How to Set Up SPF, DKIM & DMARC in 2026: 3-Step Email Authentication Guide (Updated)

TL;DR:

• SPF, DKIM and DMARC are three DNS records that prove your emails are legitimate.
• SPF lists which servers can send on your behalf. DKIM adds a cryptographic signature to each message. DMARC tells receiving servers what to do when either check fails.
• Google, Yahoo and Microsoft all require these for reliable inbox delivery — skipping them risks your emails going to spam or being rejected outright.

This is serious. This is about your email deliverability. I know from my own experience that these acronyms may sound unfamiliar, scary and may seem totally uninteresting. Or maybe they sound familiar, but you never cared enough to check what they really are.

Either way, it’s time to learn what SPF, DKIM and DMARC are and how to set them up in your DNS records for your email server. They’re the baseline requirement for any sender who wants their emails to actually arrive. We’ll also show you where in Woodpecker you can check if they’re set up properly.

What is SPF? How Does SPF Work?

SPF (Sender Policy Framework) is a DNS record that specifies exactly which IP addresses are authorized to send email on behalf of your domain — and it’s the first thing a receiving mail server checks before deciding whether to trust your message.

Simply speaking, SPF is a security mechanism created to prevent the bad guys from sending emails on your behalf. The mechanism is all about communication between DNS servers — and this is the point when it all starts to sound scary. But don’t panic. I’ll try to keep it as simple as possible.

Let’s say you’ve sent an email to Bob. But how does Bob’s DNS server know that the email was in fact sent by you? The problem is, it doesn’t — unless you have SPF set on your DNS server.

SPF defines which IP addresses can be used to send emails from your domain name. Let’s imagine two possible server “conversations”. To make it all easier, let’s assume your name is Mike.

Scenario 1 – You don’t have SPF set up.

Mike’s server: Hey, Bob’s server. I’ve got a new message from Mike.
Bob’s server: Hi Mike’s server. What’s your SPF?
Mike’s server: Yeah, about the SPF… Who cares, really. I don’t have one. Trust me, it’s from Mike.
Bob’s server: If you don’t have SPF, I can’t be sure it was Mike who sent this. Give me Mike’s allowed IPs, so I can compare it with yours.
Mike’s server: I don’t have the list of Mike’s allowed IPs.
Bob’s server: Then I don’t want your message. Delivery denied. Sorry, buddy…

Scenario 2 – You do have SPF set up.

Mike’s server: Hey, Bob’s server. I’ve got a new message from Mike.
Bob’s server: Hi Mike’s server. What’s your SPF?
Mike’s server: There you go, here’s my SPF. There’s a whole list of IPs that Mike himself declared as the ones which can be used on his behalf.
Bob’s server: Ok, let me see… And the message you have for me is sent from IP 64.233.160.19. Ok, it’s on the list. Everything looks fine. Gimme the message, I’ll show it to Bob. Thanks!

The moral of those two short dialogues is: set your SPF. If you don’t, you risk having your email spoofed or you may look like a bad guy and not all your emails will be delivered.

What Apps Should You Include in Your SPF?

The general idea is to make sure all applications that send emails on your behalf (and are using their own SMTP, not yours) are included in your SPF. For instance, if you’re using Google Workspace to send emails from your domain, you should put Google in your SPF. Here’s Google’s instruction on SPF setup.

But it’s important to check whether Google is the only app you should “allow” in your SPF. For instance, if you use HelpScout to manage support emails and Mailchimp to send newsletters, you should include both of them in your SPF.

Should you include Woodpecker in your SPF as well?

No. You should remember to put into your SPF record only the apps that send emails on your behalf using their own SMTP. Woodpecker uses your SMTP to send your emails, so it’s more of an online email client with superpowers than a mass email sending app.

That said, the deliverability of emails sent from Woodpecker depends on the reputation of your domain. Setting SPF and DKIM authentication will help you protect that reputation and thus improve deliverability of your email.

