Email Deliverability Tools — SPF, DKIM & DMARC Checker Guide

Dovecot 閲覧

Why Emails Land in Spam

The most common technical reason emails get marked as spam is a missing or misconfigured SPF, DKIM, or DMARC record. These three protocols form the email authentication system that tells receiving servers: "this email genuinely comes from a server authorized by the domain owner."

The Three Email Authentication Protocols

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists which IP addresses and mail servers are authorized to send email on behalf of your domain. Receiving servers check the sending IP against this list.

# SPF record example (DNS TXT record for yourdomain.com)
v=spf1 include:_spf.google.com include:sendgrid.net ~all

# v=spf1         → SPF version 1
# include:...    → authorize these services' sending IPs
# ~all           → soft fail for all others (use -all for hard fail)

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. The sending server signs the message with a private key; the receiving server looks up the public key from DNS and verifies the signature — confirming the message wasn't altered in transit.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM to specify what happens when authentication fails — none, quarantine, or reject — and can configure reporting so you receive aggregate authentication data.

# DMARC record (DNS TXT at _dmarc.yourdomain.com)
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

# p=none       → monitor only, take no action
# p=quarantine → failed messages go to spam
# p=reject     → failed messages are rejected entirely

Deployment Order

  1. Configure SPF first: Declare which servers can send mail for your domain
  2. Set up DKIM: Enable DKIM signing in your email service provider (ESP)
  3. Add DMARC last: Start with p=none to collect reports, verify SPF and DKIM are working, then upgrade to quarantine or reject

How to Check Your Email Configuration

Use tool.tl's email diagnostic tools:

Common Configuration Mistakes

  • SPF exceeds 10 DNS lookup limit: Too many include: directives trigger the RFC limit, causing SPF failures — use flattening tools to consolidate
  • Stale DKIM selectors: Old DKIM records from a previous ESP left in DNS cause verification failures for resigned messages
  • DMARC set to reject too early: Setting p=reject before confirming SPF and DKIM work can block legitimate mail — start with p=none

Frequently Asked Questions

Do I need to configure these if I use Gmail or Outlook?

Not for personal email — those platforms handle authentication automatically. But if you send business email from your own domain (@yourcompany.com) or use a third-party ESP like SendGrid or Mailchimp, you must configure SPF, DKIM, and DMARC for your domain.

How long do DNS changes take to propagate?

Depending on your TTL setting, DNS changes take anywhere from 5 minutes to 48 hours. In most cases, you can verify within 1 hour.

Are the tools free?

Yes — all of tool.tl's email diagnostic tools are completely free, query results are instant, and no account is required.