Deliverability

How to Improve Email Deliverability: SPF, DKIM & DMARC Explained

The best email in the world is worthless in the spam folder. Here's how SPF, DKIM and DMARC work — in plain English — and a checklist to reach the inbox.

By The SendDoggie Team · June 2026 · 10 min read

You can write the perfect email, but if it lands in spam, none of it matters. Deliverability is the unglamorous foundation of email marketing — and the single biggest thing most senders get wrong.

The good news: the fundamentals are simple, mostly one-time setup, and explained here without the jargon. Gmail, Yahoo, and other major inbox providers no longer accept this as optional — authentication is now the industry standard enforced across all bulk senders.

What "deliverability" really means

Deliverability isn't whether your email was sent — it's whether it reached the inbox rather than spam or a block. Mailbox providers (Gmail, Outlook, Apple Mail) decide that based on two things: can they verify you are who you say you are, and do people want your mail.

SPF: The server allowlist

SPF (Sender Policy Framework) is a DNS record that says "these servers are allowed to send email from my domain." Think of it as a guest list: if an email claims to come from your domain but isn't sent from an allowed server, the mailbox provider flags it as suspicious.

What an SPF record looks like:

Breaking it down:

• v=spf1 — the SPF version (always v1).
• include:sendgrid.net — "allow SendGrid's servers to send for my domain."
• include:senddoggie.com — "allow SendDoggie's servers to send for my domain."
• ~all — "anything else gets a soft fail" (emails still deliver, but flagged as not fully authenticated). Use -all for a hard reject of everything not explicitly allowed.

Common SPF mistake: the 10 DNS lookup limit. Each "include:" is a DNS lookup. If you have more than 10, SPF fails silently. If you hit this wall, consolidate includes or ask your provider for a single IP range instead.

DKIM: Tamper-proof signatures

DKIM (DomainKeys Identified Mail) uses cryptographic key pairs to create a digital signature on every email. Here's how it works: your email platform holds a private key (secret, never shared). It uses that to sign every outgoing email. Mailbox providers use your public key (published in DNS) to verify that signature. If the email was altered after sending, the signature breaks and providers know it's been tampered with.

Think of it like a wax seal on an old envelope: the recipient can verify the seal is intact and unbroken, proving it came from you and hasn't been altered in transit.

What a DKIM public key looks like in DNS:

The p= part contains the public key (a long string of characters). Your email platform generates both the public and private keys — you only ever paste the public key into DNS.

Common DKIM mistake: hidden spaces or line breaks in the key when copying it. Even one extra space breaks the signature. Copy slowly, paste into a text editor first to check for invisible characters, then paste into your DNS provider.

DMARC: The enforcement policy

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the boss that tells mailbox providers what to do if SPF or DKIM fail. It has three policy modes, and you should follow a progression:

Example DMARC record:

The rua= part tells providers where to send aggregate reports so you can monitor authentication failures.

Common authentication failures (and how to fix them)

1. Adding your root domain twice to SPF. If you have an SPF record like v=spf1 include:yourdomain.com ~all, that's circular and fails. The "include:yourdomain.com" should be your email provider's domain (SendGrid, SendDoggie, etc.), not your own.
2. Forgetting DKIM selector. When you paste a DKIM public key into DNS, it goes in a record like default._domainkey.yourdomain.com. The "default" part is the selector — if your provider uses a different one (like "senddoggie"), your DNS record name needs to match.
3. SPF hitting the 10-lookup limit. Each include: costs one lookup. If you have many sending services, you'll exceed the limit and SPF fails silently. Solution: ask providers for IP ranges instead of includes, or consolidate.
4. Not publishing DMARC. Many senders skip DMARC entirely. Without it, mailbox providers have no policy to follow if SPF/DKIM fail. At minimum, set p=none to start gathering intelligence.

Sender reputation: the hidden score

Authentication gets you in the door; reputation keeps you there. Providers track how recipients react to your mail and score you accordingly. Every major provider (Gmail, Yahoo, Outlook) maintains a sender reputation algorithm.

How to test your setup

Don't guess. Use these free tools to verify your authentication is working:

1. MxToolbox SPF Check — paste your domain and see your SPF record parsed and validated.
2. MxToolbox DKIM Check — verify your DKIM public key is published correctly in DNS.
3. MxToolbox DMARC Check — confirm your DMARC policy is live.
4. Mail-tester.com — send a test email and get a detailed report on authentication, spam score, and deliverability warnings.
5. Gmail headers (manual) — send a test email to your Gmail account. Open it, click the three dots, select "Show original." You'll see the full email headers, including SPF/DKIM/DMARC results. Look for "pass" or "fail" next to each.

Run through all five checks. If any show "fail," fix the underlying record before sending campaigns.

The inbox checklist

1. Set up SPF. Add an SPF record for each sending platform you use (email service, CRM, etc.).
2. Set up DKIM. Generate a DKIM key pair and publish the public key to DNS. Configure your email service to use the private key for signing.
3. Set up DMARC. Start with p=none for 1–2 weeks, monitor reports, then move to p=quarantine once all legitimate sources are authenticated.
4. Test all three. Use MxToolbox and Mail-tester to confirm everything is working before sending campaigns.
5. Send from a branded domain (you@yourbrand.com), never a free Gmail/Yahoo address.
6. Use confirmed opt-in so only real, willing subscribers join.
7. Remove hard bounces and long-dormant contacts regularly.
8. Make unsubscribing one click — it's far better than a spam report.
9. Warm up a new domain gradually instead of blasting on day one.

Deliverability is step one of any program. Once your domain is verified, focus on the message — start with our small business email guide or learn what good open rates look like.