{"id":2133,"date":"2026-02-24T12:27:03","date_gmt":"2026-02-24T11:27:03","guid":{"rendered":"https:\/\/woodpecker.co\/blog\/?p=2133"},"modified":"2026-06-17T11:07:19","modified_gmt":"2026-06-17T10:07:19","slug":"spf-dkim","status":"publish","type":"post","link":"https:\/\/woodpecker.co\/blog\/spf-dkim\/","title":{"rendered":"How to Set Up SPF, DKIM &#038; DMARC in 2026: 3-Step Email Authentication Guide (Updated)"},"content":{"rendered":"<h3><span style=\"font-weight: 400;\">TL;DR:\u00a0<\/span><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SPF, DKIM and DMARC are three DNS records that prove your emails are legitimate.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SPF lists which servers can send on your behalf. DKIM adds a cryptographic signature to each message. DMARC tells receiving servers what to do when either check fails.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Google, Yahoo and Microsoft all require these for reliable inbox delivery \u2014 skipping them risks your emails going to spam or being rejected outright.\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This is serious. This is about your email deliverability. I know from my own experience that these acronyms may sound unfamiliar, scary and may seem totally uninteresting. Or maybe they sound familiar, but you never cared enough to check what they really are.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Either way, it&#8217;s time to learn what SPF, DKIM and DMARC are and how to set them up in your<\/span> <a href=\"https:\/\/woodpecker.co\/blog\/what-is-dns\/\"><span style=\"font-weight: 400;\">DNS records<\/span><\/a><span style=\"font-weight: 400;\"> for your email server. They&#8217;re the baseline requirement for any sender who wants their emails to actually arrive. We&#8217;ll also show you where in Woodpecker you can check if they&#8217;re set up properly.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">What is SPF? How Does SPF Work?<\/span><\/h2>\n<p><b>SPF (Sender Policy Framework)<\/b><span style=\"font-weight: 400;\"> is a DNS record that specifies exactly which IP addresses are authorized to send email on behalf of your domain \u2014 and it&#8217;s the first thing a receiving mail server checks before deciding whether to trust your message.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Simply speaking, SPF is a security mechanism created to prevent the bad guys from sending emails on your behalf. The mechanism is all about communication between DNS servers \u2014 and this is the point when it all starts to sound scary. But don&#8217;t panic. I&#8217;ll try to keep it as simple as possible.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Let&#8217;s say you&#8217;ve sent an email to Bob. But how does Bob&#8217;s DNS server know that the email was in fact sent by you? The problem is, it doesn&#8217;t \u2014 unless you have SPF set on your DNS server.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">SPF defines which IP addresses can be used to send emails from your domain name. Let&#8217;s imagine two possible server &#8220;conversations&#8221;. To make it all easier, let&#8217;s assume your name is Mike.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Scenario 1 \u2013 You don&#8217;t have SPF set up.<\/span><\/h3>\n<p><b>Mike&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">Hey, Bob&#8217;s server. I&#8217;ve got a new message from Mike.<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Bob&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">Hi Mike&#8217;s server. What&#8217;s your SPF?<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Mike&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">Yeah, about the SPF\u2026 Who cares, really. I don&#8217;t have one. Trust me, it&#8217;s from Mike.<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Bob&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">If you don&#8217;t have SPF, I can&#8217;t be sure it was Mike who sent this. Give me Mike&#8217;s allowed IPs, so I can compare it with yours.<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Mike&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">I don&#8217;t have the list of Mike&#8217;s allowed IPs.<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Bob&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">Then I don&#8217;t want your message. Delivery denied. Sorry, buddy\u2026<\/span><\/i><\/p>\n<h3><span style=\"font-weight: 400;\">Scenario 2 \u2013 You do have SPF set up.<\/span><\/h3>\n<p><b>Mike&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">Hey, Bob&#8217;s server. I&#8217;ve got a new message from Mike.<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Bob&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">Hi Mike&#8217;s server. What&#8217;s your SPF?<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Mike&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">There you go, here&#8217;s my SPF. There&#8217;s a whole list of IPs that Mike himself declared as the ones which can be used on his behalf.<\/span><\/i> <span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Bob&#8217;s server:<\/b> <i><span style=\"font-weight: 400;\">Ok, let me see\u2026 And the message you have for me is sent from IP 64.233.160.19. Ok, it&#8217;s on the list. Everything looks fine. Gimme the message, I&#8217;ll show it to Bob. Thanks!<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">The moral of those two short dialogues is: set your SPF. If you don&#8217;t, you risk having your email spoofed or you may look like a bad guy and not all your emails will be delivered.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">What Apps Should You Include in Your SPF?