How to Fix SPF, DKIM, and DMARC Failures — Complete Troubleshooting Guide
When your emails start failing authentication or landing in spam, it’s almost always a broken SPF, DKIM, or DMARC record. These three DNS entries are what prove your domain is legitimate — and without them, your mail server looks like a spammer even if you’re fully legit.
This guide breaks down exactly how each record works, how to test your setup, and the exact fixes to apply when something fails.
1. Why SPF, DKIM, and DMARC Matter
Every major email provider — Gmail, Outlook, Apple Mail, Yahoo, Zoho — checks your domain’s authentication before accepting messages. Here’s what each record does:
- SPF (Sender Policy Framework) — Defines which mail servers are authorized to send on your domain’s behalf.
- DKIM (DomainKeys Identified Mail) — Signs each message cryptographically to prove it wasn’t altered.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — Tells servers how to handle unauthenticated mail and provides reporting feedback.
If any one of these fails, your domain trust collapses — and that’s when emails start bouncing, getting quarantined, or quietly dumped into spam.
2. How to Identify What’s Failing
Before editing DNS blindly, you need data. Send a test message through MailTested — you’ll get a full deliverability report showing which checks passed or failed, including:
- SPF authorization status
- DKIM signature verification
- DMARC alignment (policy enforcement)
- Blacklists and reputation summary
Once you know what’s broken, use the steps below to repair each one systematically.
3. Fixing SPF Problems
SPF tells the world which servers can send mail for your domain. A single typo or missing include can trigger a complete authentication failure.
Check your SPF record in DNS:
v=spf1 include:_spf.google.com include:spf.mailgun.org -all
If you use multiple mail sources (like Google Workspace, Mailgun, and a CRM), all of them must be listed in that one record. Never create more than one SPF record for a domain; it invalidates both.
Make sure your SPF ends with ~all (soft fail) or -all (strict fail). If unsure, start with ~all to avoid blocking legitimate traffic.
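The checks from this section can be automated before you touch DNS. The following is an added example, not code from this guide or from MailTested: the function name lint_spf and the sample TXT record sets are constructed for illustration. It goes slightly beyond the text by also counting DNS-lookup terms against the limit of 10 in RFC 7208, and it counts top-level terms only, without resolving nested includes.

```python
import re

# Added example (not from the original guide). Mechanisms defined by RFC 7208.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:([:=/])(.*))?$", re.I)

def lint_spf(txt_records):
    """Return a list of SPF problems in a domain's TXT record set (empty = clean)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; only one is allowed"]
    terms = spf[0].split()[1:]
    problems, lookups, has_redirect = [], 0, False
    for term in terms:
        m = TERM.match(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        name, sep = m.group(2).lower(), m.group(3)
        if sep == "=":                       # modifier, e.g. redirect= or exp=
            if name == "redirect":
                has_redirect, lookups = True, lookups + 1
        elif name not in MECHANISMS:
            problems.append(f"unknown mechanism (typo?): {term}")
        elif name in LOOKUP_MECHS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; the limit is 10")
    last = terms[-1].lower() if terms else ""
    if not has_redirect and last not in ("~all", "-all"):
        problems.append("record does not end with ~all or -all")
    return problems

# Constructed sample TXT record sets, as a DNS query for the domain would return.
SAMPLES = {
    "clean": ["v=spf1 include:_spf.google.com include:spf.mailgun.org -all"],
    "duplicate": ["v=spf1 include:_spf.google.com ~all",
                  "v=spf1 include:spf.mailgun.org ~all"],
    "typo": ["google-site-verification=constructed-token",
             "v=spf1 inlcude:_spf.google.com ~all"],
    "open-ended": ["v=spf1 include:_spf.google.com"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_spf(records) or "OK")
```

Feed it the TXT strings your DNS host shows for the domain; an empty list means none of these checks fired.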
4. Fixing DKIM Authentication
DKIM ensures your message hasn’t been tampered with. It relies on a private key on your server and a matching public key in DNS. If DKIM fails, it usually means one of three things:
- Your selector (e.g. default._domainkey) doesn’t match your mail server setting.
- Your DKIM TXT record got split across multiple lines by your DNS host.
- The private/public key pair is outdated or expired.
If you don’t have a key yet, generate one directly from your mail platform or using our DKIM generator tool, then publish it in DNS under:
default._domainkey.yourdomain.com
Always test again after publishing — it should return “pass” within a few minutes.
5. Setting and Verifying DMARC
DMARC glues SPF and DKIM together. It also defines what the receiving server should do if either fails.
Start simple with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:[email protected]; adkim=s; aspf=s
Once your authentication passes consistently, switch to a stricter enforcement:
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]
or even:
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]
This ensures only properly authenticated messages make it to inboxes.
6. Test, Monitor, and Maintain
Once you’ve fixed SPF, DKIM, and DMARC, send another test via MailTested to confirm all green checks. Authentication is not “set and forget” — keep monitoring your DMARC reports and SPF validity, especially after changing hosting or mail providers.
✅ Final Thoughts
SPF, DKIM, and DMARC failures are not random — they’re signals that your domain’s identity isn’t fully trusted. Fixing them isn’t complicated once you know where to look.
MailTested shows you exactly what went wrong and how to repair it — instantly. One test can reveal years of hidden issues that hurt your sender reputation.