Last year, fake emails cost businesses and people over $10 billion. Every three seconds, someone clicks on a phishing email. These attacks happen because email has a big problem: anyone can pretend to be anyone else.
When you send an email, there’s no built-in way to prove it’s really from you. Scammers use this weakness to send millions of fake emails every day. They pretend to be banks, companies, or even your boss.
Without the right protection, email providers can’t tell the difference between real emails and fake ones. SPF, DKIM, and DMARC fix this problem. Think of them as a three-part ID check for every email you send.
In this article, I’ll explain how DMARC, SPF, and DKIM work together to verify your outgoing mail and make sure your messages always get through.
Do I Really Need SPF, DKIM, and DMARC for My Email?
Yes, you need all three, and here’s why this isn’t optional anymore.
Starting February 2024, Google and Yahoo made these protocols mandatory for anyone sending over 5,000 emails per day. But even if you send just 10 emails a month, you still need them. Without proper email authentication, up to 76% of your legitimate emails could end up in spam folders or get rejected completely.
The numbers tell a scary story. According to the FBI’s 2024 Internet Crime Report, Business Email Compromise (BEC) scams cost victims $2.9 billion last year alone. That’s just in the United States. These attacks work because most domains still don’t use proper email security.
When you don’t have SPF, DKIM, and DMARC set up, criminals can send emails that look exactly like they came from you. Here’s what each one does and why you can’t skip any of them:
- SPF stops server spoofing. It creates a list of servers allowed to send email for your domain. But SPF breaks when emails get forwarded. That’s problem number one.
- DKIM adds a signature. Every email gets a unique cryptographic signature that proves it hasn’t been changed. But DKIM alone doesn’t stop someone from using your domain name. That’s problem number two.
- DMARC connects everything. It tells receiving servers what to do when SPF or DKIM fail. Without DMARC, the other two are just suggestions that servers can ignore.
The bottom line? Email authentication isn’t about following rules or avoiding spam folders anymore. It’s about protecting your business, your reputation, and everyone who trusts your emails.
Where Do I Add SPF, DKIM, and DMARC Records?
Setting up SPF, DKIM, and DMARC takes about 15 minutes when you know where to look. All three are added as TXT records in your domain’s DNS settings, the same place where you manage your website’s nameservers and other records.
Finding Your DNS Records Takes 30 Seconds:
- If you bought domain + hosting together: Log into your hosting account (like Bluehost, SiteGround, or HostGator). Look for “DNS Zone Editor” or “DNS Management” in your control panel.
- If you bought them separately: Go to your domain registrar (GoDaddy, Namecheap, Google Domains). Find “DNS Settings” or “Manage DNS” in your domain dashboard.
- If you use Cloudflare or similar: Access your Cloudflare dashboard, select your domain, then click the “DNS” tab on the left menu.

What Are DMARC, SPF, and DKIM?
What Is DMARC?
DMARC helps to prevent domain spoofing and generates email reports if suspicious activity is detected. It stands for Domain-based Message Authentication, Reporting, and Conformance, so the clue is partly in the name.

On a basic level, your DMARC record acts as the glue between your SPF and DKIM records. And it does 3 things:
- It uses the SPF and DKIM results to check that the email comes from an authorized sender for the domain in the From address. That’s how these 3 records all work together to stop WordPress emails from going to spam.
- If that check fails, it tells the email server what to do. For example, the email could be rejected or quarantined.
- DMARC can also generate email reports if it detects emails that aren’t properly authenticated. In the DMARC record, you can specify the email address that’ll receive these reports. They will be sent to you as XML files.
If you do get DMARC reports, don’t worry. Your DMARC record is doing the job it’s supposed to do. It’s important not to ignore the reports because they might be a sign of someone abusing your domain to send spam. You can forward the report to your email service provider if you need help understanding the contents.

How to Add a DMARC Record
If your email provider gives you a specific DMARC record, you should add that to your DNS. If your provider doesn’t tell you what to include, see our article on what is a DMARC record and how to create one. It includes a generic DMARC record that you can copy and paste, and it’ll work on any domain.
The only time you don’t need DMARC is when you’re sending from a domain that you don’t control. For example, a Gmail account with a @gmail.com email address doesn’t need DMARC, but a Google Workspace account with a custom domain name does.
What Is SPF?
The SPF record is a TXT record in your DNS. The name stands for Sender Policy Framework. SPF is responsible for checking that an IP address is authorized to send emails from the sending domain. It works a little like a return address on a letter.

If you don’t have an SPF record, your WordPress emails will likely be marked as spam. In some cases, they’ll be discarded.
For example, Gmail blocks emails without SPF authentication. So a missing SPF record is a common cause of WordPress not sending emails.
In fact, WordPress might be generating emails and sending them without any issues. But the emails are likely being discarded further down the line because there’s no SPF record to validate them.
Don’t Use More Than 1 SPF Record
Creating an SPF record is important, and your provider will give you instructions on exactly what to add to your DNS.
When you do this, keep in mind that it’s also important that you only have one SPF record on your domain, so you’ll want to check for existing rules first.
For example, you may have already created an SPF record for your email marketing provider. If you then want to add another one for your transactional email provider, you’ll need to combine those SPF records into one.
See our guide on how to merge multiple SPF records for the easiest way to do this.
What Is DKIM?
Your DKIM record is responsible for verifying your domain using a key. It stands for DomainKeys Identified Mail.
The main goal of DKIM is to prove that the content hasn’t been changed between sender and recipient. So DKIM is a little bit like putting your own signature on each email you send.

In your DNS, you’ll have one part of the DKIM record: the public key. And the mail server holds the private key to match. Receiving mail servers use the public key to verify the signature that was created with the private key, so they can check that the email really came from you.
Later on, the DMARC record checks this verification and then decides whether the email is legitimate.
How to Add a DKIM Record
To add a DKIM record to your DNS, you’ll want to reach out to your email provider to find out what to include. Most providers include instructions in their setup documentation.
If you’re using WP Mail SMTP, we’ve got detailed instructions for all of our supported email providers too:
Mailers available in all versions | Mailers in WP Mail SMTP Pro |
---|---|
SendLayer | Amazon SES |
SMTP.com | Microsoft 365 / Outlook.com |
Brevo (formerly Sendinblue) | Zoho Mail |
Google Workspace / Gmail | |
Mailgun | |
Postmark | |
SendGrid | |
SparkPost | |
Other SMTP | |
Sometimes you may need to split a DKIM record into two lines. We’ve got a guide on how to split a DKIM record that explains how to do that.
Finally, let’s take a quick look at an easy way to check your DNS records in WordPress.
How to Check DMARC, SPF, DKIM in WP Mail SMTP
If you’re sending emails from WordPress, you’ll want to make sure that DMARC, SPF, and DKIM are correctly configured on your domain. WP Mail SMTP makes this easy.
You can send a test email at any time to make sure that your WordPress emails are working, and this will also check these 3 important DNS records at the same time.

If the plugin detects that any of your DNS records are missing or broken, it’ll let you know right away.

And for complete peace of mind, you’ll also see Domain Checker alerts on your Site Health screen. And that’s it! Now you know how DMARC, SPF, and DKIM work together to improve email deliverability.
FAQs on SPF, DKIM, and DMARC Records
Do you have more questions about DNS records and email deliverability? I’ll cover them below.
How do I create a DMARC record?
You can copy and paste a DMARC record and add it to your domain’s DNS zone. There’s a DMARC record example in our guide on how to create a DMARC record and add it to your domain.
How do I add SPF records for WordPress and WP Mail SMTP?
First, find your DNS settings at your domain provider (like GoDaddy or Namecheap). Add a new TXT record with your domain name as the host. For the value, start with “v=spf1” and include your mail server.
For WP Mail SMTP, the exact record depends on which mailer you pick. If you use SendLayer, add: “v=spf1 include:sendlayer.net ~all”. For Gmail, use: “v=spf1 include:_spf.google.com ~all”.
The mistake most people make? Adding two SPF records. You can only have one. If you need multiple services, combine them like this: “v=spf1 include:sendlayer.net include:_spf.google.com ~all”. Save the record and wait about 15 minutes. That’s it.
Why does WP Mail SMTP need DKIM configuration?
WP Mail SMTP needs DKIM because WordPress doesn’t sign emails by itself. When you send an email through WordPress, it goes out unsigned. Email providers like Gmail see unsigned emails as suspicious, even if they’re real.
DKIM adds a special signature to every email you send. Think of it like a wax seal on an old letter. This signature proves two things: the email really came from your website, and nobody changed it along the way.
Without DKIM, about 30% of your WordPress emails might go to spam folders. With it, your delivery rate jumps to over 95%. The plugin makes DKIM setup easy. It generates the keys for you and tells you exactly what to add to your DNS.
What SPF record should I use for WP Engine hosting?
For WP Engine, use this SPF record: “v=spf1 include:mail1.wpengine.com ~all”
But here’s what catches people: if you’re using WP Engine for hosting but sending emails through a different service, you need that service’s SPF instead. Many WP Engine users send mail through SendGrid or Mailgun. In that case, you’d use their SPF records, not WP Engine’s.
If you need both, combine them: “v=spf1 include:mail1.wpengine.com include:sendgrid.net ~all”. Add this as a TXT record in your DNS. Don’t add it in WP Engine’s control panel – it goes in your domain registrar’s DNS settings.
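The one-record rule from “Don’t Use More Than 1 SPF Record” and the combined records in the answers above, as an added example that is not from the original article or from WP Mail SMTP: it finds duplicate SPF records among a domain’s TXT values, merges them, and counts the DNS lookups the result costs. The function names and the non-SPF TXT value are hypothetical; the SPF strings are the ones quoted on this page.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_STRICTNESS = {"+all": 0, "?all": 1, "~all": 2, "-all": 3}


def spf_records(txt_values):
    """Pick the SPF records out of a domain's TXT values."""
    return [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]


def merge_spf(records):
    """Combine several SPF records into the one record a domain may publish."""
    mechanisms, seen, final_all = [], set(), None
    for rec in records:
        for term in rec.split()[1:]:
            key = term.lower()
            if key == "all":
                key = "+all"  # a bare "all" means "+all"
            if key in ALL_STRICTNESS:
                # Keep the strictest "all" so merging never loosens the policy.
                if final_all is None or ALL_STRICTNESS[key] > ALL_STRICTNESS[final_all]:
                    final_all = key
            elif key not in seen:
                seen.add(key)
                mechanisms.append(term)
    return " ".join(["v=spf1", *mechanisms, *([final_all] if final_all else [])])


def count_lookups(record):
    """Count top-level terms that cost a DNS lookup (RFC 7208 caps the total at 10)."""
    # Lookups inside an included record also count, but need live DNS to follow.
    names = (t.lower().lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0]
             for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)


# Constructed zone contents: two separate SPF records (the mistake described
# above) plus an unrelated, made-up TXT value.
TXT_VALUES = [
    "v=spf1 include:sendlayer.net ~all",
    "v=spf1 include:_spf.google.com ~all",
    "site-verification=placeholder",
]

if __name__ == "__main__":
    found = spf_records(TXT_VALUES)
    print(f"{len(found)} SPF records published (more than one is an SPF error)")
    merged = merge_spf(found)
    print(merged, f"-> {count_lookups(merged)} top-level DNS lookups")
```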
Can I use DMARC without both SPF and DKIM?
Yes, DMARC works with just one of them, but it’s risky. DMARC passes when either SPF or DKIM passes and aligns with your domain. So technically, you only need one.
But here’s why that’s a bad idea: SPF breaks when emails get forwarded. DKIM can break if your email service modifies messages. When you only have one and it breaks, DMARC fails completely. Your emails get rejected.
I’ve seen companies lose thousands of dollars because they relied on SPF alone. A customer forwarded their invoice to accounting, SPF broke, and the invoice never arrived. Start with both SPF and DKIM, then add DMARC. It takes maybe 20 minutes total and saves huge headaches later.
What’s the difference between SPF, DKIM, and DMARC?
SPF is a list of servers allowed to send email for your domain. It’s like saying “only these post offices can send my mail.” The problem? It checks the server, not the actual sender.
DKIM is a signature that proves an email hasn’t been changed. Each email gets a unique cryptographic stamp. But DKIM doesn’t stop someone from using your domain name on a different server.
DMARC is the boss that checks if SPF or DKIM passed, then tells receiving servers what to do with failures. Without DMARC, the other two are just suggestions. Servers can ignore them.
Here’s the simple truth: SPF says who can send, DKIM proves emails are real, and DMARC enforces the rules. You need all three because each one fixes what the others miss.
How do I test if SPF, DKIM, and DMARC are working correctly?
Send a test email to a Gmail account you control. Once it arrives, open the email and click the three dots menu. Select “Show original” to see the technical details.
Look for these three lines:
- SPF: PASS (with your domain)
- DKIM: PASS (shows ‘header.d’ with your domain)
- DMARC: PASS
If any show FAIL, you have a problem. SPF failures mean wrong server settings. DKIM failures mean incorrect DNS records or keys. DMARC failures happen when SPF and DKIM don’t match your “From” domain.
For quick testing, you can use WP Mail SMTP’s email test feature. Send an email to any test address and get instant results.
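The same check done in code, as an added example that is not from the original article or from WP Mail SMTP: it reads the Authentication-Results header found in “Show original” and applies the DMARC rule that SPF or DKIM must pass for a domain matching the From domain. The headers are constructed, the function names are hypothetical, and the domain matching is simplified to the last two labels.

```python
import re


def org_domain(domain):
    # Simplification for this example: the last two labels. Real validators
    # use the Public Suffix List (needed for names such as example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Return {method: (result, {property: value})} for one header."""
    body = re.sub(r"\([^)]*\)", "", header.split(":", 1)[1])  # drop (comments)
    out = {}
    for clause in body.split(";")[1:]:  # first part names the reporting server
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            out[method.lower()] = (result.lower(), props)
    return out


def dmarc_verdict(header, from_domain):
    """DMARC passes when SPF or DKIM passed for a domain aligned with From."""
    res, want = parse_auth_results(header), org_domain(from_domain)
    spf, spf_props = res.get("spf", ("none", {}))
    dkim, dkim_props = res.get("dkim", ("none", {}))
    spf_dom = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    spf_ok = spf == "pass" and org_domain(spf_dom) == want
    dkim_ok = dkim == "pass" and org_domain(dkim_props.get("header.d", "")) == want
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}


# Constructed headers (example domains, documentation IP address).
FORWARDED = ("Authentication-Results: mx.receiver.example; "
             "spf=fail (198.51.100.7 is not permitted) smtp.mailfrom=news@example.com; "
             "dkim=pass header.d=example.com header.s=default")
UNALIGNED = ("Authentication-Results: mx.receiver.example; "
             "spf=pass smtp.mailfrom=bounce@mailer.example.net; "
             "dkim=pass header.d=mailer.example.net header.s=default")

if __name__ == "__main__":
    for name, hdr in (("forwarded", FORWARDED), ("unaligned", UNALIGNED)):
        print(name, dmarc_verdict(hdr, "example.com"))
```

The forwarded message still passes DMARC because its DKIM signature survives, while the second message fails even though SPF and DKIM both say pass, because neither result is for the From domain.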
Do I need to authenticate with both SPF and DKIM, or just one?
You should set up both, even though technically one is enough for basic authentication. Google and Yahoo now require both for anyone sending over 5,000 emails daily. But even small senders benefit from using both.
Here’s what happens with just one: SPF alone fails when someone forwards your email. DKIM alone doesn’t prove which server sent the email. When you have both, one can fail and your email still gets through.
Real example: A client only had SPF. Their newsletter worked fine until subscribers started forwarding it to friends. Every forwarded email bounced back. Adding DKIM fixed it immediately.
How do I fix DMARC failures in WordPress?
DMARC failures in WordPress usually happen because the “From” address doesn’t match your domain. WordPress defaults to “[email protected]” but your site might send from “[email protected]”. That’s a mismatch.
Fix it by going to WP Mail SMTP settings. Set the “From Email” to an address at your own domain. Never use Gmail, Yahoo, or other free email addresses as your sender. Next, make sure your SPF record includes your actual mail server. If you use SMTP.com, your SPF needs “include:smtp.com”.
Check that DKIM is active and the DNS records are correct. The selector (usually “default” or your service name) must match exactly. Even one wrong character breaks everything.
Next, Check Your PTR Record
While you’re checking your DNS, it’s a good idea to check your PTR record. The PTR record is a special type of record that also plays a role in preventing spam. To learn more, check out our article on What Is a PTR Record (and Do I Need One?)
Ready to fix your emails? Get started today with the best WordPress SMTP plugin. If you don’t have the time to fix your emails, you can get full White Glove Setup assistance as an extra purchase, and there’s a 14-day money-back guarantee for all paid plans.