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The general idea is to make sure all applications that send emails on your behalf (and are using their own SMTP, not yours) are included in your SPF. For instance, if you&#8217;re using Google Workspace to send emails from your domain, you should put Google in your SPF. Here&#8217;s<\/span> <a href=\"https:\/\/support.google.com\/a\/answer\/178723?hl=en\"><span style=\"font-weight: 400;\">Google&#8217;s instruction on SPF setup<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But it&#8217;s important to check whether Google is the only app you should &#8220;allow&#8221; in your SPF. For instance, if you use HelpScout to manage support emails and Mailchimp to send newsletters, you should include both of them in your SPF.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Should you include Woodpecker in your SPF as well?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No. You should remember to put into your SPF record only the apps that send emails on your behalf using their own SMTP. Woodpecker uses your SMTP to send your emails, so it&#8217;s more of an online email client with superpowers than a mass email sending app.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That said, the deliverability of emails sent from Woodpecker depends on the reputation of your domain. Setting SPF and DKIM authentication will help you protect that reputation and thus improve deliverability of your email.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">SPF Quick-Check: What to Include<\/span><\/h3>\n<ul>\n<li><strong>Google Workspace<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> Yes<\/li>\n<li><strong>Example SPF mechanism:<\/strong> <code>include:_spf.google.com<\/code><\/li>\n<\/ul>\n<\/li>\n<li><strong>Microsoft 365<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> Yes<\/li>\n<li><strong>Example SPF mechanism:<\/strong> <code>include:spf.protection.outlook.com<\/code><\/li>\n<\/ul>\n<\/li>\n<li><strong>Mailchimp<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> Yes<\/li>\n<li><strong>Example SPF mechanism:<\/strong> <code>include:servers.mcsv.net<\/code><\/li>\n<\/ul>\n<\/li>\n<li><strong>HelpScout<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> Yes<\/li>\n<li><strong>Example SPF mechanism:<\/strong> <code>include:helpscoutemail.com<\/code><\/li>\n<\/ul>\n<\/li>\n<li><strong>Woodpecker<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> No<\/li>\n<li><strong>Example SPF mechanism:<\/strong> Uses your own SMTP<\/li>\n<\/ul>\n<\/li>\n<li><strong>Mailgun<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> Yes<\/li>\n<li><strong>Example SPF mechanism:<\/strong> <code>include:mailgun.org<\/code><\/li>\n<\/ul>\n<\/li>\n<li><strong>SendGrid<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> Yes<\/li>\n<li><strong>Example SPF mechanism:<\/strong> <code>include:sendgrid.net<\/code><\/li>\n<\/ul>\n<\/li>\n<li><strong>Amazon SES<\/strong>\n<ul>\n<li><strong>Include in SPF:<\/strong> Yes<\/li>\n<li><strong>Example SPF mechanism:<\/strong> <code>include:amazonses.com<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">How to Set Up SPF Record on Your Server Step by Step<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The first step is to check what your current SPF record is. You can do that using tools like:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"http:\/\/mxtoolbox.com\/SuperTool.aspx\"><span style=\"font-weight: 400;\">MxToolbox<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/toolbox.googleapps.com\/apps\/checkmx\/check\"><span style=\"font-weight: 400;\">Google Apps Toolbox<\/span><\/a><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">When you type in your domain (for instance: woodpecker.co), these tools will run some tests and show you your current SPF or a notification that it hasn&#8217;t been set yet.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Depending on your domain host, the exact steps will differ. Basically, it&#8217;s about pasting a properly structured line of text in the right place in your DNS console.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For instance, if you are using Google Workspace to send all emails from your domain, the line would look like this:<\/span><\/p>\n<p><b>v=spf1 include:_spf.google.com ~all<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><b>v=spf1<\/b><span style=\"font-weight: 400;\"> part is called the version and the parts that follow are called mechanisms:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>v=spf1<\/b><span style=\"font-weight: 400;\"> \u2014 identifies the record as an SPF record<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>include:_spf.google.com<\/b><span style=\"font-weight: 400;\"> \u2014 authorizes Google&#8217;s mail servers to send on your behalf<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>~all<\/b><span style=\"font-weight: 400;\"> \u2014 emails from unauthorized servers are tagged as soft fail (can be flagged as spam but not necessarily blocked)<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">If you&#8217;re using more apps than just Google, the record will be longer \u2014 you&#8217;ll need to chain them all together. For example:<\/span><\/p>\n<p><b>v=spf1 include:_spf.google.com include:servers.mcsv.net include:helpscoutemail.com ~all<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Here&#8217;s how to set up SPF for the most common domain hosts:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/support.google.com\/a\/answer\/33786?hl=en\"><span style=\"font-weight: 400;\">Google Workspace<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/docs.microsoft.com\/pl-pl\/microsoft-365\/security\/office-365-security\/set-up-spf-in-office-365-to-help-prevent-spoofing\"><span style=\"font-weight: 400;\">Microsoft 365<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.zoho.com\/mail\/help\/adminconsole\/spf-configuration.html\"><span style=\"font-weight: 400;\">Zoho Mail<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.namecheap.com\/support\/knowledgebase\/article.aspx\/317\/2237\/how-do-i-add-txtspfdkimdmarc-records-for-my-domain\"><span style=\"font-weight: 400;\">Namecheap<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/pl.godaddy.com\/help\/add-an-spf-record-19218\"><span style=\"font-weight: 400;\">GoDaddy<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/docs.aws.amazon.com\/ses\/latest\/DeveloperGuide\/spf.html\"><span style=\"font-weight: 400;\">Amazon SES<\/span><\/a><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">If you&#8217;re using Woodpecker and aren&#8217;t sure if your SPF is properly set, check it directly in the app: go to <\/span><b>Settings \u2192 Email Accounts \u2192 gear icon \u2192 Domain Check-Up<\/b><span style=\"font-weight: 400;\"> or reach out to the Woodpecker support team for individual help.