Are you wondering, “What are DMARC, SPF, and DKIM?”
In short, these 3 lines in your DNS zone all work together to stop your WordPress emails from going to spam.
In this article, we’ll explain how DMARC, SPF, and DKIM work together to verify your outgoing mail.
How Do I Set Up DMARC, SPF, and DKIM?
To set up DMARC, SPF, and DKIM, you’ll need to edit your domain’s DNS records.
Your DNS records likely exist in one of the following places:
- Your web hosting control panel if you bought your domain and hosting together, or your host gave you a free domain.
- Your domain registrar’s control panel if you purchased your hosting and domain separately.
- Your CDN or DNS management control panel if you use one of these services to manage your domain.
DMARC, SPF, and DKIM are important, but not every provider will require all 3. And here’s the good news: once they’re set up, your emails will be fixed, and you can (mostly) forget about them.
What Are DMARC, SPF, and DKIM?
What Is DMARC?
DMARC helps to prevent domain spoofing and generates email reports if suspicious activity is detected. It stands for Domain-based Message Authentication, Reporting, and Conformance, so the clue is partly in the name.
On a basic level, your DMARC record acts as the glue between your SPF and DKIM records. And it does 3 things:
- It compares the sending IP with the authorized sender for the domain by looking at SPF and DKIM. That’s how these 3 records all work together to stop WordPress emails from going to spam.
- If that check fails, it tells the email server what to do. For example, the email could be rejected or quarantined.
- DMARC can also generate email reports if it detects emails that aren’t properly authenticated. In the DMARC record, you can specify the email address that’ll receive these reports. They will be sent to you as XML files.
If you do get DMARC reports, don’t worry. Your DMARC record is doing the job it’s supposed to do. It’s important not to ignore the reports because they might be a sign of someone abusing your domain to send spam. You can forward the report to your email service provider if you need help understanding the contents.
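To make the XML reports easier to read, the sketch below (an added example, not part of WP Mail SMTP or of the original article) totals messages per sending IP and lists the sources that failed both checks. It assumes a report that has already been decompressed and uses no XML namespace; the sample report and its addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 layout); every value is made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>35</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def parse_report(xml_text):
    """Return (domain, policy, passed, failed); passed/failed map source IP -> message count."""
    # Reports arrive from outside parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in DMARC report")
    root = ET.fromstring(xml_text)
    passed, failed = Counter(), Counter()
    for row in root.iter("row"):
        ip = row.findtext("source_ip", default="unknown")
        count = int(row.findtext("count", default="0"))
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        (passed if "pass" in results else failed)[ip] += count
    return (root.findtext("policy_published/domain"),
            root.findtext("policy_published/p"), passed, failed)

def failing_sources(xml_text):
    """Source IPs that failed both checks, busiest first: the ones to investigate."""
    return parse_report(xml_text)[3].most_common()

if __name__ == "__main__":
    domain, policy, passed, failed = parse_report(SAMPLE_REPORT)
    print(f"{domain} (p={policy}): {sum(passed.values())} passed, {sum(failed.values())} failed")
    for ip, n in failing_sources(SAMPLE_REPORT):
        print(f"  investigate {ip}: {n} messages")
```

A failing source is either a legitimate sender that still needs adding to SPF or DKIM, or someone sending as your domain without permission.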
How to Add a DMARC Record
If your email provider gives you a specific DMARC record, you should add that to your DNS. If your provider doesn’t tell you what to include, see our article on what is a DMARC record and how to create one. It includes a generic DMARC record that you can copy and paste, and it’ll work on any domain.
The only time you don’t need DMARC is when you’re sending from a domain that you don’t control. For example, a Gmail account with a @gmail.com email address doesn’t need DMARC, but a Google Workspace account with a custom domain name does.
What Is SPF?
The SPF record is a TXT record in your DNS. The name stands for Sender Policy Framework.
SPF is responsible for checking that an IP address is authorized to send emails from the sending domain. It works a little like a return address on a letter.
If you don’t have an SPF record, your WordPress emails will likely be marked as spam. In some cases, they’ll be discarded. For example, Gmail blocks emails without SPF authentication. So a missing SPF record is a common cause of WordPress not sending emails.
In fact, WordPress might be generating emails and sending them without any issues. But the emails are likely being discarded further down the line because there’s no SPF record to validate them.
Don’t Use More Than 1 SPF Record
Creating an SPF record is important, and your provider will give you instructions on exactly what to add to your DNS.
When you do this, keep in mind that it’s also important that you only have one SPF record on your domain, so you’ll want to check for existing rules first.
For example, you may have already created an SPF record for your email marketing provider. If you then want to add another one for your transactional email provider, you’ll need to combine those SPF records into one.
See our guide on how to merge multiple SPF records for the easiest way to do this.
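Receiving servers treat a domain that publishes more than one v=spf1 record as a permanent SPF error, so the check is worth automating. The sketch below is an added example, not code from WP Mail SMTP: it finds the SPF records among a domain's TXT values, merges them into one, and counts the terms that trigger DNS lookups (SPF allows at most 10). The TXT values and include: hosts are constructed placeholders, and keeping the strictest "all" term is a choice made for this example.

```python
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}   # qualifier -> how strict it is
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT values for one domain; the include: hosts are placeholders.
SAMPLE_TXT = [
    "v=spf1 include:spf.marketing.example ~all",
    "v=spf1 include:spf.transactional.example ip4:192.0.2.25 -all",
    "google-site-verification=constructed-token",
]

def spf_records(txt_values):
    """Pick out the SPF records among a domain's TXT values."""
    return [t for t in txt_values if t.lower().split()[:1] == ["v=spf1"]]

def merge_spf(txt_values):
    """Combine every SPF record into one, keeping the strictest 'all' term."""
    terms, all_term = [], None
    for record in spf_records(txt_values):
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in STRICTNESS else "+"
            if term.lstrip("+-~?").lower() == "all":
                if all_term is None or STRICTNESS[qualifier] > STRICTNESS[all_term[0]]:
                    all_term = qualifier + "all"
            elif term not in terms:          # drop exact duplicates
                terms.append(term)
    return " ".join(["v=spf1", *terms] + ([all_term] if all_term else []))

def lookup_count(record):
    """Count top-level terms that cost a DNS lookup (nested includes not followed)."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        mechanism = name.split(":")[0].split("/")[0].split("=")[0]
        if mechanism in LOOKUP_TERMS:
            count += 1
    return count

if __name__ == "__main__":
    found = spf_records(SAMPLE_TXT)
    if len(found) > 1:
        print(f"{len(found)} SPF records found; publish this single record instead:")
    merged = merge_spf(SAMPLE_TXT)
    print(merged)
    print("DNS-lookup terms:", lookup_count(merged))
```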
What Is DKIM?
Your DKIM record is responsible for verifying your domain using a key. It stands for DomainKeys Identified Mail.
The main goal of DKIM is to prove that the content hasn’t been changed between sender and recipient. So DKIM is a little bit like putting your own signature on each email you send.
In your DNS, you’ll have one part of the DKIM record: the public key. And the mail server holds the private key to match, which it uses to sign each outgoing email. By checking that signature against the public key, mail servers can check that the email really came from you.
Later on, the DMARC record checks this verification and then decides whether the email is legitimate.
How to Add a DKIM Record
To add a DKIM record to your DNS, you’ll want to reach out to your email provider to find out what to include. Most providers include instructions in their setup documentation.
If you’re using WP Mail SMTP, we’ve got detailed instructions for all of our supported email providers too:
|Mailers available in all versions
|Mailers in WP Mail SMTP Pro
|Microsoft 365 / Outlook.com
|Brevo (formerly Sendinblue)
|Google Workspace / Gmail
Sometimes you may need to split a DKIM record into two lines. We’ve got a guide on how to split a DKIM record that explains how to do that.
Finally, let’s take a quick look at an easy way to check your DNS records in WordPress.
How to Check DMARC, SPF, DKIM in WP Mail SMTP
If you’re sending emails from WordPress, you’ll want to make sure that DMARC, SPF, and DKIM are correctly configured on your domain.
WP Mail SMTP makes this easy.
You can send a test email at any time to make sure that your WordPress emails are working, and this will also check these 3 important DNS records at the same time.
If the plugin detects that any of your DNS records are missing or broken, it’ll let you know right away.
And for complete peace of mind, you’ll also see Domain Checker alerts on your Site Health screen.
And that’s it! Now you know how DMARC, SPF, and DKIM work together to improve email deliverability.
FAQ on SPF, DKIM, and DMARC Records
Do you have more questions about DNS records and email deliverability? We’ll cover them below.
How Do I Create a DMARC Record?
You can copy and paste a DMARC record and add it to your domain’s DNS zone. There’s a DMARC record example in our guide on how to create a DMARC record and add it to your domain.
Is DMARC a TXT Record?
Yes, DMARC is normally added to your DNS as a TXT record.
Does DMARC Require DKIM?
No, DMARC does not require DKIM. DMARC will work without a DKIM record. However, if your provider recommends that you create a DKIM record, you should. It will help DMARC to isolate spam emails and let legitimate ones through.
Next, Check Your PTR Record
While you’re checking your DNS, it’s a good idea to check your PTR record. The PTR record is a special type of record that also plays a role in preventing spam.
To learn more, check out our article on What Is a PTR Record (and Do I Need One?)