SPF Quick-Check: What to Include

• Google Workspace
  • Include in SPF: Yes
  • Example SPF mechanism: include:_spf.google.com
• Microsoft 365
  • Include in SPF: Yes
  • Example SPF mechanism: include:spf.protection.outlook.com
• Mailchimp
  • Include in SPF: Yes
  • Example SPF mechanism: include:servers.mcsv.net
• HelpScout
  • Include in SPF: Yes
  • Example SPF mechanism: include:helpscoutemail.com
• Woodpecker
  • Include in SPF: No
  • Example SPF mechanism: Uses your own SMTP
• Mailgun
  • Include in SPF: Yes
  • Example SPF mechanism: include:mailgun.org
• SendGrid
  • Include in SPF: Yes
  • Example SPF mechanism: include:sendgrid.net
• Amazon SES
  • Include in SPF: Yes
  • Example SPF mechanism: include:amazonses.com

How to Set Up SPF Record on Your Server Step by Step

The first step is to check what your current SPF record is. You can do that using tools like:

• MxToolbox
• Google Apps Toolbox

When you type in your domain (for instance: woodpecker.co), these tools will run some tests and show you your current SPF or a notification that it hasn’t been set yet.

Depending on your domain host, the exact steps will differ. Basically, it’s about pasting a properly structured line of text in the right place in your DNS console.

For instance, if you are using Google Workspace to send all emails from your domain, the line would look like this:

v=spf1 include:_spf.google.com ~all

The v=spf1 part is called the version and the parts that follow are called mechanisms:

1. v=spf1 — identifies the record as an SPF record
2. include:_spf.google.com — authorizes Google’s mail servers to send on your behalf
3. ~all — emails from unauthorized servers are tagged as soft fail (can be flagged as spam but not necessarily blocked)

If you’re using more apps than just Google, the record will be longer — you’ll need to chain them all together. For example:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:helpscoutemail.com ~all

Here’s how to set up SPF for the most common domain hosts:

• Google Workspace
• Microsoft 365
• Zoho Mail
• Namecheap
• GoDaddy
• Amazon SES

If you’re using Woodpecker and aren’t sure if your SPF is properly set, check it directly in the app: go to Settings → Email Accounts → gear icon → Domain Check-Up or reach out to the Woodpecker support team for individual help.

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication standard that adds a cryptographic digital signature to every outgoing message — letting the recipient’s server verify that the email genuinely came from your domain and hasn’t been tampered with in transit.

DKIM was created for the same reason as SPF: to prevent bad actors from impersonating you as an email sender. By setting DKIM on your DNS server, you’re adding an additional layer of proof that says “yes, it’s really me sending this.”

The whole idea is based on encrypting and decrypting an additional signature placed in the header of your message. To make that possible, you need two keys:

• The private key — unique to your domain, available exclusively to you. It encrypts your signature in the header of outgoing messages.
• The public key — added to your DNS records using the DKIM standard, so the recipient’s server can retrieve it and decrypt your signature.

Think of it like the wax seal in Game of Thrones. Ned Stark’s direwolf seal is public knowledge (the public key) — anyone can verify a message came from House Stark. But only Ned has the original signet ring (the private key) to set that seal on outgoing messages.

Setting DKIM means placing your public key information into DNS records for your domain. Once done, every email you send carries a hidden signature. When the recipient’s server decrypts it successfully using your public key, your message is authenticated — boosting deliverability.

How to Set Up DKIM Record on Your Server Step by Step

First, generate the public key by logging in to your email provider’s admin console.

If you’re using Google Workspace: note that DKIM signatures are off by default — you need to turn them on manually in your Google Admin console.

Once you have the public key, paste the generated TXT record into the right place in your DNS records.

Finally, turn on email signing so outgoing messages include your signature. Here’s how to enable email signing in Google Workspace.

Setup guides for other providers:

• Microsoft 365
• Zoho Mail
• Namecheap

If you’re using Woodpecker and don’t have an IT person handy, check your DKIM status directly in the app: Settings → Email Accounts → gear icon → Domain Check-Up.

Set Up SPF & DKIM and Improve Your Deliverability

If you’re sending lots of emails — whether for cold outreach, inbound or outbound sales or newsletters — the reputation of your domain is crucial. You don’t want your domain to get blacklisted or your emails to land in spam.

Setting SPF and DKIM records properly is a necessary step toward the security of your email service domain and high deliverability. In 2026, this is no longer just best practice — it’s a hard requirement enforced by Google, Yahoo and Microsoft.