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">What is DKIM?<\/span><\/h2>\n<p><b>DomainKeys Identified Mail (DKIM) is an email authentication standard that adds a cryptographic digital signature to every outgoing message \u2014 letting the recipient&#8217;s server verify that the email genuinely came from your domain and hasn&#8217;t been tampered with in transit.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">DKIM was created for the same reason as SPF: to prevent bad actors from impersonating you as an email sender. By setting DKIM on your DNS server, you&#8217;re adding an additional layer of proof that says &#8220;yes, it&#8217;s really me sending this.&#8221;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The whole idea is based on encrypting and decrypting an additional signature placed in the header of your message. To make that possible, you need two keys:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The <\/span><b>private key<\/b><span style=\"font-weight: 400;\"> \u2014 unique to your domain, available exclusively to you. It encrypts your signature in the header of outgoing messages.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The <\/span><b>public key<\/b><span style=\"font-weight: 400;\"> \u2014 added to your DNS records using the DKIM standard, so the recipient&#8217;s server can retrieve it and decrypt your signature.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Think of it like the wax seal in Game of Thrones. Ned Stark&#8217;s direwolf seal is public knowledge (the public key) \u2014 anyone can verify a message came from House Stark. But only Ned has the original signet ring (the private key) to set that seal on outgoing messages.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Setting DKIM means placing your public key information into DNS records for your domain. Once done, every email you send carries a hidden signature. When the recipient&#8217;s server decrypts it successfully using your public key, your message is authenticated \u2014 boosting deliverability.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">How to Set Up DKIM Record on Your Server Step by Step<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">First, generate the public key by logging in to your email provider&#8217;s admin console.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you&#8217;re using Google Workspace: note that DKIM signatures are <\/span><b>off by default<\/b><span style=\"font-weight: 400;\"> \u2014 you need to turn them on manually in your<\/span> <a href=\"https:\/\/support.google.com\/a\/answer\/174124?hl=en\"><span style=\"font-weight: 400;\">Google Admin console<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once you have the public key, paste the generated TXT record into the right place in your DNS records.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Finally, turn on email signing so outgoing messages include your signature. Here&#8217;s<\/span> <a href=\"https:\/\/support.google.com\/a\/answer\/180504\"><span style=\"font-weight: 400;\">how to enable email signing in Google Workspace<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Setup guides for other providers:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/docs.microsoft.com\/pl-pl\/microsoft-365\/security\/office-365-security\/use-dkim-to-validate-outbound-email\"><span style=\"font-weight: 400;\">Microsoft 365<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.zoho.com\/mail\/help\/adminconsole\/dkim-configuration.html\"><span style=\"font-weight: 400;\">Zoho Mail<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/www.namecheap.com\/support\/knowledgebase\/article.aspx\/317\/2237\/how-do-i-add-txtspfdkimdmarc-records-for-my-domain\"><span style=\"font-weight: 400;\">Namecheap<\/span><\/a><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">If you&#8217;re using Woodpecker and don&#8217;t have an IT person handy, check your DKIM status directly in the app: <\/span><b>Settings \u2192 Email Accounts \u2192 gear icon \u2192 Domain Check-Up<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Set Up SPF &amp; DKIM and Improve Your Deliverability<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">If you&#8217;re sending lots of emails \u2014 whether for cold outreach,<\/span> <a href=\"https:\/\/woodpecker.co\/blog\/inbound-outbound\/\"><span style=\"font-weight: 400;\">inbound or outbound sales<\/span><\/a><span style=\"font-weight: 400;\"> or newsletters \u2014 the reputation of your domain is crucial. You don&#8217;t want your domain to get blacklisted or your emails to land in spam.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Setting SPF and DKIM records properly is a necessary step toward the security of your email service domain and high deliverability. In 2026, this is no longer just best practice \u2014 it&#8217;s a hard requirement enforced by Google, Yahoo and Microsoft.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">SPF vs DKIM: Key Differences at a Glance<\/span><\/h3>\n<p><strong>What it does<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> Authorizes sending IP addresses<\/li>\n<li><strong>DKIM:<\/strong> Digitally signs the message content<\/li>\n<\/ul>\n<p><strong>Where it lives<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> DNS TXT record<\/li>\n<li><strong>DKIM:<\/strong> DNS TXT record<\/li>\n<\/ul>\n<p><strong>What it protects against<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> IP spoofing<\/li>\n<li><strong>DKIM:<\/strong> Content tampering and domain impersonation<\/li>\n<\/ul>\n<p><strong>Survives email forwarding?