues

Phase 2: Quarantine (Week 3-4)
```
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=10
```

  • Start with 10% to test impact
  • Gradually increase to 100%
  • Monitor delivery rates

Phase 3: Reject (Month 2+)
```
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
```

  • Full protection against spoofing
  • Maximum brand protection
  • Monitor reports continuously

Setting Up DMARC Reporting:

1. Create mailbox: dmarc@yourdomain.com

2. Add DMARC record:
```
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
```

3. Set up report analysis:

  • Use free tools: DMARCian, Postmark DMARC
  • Or parse XML reports manually
  • Review weekly during setup
  • Monthly during steady state
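
For the "parse XML reports manually" option, the following added example (not from the original page) reads one aggregate report and lists the sources a Phase 1 review needs to chase. The report is a constructed sample using the element names of the standard aggregate report format (RFC 7489); `receiver.test`, the IP addresses and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report; IPs are documentation ranges.
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>yourdomain.com</header_from></identifiers></record>")

REPORT = ("<feedback>"
          "<report_metadata><org_name>receiver.test</org_name></report_metadata>"
          "<policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>"
          + _rec("203.0.113.10", 120, "pass", "pass")
          + _rec("203.0.113.25", 40, "fail", "pass")
          + _rec("192.0.2.5", 5, "fail", "fail")
          + _rec("198.51.100.77", 15, "fail", "fail")
          + "</feedback>")

def summarize(xml_text):
    """Return message totals plus the sources that fail DMARC or pass on SPF alone."""
    # Reports arrive from third parties by email: refuse DTDs and entity definitions.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in report: refusing to parse")
    root = ET.fromstring(xml_text)
    out = {"domain": root.findtext("policy_published/domain"),
           "total": 0, "dmarc_fail": [], "dkim_gap": []}
    for row in root.iterfind("record/row"):
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")   # aligned DKIM result
        spf = row.findtext("policy_evaluated/spf")     # aligned SPF result
        out["total"] += n
        if dkim != "pass" and spf != "pass":
            out["dmarc_fail"].append((ip, n))   # would be quarantined or rejected later
        elif dkim != "pass":
            out["dkim_gap"].append((ip, n))     # passes today, but only through SPF
    out["dmarc_fail"].sort(key=lambda s: -s[1])  # largest failing source first
    return out
```

Sources under `dmarc_fail` are either spoofing or a legitimate sender missing from SPF/DKIM, and they need to be resolved before moving to `p=quarantine`.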

DNS Implementation Guide

Common DNS Providers

Cloudflare:

1. Login → Select domain
2. DNS → Records
3. Add Record → Type: TXT
4. Name: @ (for SPF), selector._domainkey (DKIM), _dmarc (DMARC)
5. Content: Record value
6. Save

GoDaddy:

1. My Products → DNS
2. Manage DNS Records
3. Add → Type: TXT
4. Host: @ or specific
5. TXT Value: Record content
6. Add Record

Route 53 (AWS):

1. Hosted Zones → Select domain
2. Create Record
3. Record name: @ or specific
4. Record type: TXT
5. Value: Record content
6. Create

Google Domains:

1. DNS → Custom resource records
2. Name: @ or specific
3. Type: TXT
4. TTL: 3600
5. Data: Record content
6. Add

Verification Tools

MXToolbox:

  • mxtoolbox.com/spf.aspx (SPF check)
  • mxtoolbox.com/dkim.aspx (DKIM check)
  • mxtoolbox.com/dmarc.aspx (DMARC check)
  • mxtoolbox.com/blacklists.aspx (Blacklist check)

Google Admin Toolbox:

  • toolbox.googleapps.com/apps/checkmx/

DMARC Analyzer:

  • dmarcian.com/dmarc-inspector/

DKIM Validator:

  • appmaildev.com/dkim

Sender Reputation Management

Reputation Factors

IP Reputation (40% weight):

  • Blacklist status
  • Sending volume consistency
  • Bounce rate
  • Complaint rate
  • Spam trap hits

Domain Reputation (35% weight):

  • SPF/DKIM/DMARC setup
  • Domain age
  • Historical sending patterns
  • Engagement rates
  • Complaint rates

Content Reputation (25% weight):

  • Spam trigger words
  • URL reputation
  • Image-to-text ratio
  • HTML quality
  • Authentication

Monitoring Your Reputation

Google Postmaster Tools:
```
1. Sign up: postmaster.google.com
2. Add and verify your domain
3. Monitor metrics:
   - Domain reputation
   - IP reputation
   - Spam rate
   - Feedback loop
   - Authentication
```

Microsoft SNDS:
```
1. Register: sendersupport.olc.protection.outlook.com
2. Add IP ranges
3. Monitor:
   - IP reputation
   - Complaint rate
   - Spam trap hits
   - Filter results
```

Third-Party Reputation Services:

  • Sender Score (senderscore.org)
  • Barracuda Reputation (reputation.barracudacentral.org)
  • Cisco Talos (talosintelligence.com)
  • Validity (formerly Return Path)

Reputation Repair

If reputation drops:

1. Immediate (Day 1):

  • Pause cold email campaigns
  • Check blacklists
  • Review recent bounces/complaints
  • Audit sending infrastructure

2. Short-term (Week 1):

  • Fix any authentication issues
  • Clean list (remove bounces)
  • Send only to highly engaged contacts
  • Implement double opt-in

3. Recovery (Weeks 2-4):

  • Gradual volume increase
  • Monitor reputation daily
  • Maintain <0.1% complaint rate
  • Target >20% open rates

4. Long-term (Ongoing):

  • Consistent sending patterns
  • Regular list hygiene
  • Engagement-based segmentation
  • Proper authentication maintenance

Infrastructure Setup for Cold Email

Domain Strategy

Separate Sending Domain:
```
Main brand: yourcompany.com
Cold email: outreach.yourcompany.com
            OR mail.yourcompany.com
            OR yourcompany.io
```

Benefits:

  • Protects main domain reputation
  • Allows separate authentication
  • Easier to isolate and fix issues
  • Clean slate for reputation building

Subdomain vs. New Domain:
```
Subdomain (outreach.yourcompany.com):
+ Inherits some domain authority
+ Easier to manage
+ Lower cost
- Issues can affect parent domain

New Domain (yourcompany.io):
+ Complete isolation
+ Independent reputation
- Must build reputation from zero
- More management overhead

Recommendation: Subdomain for established brands, new domain for high-volume cold email
```

IP Strategy

Shared vs. Dedicated IP:

```
Shared IP (ESP default):
+ Established reputation immediately
+ Lower cost
+ Good for low volume (<5k/day)
- Affected by other senders
- Less control

Dedicated IP:
+ Full reputation control
+ Not affected by others
+ Required for high volume (>10k/day)
- Must warm up (2-4 weeks)
- Higher cost
- All reputation on you
```

Recommendation:

  • <5k/day: Shared IP
  • 5-10k/day: Either (test both)
  • >10k/day: Dedicated IP

IP Warmup Schedule:
```
Week 1: 50 emails/day
Week 2: 100 emails/day
Week 3: 250 emails/day
Week 4: 500 emails/day
Week 5: 1000 emails/day
Week 6: 2500 emails/day
Week 7: 5000 emails/day
Week 8: Full volume
```

Rules:

  • Send only to highly engaged recipients initially
  • Maintain <0.1% complaints
  • Monitor reputation daily
  • Pause if issues detected

Troubleshooting Deliverability Issues

Symptom: High Bounce Rate (>5%)

Causes:

  • Invalid email addresses
  • Full mailboxes
  • Blocked/filtered sending IP
  • DNS/authentication issues

Solutions:

1. Clean your list (validate before sending)
2. Check authentication setup
3. Verify not on blacklists
4. Reduce volume temporarily

Symptom: Low Open Rates (<10%)

Causes:

  • Landing in spam/promotions
  • Poor subject lines
  • Bad timing
  • Low sender reputation

Solutions:

1. Check spam folder placement
2. Audit authentication (SPF/DKIM/DMARC)
3. Review Postmaster Tools for reputation
4. Test with seed accounts

Symptom: High Spam Complaints (>0.3%)

Causes:

  • Unsolicited emails
  • Misleading subject lines
  • No unsubscribe option
  • Poor list quality

Solutions:

1. Improve targeting/relevance
2. Clear unsubscribe link
3. Honor opt-outs immediately
4. Review copy for spam triggers

Deliverability Checklist

Before First Campaign:

  • [ ] SPF record configured and verified
  • [ ] DKIM keys generated and published
  • [ ] DMARC record set to monitoring mode
  • [ ] DNS changes propagated (verify with MXToolbox)
  • [ ] Sending domain separate from main brand
  • [ ] IP warmed up (if dedicated)
  • [ ] Seed accounts set up (Gmail, Outlook, Yahoo)
  • [ ] Postmaster Tools and SNDS registered
  • [ ] Blacklist check passed

Ongoing (Weekly):

  • [ ] Check Postmaster Tools reputation
  • [ ] Review DMARC reports
  • [ ] Monitor bounce rates (<2%)
  • [ ] Monitor complaint rates (<0.1%)
  • [ ] Check blacklist status
  • [ ] Review authentication alignment

Conclusion

Deliverability isn't sexy, but it's everything. Perfect copy sent to spam is worthless; mediocre copy hitting Primary inbox generates revenue.

Set up SPF, DKIM, DMARC correctly. Monitor your reputation obsessively. Use separate sending domains. Warm up IPs properly. These fundamentals separate amateurs from professionals.

Your deliverability action plan:

1. Verify SPF/DKIM/DMARC today (use MXToolbox)
2. Set up Google Postmaster Tools
3. Register for Microsoft SNDS
4. Create separate sending domain
5. Document your authentication setup

Technical excellence is a competitive advantage. Master deliverability, then worry about copy.
