SPF vs DKIM vs DMARC: Which One Is Breaking Your Emails?

Authentication failures are the most fixable deliverability problem. Here's how to identify exactly which record is causing your spam placement.

SPF, DKIM, and DMARC all deal with email authentication but they do different things, fail in different ways, and have different impacts on delivery. When you have an authentication-related deliverability problem, identifying which specific record is failing is the fastest path to the right fix.

Quick diagnostic: what does the placement test show?

Run a placement test and look at the authentication results in the output. The receiving server's verdict tells you which checks passed and which failed. This is more reliable than checking your DNS records directly, because it shows end-to-end results including what your ESP is actually doing.

SPF failures

What SPF does

SPF checks whether the server that sent your email is authorized to send for your domain. It does this by looking up your domain's SPF record and checking if the sending server's IP is listed.

When SPF fails

  • Missing SPF record entirely
  • SPF record doesn't include your ESP's servers
  • Multiple SPF records (only one is allowed)
  • SPF has more than 10 DNS lookups
  • You're sending through an ESP or tool that's not in your SPF record

Impact of SPF failure

Moderate to high impact on its own. Combined with DKIM failure, very high impact. Spam filters weight SPF failure as a significant negative signal.

Fix

Use the SPF checker to identify the issue. Most SPF failures resolve by adding the correct include for your ESP or removing duplicate records.

DKIM failures

What DKIM does

DKIM adds a cryptographic signature to outgoing email. The receiving server verifies this signature against the public key in your DNS. A valid DKIM signature confirms the email came from an authorized source and hasn't been modified.

When DKIM fails

  • DKIM not enabled in your ESP
  • DKIM enabled but DNS record not published
  • DNS record published but ESP is using a different selector than what's in DNS
  • DKIM key was rotated in your ESP but DNS wasn't updated

Impact of DKIM failure

High impact. DKIM is the most important individual auth check for cold email deliverability. A DKIM failure causes immediate spam placement on most providers. This is the highest-priority fix when auth is broken.

Fix

Use the DKIM checker — it auto-discovers selectors. If no key is found, DKIM isn't published. Re-enable it in your ESP and add the DNS record. If the key is found but verification fails, the key may not match what your ESP is signing with — regenerate the key in your ESP and update DNS.

DMARC failures

What DMARC does

DMARC tells receiving servers what to do when a message fails authentication. It also requires alignment: the domain in your From address must match the domain that SPF or DKIM authenticated. DMARC passes when at least one of SPF or DKIM both passes and is aligned, so a DMARC failure means either the alignment check failed or SPF and DKIM both failed.

When DMARC fails

  • No DMARC record (this shows as "no DMARC" not "fail" — impact varies)
  • Both SPF and DKIM failed
  • Alignment failure: sending from a different domain than what SPF/DKIM authenticate

Impact of DMARC failure

If DMARC is set to p=reject or p=quarantine, a DMARC failure can cause immediate rejection or spam placement. If p=none, the DMARC failure itself doesn't directly filter the email — but the underlying SPF/DKIM failures that caused it do.

Fix

Use the DMARC lookup. If DMARC is failing due to alignment, ensure your From address domain matches your sending domain exactly. If it's failing because SPF and DKIM failed — fix SPF and DKIM first, then DMARC will pass.

The order of priority

  1. DKIM: fix first, highest impact
  2. SPF: fix second, high impact especially in combination with DKIM
  3. DMARC: fix third, important for alignment and reporting

After fixing, rerun the placement test to confirm all three pass. Don't assume DNS changes took effect immediately — allow 10–15 minutes for propagation, then test.
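To make the diagnosis above concrete, here is an added example (not from the original article or any tool it mentions) that reads a receiver's Authentication-Results header and reports each check in the fix order given above, separating "pass" from "pass but not aligned with the From domain". The sample header, its domains and selector are constructed, and the two-label `org_domain` helper is a simplifying assumption standing in for the Public Suffix List.

```python
import re

# Constructed sample of a receiver's Authentication-Results header (RFC 8601).
# All domains and the selector are placeholders.
SAMPLE = ("mx.receiver.example; "
          "spf=pass (sender IP is permitted) smtp.mailfrom=bounce.esp-mail.example; "
          "dkim=fail (body hash did not verify) header.d=brand.example header.s=s1; "
          "dmarc=fail (p=none) header.from=brand.example")

def parse_auth_results(header):
    """Return [(method, result, props)] for each clause after the authserv-id."""
    header = re.sub(r"\([^)]*\)", " ", header)   # drop comments; they may contain '='
    parsed = []
    for clause in header.split(";")[1:]:
        pairs = re.findall(r"([\w.-]+)=(\S+)", clause)
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            parsed.append((method.lower(), result.lower(), props))
    return parsed

def org_domain(domain):
    # Simplification (assumption): last two labels. Real DMARC alignment uses
    # the Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def diagnose(header):
    """Return a status per check, in the article's fix order: DKIM, SPF, DMARC."""
    parsed = parse_auth_results(header)
    from_dom = next((p["header.from"] for m, _, p in parsed
                     if m == "dmarc" and "header.from" in p), None)

    def status(method, prop):
        rows = [(r, p.get(prop, "")) for m, r, p in parsed if m == method]
        if not rows:
            return "missing"
        passed = [d for r, d in rows if r == "pass"]
        if not passed:
            return "fail"
        if from_dom is None:
            return "pass"          # alignment cannot be judged without header.from
        aligned = any(org_domain(d) == org_domain(from_dom) for d in passed)
        return "pass+aligned" if aligned else "pass+unaligned"

    dmarc = next((r for m, r, _ in parsed if m == "dmarc"), "missing")
    return {"dkim": status("dkim", "header.d"),
            "spf": status("spf", "smtp.mailfrom"),
            "dmarc": dmarc}

if __name__ == "__main__":
    for check, verdict in diagnose(SAMPLE).items():
        print(f"{check:5} {verdict}")
```

In the sample, SPF passes for the ESP's bounce domain but does not align with the From domain, so with DKIM failing there is nothing left for DMARC to pass on.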

Run the checks first

Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.