<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> No<\/li>\n<li><strong>DKIM:<\/strong> Yes<\/li>\n<\/ul>\n<p><strong>Required by Google\/Yahoo 2024+?<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> Yes<\/li>\n<li><strong>DKIM:<\/strong> Yes<\/li>\n<\/ul>\n<p><strong>Best for<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> Controlling which servers can send<\/li>\n<li><strong>DKIM:<\/strong> Verifying message integrity<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Check these posts on email deliverability for deeper reading:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/woodpecker.co\/blog\/cold-email\/boost-cold-email-deliverability\/\"><span style=\"font-weight: 400;\">What Can We Do to Boost Our Cold Email Deliverability?<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/woodpecker.co\/blog\/cold-email\/mailbox-for-outbound\/\"><span style=\"font-weight: 400;\">Why We Set up a Separate Mailbox for Outbound Campaigns<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/woodpecker.co\/blog\/deliverability-checks\/\"><span style=\"font-weight: 400;\">14 Deliverability Checks to Carry Out Before Sending Your Cold Email Campaign<\/span><\/a><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">What is DMARC?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In a nutshell \u2014 DMARC is an email security measure that protects your domain against being used by bad actors and gives you better control over your email deliverability. It builds on top of SPF and DKIM.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The acronym stands for <\/span><b>Domain-based Message Authentication, Reporting and Conformance<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Authentication<\/b><span style=\"font-weight: 400;\"> \u2014 DMARC checks whether an email was legitimately sent by the person who claims to have sent it.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Conformance<\/b><span style=\"font-weight: 400;\"> \u2014 If an email fails the DMARC test, it&#8217;s handled according to the policy you&#8217;ve set (more on that below).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Reporting<\/b><span style=\"font-weight: 400;\"> \u2014 DMARC lets receivers send reports back to you, describing how messages from your domain were handled.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">All in all, DMARC allows email receivers to check if the incoming email matches what they know about the sender. If it doesn&#8217;t, it tells receiving servers exactly what to do with that message.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It&#8217;s not set up by default \u2014 you need to configure it yourself if you want this additional layer on top of your SPF and DKIM.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Why Does DMARC Matter?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">There are three reasons why DMARC is valuable:<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">1. It&#8217;s a safety measure<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">On the sender&#8217;s end, DMARC protects your domain against unauthorized use \u2014 phishers, spoofers and anyone trying to impersonate you to steal personal information. On the receiver&#8217;s end, it makes it harder for fraudulent email to reach inboxes.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">DMARC specifically protects against <\/span><b>domain spoofing<\/b><span style=\"font-weight: 400;\"> \u2014 when someone unauthorized sends email that appears to come from your domain to deceive recipients into handing over login credentials, payment details or other sensitive data.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">2. It helps you control email deliverability<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">With DMARC in place, you gain visibility into which emails are reaching inboxes and which aren&#8217;t \u2014 including any unauthorized sends from your domain.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">3. It protects your brand reputation<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">If someone is impersonating your domain to run scams, it damages trust in your brand even though you&#8217;re not responsible. DMARC helps stop that.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">DMARC is published in DNS alongside SPF and DKIM. Here&#8217;s what a basic record looks like:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com;<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">How Does DMARC Work?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">DMARC specifies what must pass for a message to reach the inbox and what happens if conditions aren&#8217;t met.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When an email is tested by DMARC, 4 things should happen:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>DKIM pass<\/b><span style=\"font-weight: 400;\"> \u2014 the signature in the header is validated: the private key matches the public key in DNS.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>DKIM alignment<\/b><span style=\"font-weight: 400;\"> \u2014 the parent domain matches the Header From domain.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SPF pass<\/b><span style=\"font-weight: 400;\"> \u2014 the receiving server checks the domain in the Envelope From address and verifies the sending IP is listed in the SPF record.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SPF alignment<\/b><span style=\"font-weight: 400;\"> \u2014 the domain in Envelope From matches the Header From domain.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">A message fails DMARC if it fails <\/span><b>both<\/b><span style=\"font-weight: 400;\"> SPF and DKIM. If even one passes with proper alignment, the message gets through.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Keep in mind: if you forward a message, only the DKIM check stays aligned \u2014 SPF will break.