TL;DR : SPF, DKIM and DMARC are three settings in your domain name that prove to receiving servers that your emails really come from you. Misconfigured, your legitimate messages fall into spam and, worse, fraudsters can impersonate your address. Properly set, your deliverability improves and your domain is shielded from spoofing. The trap: tightening too quickly, without first listing all your legitimate senders.
An important quote goes out by email. The client never replies. Three days later, surprise: it was sleeping in their junk. Frustrating, and entirely avoidable, because the cause most often boils down to three poorly-set acronyms.
The problem: proving it's really you
Email was designed in an era of trust. Any server can claim to send on your behalf, and that's exactly what fraudsters abuse. To counter that, three mechanisms let your domain prove the authenticity of its messages. Receiving servers use them to decide: inbox, or spam. It's the kind of invisible setting that almost no web agency configures correctly, and that sinks the deliverability of entire SMBs without their realizing it. We check it systematically when we take over a client's email, and we've of course done it for our own.
SPF, DKIM, DMARC and other demons
SPF is the list of servers allowed to send email for your domain, published as a DNS record and checked by the receiver against the envelope sender of each message. DKIM adds a cryptographic signature to each message, computed with a private key you hold and verified against a public key published in your DNS: it proves the signed headers and body were not altered in transit and that a key under your domain vouches for the message. DMARC, finally, is the policy that tells recipients what to do when a message passes neither check for a domain that matches the visible From: address (SPF or DKIM passing on its own is not enough: the domain that passed must align with the one your reader sees), and it sends you reports on who is using your domain. The three work together.
Here's a picture that helps: SPF is the list of carriers allowed to deliver mail in your name. DKIM is a seal on the envelope that breaks if someone opened it along the way. DMARC is the instruction you leave with the recipient's post office: a letter without the right origin or the seal, here's what to do with it, and keep me posted on what's circulating under my name.
What happens when it's misconfigured
Without these settings, or with sloppy ones, two things happen. Your legitimate emails draw suspicion and end up in spam, which directly hurts your business. And your domain becomes an easy target for phishing: someone can send fake emails "from you" to your clients. Both problems share the same solution.
Since 2024, it's no longer optional
The big providers have tightened their rules. Gmail and Yahoo since February 2024, then Outlook.com since May 2025, require these settings from organizations that send mail in volume: from about 5,000 messages a day you need both SPF and DKIM, a DMARC record (p=none is enough to start) and alignment between the authenticated domain and your From: address; smaller senders still need at least SPF or DKIM. Mail that fails these checks is no longer just filed as spam: it can be outright refused at delivery. The bar hits the largest senders first, but it's working its way down to everyone. What used to be a best practice is becoming the minimum to get delivered.
How we fix it
First we inventory all the services that send email in your name (your mailbox, but also your newsletter, your CRM, your forms, your invoicing software). We then publish the SPF, DKIM and DMARC records in your domain's DNS, with DMARC in monitoring mode (p=none) so that we receive the aggregate reports without blocking anything. Once the reports show that every legitimate sender passes and aligns, we tighten the policy step by step, from none to quarantine to reject, until spoofed mail is blocked.
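As an added, runnable example (not from the original page and not the agency's own tooling), the script below ties the three records described earlier to the monitoring step of this procedure. It holds hypothetical SPF, DKIM and DMARC records for an assumed domain example.com, parses the DMARC record, then re-evaluates a constructed DMARC aggregate report (the RUA XML format of RFC 7489, with sender IPs from the RFC 5737 documentation ranges) row by row, applying the alignment rule to decide which sources a move to p=reject would hit. The vendor names newsletter-tool.example and invoicing-tool.example are invented.

```python
"""Added example: triage a DMARC aggregate (RUA) report before tightening p=.
Domain example.com, the records below and the report are all constructed."""
import xml.etree.ElementTree as ET

# Hypothetical records for example.com (not the page's; your senders will differ).
SPF_RECORD = "v=spf1 mx include:_spf.google.com include:servers.mcsv.net -all"
DKIM_RECORD = "google._domainkey.example.com TXT v=DKIM1; k=rsa; p=<base64 public key>"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

# Constructed aggregate report: four sources seen by one receiver over one day.
REPORT_XML = """<feedback>
<report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
<date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>120</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
<spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.25</source_ip><count>300</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><selector>k1</selector><result>pass</result></dkim>
<spf><domain>bounce.newsletter-tool.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.77</source_ip><count>8</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>invoicing-tool.example</domain><selector>s1</selector><result>pass</result></dkim>
<spf><domain>bounce.invoicing-tool.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.200</source_ip><count>45</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Production code uses the Public Suffix List (think co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def triage(report_xml: str, policy: dict) -> list:
    """Re-evaluate each report row against our policy's alignment modes.
    A row passes DMARC if SPF or DKIM passed AND that domain aligns with From:."""
    adkim, aspf = policy.get("adkim", "r"), policy.get("aspf", "r")
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        dkim_ok = any(d.findtext("result") == "pass"
                      and aligned(d.findtext("domain"), header_from, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass"
                     and aligned(s.findtext("domain"), header_from, aspf)
                     for s in rec.findall("auth_results/spf"))
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
                     "dmarc_pass": dkim_ok or spf_ok})
    return rows


def would_be_blocked(rows: list) -> list:
    """Sources that p=quarantine or p=reject would start acting on: each is
    either a spoofer or a legitimate sender missing from the inventory."""
    return [r for r in rows if not r["dmarc_pass"]]


if __name__ == "__main__":
    rows = triage(REPORT_XML, parse_dmarc(DMARC_RECORD))
    for r in rows:
        verdict = "pass" if r["dmarc_pass"] else "FAIL"
        print(f"{r['ip']:>14} {r['count']:>4}  dkim={r['dkim_aligned']!s:5} spf={r['spf_aligned']!s:5} {verdict}")
    blocked = would_be_blocked(rows)
    print(f"p=reject would affect {sum(r['count'] for r in blocked)} messages from {len(blocked)} sources")
```

In the constructed report, the newsletter platform passes DMARC even though its SPF domain does not align, because it signs with a DKIM key published under example.com. The invoicing tool authenticates only under its own domain: SPF and DKIM both pass, yet neither aligns, so DMARC fails and p=reject would drop those invoices. That is exactly the forgotten sender the inventory and the monitoring phase are meant to surface, and the fix is to get that vendor signing or sending under your domain before the policy is tightened.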
The "touch it and everything breaks" trap
The classic mistake is to harden DMARC all at once, jumping straight to p=reject without a prior inventory. You then block your own newsletters or the emails sent by your invoicing software, and the cure becomes worse than the disease. Hence the importance of the monitoring phase: look before you act. It's methodical work, not a switch.
Are your important emails quietly disappearing? We'll clean up your sending settings.
Sources
- DMARC.org: reference documentation