Email authentication explained: SPF, DKIM, and DMARC for non-techy people
You’ve set up your account and you’re ready to start sending gorgeous emails. Then you hear someone mention “SPF records”, “DKIM”, or “DMARC policy” and your eyes glaze over immediately. Totally fair. But here’s the thing: these three protocols could be the reason your emails land in inboxes instead of spam folders, and they’re much simpler to understand than they sound.
This post explains what SPF, DKIM, and DMARC actually do, why they matter for your deliverability, and what you need to set up before you send.
What is email authentication?
Email authentication is a set of technical standards that prove your emails are actually from you. When you send an email, inbox providers like Gmail and Outlook run a quick background check: Did this email really come from the domain it claims to be from? Authentication is how you pass that check.
With it, you’re giving inbox providers a reason to trust you. Without it, your emails look suspicious, even if you’ve done everything else right.
There are three main authentication protocols: SPF, DKIM, and DMARC. They work together, and all three matter.
First, you need a custom domain
Before authenticating, you need to set up a custom domain—meaning an address like hello@yourbusiness.com rather than yourbusiness@gmail.com or yourbusiness@yahoo.com.
Free email addresses (Gmail, Yahoo, Outlook, etc.) are owned by those providers, not you. That means you can’t add DNS records to them, which is exactly what authentication requires. If you’re sending from a free address, inbox providers are already treating your emails with less trust, and there’s no way to authenticate your way out of it.
A custom domain is owned by you and registered through a domain host like GoDaddy, Namecheap, or Squarespace Domains. Once you have the domain, you’ll be able to add email capabilities to that domain through Google Workspace or other similar providers. Then you can connect your new email to Flodesk and add the authentication records that tell inbox providers your emails are legitimate. If you haven’t set up a custom sending domain yet, that’s the starting point—everything else in this post builds on it.
SPF: proving your sending source is legitimate
What is SPF?
SPF (Sender Policy Framework) tells inboxes which senders (such as Flodesk) are authorized to send email on behalf of your domain. Think of it like a guest list at an event—the venue (inbox provider) checks the list before letting anyone in. If the server sending your email isn’t on the list, the email may be blocked or flagged.
Why SPF matters
SPF protects your domain from being spoofed by spammers. Without an SPF record, anyone could technically send emails that look like they came from your domain. Inbox providers know this. Having SPF in place signals that you’re a legitimate sender who’s taken basic steps to secure your sending identity.
What you need to do
When you connect a custom domain to Flodesk, you’ll be prompted to add DNS records to your domain host (like GoDaddy, Namecheap, or Squarespace). One of those records is your SPF record. It’s a single line of text—you don’t need to understand the syntax, just copy and paste it exactly where directed.
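For readers who do want to see what the “guest list” check looks like, here is an added example (not code from Flodesk or from this post) that evaluates a constructed SPF record offline. The record, the `198.51.100.0/24` and `2001:db8::/32` ranges and the `_spf.esp.invalid` include target are all made-up sample values, and the `includes` dictionary stands in for the DNS lookups a real mail server would perform.

```python
import ipaddress

# Constructed sample SPF record for a hypothetical domain; the include: target
# stands in for an email provider's own SPF record (not a real Flodesk value).
SAMPLE_SPF = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 include:_spf.esp.invalid -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means '+' (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def check_spf(record, sender_ip, includes=None):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral') for sender_ip.

    `includes` maps domain -> SPF record text and stands in for the DNS
    lookups a real verifier performs; an include: target that is not in
    it simply does not match (offline stub).
    """
    includes = includes or {}
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        matched = False
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include: matches only if the included record itself yields 'pass'
            matched = arg in includes and check_spf(includes[arg], sender_ip, includes) == "pass"
        elif mech == "all":
            matched = True                   # catch-all, usually written '-all' or '~all'
        # a, mx, exists and redirect= need live DNS and are skipped in this stub
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # nothing matched and no 'all' term
```

The trailing `-all` is what turns an unlisted server into a hard fail; a record ending in `~all` only softfails, and one with no `all` term leaves unknown senders at neutral.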
DKIM: adding a digital signature to every email
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a “signature” to your emails that inbox providers can verify. The signature is invisible to your reader, but it proves two things: the email genuinely came from your domain, and the content wasn’t tampered with in transit.
Why DKIM matters
Imagine DKIM as a wax seal on a letter. The recipient can verify the seal came from you and that no one broke it open and resealed it along the way. Without DKIM, there’s no proof of origin or integrity, just an email claiming to be from you.
DKIM is particularly important for deliverability because Gmail, Yahoo, and most major inbox providers use it as a trust signal. Emails without DKIM signatures are more likely to be filtered or blocked.
What you need to do
Like SPF, DKIM is set up through your domain’s DNS settings. Flodesk provides the specific DKIM records you need to add. There are usually two of them, and again—it’s a simple copy-paste job, not a coding project.
DMARC: telling inbox providers what to do when something looks wrong
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells inbox providers what to do with emails that fail SPF or DKIM checks. It also gives you visibility into who’s sending email on behalf of your domain.
Why DMARC matters
SPF and DKIM verify that an email is legitimate. DMARC is the policy layer that says: “And if it’s not legitimate, here’s what to do with it.” You can set your DMARC policy to:
- None—monitor only, take no action (good starting point)
- Quarantine—send suspicious emails to spam
- Reject—block suspicious emails entirely
DMARC also unlocks reporting, which means you can receive data on emails being sent from your domain. That’s useful if someone is ever trying to spoof your brand.
Since 2024, Gmail and Yahoo have required senders to have a valid DMARC policy in place to reach inboxes reliably.
What you need to do
Add a DMARC record to your DNS settings. If you’re just getting started, a p=none policy is fine—it tells inbox providers to monitor but not take action while you’re getting set up. As your sending becomes more consistent, you can tighten the policy over time.
Do all three work together?
Yes—and they have to. Here’s the simple version of how it works:
- You send an email from your domain.
- The receiving inbox provider checks your SPF record to confirm the server sending it is authorized.
- It checks your DKIM signature to confirm the email is genuinely from you and hasn’t been modified.
- If either check fails, it looks at your DMARC policy to decide what happens next.
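The decision in the last step, as an added example that is not part of the original post: it parses a constructed DMARC record (`p=quarantine`, with a made-up `rua=` address and the hypothetical domain `yourbusiness.example`) and applies the policy. It also shows a detail the summary above glosses over: DMARC passes as long as either SPF or DKIM passes and its domain aligns with the visible From: domain, and the `p=` policy is applied only when neither does.

```python
from dataclasses import dataclass

# Constructed sample DMARC record for a hypothetical domain (the rua= address is made up).
SAMPLE_DMARC = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@yourbusiness.example"

ACTION = {"none": "deliver (monitor only)", "quarantine": "spam folder", "reject": "block"}

@dataclass
class AuthResults:
    """What the receiving server learned before consulting DMARC."""
    from_domain: str    # domain in the visible From: header
    spf_result: str     # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: str     # envelope (MAIL FROM) domain SPF was checked against
    dkim_result: str    # 'pass', 'fail', 'none'
    dkim_domain: str    # d= tag of the DKIM signature

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=...; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ACTION:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Crude organizational domain: last two labels (real verifiers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts subdomains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, r):
    """Return (dmarc_result, action). The message passes if SPF or DKIM passed AND
    that identifier aligns with the From: domain; only when neither does is the
    p= policy applied."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTION[tags["p"].lower()]
```

This is why a provider sending on your behalf can pass DMARC through DKIM alone even when the SPF-checked bounce domain is the provider’s, and why a forged From: with neither aligned identifier ends up in the folder your policy names.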
All three working together is what inbox providers call full authentication. It’s the baseline expectation for any sender who wants consistent deliverability in 2025 and beyond.
What happens if you skip authentication?
Unauthenticated emails don’t always bounce. Sometimes they just quietly go to spam. That means your subscribers never see them, your open rates sink, and your sender reputation erodes over time. The damage is often invisible until it’s significant.
The other risk is spoofing. Without authentication records, it’s easier for bad actors to send emails that appear to come from your domain. If that happens, it affects not just your deliverability, but also your brand trust.
How to set up authentication with Flodesk
When you connect a custom sending domain in Flodesk, you’ll get step-by-step instructions for adding your SPF and DKIM records. The process looks like this:
- Go to Account Settings > email setup
- Add your custom domain email
- After that is added and verified, move to the domain setup tab
- Click “Authenticate now” and choose if you want to set up manually or have Flodesk automatically log in to your domain host (GoDaddy, Namecheap, Cloudflare, etc.) and add those records
- Return to Flodesk and verify. The dashboard will show a green checkmark when each record is confirmed (this can take up to 48 hours)
Not sure if your authentication is set up correctly? Google Postmaster Tools is a free resource that shows you whether your domain is passing SPF, DKIM, and DMARC checks, along with your overall domain reputation.
A quick-reference glossary
SPF (Sender Policy Framework): A DNS record that lists the servers authorized to send email from your domain. Prevents spoofing and proves your sending source is legitimate.
DKIM (DomainKeys Identified Mail): A cryptographic signature added to each email that verifies it came from your domain and wasn’t altered in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): A policy that tells inbox providers what to do with emails that fail SPF or DKIM—and gives you reporting on who’s sending from your domain.
DNS record: A setting in your domain host that tells the internet how to handle traffic associated with your domain. Authentication protocols are configured here.
Sender reputation: A score inbox providers assign to your domain based on factors like authentication, engagement, and complaint rates. Higher reputation = better deliverability.
Authentication isn’t a one-time fix. It’s the foundation everything else is built on. Get these three records in place, and you’ve given your emails the best possible starting point for landing where they belong: right in front of your audience.