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Why aren&#8217;t SPF and DKIM alone enough?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">SPF and DKIM each work in isolation. There&#8217;s no universal rule about what a receiver should do when they fail \u2014 one receiver might redirect to spam, another might run extra tests, another might let it through. And the domain owner never gets any feedback on what happened.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">DMARC solves this by letting you define your own rules and by generating reports so you can see exactly what&#8217;s happening with your email.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">DMARC Policies and Reporting<\/span><\/h2>\n<p>There are three possible DMARC policies:<\/p>\n<p><strong>p=none<\/strong><\/p>\n<ul>\n<li><strong>What it does:<\/strong> All emails go through, even if they fail SPF\/DKIM. You get reports only.<\/li>\n<li><strong>Best for:<\/strong> Starting out \u2014 monitor without blocking anything<\/li>\n<\/ul>\n<p><strong>p=quarantine<\/strong><\/p>\n<ul>\n<li><strong>What it does:<\/strong> Emails that fail are redirected to spam\/junk<\/li>\n<li><strong>Best for:<\/strong> Intermediate stage once you\u2019ve reviewed reports<\/li>\n<\/ul>\n<p><strong>p=reject<\/strong><\/p>\n<ul>\n<li><strong>What it does:<\/strong> Emails that fail are bounced entirely<\/li>\n<li><strong>Best for:<\/strong> Full enforcement \u2014 use once you\u2019re confident your legitimate mail passes<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">A few days after publishing your DMARC record, you&#8217;ll start receiving aggregate reports from ISPs. These reports include stats on all emails sent from your domain \u2014 including any you didn&#8217;t authorize.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you see more emails than you&#8217;ve sent, someone else is using your domain. The report shows you where those emails came from and whether a <\/span><span style=\"font-weight: 400;\">quarantine<\/span><span style=\"font-weight: 400;\"> or <\/span><span style=\"font-weight: 400;\">reject<\/span><span style=\"font-weight: 400;\"> policy would stop them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Reports can be read with tools like<\/span><a href=\"https:\/\/dmarc.postmarkapp.com\/\"> <span style=\"font-weight: 400;\">Postmark&#8217;s DMARC analyzer<\/span><\/a><span style=\"font-weight: 400;\"> or<\/span><a href=\"https:\/\/dmarcian.com\/xml-to-human-converter\/\"> <span style=\"font-weight: 400;\">dmarcian<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">How to Set Up DMARC<\/span><\/h2>\n<p><b>Step 1 \u2014 Set up SPF and DKIM first.<\/b><span style=\"font-weight: 400;\"> Make sure both records are correctly configured before touching DMARC. If you&#8217;ve followed the steps above, you&#8217;re ready.<\/span><\/p>\n<p><b>Step 2 \u2014 Generate a DMARC record.<\/b><span style=\"font-weight: 400;\"> Use a wizard like<\/span><a href=\"https:\/\/dmarcian.com\/dmarc-record-wizard\/\"> <span style=\"font-weight: 400;\">dmarcian&#8217;s DMARC record generator<\/span><\/a><span style=\"font-weight: 400;\">. Start with <\/span><span style=\"font-weight: 400;\">p=none<\/span><span style=\"font-weight: 400;\"> so no mail is blocked while you gather data.<\/span><\/p>\n<p><b>Step 3 \u2014 Add the DMARC record to your DNS.<\/b><span style=\"font-weight: 400;\"> Add a new TXT record for the host <\/span><span style=\"font-weight: 400;\">_dmarc.yourdomain.com<\/span><span style=\"font-weight: 400;\"> with the generated value.<\/span><\/p>\n<p><b>Step 4 \u2014 Monitor reports and adjust the policy.<\/b><span style=\"font-weight: 400;\"> After reviewing several weeks of reports, move from <\/span><span style=\"font-weight: 400;\">p=none<\/span><span style=\"font-weight: 400;\"> \u2192 <\/span><span style=\"font-weight: 400;\">p=quarantine<\/span><span style=\"font-weight: 400;\"> \u2192 <\/span><span style=\"font-weight: 400;\">p=reject<\/span><span style=\"font-weight: 400;\"> as you confirm your legitimate mail is passing cleanly.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">DMARC Setup Checklist<\/span><\/h3>\n<p><strong>Step 1:<\/strong> SPF record configured in DNS<\/p>\n<p><strong>Step 2:<\/strong> DKIM record configured in DNS<\/p>\n<p><strong>Step 3:<\/strong> DKIM signing enabled in your email admin console<\/p>\n<p><strong>Step 4:<\/strong> DMARC TXT record added at <code>_dmarc.yourdomain.com<\/code><\/p>\n<p><strong>Step 5:<\/strong> DMARC policy starts at <code>p=none<\/code><\/p>\n<p><strong>Step 6:<\/strong> Reporting email set in <code>rua=<\/code> tag<\/p>\n<p><strong>Step 7:<\/strong> Reports reviewed after 2\u20134 weeks<\/p>\n<p><strong>Step 8:<\/strong> Policy tightened to <code>p=quarantine<\/code> or <code>p=reject<\/code><\/p>\n<h2><span style=\"font-weight: 400;\">Google, Yahoo &amp; Microsoft Policy Changes in 2024\u20132026: What Every Sender Must Know<\/span><\/h2>\n<p><b>This is the biggest shift in email authentication enforcement in over a decade and it directly affects your inbox placement right now.<\/b><\/p>\n<h3><span style=\"font-weight: 400;\">What Changed in 2024<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Starting in <\/span><b>February 2024<\/b><span style=\"font-weight: 400;\">, Google and Yahoo rolled out new mandatory authentication requirements for bulk email senders:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Senders dispatching 5,000+ emails per day<\/b><span style=\"font-weight: 400;\"> to Gmail or Yahoo must have valid SPF, DKIM and DMARC all configured. Non-compliant senders face bulk deferrals or outright rejection.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>All senders<\/b><span style=\"font-weight: 400;\"> (even below the 5,000\/day threshold) must have at least SPF or DKIM in place \u2014 or their emails face increased spam filtering.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>One-click unsubscribe<\/b><span style=\"font-weight: 400;\"> is now required for marketing and subscription emails sent to Gmail.