SPF, DKIM, DMARC, and BIMI Made Simple
Email authentication sounds scary and is actually a one-time setup. Get these four records right and inbox providers start trusting your mail.
One brand lost $347,000 in four and a half months because Google decided their emails were junk.
Part of the reason was simple. They had ZERO authentication set up. No SPF. No DKIM. No DMARC.
We fixed it in 45 minutes and their revenue jumped $11,750 the following week.
That is what authentication does. It tells Gmail, Yahoo, and Outlook that the mail claiming to come from your domain actually came from you. Without it, you look like a stranger wearing your name tag, and inbox providers treat you accordingly.
Here is the good news. This is a one-time setup. Four DNS records, done in an afternoon, and you rarely touch them again.
What each record actually does
Skip the DNS jargon. Here is the plain-English version of what these four records do and why you care.
| Record | What it does | Why it matters |
|---|---|---|
| SPF | Lists which servers are allowed to send email for your domain | Stops random servers from sending as you. Providers check this first. |
| DKIM | Adds a tamper-evident cryptographic signature to every message you send | Proves the email was not faked or altered in transit. Builds sender trust. |
| DMARC | Tells providers what to do when a message passes neither SPF nor DKIM for your From domain | This is the instruction that says "reject the fakes." Gmail and Yahoo now require it. |
| BIMI | Displays your verified logo next to your emails in the inbox | Free brand real estate. Your logo shows up before anyone even opens. |
Think of it as a chain. SPF and DKIM prove who you are. DMARC decides what happens to anything that fails the check. BIMI is the reward you earn once the first three are solid.
The order to set them up
Do these in sequence. Each one builds on the last, and skipping ahead breaks things.
DMARC has three modes: none (monitor only), quarantine, and reject. If you set it to reject before SPF and DKIM are passing cleanly, you can block your own legitimate email. Run it in monitor mode first, read the reports it sends you, confirm everything passes, then tighten. Rushing this step is how people accidentally take their own mail offline.
Why this moves the needle
Gmail and Yahoo made authentication a hard requirement for bulk senders. If you send real volume and you are missing these records, you are not fighting for the inbox. You are getting filtered before the fight even starts.
We have seen a brand's deliverability go from 41% to 88% in three weeks after we cleaned up their foundation and rewrote their emails. Authentication was the base layer that made the rest of it stick.
The BIMI piece is underrated too. Your verified logo sitting in the inbox before anyone opens is trust you get for free. It makes you look like the established brand you are instead of a maybe-spam sender.
None of this is optional anymore, and none of it is hard. It is a checklist.
Common Mistakes
- Publishing two SPF records. A domain can only have ONE SPF record. When a receiver finds two, the SPF check returns a permanent error (permerror) and neither record is used. Merge your sending sources into a single record.
- Forgetting DKIM after a platform switch. Move from one email tool to another and your old DKIM key stops matching. Republish the new key or your mail starts failing checks.
- Setting DMARC to reject on day one. Enforce before SPF and DKIM pass and you block your own campaigns. Monitor first, tighten later.
- Authenticating the wrong domain. Your sending subdomain needs the records, not just your root domain. Confirm you set them up where the mail actually goes out.
- Never testing. Run your domain through a tool like GlockApps and send a test. Guessing that it works is not the same as confirming it.
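An added example (not from the original article) that checks a set of TXT records for the mistakes in the list above: duplicate SPF records, a missing DKIM key, and DMARC enforcement ahead of passing checks. The domain, the selector `s1` and all record values are constructed assumptions, and the records are passed in as a dictionary rather than queried from DNS.

```python
# Added example: audits TXT records for the mistakes listed above.
# All names and record values below are constructed, not real DNS data.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(txt, domain, selector):
    """txt maps DNS name -> list of TXT strings. Returns a list of findings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf: no record")
    elif len(spf) > 1:
        findings.append("spf: %d records, result is permerror; merge into one" % len(spf))
    dkim = [parse_tags(r) for r in txt.get("%s._domainkey.%s" % (selector, domain), [])]
    if not any(t.get("p") for t in dkim):
        findings.append("dkim: no public key at selector '%s'" % selector)
    auth_problems = len(findings)  # SPF/DKIM issues found so far
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])
             if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("dmarc: expected exactly one record, found %d" % len(dmarc))
        return findings
    policy = dmarc[0].get("p", "").lower()
    if "rua" not in dmarc[0]:
        findings.append("dmarc: no rua= address, so no aggregate reports to read")
    if policy in ("quarantine", "reject") and auth_problems:
        findings.append("dmarc: p=%s enforced while SPF/DKIM are failing" % policy)
    return findings

# Constructed zone data for a hypothetical sending subdomain.
BROKEN = {
    "mail.example.com": ["v=spf1 include:_spf.esp-a.example ~all",
                         "v=spf1 include:_spf.esp-b.example ~all"],
    "_dmarc.mail.example.com": ["v=DMARC1; p=reject"],
}
FIXED = {
    "mail.example.com": ["v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example ~all"],
    "s1._domainkey.mail.example.com": ["v=DKIM1; k=rsa; p=MIIBconstructedkey"],
    "_dmarc.mail.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(zone, "mail.example.com", "s1"))
```

The audit looks only at the exact name it is given, so run it against the subdomain the mail actually goes out from.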
Get Expert Help
Getting these four records right is a one-time job, and doing it wrong quietly costs you revenue every day it sits broken. Our team sets up and verifies your full authentication stack so your mail lands where it should.