SPF, DKIM, and DMARC are DNS records that tell inbox providers like Gmail and Outlook whether your email is legitimate. Get them wrong and your emails go to spam — or don't arrive at all. Get them right and your sender reputation stays clean.
Since 2024, Google and Yahoo require all three for bulk senders. Outlook followed in 2026. If you haven't checked yours recently, now is the time.
What Are SPF, DKIM and DMARC?
SPF: A DNS record that lists which servers are allowed to send email on behalf of your domain. If your ESP (Klaviyo, Mailchimp, Sendgrid, etc.) isn't listed, Gmail may reject or spam-filter your email.
DKIM: A cryptographic signature added to every outgoing email. It proves the message came from your domain and wasn't altered in transit. Your email provider generates the key — you add a DNS record to activate it.
DMARC: A policy record that ties SPF and DKIM together. It tells inbox providers what to do with email that fails both checks: allow it, quarantine it, or reject it. It also enables reporting so you can see who's sending from your domain.
How to Check SPF, DKIM and DMARC (Step by Step)
You can check all three records at once using CheckLab — no signup, no configuration needed.
- Go to checklab.io
- Enter your domain — just the domain, no https://
- Click Check
You'll get a result for each record within seconds, plus a blacklist check for your sending IP.
If you use a custom DKIM selector (common with Google Workspace or some ESPs), expand the Advanced panel and enter it manually before running the check.
How to Read the Results
| Result | What it means | Action needed |
|---|---|---|
| ✓ SPF pass | Your senders are correctly listed | None |
| ✕ SPF fail | Missing or misconfigured record | Add/update TXT record |
| ✓ DKIM pass | Signature verified, email trusted | None |
| ✕ DKIM fail | Signing not enabled or DNS missing | Enable in ESP + add DNS record |
| ✓ DMARC pass | Policy in place | None |
| ⚠ DMARC missing | No policy — domain unprotected | Add TXT record |
| ✓ Blacklist clean | IP not flagged | None |
| ✕ Blacklisted | IP on one or more blacklists | Request delisting |
How to Fix Common Issues
SPF Fail
Add a TXT record to your root domain (@). The exact value depends on your email provider — check their docs for the include: statement they require.
Example for a store using Klaviyo and Google Workspace:
v=spf1 include:klaviyomail.com include:_spf.google.com ~all
If you use multiple ESPs, all of them need to be included. Note: SPF has a limit of 10 DNS lookups — if you have many providers, you may need to consolidate.
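The 10-lookup limit applies to the whole include chain, not only to the terms visible in your own record. The sketch below is an added example, not CheckLab's code: it counts the worst-case number of DNS-querying terms (include, a, mx, exists, ptr, redirect) by walking nested records. The domains and TXT values are constructed, and the zone is an in-memory dictionary standing in for real DNS queries.

```python
# Constructed sample zone (TXT values by name); not real DNS data.
SAMPLE_ZONE = {
    "shop.example": "v=spf1 include:_spf.esp-a.example include:_spf.mail.example mx ~all",
    "_spf.esp-a.example": "v=spf1 include:_p1.esp-a.example include:_p2.esp-a.example ~all",
    "_p1.esp-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_p2.esp-a.example": "v=spf1 ip4:198.51.100.0/24 a:out.esp-a.example ~all",
    "_spf.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def spf_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying SPF terms reachable from `domain`."""
    if domain in chain:
        raise ValueError(f"include loop through {domain}")
    terms = zone.get(domain, "").lower().split()
    if terms[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?")  # qualifier does not affect the count
        if term.startswith("redirect="):
            # redirect hands evaluation to another domain's record
            target = term[len("redirect="):]
            total += 1 + spf_lookups(target, zone, chain + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]  # drop CIDR suffix on bare a/24 or mx/24
        if name == "include":
            total += 1 + spf_lookups(target, zone, chain + (domain,))
        elif name in ("a", "mx", "exists", "ptr"):
            total += 1  # each of these triggers a query at evaluation time
        # ip4, ip6 and all need no lookup and are not counted
    return total


def within_limit(domain, zone):
    """True when the record stays inside the 10-lookup budget."""
    return spf_lookups(domain, zone) <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    print(spf_lookups("shop.example", SAMPLE_ZONE),
          within_limit("shop.example", SAMPLE_ZONE))
```

The sample record shows only three lookup terms at the top level, but the nested includes bring the total to six, which is how a record that looks short can still run out of budget.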
DKIM Fail
Go to your ESP's domain authentication or DKIM settings and enable signing for your domain. They'll generate a public key and give you one or more DNS records (usually CNAME or TXT) to add.
Common locations:
- Klaviyo: Account → Settings → Domains
- Mailchimp: Account → Domains → Authenticate
- Google Workspace: Admin Console → Apps → Gmail → Authenticate email
- Shopify Email: Online Store → Domains → DNS settings
After adding the DNS records, wait a few hours and re-check. DNS propagation can take up to 48 hours.
DMARC Missing
Add a TXT record to _dmarc.yourdomain.com. Start with monitor-only mode:
v=DMARC1; p=none; rua=mailto:[email protected]
p=none means inbox providers will take no action on failing emails — you're just collecting data. Once you've confirmed SPF and DKIM are solid, tighten to p=quarantine or p=reject.
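To see where a DMARC record sits on the path from monitoring to enforcement, you can parse its tags and flag what is still open. This is an added example, not part of the original page or of CheckLab: the function names and finding messages are illustrative, the sample records in the comments and test use a constructed address, and the pct tag comes from the DMARC specification (RFC 7489) rather than from this page.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict; v=DMARC1 must be the first tag."""
    tags = []
    for pair in (p.strip() for p in record.split(";")):
        if not pair:
            continue  # tolerate a trailing semicolon
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags.append((key.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    return dict(tags)


def dmarc_findings(record):
    """Return a list of issues that keep the record short of full enforcement."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to a sample of mail only")
    return findings


if __name__ == "__main__":
    # Constructed sample record; reports@shop.example is a placeholder address.
    for issue in dmarc_findings("v=DMARC1; p=none; rua=mailto:reports@shop.example"):
        print(issue)
```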
Blacklisted IP
CheckLab shows which blacklist flagged your IP. Go to that blacklist's website and submit a delisting request — most have a self-service form. Before submitting, make sure you've stopped whatever caused the listing (spam complaints, misconfigured server, etc.).
If you're on shared hosting, the IP may belong to your provider and affect multiple tenants. Contact them directly.
What Happens If You Ignore Broken Records
Authentication issues don't fix themselves. Here's what typically happens over time:
- Short term: Emails routed to spam folder. Customers miss order confirmations.
- Medium term: Sender reputation degrades. More emails flagged even for users who previously received them fine.
- Long term: IP or domain blacklisted. Recovery can take weeks.
Google's bulk sender requirements mean that missing SPF, DKIM, or DMARC can now cause outright rejection — not just spam filtering. For ecommerce stores sending transactional email, this is a serious operational risk.
How to Keep Records Healthy Over Time
Authentication records break more often than most people expect:
- A new marketing tool gets added without updating SPF
- Your ESP rotates DKIM keys without notifying you
- A DNS migration accidentally overwrites records
- A shared IP gets blacklisted by another sender
Manual checks every few months aren't enough. CheckLab's monitoring checks your domain every 24 hours and sends an email alert the moment something changes — before customers start complaining.
The Pro plan covers up to 10 domains with daily checks and instant alerts. Useful if you manage multiple stores or client domains.
- SPF record exists and includes all your email providers
- DKIM enabled in your ESP — DNS records added and verified
- DMARC record added (p=none to start)
- Sending IP not on any major blacklist
- Monitoring set up so you catch issues before customers do