Email Deliverability: SPF, DKIM, and DMARC Explained
Plain-English guide to setting up SPF, DKIM, and DMARC so your cold outreach actually lands in the primary inbox instead of spam.
Three DNS records decide whether your cold email lands in inbox or spam: SPF, DKIM, and DMARC. They are not optional in 2026 — Gmail, Yahoo, and Outlook now require them for any sender doing meaningful volume.
SPF — who is allowed to send?
A TXT record listing the IPs/services authorized to send mail "from" your domain. Misconfigure it and your legitimate mail gets rejected. Best practice: keep the DNS lookup count under 10.
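As an added example (not part of the original article), this Python sketch counts the DNS-lookup terms an SPF record pulls in through nested include: chains, which is how the lookup count usually creeps past the limit. The domains and records are constructed sample data, and TXT records are read from an inline dict instead of live DNS.

```python
import re

# Constructed sample zone: domain -> SPF TXT record (not real DNS data).
SAMPLE_TXT = {
    "example.test": "v=spf1 mx include:_spf.esp.test include:_spf.crm.test ~all",
    "_spf.esp.test": "v=spf1 include:a.esp.test include:b.esp.test include:c.esp.test -all",
    "a.esp.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.esp.test": "v=spf1 a mx -all",
    "c.esp.test": "v=spf1 exists:%{i}.bl.esp.test -all",
    "_spf.crm.test": "v=spf1 a:mail.crm.test include:d.crm.test -all",
    "d.crm.test": "v=spf1 mx ptr -all",
}

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # receivers return a permanent error above this

TERM_RE = re.compile(r"([A-Za-z0-9]+)(?:[:=]([^/\s]+))?(?:/.*)?$")


def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Count lookup-costing terms reachable from the SPF record of `domain`."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        match = TERM_RE.match(term.lstrip("+-~?"))  # drop the qualifier
        if not match:
            continue
        name, target = match.group(1).lower(), match.group(2)
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost no lookup
        total += 1
        if name in ("include", "redirect") and target:
            # The included record's own terms count against the same budget.
            total += count_lookups(target.lower(), txt, path + (domain,))
    return total


if __name__ == "__main__":
    for name in ("b.esp.test", "_spf.esp.test", "example.test"):
        n = count_lookups(name)
        state = "OK" if n <= SPF_LOOKUP_LIMIT else "OVER LIMIT"
        print(f"{name}: {n} lookups ({state})")
```

The top-level record here has only three lookup terms of its own, yet the nested includes push the total over the limit, which is why the count has to be checked recursively.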
DKIM — was the message actually signed by you?
A cryptographic signature added to each outgoing message and verified against a public key in your DNS. Your ESP (Brevo, SendGrid, Postmark) gives you the record to publish.
DMARC — what should the receiver do if SPF/DKIM fail?
A policy record telling the receiver what to do with failing mail (none, quarantine, or reject), plus a rua reporting address. Start with p=none and watch the reports for a week before tightening to quarantine.
This article is a stub
The full version includes example records for Brevo, SendGrid, and Google Workspace, plus a debug checklist for "I just authenticated and mail still goes to spam". Coming soon.