SPF vs DKIM: Key Differences at a Glance

What it does

• SPF: Authorizes sending IP addresses
• DKIM: Digitally signs the message content

Where it lives

• SPF: DNS TXT record
• DKIM: DNS TXT record

What it protects against

• SPF: IP spoofing
• DKIM: Content tampering and domain impersonation

Survives email forwarding?

• SPF: No
• DKIM: Yes

Required by Google/Yahoo 2024+?

• SPF: Yes
• DKIM: Yes

Best for

• SPF: Controlling which servers can send
• DKIM: Verifying message integrity

Check these posts on email deliverability for deeper reading:

• What Can We Do to Boost Our Cold Email Deliverability?
• Why We Set up a Separate Mailbox for Outbound Campaigns
• 14 Deliverability Checks to Carry Out Before Sending Your Cold Email Campaign

What is DMARC?

In a nutshell — DMARC is an email security measure that protects your domain against being used by bad actors and gives you better control over your email deliverability. It builds on top of SPF and DKIM.

The acronym stands for Domain-based Message Authentication, Reporting and Conformance.

• Authentication — DMARC checks whether an email was legitimately sent by the person who claims to have sent it.
• Conformance — If an email fails the DMARC test, it’s handled according to the policy you’ve set (more on that below).
• Reporting — DMARC lets receivers send reports back to you, describing how messages from your domain were handled.

All in all, DMARC allows email receivers to check if the incoming email matches what they know about the sender. If it doesn’t, it tells receiving servers exactly what to do with that message.

It’s not set up by default — you need to configure it yourself if you want this additional layer on top of your SPF and DKIM.

Why Does DMARC Matter?

There are three reasons why DMARC is valuable:

1. It’s a safety measure

On the sender’s end, DMARC protects your domain against unauthorized use — phishers, spoofers and anyone trying to impersonate you to steal personal information. On the receiver’s end, it makes it harder for fraudulent email to reach inboxes.

DMARC specifically protects against domain spoofing — when someone unauthorized sends email that appears to come from your domain to deceive recipients into handing over login credentials, payment details or other sensitive data.

2. It helps you control email deliverability

With DMARC in place, you gain visibility into which emails are reaching inboxes and which aren’t — including any unauthorized sends from your domain.

3. It protects your brand reputation

If someone is impersonating your domain to run scams, it damages trust in your brand even though you’re not responsible. DMARC helps stop that.

DMARC is published in DNS alongside SPF and DKIM. Here’s what a basic record looks like:

v=DMARC1; p=none; rua=mailto:[email protected];

How Does DMARC Work?

DMARC specifies what must pass for a message to reach the inbox and what happens if conditions aren’t met.

When an email is tested by DMARC, 4 things should happen:

1. DKIM pass — the signature in the header is validated: the private key matches the public key in DNS.
2. DKIM alignment — the parent domain matches the Header From domain.
3. SPF pass — the receiving server checks the domain in the Envelope From address and verifies the sending IP is listed in the SPF record.
4. SPF alignment — the domain in Envelope From matches the Header From domain.

A message fails DMARC if it fails both SPF and DKIM. If even one passes with proper alignment, the message gets through.

Keep in mind: if you forward a message, only the DKIM check stays aligned — SPF will break.

Why aren’t SPF and DKIM alone enough?

SPF and DKIM each work in isolation. There’s no universal rule about what a receiver should do when they fail — one receiver might redirect to spam, another might run extra tests, another might let it through. And the domain owner never gets any feedback on what happened.

DMARC solves this by letting you define your own rules and by generating reports so you can see exactly what’s happening with your email.

DMARC Policies and Reporting

There are three possible DMARC policies:

p=none

• What it does: All emails go through, even if they fail SPF/DKIM. You get reports only.
• Best for: Starting out — monitor without blocking anything

p=quarantine

• What it does: Emails that fail are redirected to spam/junk
• Best for: Intermediate stage once you’ve reviewed reports

p=reject

• What it does: Emails that fail are bounced entirely
• Best for: Full enforcement — use once you’re confident your legitimate mail passes

A few days after publishing your DMARC record, you’ll start receiving aggregate reports from ISPs. These reports include stats on all emails sent from your domain — including any you didn’t authorize.

