SPF vs DKIM vs DMARC explained (what each one actually does)
SPF authorizes which servers can send for your domain, DKIM signs messages so they can't be tampered with, and DMARC tells receivers what to do when SPF/DKIM fail. You need all three.
Short answer: SPF says *which servers are allowed* to send email for your domain; DKIM adds a *cryptographic signature* so receivers can verify the message wasn't altered and really came from you; DMARC ties them together and tells receivers *what to do* (none / quarantine / reject) when SPF or DKIM fails — plus it sends you reports. Cold email needs all three passing.
What each record does
- SPF (TXT record): lists authorized sending IPs/services. Prevents spoofing from unauthorized servers.
- DKIM (TXT record + signature): a public key receivers use to verify your signed mail. Prevents tampering.
- DMARC (TXT record): policy + reporting. Aligns SPF/DKIM to your domain and instructs receivers on failures.
Why all three
SPF or DKIM alone leaves gaps. DMARC is what Gmail/Yahoo now effectively require from bulk senders — start at p=none (monitor), then move to quarantine.
Autocloz checks all three on every connected domain and flags anything missing before you send.
> Start free — connect a domain and Autocloz verifies SPF, DKIM and DMARC.