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Microsoft followed in <\/span><b>2024\u20132025<\/b><span style=\"font-weight: 400;\">, enforcing similar requirements for Outlook, Hotmail and Live.com inboxes.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">What This Means in 2026<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">By mid-2026, authentication failures are among the fastest ways to get a domain deferred or blacklisted \u2014 regardless of your send volume. Gmail&#8217;s spam filters have grown significantly more aggressive at flagging unauthenticated sends, even from domains with no prior deliverability issues.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">The Enforcement Timeline<\/span><\/h3>\n<ul>\n<li><strong>February 2024<\/strong><\/li>\n<\/ul>\n<p>Google &amp; Yahoo announce bulk sender requirements<\/p>\n<ul>\n<li><strong>April 2024<\/strong><\/li>\n<\/ul>\n<p>Google begins enforcing \u2014 non-compliant senders see deferrals<\/p>\n<ul>\n<li><strong>June 2024<\/strong><\/li>\n<\/ul>\n<p>Google escalates to rejection for persistent non-compliance<\/p>\n<ul>\n<li><strong>Q3 2024<\/strong><\/li>\n<\/ul>\n<p>Microsoft rolls out similar enforcement for Outlook\/Hotmail<\/p>\n<ul>\n<li><strong>2025<\/strong><\/li>\n<\/ul>\n<p>DMARC at <code>p=none<\/code> minimum becomes a de facto industry standard<\/p>\n<ul>\n<li><strong>2026<\/strong><\/li>\n<\/ul>\n<p>ISPs increasingly use DMARC alignment, not just presence, as a signal<\/p>\n<h3><span style=\"font-weight: 400;\">Cold Email Senders: Extra Rules Apply<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">If you&#8217;re doing cold outreach (even at low volumes), these practical rules apply in 2026:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Use a separate sending domain<\/b><span style=\"font-weight: 400;\"> \u2014 don&#8217;t cold email from your primary business domain.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Set SPF, DKIM and DMARC on every sending domain<\/b><span style=\"font-weight: 400;\">, including aliases and secondary domains.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Start with <\/b><b>p=none<\/b><b> DMARC<\/b><span style=\"font-weight: 400;\"> but plan to move to <\/span><span style=\"font-weight: 400;\">p=quarantine<\/span><span style=\"font-weight: 400;\"> within 30\u201360 days of monitoring.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Check your domain health before every campaign<\/b><span style=\"font-weight: 400;\"> \u2014 Woodpecker&#8217;s Domain Check-Up (Settings \u2192 Email Accounts \u2192 gear icon) shows your authentication status at a glance.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Woodpecker now also offers pre-configured domains with SPF, DKIM and DMARC already set up \u2014 removing the risk of misconfiguration for new outreach domains.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">SPF, DKIM and DMARC Compared<\/span><\/h3>\n<p><strong>What it authenticates<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> Sending server IP<\/li>\n<li><strong>DKIM:<\/strong> Message content and sender<\/li>\n<li><strong>DMARC:<\/strong> Alignment of both<\/li>\n<\/ul>\n<p><strong>DNS record type<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> TXT<\/li>\n<li><strong>DKIM:<\/strong> TXT<\/li>\n<li><strong>DMARC:<\/strong> TXT<\/li>\n<\/ul>\n<p><strong>Required since<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> Best practice since 2006<\/li>\n<li><strong>DKIM:<\/strong> Best practice since 2011<\/li>\n<li><strong>DMARC:<\/strong> Required by Google\/Yahoo since 2024<\/li>\n<\/ul>\n<p><strong>Survives forwarding<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> No<\/li>\n<li><strong>DKIM:<\/strong> Yes<\/li>\n<li><strong>DMARC:<\/strong> Depends on DKIM alignment<\/li>\n<\/ul>\n<p><strong>Gives you reports<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> No<\/li>\n<li><strong>DKIM:<\/strong> No<\/li>\n<li><strong>DMARC:<\/strong> Yes<\/li>\n<\/ul>\n<p><strong>Stops spoofing alone<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> Partially<\/li>\n<li><strong>DKIM:<\/strong> Partially<\/li>\n<li><strong>DMARC:<\/strong> Yes, with <code>p=reject<\/code><\/li>\n<\/ul>\n<p><strong>Complexity to set up<\/strong><\/p>\n<ul>\n<li><strong>SPF:<\/strong> Low<\/li>\n<li><strong>DKIM:<\/strong> Medium<\/li>\n<li><strong>DMARC:<\/strong> Low, once SPF\/DKIM are done<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Over to You<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">SPF, DKIM and DMARC together form the gold standard of email authentication. In 2026, they&#8217;re not optional \u2014 they&#8217;re the entry ticket to reliable inbox delivery on Gmail, Yahoo and Outlook.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">SPF and DKIM are the foundation while DMARC ties them together to give you visibility and policy enforcement. Since each of these records requires a DNS lookup to verify your identity, having them correctly configured is essential for mail servers to trust your domain. If you have been putting off DMARC, now is the time to set it to p=none and start monitoring. You can always tighten it later \u2014 but you can&#8217;t fix deliverability problems you don&#8217;t know about.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If I were you, I&#8217;d go to my Woodpecker account and run a Domain Check-Up right now. And if anything is missing, I&#8217;d get it fixed before the next campaign goes out.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">FAQ<\/span><\/h2>\n<h3><span style=\"font-weight: 400;\">What is the difference between SPF, DKIM and DMARC?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">SPF (Sender Policy Framework) specifies which IP addresses are allowed to send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to verify the message hasn&#8217;t been altered and genuinely comes from your domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) sits on top of both \u2014 it tells receiving servers what to do when SPF or DKIM fails and sends you reports on how your domain&#8217;s email is being handled. You need all three for comprehensive email authentication in 2026.