Think of email authentication like a building’s security system. SPF is the guest list (who’s allowed in). DKIM is the ID badge (proof you are who you say). DMARC is the security guard (checks if the guest list OR the badge match the name on the door).

Here’s the fastest way to check all three — no command line, no DNS digging:

Step 1 → Run a full scan first to see the big picture.
Email Health Checker — shows whether SPF, DKIM, and DMARC exist and flags obvious problems.

Step 2 → Check your SPF record — look for a TXT record on your root domain starting with v=spf1.

Step 3 → Check your DMARC record — look for a TXT record at _dmarc.yourdomain.com starting with v=DMARC1.

Step 4 → Check your DKIM record — you need the selector first, then check selector._domainkey.yourdomain.com.

Step 5 → Confirm alignment — at least SPF or DKIM must pass and match your visible From domain.

Step 6 → If everything looks right but emails still go to spam, check a real email header:
Email Header Analyser — shows what the receiving server actually saw.

Trick: Don’t just check whether records exist. Send yourself a test email, then look at the raw header — that’s where the truth is. DNS can look perfect while live messages silently fail.

SPF — The Guest List

Think of SPF like a door policy at a club. Your domain publishes a list of IPs and services allowed to send email on your behalf. If Google Workspace, SendGrid, or Amazon SES sends your mail, they need to be on that list.

SPF lives as a TXT record on your root domain. It looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

If a service sends email for you but isn’t in this record, SPF fails for those messages.

DKIM — The ID Badge

DKIM adds an invisible digital signature to every email you send. When the receiving server gets your message, it checks a public key stored in your DNS to confirm two things: the message was signed by someone you authorized, and nobody changed it in transit.

The tricky part: DKIM doesn’t live at your root domain. It lives at a specific address like:

google._domainkey.yourdomain.com

That first part (google) is the selector — and if you check the wrong selector, the whole lookup fails even when DKIM is perfectly configured.

DMARC — The Security Guard

DMARC sits on top of SPF and DKIM. It tells receiving servers what to do when authentication fails — ignore it (p=none), put it in spam (p=quarantine), or reject it entirely (p=reject).

But here’s the critical part most guides skip:

DMARC doesn’t just care whether SPF or DKIM passed. It cares whether they passed AND matched your visible From address.

That matching is called alignment — and it’s the #1 reason people get stuck.

A surprising number of checks fail because someone tested the wrong domain.

Root domain vs subdomain matters. These are all different:

• example.com
• mail.example.com
• updates.example.com

If your emails go out from a subdomain, that changes which SPF record applies, which DKIM selector is used, and which DMARC policy kicks in.

For DMARC, the visible From address is everything. Three domains often get confused:

Trick: If you use a third-party sender (Mailchimp, SendGrid, HubSpot), they often set the Return-Path to their own domain. SPF passes for their domain, but DMARC fails because it doesn’t match your From domain. Always check the actual sending path, not just the base domain.

Where SPF lives: TXT record on your root domain, starting with v=spf1.

What to look for:

A healthy SPF record includes every service that sends email for you. It starts with v=spf1, lists your services with include:, and ends with ~all (softfail) or -all (hardfail).

The 5 most common SPF problems:

The hidden killer: the 10 DNS lookup limit

This is the #1 SPF problem nobody warns you about. Every include:, a, mx, and exists in your SPF triggers a DNS lookup. If the total chain (including nested includes inside other SPF records) exceeds 10 lookups, SPF returns a permanent error — your email fails authentication and you never get a warning.

Real-world example: Google Workspace alone eats 3-5 lookups. Add Microsoft 365 (3-5 more), SendGrid (1-3), and a CRM (1-2) — you’re already past the limit.

This limit is defined in RFC 7208. It’s not optional. And ip4: / ip6: mechanisms don’t count against it — only mechanisms that need DNS resolution.

If your SPF record is bloated, use this:
SPF Flattening Tool — replaces include: mechanisms with direct IP addresses, cutting your lookup count.

Trick: Your SPF can break without you touching it. When a provider like Google or Microsoft adds servers to their SPF record, your nested lookup count increases silently. Check quarterly — not just when something breaks.

DKIM is where most “simple” guides become useless — because they skip the hardest part: you need the selector.

