Guide · Deliverability
SPF, DKIM & DMARC explained
These three DNS records prove your email is really from you. Without them, mailbox providers distrust your mail — and since 2024 Gmail and Microsoft require them from senders. Sovereign Mail generates the exact records for you; here's what each does.
SPF — who's allowed to send
SPF (Sender Policy Framework) is a DNS TXT record listing which servers may send mail for your domain. Receivers check the sending server against it. Use -all (hard fail) so unauthorised servers are rejected.
DKIM — a tamper-proof signature
DKIM (DomainKeys Identified Mail) cryptographically signs each message with a private key; receivers verify it against a public key in your DNS. It proves the message wasn't altered and genuinely came from your domain. We sign with a per-domain key for you.
DMARC — the policy that ties it together
DMARC tells receivers what to do when SPF/DKIM don't align with your domain, and where to send reports. Start at p=none to monitor, read the aggregate reports (we ingest them into a per-domain dashboard), then ramp to quarantine and reject.
Also worth having
- MTA-STS & TLS-RPT — enforce TLS encryption to your domain and get reports on failures.
- BIMI — show your verified logo in supporting inboxes (needs DMARC at enforcement).
Common mistakes
- More than one SPF record (only one is allowed) or exceeding the 10-DNS-lookup limit.
- Jumping straight to
p=rejectbefore confirming all your legitimate senders pass — legitimate mail gets quarantined. - Forgetting a sending subdomain, or a mismatched Return-Path breaking SPF alignment.
In Sovereign Mail, add a domain and we generate SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI records ready to paste, then verify them for you.
Frequently asked questions
Do I need all three of SPF, DKIM and DMARC?
Yes for reliable inbox placement. Gmail and Microsoft now require SPF, DKIM and a DMARC policy for senders. Sovereign Mail generates all the records for you to publish.
What DMARC policy should I start with?
Start at p=none (monitor only) so you can read aggregate reports without affecting delivery, then move to quarantine and finally reject once your legitimate sources all pass.
Why is my mail still going to spam with SPF and DKIM passing?
Authentication proves identity but not reputation. New sending IPs must be warmed gradually, and complaint/bounce rates must stay low — see our deliverability guidance.