If you see more emails than you’ve sent, someone else is using your domain. The report shows you where those emails came from and whether a quarantine or reject policy would stop them.

Reports can be read with tools like Postmark’s DMARC analyzer or dmarcian.

How to Set Up DMARC

Step 1 — Set up SPF and DKIM first. Make sure both records are correctly configured before touching DMARC. If you’ve followed the steps above, you’re ready.

Step 2 — Generate a DMARC record. Use a wizard like dmarcian’s DMARC record generator. Start with p=none so no mail is blocked while you gather data.

Step 3 — Add the DMARC record to your DNS. Add a new TXT record for the host _dmarc.yourdomain.com with the generated value.

Step 4 — Monitor reports and adjust the policy. After reviewing several weeks of reports, move from p=none → p=quarantine → p=reject as you confirm your legitimate mail is passing cleanly.

DMARC Setup Checklist

Step 1: SPF record configured in DNS

Step 2: DKIM record configured in DNS

Step 3: DKIM signing enabled in your email admin console

Step 4: DMARC TXT record added at _dmarc.yourdomain.com

Step 5: DMARC policy starts at p=none

Step 6: Reporting email set in rua= tag

Step 7: Reports reviewed after 2–4 weeks

Step 8: Policy tightened to p=quarantine or p=reject

Google, Yahoo & Microsoft Policy Changes in 2024–2026: What Every Sender Must Know

This is the biggest shift in email authentication enforcement in over a decade and it directly affects your inbox placement right now.

What Changed in 2024

Starting in February 2024, Google and Yahoo rolled out new mandatory authentication requirements for bulk email senders:

• Senders dispatching 5,000+ emails per day to Gmail or Yahoo must have valid SPF, DKIM and DMARC all configured. Non-compliant senders face bulk deferrals or outright rejection.
• All senders (even below the 5,000/day threshold) must have at least SPF or DKIM in place — or their emails face increased spam filtering.
• One-click unsubscribe is now required for marketing and subscription emails sent to Gmail.

Microsoft followed in 2024–2025, enforcing similar requirements for Outlook, Hotmail and Live.com inboxes.

What This Means in 2026

By mid-2026, authentication failures are among the fastest ways to get a domain deferred or blacklisted — regardless of your send volume. Gmail’s spam filters have grown significantly more aggressive at flagging unauthenticated sends, even from domains with no prior deliverability issues.

The Enforcement Timeline

• February 2024

Google & Yahoo announce bulk sender requirements

• April 2024

Google begins enforcing — non-compliant senders see deferrals

• June 2024

Google escalates to rejection for persistent non-compliance

• Q3 2024

Microsoft rolls out similar enforcement for Outlook/Hotmail

• 2025

DMARC at p=none minimum becomes a de facto industry standard

• 2026

ISPs increasingly use DMARC alignment, not just presence, as a signal

Cold Email Senders: Extra Rules Apply

If you’re doing cold outreach (even at low volumes), these practical rules apply in 2026:

• Use a separate sending domain — don’t cold email from your primary business domain.
• Set SPF, DKIM and DMARC on every sending domain, including aliases and secondary domains.
• Start with p=none DMARC but plan to move to p=quarantine within 30–60 days of monitoring.
• Check your domain health before every campaign — Woodpecker’s Domain Check-Up (Settings → Email Accounts → gear icon) shows your authentication status at a glance.

Woodpecker now also offers pre-configured domains with SPF, DKIM and DMARC already set up — removing the risk of misconfiguration for new outreach domains.

SPF, DKIM and DMARC Compared

What it authenticates

• SPF: Sending server IP
• DKIM: Message content and sender
• DMARC: Alignment of both

DNS record type

• SPF: TXT
• DKIM: TXT
• DMARC: TXT

Required since

• SPF: Best practice since 2006
• DKIM: Best practice since 2011
• DMARC: Required by Google/Yahoo since 2024

Survives forwarding

• SPF: No
• DKIM: Yes
• DMARC: Depends on DKIM alignment

Gives you reports

• SPF: No
• DKIM: No
• DMARC: Yes

Stops spoofing alone

• SPF: Partially
• DKIM: Partially
• DMARC: Yes, with p=reject

Complexity to set up

• SPF: Low
• DKIM: Medium
• DMARC: Low, once SPF/DKIM are done

Over to You

SPF, DKIM and DMARC together form the gold standard of email authentication. In 2026, they’re not optional — they’re the entry ticket to reliable inbox delivery on Gmail, Yahoo and Outlook.