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Do I need SPF, DKIM and DMARC for cold email?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Yes. Google, Yahoo and Microsoft all require SPF and DKIM for any sender. DMARC is required for bulk senders (5,000+ emails\/day to Gmail or Yahoo), but even at lower volumes, not having DMARC means receiving servers have no policy to follow when authentication fails \u2014 which increases the risk of spam filtering. For cold email specifically, you should use a separate sending domain with all three records configured.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">How do I know if my SPF and DKIM are set up correctly?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Use a free tool like<\/span> <a href=\"http:\/\/mxtoolbox.com\/SuperTool.aspx\"><span style=\"font-weight: 400;\">MxToolbox<\/span><\/a><span style=\"font-weight: 400;\"> or<\/span> <a href=\"https:\/\/toolbox.googleapps.com\/apps\/checkmx\/check\"><span style=\"font-weight: 400;\">Google&#8217;s Admin Toolbox<\/span><\/a><span style=\"font-weight: 400;\"> to check your SPF record. For DKIM, send a test email to a Gmail address and open the original message \u2014 if you see <\/span><span style=\"font-weight: 400;\">DKIM: PASS<\/span><span style=\"font-weight: 400;\"> in the headers, you&#8217;re set. Woodpecker users can also check directly in the app: Settings \u2192 Email Accounts \u2192 gear icon \u2192 Domain Check-Up.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">What happens if I don&#8217;t have SPF or DKIM set up?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Without SPF and DKIM, receiving mail servers have no way to verify your emails are legitimate. This leads to higher spam rates, email deferrals, potential blacklisting and \u2014 since Google and Yahoo&#8217;s 2024 enforcement \u2014 outright rejection for senders above the bulk threshold. It also leaves your domain vulnerable to spoofing and phishing attacks.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">What is the best DMARC policy to start with?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Start with <\/span><span style=\"font-weight: 400;\">p=none<\/span><span style=\"font-weight: 400;\">. This &#8220;monitor only&#8221; mode generates DMARC reports without blocking or quarantining any mail. After reviewing 2\u20134 weeks of reports and confirming your legitimate mail is passing SPF and DKIM cleanly, upgrade to <\/span><span style=\"font-weight: 400;\">p=quarantine<\/span><span style=\"font-weight: 400;\"> (sends failing mail to spam) and eventually <\/span><span style=\"font-weight: 400;\">p=reject<\/span><span style=\"font-weight: 400;\"> (blocks failing mail entirely).<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Can I have multiple SPF records on one domain?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No \u2014 you can only have one SPF TXT record per domain. If you use multiple email sending tools, combine them all into a single SPF record. For example: <\/span><span style=\"font-weight: 400;\">v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all<\/span><span style=\"font-weight: 400;\">. Having two separate SPF records will cause SPF to fail.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Does DMARC require both SPF and DKIM to pass?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No. DMARC passes if either SPF or DKIM passes with proper alignment to your From domain. However, since SPF breaks when a message is forwarded, DKIM alignment is generally more reliable. Best practice is to have both configured correctly so you&#8217;re protected in any scenario.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">What is an SPF record and why is it important?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which IP addresses are authorized to send email on behalf of your domain. It&#8217;s important because it helps prevent email spoofing and phishing attacks and is now required by major email providers including Google and Yahoo for reliable inbox delivery.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">What role do IP addresses play in SPF and DKIM?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">In SPF, specific IP addresses (or references to other domains&#8217; SPF records) are listed to authorize which mail servers can send on your behalf. DKIM doesn&#8217;t use IP addresses directly \u2014 instead it uses cryptographic keys. The private key signs outgoing messages and the public key (published in DNS) lets receiving servers verify that signature, regardless of which IP the message came from.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Why might email messages end up in the spam folder and how can SPF, DKIM and DMARC help?<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Emails land in spam for many reasons: failing authentication checks, being sent from an IP with a bad reputation, containing spammy content or having no DMARC policy. SPF and DKIM prove your emails are legitimate. DMARC tells receiving servers how to handle failures and gives you reports to spot problems early. Together, they&#8217;re the most effective technical measures you can take to keep your emails out of spam.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is serious. This is about your email deliverability. I know from my own experience that these acronyms may sound unfamiliar, scary and may seem totally uninteresting. Or maybe they sound familiar, but you never cared enough to check what they really are. Either way, it&#8217;s time to learn a bit about what SPF, DKIM and DMARC are and how to set them up in your DNS records for your mail server, if you want to have better control over your email deliverability.