{"id":12326,"date":"2026-06-16T18:49:31","date_gmt":"2026-06-17T02:49:31","guid":{"rendered":"https:\/\/flodesk.com\/blog\/?p=12326"},"modified":"2026-06-16T18:51:13","modified_gmt":"2026-06-17T02:51:13","slug":"email-authentication-spf-dkim-dmarc","status":"publish","type":"post","link":"https:\/\/flodesk.com\/blog\/email-authentication-spf-dkim-dmarc\/","title":{"rendered":"Email authentication explained: SPF, DKIM, and DMARC for non-techy people"},"content":{"rendered":"
\n

You’ve set up your account and you\u2019re ready to start sending gorgeous emails. Then you hear someone mention “SPF records”, \u201cDKIM\u201d, or “DMARC policy” and your eyes glaze over immediately. Totally fair. But here’s the thing: these three protocols could be the reason your emails land in inboxes instead of spam folders, and they’re much simpler to understand than they sound.<\/p>\n<\/div>\n\n

\n

This post explains what SPF, DKIM, and DMARC actually do, why they matter for your deliverability, and what you need to set up before you send.<\/p>\n<\/div>\n\n

\n

What is email authentication?<\/strong><\/h2>\n<\/div>\n\n
\n

Email authentication is a set of technical standards that prove your emails are actually from you.<\/strong> When you send an email, inbox providers like Gmail and Outlook run a quick background check: Did this email really come from the domain it claims to be from? Authentication is how you pass that check.<\/p>\n<\/div>\n\n

\n

With it, you’re giving inbox providers a reason to trust you. Without it, your emails look suspicious, even if you’ve done everything else right. <\/p>\n<\/div>\n\n

\n

There are three main authentication protocols: SPF, DKIM, and DMARC. They work together, and all three matter.<\/p>\n<\/div>\n\n

\n

First, you need a custom domain<\/strong><\/h2>\n<\/div>\n\n
\n

Before authenticating, you need to set up a custom domain\u2014meaning an address like hello@yourbusiness.com rather than yourbusiness@gmail.com or yourbusiness@yahoo.com.<\/p>\n<\/div>\n\n

\n

Free email addresses (Gmail, Yahoo, Outlook, etc.) are owned by those providers, not you. That means you can’t add DNS records to them, which is exactly what authentication requires. If you’re sending from a free address, inbox providers are already treating your emails with less trust, and there’s no way to authenticate your way out of it.<\/p>\n<\/div>\n\n

\n

A custom domain is owned by you and registered through a domain host like GoDaddy, Namecheap, or Squarespace Domains. Once you have the domain, you\u2019ll be able to add email capabilities to that domain through Google Workspace or other similar providers.Then you can connect your new email to Flodesk and add the authentication records that tell inbox providers your emails are legitimate. If you haven’t set up a custom sending domain yet, that’s the starting point\u2014everything else in this post builds on it.<\/p>\n<\/div>\n\n

\n

SPF: proving your sending source is legitimate<\/strong><\/h2>\n<\/div>\n\n
\n

What is SPF?<\/strong><\/h3>\n<\/div>\n\n
\n

SPF (Sender Policy Framework) tells inboxes who is authorized to send email on behalf of your domain (like Flodesk).<\/strong> Think of it like a guest list at an event\u2014the venue (inbox provider) checks the list before letting anyone in. If the server sending your email isn’t on the list, the email may be blocked or flagged.<\/p>\n<\/div>\n\n

\n

Why SPF matters<\/strong><\/h3>\n<\/div>\n\n
\n

SPF protects your domain from being spoofed by spammers. Without an SPF record, anyone could technically send emails that look like they came  from your domain. Inbox providers know this. Having SPF in place signals that you’re a legitimate sender who’s taken basic steps to secure your sending identity.<\/p>\n<\/div>\n\n

\n

What you need to do<\/strong><\/h3>\n<\/div>\n\n
\n

When you connect a custom domain to Flodesk, you’ll be prompted to add DNS records to your domain host (like GoDaddy, Namecheap, or Squarespace). One of those records is your SPF record. It’s a single line of text\u2014you don’t need to understand the syntax, just copy and paste it exactly where directed.<\/p>\n<\/div>\n\n

\n

DKIM: adding a digital signature to every email<\/strong><\/h2>\n<\/div>\n\n
\n

What is DKIM?<\/strong><\/h3>\n<\/div>\n\n
\n

DKIM (DomainKeys Identified Mail) adds a \u201csignature” to your emails that inbox providers can verify.<\/strong> The signature is invisible to your reader, but it proves two things: the email genuinely came from your domain, and the content wasn’t tampered with in transit.<\/p>\n<\/div>\n\n

\n

Why DKIM matters<\/strong><\/h3>\n<\/div>\n\n
\n

Imagine DKIM as a wax seal on a letter. The recipient can verify the seal came from you and that no one broke it open and resealed it along the way. Without DKIM, there’s no proof of origin or integrity. Just an email claiming to be from you.<\/p>\n<\/div>\n\n

\n

DKIM is particularly important for deliverability because Gmail, Yahoo, and most major inbox providers use it as a trust signal. Emails without DKIM signatures are more likely to be filtered or blocked.<\/p>\n<\/div>\n\n

\n

What you need to do<\/strong><\/h3>\n<\/div>\n\n
\n

Like SPF, DKIM is set up through your domain’s DNS settings. Flodesk provides the specific DKIM records you need to add. There are usually two of them, and again\u2014it’s a simple copy-paste job, not a coding project.<\/p>\n<\/div>\n\n

\n


<\/strong>DMARC: telling inbox providers what to do when something looks wrong<\/strong><\/p>\n<\/div>\n\n

\n

What is DMARC?<\/strong><\/h3>\n<\/div>\n\n
\n

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells inbox providers what to do with emails that fail SPF or DKIM checks.<\/strong> It also gives you visibility into who’s sending email on behalf of your domain.<\/p>\n<\/div>\n\n

\n

Why DMARC matters<\/strong><\/h3>\n<\/div>\n\n
\n

SPF and DKIM verify that an email is legitimate. DMARC is the policy layer that says: “And if it’s not<\/em> legitimate, here’s what to do with it.” You can set your DMARC policy to:<\/p>\n<\/div>\n\n

\n