Email deliverability is deceptively simple. It’s not just about hitting send to a list of emails; it’s about earning space in readers’ inboxes. You don’t do that just by putting out good content. Email deliverability is about trust.

When you send your newsletter, the email provider asks, “Is this person really who they say they are?” If it decides the answer is yes, your email lands in the subscriber’s inbox. If there’s some doubt, you’re marked as spam. 

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC) are the foundation of sender credibility. Think of them as the “invisible handshake” that occurs when your email hits your subscribers’ servers. In a quick second, your identity is verified as a legit or sus sender. 

But here’s the tricky part: because this handshake occurs behind closed curtains, no one’s in the room where it happens. 

Most advice on SPF, DKIM, and DMARC is confusing or outdated. Following it could negatively impact your sender reputation, so I’ve filtered out the technical rabbit holes and unnecessary noise to bring you the best advice on email authentication. 

What SPF, DKIM, and DMARC Actually Do

Let’s break down what SPF, DKIM, and DMARC are without getting too technical. I think the best way is to use a metaphor. Think of your email as a visitor trying to get into a building. 

  • SPF is your ID card: This proves that you are who you say you are. 

  • DKIM is the signature: This verifies that your message is coming from you. 

  • DMARC is the security policy: If you are faking who you are, it tells the security guards what to do about it. 

SPF Verifies Who Can Send on Your Behalf

Following the metaphor of trying to get into a company, SPF (Sender Policy Framework) is like a company ID card. When your email lands on a subscriber’s server, that server checks your Domain Name System (DNS) “guest list” to see if there’s a match with the sending IP address.

If someone pretending to be you tries to send an email from your domain but with their own server, they’ll get stopped at the door because their name isn’t on the “list.”

Here’s an example of what an SPF looks like: 

  • “v=spf1”: This is basically saying “This is an SPF record.”

  • “include”: “I gave Google/beehiiv/Yahoo permission to send emails for me.” 

  • “~all”: “If it’s not on this list, it fails.”

Translated to non-coder terms, SPF basically tells servers the type of record, the approved IP addresses, and the third parties allowed to send for this domain.

Every domain can only have one SPF record. Its components work together to authenticate emails and increase email deliverability.

Important!! Don’t get too carried away. SPF records only allow 10 lookups, so if you try to authorize too many different platforms, it may cause your SPF to break down. Limit yourself to the tools that you think would benefit from sending emails for you.  
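The one-record rule and the 10-lookup limit described above can be checked before a record goes live. The following Python is an added example, not part of the original article or beehiiv's tooling; the domains and TXT values in `ZONE` are constructed and stand in for live DNS.

```python
LOOKUP_LIMIT = 10

# Constructed TXT data standing in for live DNS; every name here is hypothetical.
ZONE = {
    "ok.example": ["v=spf1 include:_spf.esp-a.example ip4:203.0.113.7 ~all"],
    "_spf.esp-a.example": ["v=spf1 include:_n1.esp-a.example include:_n2.esp-a.example ~all"],
    "_n1.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_n2.esp-a.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "crowded.example": ["v=spf1 include:tool1.example include:tool2.example include:tool3.example ~all"],
    "double.example": ["v=spf1 include:_n1.esp-a.example ~all", "v=spf1 mx ~all"],
}
for i in (1, 2, 3):  # each tool costs 4: its include, plus a, mx and a nested include
    ZONE[f"tool{i}.example"] = [f"v=spf1 a mx include:_ips.tool{i}.example ~all"]
    ZONE[f"_ips.tool{i}.example"] = ["v=spf1 ip4:198.51.100.0/24 ~all"]

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=None):
    """Count DNS-querying terms (include, a, mx, ptr, exists, redirect), following includes."""
    seen = set() if seen is None else seen
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()          # drop the qualifier, e.g. "~all"
        if term.startswith("redirect="):
            kind, target = "redirect", term[len("redirect="):]
        else:
            kind, _, target = term.partition(":")
            kind = kind.split("/")[0]               # "a/24" and "mx/24" carry a CIDR suffix
        if kind in ("include", "redirect"):
            total += 1 + count_lookups(target, zone, seen | {domain})
        elif kind in ("a", "mx", "ptr", "exists"):
            total += 1                              # ip4, ip6 and all cost nothing
    return total

def audit_spf(domain, zone):
    """Summarise whether a domain's SPF setup stays within the rules."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:
        return f"problem: {exc}"
    if n > LOOKUP_LIMIT:
        return f"problem: {n} lookups exceeds the limit of {LOOKUP_LIMIT}"
    return f"ok: {n} lookups"
```

Lookups inside an included record count toward your total, so three platforms can exceed the limit even though the top-level record lists only three `include` terms.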

DKIM Adds a Digital Signature to Every Email

DKIM (DomainKeys Identified Mail) is a built-in authenticity seal for your emails. Working behind the scenes, it prevents tampering between send and delivery. 

Think of DKIM like a wax seal on a letter. That seal tells the receiver who it came from and that the letter was not opened or altered. 

When you send an email, your server uses a private key to create a cryptographic “signature,” and the receiving server uses your public key to check that signature.

If someone tries to tamper with the email, like changing one letter in your well-crafted subject line, that breaks the digital seal. The receiving server will be pinged that this message is a fake. 

DMARC Tells Email Servers What To Do When Authentication Fails

If SPF is the guest list and DKIM is the seal, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the bouncer at the door giving the final yes or no. 

DMARC looks at the results of both checks. SPF asks: Is this sender on the list? DKIM asks: Is this seal valid? 

If the sender passes both of those checks, DMARC tells the receiving server to allow the email through. If there’s some suspicion, the email gets quarantined into the Spam folder. But if it’s completely sketch, the email gets destroyed immediately. 

Powerful, right? DMARC works to help you enforce your security standards. 

Why Trust Me?

I’ve been an editor with beehiiv and started writing for them because I love their content. I’m a technical writer who pivoted to business-to-business (B2B) and direct-to-consumer (D2C) articles because of my knowledge of SEO strategies and optimization. 

Why These Protocols Matter for Deliverability

I used to think that as long as my content was very engaging and targeted, it would reach the right people; but I soon learned that even if you write the most engaging newsletter, people may not see it because of these protocols. 

If you ignore authentication, you may have written great content, but your email is anonymous and it affects your inbox placement. You may be authentic, but you haven’t been authenticated; so email providers think you’re fake. 

There’s so much spam, malware, and just plain malicious emails floating around that email providers have to be on guard. The way you can bypass all that is by communicating you’re a legit sender. This greatly reduces the likelihood that your email will land in the Spam or Promotions tab. 

Protecting Sender Reputation

Think of your sender reputation like your domain’s credit score. With every email sent, your credit score will either take a hit or get boosted. 

Without protocols like SPF, DKIM, and DMARC, it’s easy for your domain to get “spoofed” – in other words, people pretending to be you and sending phishing scams to your unsuspecting subscribers. Not only is this annoying for your readers, but it tanks your reputation and domain. 

By verifying your domain, you can put up walls against unauthorized sends, protecting your sender reputation. 

Building Trust With Email Providers

Providers like Gmail, Yahoo, and Outlook are all looking out for the users’ inboxes. Thus, they reward authenticated senders with better inbox placement and stronger domain reputation. 

These providers are on your side because they help buff up your reputation. But if you’re not authenticated, they will expose you; so work with them. Make sure your SPF, DKIM, and DMARC all check out. 

Actually, Google and Yahoo recently mandated these protocols for bulk senders, so it’s not just a nice thing to do, but absolutely mandatory. 

Google and Yahoo also instituted a strict 0.3% spam complaint rate threshold. This means that if you have even just 3 of your subscribers (out of 1000) mark you as spam, your risk of getting blocked increases. 

You need both authentication and spam control to stay in people’s inbox. While authentication matches you with your identity, keeping the spam complaints low boosts your reputation. 

Setting Up SPF, DKIM, and DMARC on Your Domain

To all my content creators, setting up these protocols doesn’t require you to be a coder. If you can copy and paste, you’re chilling. 

Just take the specific text codes given by your email platform and paste them into your domain. 

  1. Log into your domain host: This is where you bought your domain. 

  2. Find your DNS settings: Check for a menu option called “DNS” or “DNS Records” or “Name Server Management.” 

  3. New record: For most websites, you will need to add text (“TXT”) records. 

  4. Copy and paste: Your platform will give you a “Name/Host” and “Data/Value,” which you need to copy and paste into your domain host. 

  5. Save: It could take a few minutes to hours to update your changes, so don’t panic! Just because it doesn’t verify immediately doesn’t necessarily mean that you did something wrong. Don’t be afraid of this step! Most domain hosts make it easy to add these records.

If you’re using beehiiv as your platform, good news – beehiiv makes it even easier by using a tool called Entri:

  1. beehiiv dashboard: Settings → Publication → Domains

  2. Select domain: “Custom Domains” → “Email Domain”

  3. Entri: If your domain host is supported, beehiiv makes it easy with a button that says, “Verify with Entri.” It will automatically add your SPF and DKIM records.

  4. If you feel more secure adding it manually: 

    1. SPF & DKIM: Copy the “Name” and “Value” of 3 CNAME records into your domain host’s DNS settings. 

    2. DMARC: This is a TXT record for you to add to your domain host. You can generate it with beehiiv’s DMARC Wizard or with the one I’m about to mention.

Important!! I’ve included the rua tag, which tells servers where to send security reports.

v=DMARC1; p=none;
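Before pasting a DMARC value into DNS, it helps to parse it and confirm that the policy and the rua reporting tag are what you intended. This Python check is an added example, not code from the article or from beehiiv; the report address and the second and third sample records are constructed.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; raise ValueError if it is malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate the trailing ";"
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return tags

def review_dmarc(txt):
    """Return a list of findings a sender should resolve before relying on the record."""
    tags = parse_dmarc(txt)
    findings = []
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not sent anywhere")
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        findings.append("rua entries should be mailto: URIs")
    if tags["p"] == "none":
        findings.append("p=none only monitors: mail that fails is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    return findings

SAMPLES = [
    "v=DMARC1; p=none;",                                                  # as printed above
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@newsletter.example",  # constructed
    "v=DMARC1; p=reject; rua=mailto:dmarc@newsletter.example",              # constructed
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", review_dmarc(record) or "no findings")
```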

Here’s What I Want You To Avoid

I’m telling you all this because I don’t want you to make the same mistakes I did. The acronyms, the unapproachability, and seemingly unnecessary complications deterred me from following these protocols. 

I thought, “I’ll write good content and that’s all I can control. Once I hit ‘send,’ it’s up to the universe.” 

Now, some things in life are out of your control, but whether your email hits your subscriber’s inbox is not one of those things. You don’t need to live in the “Promotions” tab, hoping for your reader to have time to check it. 

Your reputation should precede you, especially on the Internet. When you authenticate your domain, you’re communicating to every email server, “I am who I say I am, and my words have value.” 

These protocols are part of your communication with your target audience. Implementing SPF, DKIM, and DMARC isn’t just for big brands like Amazon. You want to show up for your audience, so work with your email provider to increase your reliability and trustworthiness. 

Myth vs. Reality

I want to take you through some of the worst advice you could hear, aka what is myth vs. reality. 

Myth: You can set DMARC to p=none and then just forget about it. 

Reality: p=none is like having a security camera on but not locking the front door. 

→ Move to p=quarantine or p=reject 

Myth: SPF is enough for email deliverability. 

Reality: SPF is just one leg of a three-legged stool. 

→ Stabilize your security with SPF, DKIM, and DMARC together. 

Myth: A strict DMARC policy, p=reject, could be too strict and prevent your emails from being sent out. 

Reality: DMARC only blocks emails that haven’t been properly authenticated. 

→ Monitor your reports (with a tool like Postmaster Tools to read the data, so it’s not sitting as raw code) and then switch to reject.

Myth: Once you put the protocols in place, you can forget about them. 

Reality: Email sending standards are always evolving. Google and Yahoo recently modified theirs. 

→ Be sure to continuously check on your domain health. 

How beehiiv Simplifies Authentication

If you’re thinking, “Thanks for trying to simplify SPF, DKIM, and DMARC for me, but I still don’t want to do it,” don’t worry – beehiiv’s got you. 

beehiiv is the platform that removes the technical guesswork. It guides you through the authentication setup, with features like the Entri integration. beehiiv’s simplicity ensures that your newsletter looks both credible and professional from the get go. 

beehiiv also looks out for you, so you don’t fall prey to the myths I mentioned earlier: 

  • Simplicity: The Entri integration seamlessly takes care of SPF and DKIM setup instead of grappling with DNS records.

  • Fearlessly secure: beehiiv establishes the proper protocols from the start so you eventually have the confidence to switch your DMARC policy to reject. 

  • Monitoring: beehiiv has resources for Postmaster Tools Integration to help you maintain your domain health and reputation. 

Sign up for beehiiv today and simplify your verification process, while boosting your credibility and trustworthiness. 
