SPF, DKIM, DMARC explained for newsletter operators
TL;DR
SPF says which servers may send for you. DKIM proves the email was not tampered with. DMARC tells receivers what to do when one of them fails. All three are mandatory in 2026 if you mail any meaningful volume to Gmail or Outlook. Roll them out in order: SPF, DKIM, DMARC at p=none with reporting, then ramp DMARC to p=quarantine and finally p=reject.
If your newsletters mostly land in spam at Gmail and Outlook in 2026, the cause is almost never the content. It is authentication. The three records that establish trust between your domain and the receiving inbox are SPF, DKIM, and DMARC. Set them correctly and your inbox-placement rate at major providers usually climbs 20-40 percentage points in 30 days, with no content changes.
SPF: who is allowed to send for you
SPF (Sender Policy Framework) is the simplest of the three. It is a DNS TXT record on your domain that lists every server allowed to send email claiming to be from you. When a receiver gets mail from your.brand, it looks up your SPF record, checks whether the sending server's IP is on the list, and decides whether to trust the source.
A typical SPF record looks like:
v=spf1 include:_spf.google.com include:mailgun.org include:servers.mcsv.net -all
The pieces:
- v=spf1 - identifies the record as SPF version 1.
- include: - delegates to another record. Each ESP has one (Mailchimp uses servers.mcsv.net, SendGrid uses sendgrid.net).
- -all - the strict qualifier. Anything not matched fails. This is what you want.
The trap: SPF records have a 10-DNS-lookup limit. Stacking too many ESP includes silently breaks SPF. If you send through more than 4-5 ESPs you are probably already over the limit and your SPF is failing some of the time. Fix by flattening (resolving the includes once and listing the IPs directly) using a tool from your ESP.
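To check a record against the limit before publishing it, the added example below (not part of the original article) counts the DNS-querying terms recursively, the way a receiver accumulates them. The zone contents, the esp-*.example names and the helper names are constructed for illustration.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that cost one DNS query each; ip4, ip6 and all cost nothing.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS (sample data only).
ZONE = {
    "yourbrand.example": "v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example "
                         "include:_spf.esp-c.example include:_spf.esp-d.example mx -all",
    "_spf.esp-a.example": "v=spf1 include:_n1.esp-a.example include:_n2.esp-a.example "
                          "include:_n3.esp-a.example ~all",
    "_n1.esp-a.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_n2.esp-a.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "_n3.esp-a.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_spf.esp-b.example": "v=spf1 include:_n1.esp-b.example ip4:198.51.100.0/25 ~all",
    "_n1.esp-b.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_spf.esp-c.example": "v=spf1 a:mail.esp-c.example mx ~all",
    "_spf.esp-d.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # Flattened variant: nested includes resolved once and listed as networks.
    "flat.yourbrand.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                              "ip4:203.0.113.0/24 include:_spf.esp-c.example -all",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms needed to evaluate the SPF record at domain."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record at {domain}")
    total = 0
    for term in record.lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not m or m.group(1) not in QUERYING:
            continue
        total += 1
        if m.group(1) in ("include", "redirect"):  # these pull in another record
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total

def spf_ok(domain, zone):
    """True when evaluation stays within the limit (over it is a permerror)."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT
```

Four ESP includes plus one mx already cost 11 lookups here, while the flattened record costs 3. Flattened entries go stale when an ESP changes its ranges, so re-run the count whenever the record is regenerated.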
DKIM: cryptographic proof the message is intact
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outbound email. The signature covers the message headers and body. The receiver fetches your public key (published as a TXT record at selector._domainkey.yourdomain.com) and verifies the signature.
If the signature checks out, two things are proven:
- The message was signed by someone with your private key (so the From domain is real).
- The message body was not modified in transit (so no inline tampering).
The selector is a label your ESP picks. Common selectors: default, selector1, k1, google, krs. ESPs that send for you will tell you exactly which selector to use and what the public-key TXT record should look like - typically a long base64-encoded string starting with v=DKIM1; k=rsa; p=....
The trap: ESP migration. When you switch from Mailchimp to Klaviyo, the new ESP uses a different selector with a different public key. The old DKIM record stays in DNS but no longer signs your mail. Remove the old record, or you risk confused-state DKIM mismatches.
DMARC: the policy on top
DMARC sits above SPF and DKIM. It says: when a receiver checks SPF and DKIM for mail from my domain, and one of them fails, here is what I want them to do.
A typical DMARC record:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourbrand.com; aspf=r; adkim=r
The pieces:
- p= - the policy. none = do nothing (reporting only). quarantine = route to spam. reject = block.
- pct= - what percentage of failing mail to apply the policy to. Lets you ramp gradually (start at pct=10, watch reports, climb to 100).
- rua= - aggregate reporting address. Receivers send daily reports here.
- aspf= / adkim= - alignment mode. r (relaxed) is normal; s (strict) requires exact domain match.
The DMARC ramp
The standard rollout pattern, which avoids breaking legitimate mail:
- Week 0-1. Publish DMARC at p=none with rua pointing to your reporting address. No enforcement; only data collection.
- Week 2-6. Read the daily reports. Identify any legitimate mail flows that fail SPF or DKIM. Fix them at the source (add missing ESPs to SPF, set up DKIM for that ESP, etc.).
- Week 6-8. Move to p=quarantine; pct=10. Failing mail goes to spam 10 percent of the time. Watch for complaints.
- Week 8-12. Ramp pct to 50, then 100.
- Week 12+. Move to p=reject. Failing mail is now blocked entirely. You are now fully protected against spoofing.
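For the report-reading weeks, the added example below (not part of the original article) parses an aggregate report in the RFC 7489 XML layout and lists the sending IPs whose mail failed both checks, highest volume first. The report contents and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
REPORT = """<feedback>
 <policy_published><domain>yourbrand.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>yourbrand.example</domain><result>pass</result></dkim>
  <spf><domain>yourbrand.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>340</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.billing-tool.example</domain><result>pass</result></spf>
  </auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf>
  </auth_results></record>
</feedback>"""

def summarize(xml_text):
    """Per source IP: total messages, DMARC-failing messages, domains seen."""
    # Reports are untrusted third-party input; production code should use a
    # hardened parser such as defusedxml instead of the standard library one.
    root = ET.fromstring(xml_text)
    out = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "auth_domains": set()})
    for rec in root.iter("record"):
        stats = out[rec.findtext("row/source_ip")]
        count = int(rec.findtext("row/count", "0"))
        stats["total"] += count
        # policy_evaluated holds the aligned results; DMARC fails only if both do.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":
            stats["dmarc_fail"] += count
        for dom in rec.findall("auth_results/*/domain"):
            stats["auth_domains"].add(dom.text)
    return dict(out)

def failing_sources(xml_text):
    """(ip, failing, total, domains) for each failing source, worst first."""
    rows = [(ip, s["dmarc_fail"], s["total"], sorted(s["auth_domains"]))
            for ip, s in summarize(xml_text).items() if s["dmarc_fail"]]
    return sorted(rows, key=lambda r: -r[1])
```

In the sample, 198.51.100.7 passes raw SPF for a billing tool's own bounce domain but is unaligned and unsigned, which is the pattern of a legitimate sender that still needs DKIM set up; 203.0.113.99 authenticates as nothing you recognize.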
The 2024 mandate
In February 2024, Gmail and Yahoo announced new requirements for bulk senders (anyone mailing more than 5,000 messages per day to their domains). The requirements:
- Valid SPF or DKIM (preferably both).
- SPF and DKIM aligned with the From domain.
- DMARC at p=none or stronger.
- One-click List-Unsubscribe header (RFC 8058).
- Spam complaint rate under 0.3 percent.
Outlook followed with similar requirements through 2024-25. As of mid-2025, missing any of the four authentication requirements typically means immediate spam-foldering or rejection at major providers.
Frequently asked questions
What is SPF?
A DNS TXT record listing servers allowed to send for your domain. The all qualifier sets strictness.
What is DKIM?
A cryptographic signature on every email. The public key is published at selector._domainkey.yourdomain.com.
What is DMARC?
The policy layer. Tells receivers what to do when SPF/DKIM fail. p=none, quarantine, or reject.
Need all three?
Yes, since 2024. Gmail and Outlook require valid SPF, DKIM, and DMARC for bulk senders.
Rollout order?
SPF, DKIM, DMARC at p=none with reporting, then ramp to p=quarantine, then p=reject.