You wrote the perfect email. Great subject line, compelling offer, beautiful design. But none of it matters if it lands in spam. Email deliverability starts with three DNS records: SPF, DKIM, and DMARC. Here's how to set them up correctly.
What These Records Actually Do
SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. Without it, anyone can pretend to be you.
DKIM (DomainKeys Identified Mail) adds a digital signature to your emails. The receiving server checks this signature against a public key in your DNS to verify the email wasn't tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells receiving servers what to do when authentication fails: nothing, quarantine, or reject.
Step 1: Set Up SPF
Add a TXT record to your domain's DNS:
Host: @ (or your domain)
Type: TXT
Value: v=spf1 include:_spf.bestemail.in include:_spf.google.com ~all
The "include" mechanisms authorize BestEmail and Google (if you use Gmail/Workspace) to send on your behalf. The "~all" means emails from unauthorized senders get a soft fail: they might still deliver but get flagged.
Important: You can only have ONE SPF record per domain. If you already have one, merge the includes into a single record.
Step 2: Set Up DKIM
In your BestEmail dashboard, go to Settings → Domain Authentication. You'll get a DKIM record to add:
Host: bestemail._domainkey
Type: TXT
Value: (the long key string from your dashboard)
This usually takes 24-48 hours to propagate. BestEmail will show a green checkmark once it verifies.
Step 3: Set Up DMARC
Start with a monitoring-only policy:
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
This tells receivers to send you reports about authentication failures without rejecting anything. Review these reports for 2-4 weeks. Once you're confident everything's set up right, tighten the policy:
- p=quarantine: failed emails go to spam
- p=reject: failed emails get blocked entirely
Common Mistakes to Avoid
Multiple SPF records: Having two TXT records starting with "v=spf1" breaks SPF entirely. Always merge into one.
Too many DNS lookups: SPF has a 10-lookup limit. Each "include" counts as one or more lookups. If you use many email services, you might hit this limit. Use an SPF flattener tool to check.
Skipping DMARC: SPF and DKIM alone aren't enough. Without DMARC, spoofing is still possible. Even a p=none policy gives you visibility.
Not testing: Use tools like MXToolbox or mail-tester.com to verify your records are working before sending campaigns.
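The first two mistakes above can be checked mechanically. This Python sketch is an added example, not BestEmail's or the original article's code: it counts SPF DNS lookups through nested includes and flags duplicate records. It runs against a constructed in-memory zone; the contents of the included records and the dup.example and many.example domains are made up for illustration.

```python
LOOKUP_LIMIT = 10  # RFC 7208: more than 10 DNS-querying terms is a permanent error

# Constructed TXT data for an offline run. The included records are made up,
# not the providers' real SPF records.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.bestemail.in include:_spf.google.com ~all"],
    "_spf.bestemail.in": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.google.com": ["v=spf1 include:_a.example.net include:_b.example.net ~all"],
    "_a.example.net": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "_b.example.net": ["v=spf1 ip4:198.51.100.128/25 ~all"],
    "dup.example": ["v=spf1 include:_spf.bestemail.in ~all",
                    "v=spf1 include:_spf.google.com ~all"],
    "many.example": ["v=spf1 " + " ".join(f"include:esp{i}.example" for i in range(1, 12)) + " ~all"],
}
ZONE.update({f"esp{i}.example": ["v=spf1 ip4:203.0.113.1 -all"] for i in range(1, 12)})


def count_lookups(zone, name, path=()):
    """Return (dns_lookups, problems) for the SPF record at name, following includes."""
    if name in path:
        return 0, [f"{name}: include loop"]
    records = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{name}: {len(records)} SPF records, expected exactly 1"]
    lookups, problems = 0, []
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")           # drop the qualifier
        if term.startswith("redirect="):     # redirect also fetches another record
            term = "include:" + term.split("=", 1)[1]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]            # "a/24" and "mx/24" carry a CIDR suffix
        if mech in ("a", "mx", "ptr", "exists", "include"):
            lookups += 1                     # each counts once toward the limit
        if mech == "include":                # an include also adds its own terms
            nested, found = count_lookups(zone, arg, path + (name,))
            lookups += nested
            problems += found
    return lookups, problems


def audit(zone, domain):
    """Check for duplicate SPF records and for exceeding the lookup limit."""
    lookups, problems = count_lookups(zone, domain)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{domain}: {lookups} DNS lookups, limit is {LOOKUP_LIMIT}")
    return lookups, problems


if __name__ == "__main__":
    for d in ("yourdomain.com", "dup.example", "many.example"):
        print(d, audit(ZONE, d))
```

To run it against live DNS, replace the ZONE dictionary with real TXT lookups for each name.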
Verification Checklist
After setting up all three records, verify:
1. Send a test email to mail-tester.com and aim for 9/10 or higher
2. Check MXToolbox for SPF, DKIM, and DMARC validation
3. Send test emails to Gmail, Outlook, and Yahoo and check headers for PASS results
4. Monitor DMARC reports for the first month
What Happens After Setup
With proper authentication, you'll see deliverability improvements within 1-2 weeks. Gmail and Outlook will trust your domain more, inbox placement improves, and your sender reputation builds over time. It's not glamorous work, but it's the foundation everything else depends on.