Email deliverability isn't determined by your subject line alone. Before an email reaches someone's inbox, mail providers first check whether they trust the domain that sent it.
SPF, DKIM and DMARC work together to prove that your email is legitimate. When they're configured correctly, your messages are more likely to reach the inbox and your domain is better protected against spoofing and phishing.
For any business sending invoices, quotes, newsletters or automated notifications, these records are an essential part of your email infrastructure.
Why email authentication matters
Email providers continue to strengthen their security requirements.
Messages that aren't properly authenticated are more likely to be filtered, marked as spam or rejected altogether.
At the same time, cybercriminals frequently impersonate legitimate businesses to send fraudulent emails. Email authentication helps prevent this by allowing receiving mail servers to verify that messages genuinely came from your domain.
SPF: who can send email for your domain
SPF (Sender Policy Framework) identifies which servers and services are authorised to send email using your domain.
This includes providers such as Microsoft 365, Google Workspace, Mailgun, SendGrid, Amazon SES and other marketing or CRM platforms.
Every legitimate sender should be included within a single SPF record. Multiple SPF records or missing senders are common causes of deliverability issues.
DKIM: proving your email hasn't changed
DKIM (DomainKeys Identified Mail) digitally signs every outgoing email.
Receiving mail servers use the published public key in your DNS to verify that the email genuinely came from your domain and that the message hasn't been modified during delivery.
Many third-party email services require their own DKIM configuration, so it's important to enable DKIM wherever email is sent on your behalf.
DMARC: your email security policy
DMARC combines SPF and DKIM to tell receiving mail servers how to handle messages that fail authentication.
A DMARC policy can monitor authentication failures, quarantine suspicious email, or reject unauthorised email completely.
DMARC also generates reports showing who is sending email using your domain, making it easier to identify unauthorised activity and confirm legitimate services are configured correctly.
Common configuration mistakes
The most common issues we encounter include multiple SPF records instead of one consolidated record, missing DKIM records for third-party services, enabling a strict DMARC policy before testing, and exceeding SPF lookup limits by including too many services.
Most deliverability problems can be resolved by correcting these configuration issues.
Recommended setup process
A structured approach reduces the risk of interrupting legitimate email.
1. Configure a single SPF record covering every authorised sender. 2. Enable DKIM for each email platform you use. 3. Publish a DMARC policy in monitoring mode. 4. Review DMARC reports and resolve any issues. 5. Gradually move to quarantine or reject policies once legitimate email is consistently passing authentication.
Final thoughts
SPF, DKIM and DMARC are fundamental to modern email delivery.
They help improve inbox placement, protect your brand from impersonation and give receiving mail servers confidence that your email is genuine.
Since 2008, Network Dynamics has helped Australian businesses configure secure email platforms across Microsoft 365, Google Workspace, dedicated mail services and hosted infrastructure. If your emails are landing in spam or you're unsure whether your authentication is configured correctly, our engineers can review your setup and help you get it right.