SPF and DKIM are the foundation while DMARC ties them together to give you visibility and policy enforcement. Since each of these records requires a DNS lookup to verify your identity, having them correctly configured is essential for mail servers to trust your domain. If you have been putting off DMARC, now is the time to set it to p=none and start monitoring. You can always tighten it later — but you can’t fix deliverability problems you don’t know about.

If I were you, I’d go to my Woodpecker account and run a Domain Check-Up right now. And if anything is missing, I’d get it fixed before the next campaign goes out.

FAQ

What is the difference between SPF, DKIM and DMARC?

SPF (Sender Policy Framework) specifies which IP addresses are allowed to send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to verify the message hasn’t been altered and genuinely comes from your domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) sits on top of both — it tells receiving servers what to do when SPF or DKIM fails and sends you reports on how your domain’s email is being handled. You need all three for comprehensive email authentication in 2026.

Do I need SPF, DKIM and DMARC for cold email?

Yes. Google, Yahoo and Microsoft all require SPF and DKIM for any sender. DMARC is required for bulk senders (5,000+ emails/day to Gmail or Yahoo), but even at lower volumes, not having DMARC means receiving servers have no policy to follow when authentication fails — which increases the risk of spam filtering. For cold email specifically, you should use a separate sending domain with all three records configured.

How do I know if my SPF and DKIM are set up correctly?

Use a free tool like MxToolbox or Google’s Admin Toolbox to check your SPF record. For DKIM, send a test email to a Gmail address and open the original message — if you see DKIM: PASS in the headers, you’re set. Woodpecker users can also check directly in the app: Settings → Email Accounts → gear icon → Domain Check-Up.

What happens if I don’t have SPF or DKIM set up?

Without SPF and DKIM, receiving mail servers have no way to verify your emails are legitimate. This leads to higher spam rates, email deferrals, potential blacklisting and — since Google and Yahoo’s 2024 enforcement — outright rejection for senders above the bulk threshold. It also leaves your domain vulnerable to spoofing and phishing attacks.

What is the best DMARC policy to start with?

Start with p=none. This “monitor only” mode generates DMARC reports without blocking or quarantining any mail. After reviewing 2–4 weeks of reports and confirming your legitimate mail is passing SPF and DKIM cleanly, upgrade to p=quarantine (sends failing mail to spam) and eventually p=reject (blocks failing mail entirely).

Can I have multiple SPF records on one domain?

No — you can only have one SPF TXT record per domain. If you use multiple email sending tools, combine them all into a single SPF record. For example: v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all. Having two separate SPF records will cause SPF to fail.

Does DMARC require both SPF and DKIM to pass?

No. DMARC passes if either SPF or DKIM passes with proper alignment to your From domain. However, since SPF breaks when a message is forwarded, DKIM alignment is generally more reliable. Best practice is to have both configured correctly so you’re protected in any scenario.

What is an SPF record and why is it important?

An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which IP addresses are authorized to send email on behalf of your domain. It’s important because it helps prevent email spoofing and phishing attacks and is now required by major email providers including Google and Yahoo for reliable inbox delivery.

What role do IP addresses play in SPF and DKIM?

In SPF, specific IP addresses (or references to other domains’ SPF records) are listed to authorize which mail servers can send on your behalf. DKIM doesn’t use IP addresses directly — instead it uses cryptographic keys. The private key signs outgoing messages and the public key (published in DNS) lets receiving servers verify that signature, regardless of which IP the message came from.

Why might email messages end up in the spam folder and how can SPF, DKIM and DMARC help?

Emails land in spam for many reasons: failing authentication checks, being sent from an IP with a bad reputation, containing spammy content or having no DMARC policy. SPF and DKIM prove your emails are legitimate. DMARC tells receiving servers how to handle failures and gives you reports to spot problems early. Together, they’re the most effective technical measures you can take to keep your emails out of spam.