What these records do
SPF (Sender Policy Framework) lists which servers are authorized to send email as your domain. It's a TXT record on your root domain that starts with v=spf1.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email, proving the message wasn't tampered with. It's a TXT record at {selector}._domainkey.yourdomain.com.
DMARC tells receiving mail servers what to do if SPF or DKIM fails — quarantine, reject, or just monitor. It's a TXT record at _dmarc.yourdomain.com.
Why all three matter
- Gmail & Yahoo have required DKIM + SPF + DMARC for bulk senders (5,000+/day) since Feb 2024
- Without authentication, your messages are more likely to land in spam
- DMARC prevents spoofing — stops scammers from impersonating your brand
- All three together give you control over your sender reputation
Privacy
This tool uses Cloudflare DNS-over-HTTPS (cloudflare-dns.com) directly from your browser. The domain you enter is visible to Cloudflare only — nothing touches our servers.
Frequently asked questions
Do I really need all three — SPF, DKIM and DMARC?
For the Gmail/Yahoo 2024 bulk-sender rules: yes. Even for smaller senders the combination is what makes your email trustworthy to modern providers. SPF alone is no longer enough: DKIM cryptographically signs your messages and DMARC tells receivers how to handle failures.
What does DMARC p=none vs p=quarantine vs p=reject mean?
p=none — monitor only, receivers don't act on failures. p=quarantine — route failures to spam. p=reject — bounce failures entirely. Start with none to collect reports, move to quarantine, then reject once you're confident every legitimate mail passes.
Why does DKIM fail even though I set it up?
Common causes: the DNS record hasn't fully propagated yet, the selector doesn't match the one your mail server signs with, or the key was truncated during DNS entry (DKIM public keys are long and easy to mis-paste). Double-check by fetching the TXT record with dig.
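A check for the truncated-key case above, as an added example (not this tool's own code), in JavaScript because the lookup runs in the browser. It joins the quoted chunks of a TXT answer as a JSON DoH lookup returns them, then compares the decoded key length with the length the key's DER header declares. The function names and the sample key (filler bytes, not a real key) are constructed for illustration.

```javascript
// TXT data in a JSON DoH answer arrives as quoted chunks ("a" "b");
// long DKIM keys are split at 255 bytes and must be joined with no separator.
function joinTxt(data) {
  const chunks = data.match(/"(?:[^"\\]|\\.)*"/g);
  if (!chunks) return data.trim();
  return chunks.map(c => c.slice(1, -1).replace(/\\(.)/g, "$1")).join("");
}

// Parse "tag=value; tag=value" (the syntax DKIM and DMARC records share).
function parseTags(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

// Total size the outer DER SEQUENCE header claims, or -1 if it is not DER.
function derDeclaredLength(bytes) {
  if (bytes.length < 2 || bytes[0] !== 0x30) return -1;
  if (bytes[1] < 0x80) return 2 + bytes[1];
  const n = bytes[1] & 0x7f;
  if (n === 0 || n > 3 || bytes.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = (len << 8) | bytes[2 + i];
  return 2 + n + len;
}

// Classify one TXT answer fetched from {selector}._domainkey.<domain>.
function checkDkim(answer) {
  const tags = parseTags(joinTxt(answer.data));
  if (tags.v !== undefined && tags.v !== "DKIM1") return "not-dkim";
  if (tags.p === undefined) return "missing-key";
  if (tags.p === "") return "revoked"; // an empty p= means the key was withdrawn
  let bytes;
  try { bytes = Uint8Array.from(atob(tags.p.replace(/\s+/g, "")), c => c.charCodeAt(0)); }
  catch { return "invalid-base64"; }
  // Ed25519 keys are published as the raw 32-byte key, RSA keys as DER.
  if ((tags.k || "rsa") === "ed25519") return bytes.length === 32 ? "ok" : "truncated";
  const want = derDeclaredLength(bytes);
  if (want < 0) return "invalid-key";
  return bytes.length === want ? "ok" : bytes.length < want ? "truncated" : "invalid-key";
}

// Constructed sample: filler bytes behind a 2048-bit RSA SPKI header, not a real key.
const fill = new Uint8Array(294); fill.set([0x30, 0x82, 0x01, 0x22]);
const SAMPLE_KEY = btoa(String.fromCharCode(...fill));
const sampleAnswer = p => ({ type: 16, data: `"v=DKIM1; k=rsa; p=${p}"` });
```

A result of "truncated" points at a mis-pasted key; "ok" here only means the record is structurally complete, so a selector mismatch still has to be checked against the s= tag in a signed message's DKIM-Signature header.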