Where DKIM lives: selector._domainkey.yourdomain.com — NOT at the root domain.

How to find the selector:

1. Check your email provider’s DNS setup instructions (Google uses google, many services use default or k1)
2. Look in a real email header — find the DKIM-Signature section, then look for s= (selector) and d= (signing domain)
3. Check your ESP or mailbox settings

Best tool for DKIM: DKIM Analyzer — validates the selector, checks the public key, and confirms whether the signing domain aligns with your From domain.

The 3 most common DKIM problems:

Why DKIM can pass but DMARC still fails:

This is the single most important concept in this entire guide.

DKIM “pass” alone is not enough. For DMARC to pass via DKIM, the signing domain (d= in the DKIM header) must match your visible From domain.

Scenario	DKIM Result	DMARC Result
From: [email protected] / DKIM d=example.com	Pass + aligned	DMARC passes
From: [email protected] / DKIM d=sendgrid.net	Pass but NOT aligned	DMARC fails via DKIM

Trick: When setting up a third-party sender, always ask: “Can I use custom DKIM with my own domain?” If they sign with their domain instead of yours, DMARC will never pass through DKIM — no matter how valid the signature is.

Where DMARC lives: TXT record at _dmarc.yourdomain.com — not the root domain.

What a valid DMARC record looks like:

At minimum: v=DMARC1; p=none

Common tags:

Best tool for DMARC: DMARC Checker — catches missing policies, duplicate records, and malformed tags.

What the three policies actually mean:

Recommended path: Start with p=none → collect reports → verify every legitimate sender → move to quarantine → later consider reject.

Common DMARC mistakes:

• Multiple DMARC records (only one is allowed)
• Missing the p= tag entirely (invalid record)
• Publishing the record on the root domain instead of _dmarc.
• Setting strict alignment before all senders are properly configured
• Assuming “record exists” means “DMARC is working”

If you only remember one thing from this guide:

DMARC requires alignment, not just pass.

DMARC doesn’t simply ask “did SPF pass?” or “did DKIM pass?” It asks: did SPF or DKIM pass in a way that matches the visible From domain?

SPF alignment example:

• From: [email protected]
• Return-Path: mailer.sendplatform.com
• SPF passes for mailer.sendplatform.com

SPF passed — but the Return-Path domain doesn’t match example.com, so DMARC doesn’t pass via SPF.

DKIM alignment example:

• From: [email protected]
• DKIM signature validates
• DKIM d=vendor-mail.com

DKIM passed — but vendor-mail.com doesn’t match example.com, so DMARC doesn’t pass via DKIM.

This is exactly why “everything looks fine but emails go to spam” happens. You see SPF = pass, DKIM = pass, and assume you’re done. But if neither one aligns with your From domain, DMARC fails — and inbox providers treat the message as suspicious.

Trick: When debugging, stop looking at DNS first. Open a real email header and search for Authentication-Results. That single line tells you exactly what passed, what failed, and what aligned — all in one place.

DNS records tell you what should happen. The email header tells you what actually happened.

A domain can look perfect in DNS and still fail because:

• The wrong provider sent the email
• The message used a different Return-Path than expected
• DKIM signing wasn’t enabled on that specific sending stream
• Email forwarding changed the authentication path
• A third-party tool bypassed your intended sending route

What to look for in the raw header:

Best tool: Email Header Analyser — paste your raw header, get a breakdown of exactly what passed and what failed.

Trick: Gmail makes this easy. Open any email → three dots → “Show original.” That gives you the raw header with Authentication-Results right at the top. Outlook: open the message → File → Properties → Internet Headers.

Here’s the complete order, using free tools:

Authentication is just one piece. Even with perfect SPF, DKIM, and DMARC, emails can still miss the inbox:

Trick: Landing in Gmail’s Promotions tab? That’s not an authentication problem — it’s a content classification. Authentication won’t fix it. Sending more personal-style emails (fewer images, shorter text, no marketing templates) helps.

What NOT to do: Don’t set DMARC to p=reject before you’ve confirmed every legitimate sender. Don’t use multiple SPF records. Don’t ignore the 10-lookup limit. Don’t check DNS once and assume it stays correct forever. Don’t skip the email header when troubleshooting.