<\/p>\n","protected":false},"author":17,"featured_media":9215,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Set Up SPF, DKIM &amp; DMARC in 2026<\/title>\n<meta name=\"description\" content=\"Learn how to set up SPF, DKIM and DMARC in 2026. Step-by-step guide for every major email provider, plus a quick-check table.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/woodpecker.co\/blog\/spf-dkim\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Set Up SPF, DKIM &amp; DMARC in 2026\" \/>\n<meta property=\"og:description\" content=\"Learn how to set up SPF, DKIM and DMARC in 2026. Step-by-step guide for every major email provider, plus a quick-check table.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/woodpecker.co\/blog\/spf-dkim\/\" \/>\n<meta property=\"og:site_name\" content=\"Woodpecker Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/business.facebook.com\/woodpeckerapp\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-24T11:27:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-17T10:07:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/woodpecker.co\/blog\/app\/uploads\/2020\/07\/What_is_DKIM__SPF_And_How_to_Set_It_Up__2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"650\" \/>\n\t<meta property=\"og:image:height\" content=\"391\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Margaret Sikora\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@woodpeckerapp\" \/>\n<meta name=\"twitter:site\" content=\"@woodpeckerapp\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/woodpecker.co\/blog\/spf-dkim\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/woodpecker.co\/blog\/spf-dkim\/\"},\"author\":{\"name\":\"Margaret Sikora\",\"@id\":\"https:\/\/woodpecker.co\/blog\/#\/schema\/person\/dbd5fae1eeb41a0caf2e2c7bda48059f\"},\"headline\":\"How to Set Up SPF, DKIM &#038; DMARC in 2026: 3-Step Email Authentication Guide (Updated)\",\"datePublished\":\"2026-02-24T11:27:03+00:00\",\"dateModified\":\"2026-06-17T10:07:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/woodpecker.co\/blog\/spf-dkim\/\"},\"wordCount\":3813,\"commentCount\":11,\"publisher\":{\"@id\":\"https:\/\/woodpecker.co\/blog\/#organization\"},\"articleSection\":[\"Deliverability\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/woodpecker.co\/blog\/spf-dkim\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/woodpecker.co\/blog\/spf-dkim\/\",\"url\":\"https:\/\/woodpecker.co\/blog\/spf-dkim\/\",\"name\":\"How to Set Up SPF, DKIM & DMARC in 2026\",\"isPartOf\":{\"@id\":\"https:\/\/woodpecker.co\/blog\/#website\"},\"datePublished\":\"2026-02-24T11:27:03+00:00\",\"dateModified\":\"2026-06-17T10:07:19+00:00\",\"description\":\"Learn how to set up SPF, DKIM and DMARC in 2026. Step-by-step guide for every major email provider, plus a quick-check table.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/woodpecker.co\/blog\/spf-dkim\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/woodpecker.co\/blog\/#website\",\"url\":\"https:\/\/woodpecker.co\/blog\/\",\"name\":\"Woodpecker Blog\",\"description\":\"Woodpecker Blog - Pro Tips on Cold Emails, Follow-ups, Sales &amp; Growth\",\"publisher\":{\"@id\":\"https:\/\/woodpecker.co\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/woodpecker.co\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/woodpecker.co\/blog\/#organization\",\"name\":\"Woodpecker.co\",\"url\":\"https:\/\/woodpecker.co\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/woodpecker.co\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/woodpecker.co\/blog\/app\/uploads\/2015\/06\/WP_Logo_WersjaPodstawowa_Pionowa_CzarneTlo_RGB.jpg\",\"contentUrl\":\"https:\/\/woodpecker.co\/blog\/app\/uploads\/2015\/06\/WP_Logo_WersjaPodstawowa_Pionowa_CzarneTlo_RGB.jpg\",\"width\":1240,\"height\":874,\"caption\":\"Woodpecker.co\"},\"image\":{\"@id\":\"https:\/\/woodpecker.co\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/business.facebook.com\/woodpeckerapp\",\"https:\/\/twitter.com\/woodpeckerapp\",\"https:\/\/www.instagram.com\/woodpeckerapp\/\",\"https:\/\/www.linkedin.com\/company\/woodpecker-co\/\",\"https:\/\/www.youtube.com\/channel\/UCNN9wM55yaNI-KEZCfh66_A\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/woodpecker.co\/blog\/#\/schema\/person\/dbd5fae1eeb41a0caf2e2c7bda48059f\",\"name\":\"Margaret Sikora\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/woodpecker.co\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/285df23338966e859f136eed9706c0a6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/285df23338966e859f136eed9706c0a6?s=96&d=mm&r=g\",\"caption\":\"Margaret Sikora\"},\"description\":\"Product Manager and DPO at Woodpecker. A lawyer who gets the SaaS business, understands customers' needs, and speaks the language of IT guys.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/margaretsikora\/\",\"https:\/\/www.instagram.com\/margaret.sikora.official\"],\"url\":\"https:\/\/woodpecker.co\/blog\/author\/gosia-sikora\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Set Up SPF, DKIM & DMARC in 2026","description":"Learn how to set up SPF, DKIM and DMARC in 2026. Step-by-step guide for every major email provider, plus a quick-check table.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/woodpecker.co\/blog\/spf-dkim\/","og_locale":"en_US","og_type":"article","og_title":"How to Set Up SPF, DKIM & DMARC in 2026","og_description":"Learn how to set up SPF, DKIM and DMARC in 2026. Step-by-step guide for every major email provider, plus a quick-check table.","og_url":"https:\/\/woodpecker.co\/blog\/spf-dkim\/","og_site_name":"Woodpecker Blog","article_publisher":"https:\/\/business.facebook.com\/woodpeckerapp","article_published_time":"2026-02-24T11:27:03+00:00","article_modified_time":"2026-06-17T10:07:19+00:00","og_image":[{"width":650,"height":391,"url":"https:\/\/woodpecker.co\/blog\/app\/uploads\/2020\/07\/What_is_DKIM__SPF_And_How_to_Set_It_Up__2.png","type":"image\/png"}],"author":"Margaret Sikora","twitter_card":"summary_large_image","twitter_creator":"@woodpeckerapp","twitter_site":"@woodpeckerapp","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/woodpecker.co\/blog\/spf-dkim\/#article","isPartOf":{"@id":"https:\/\/woodpecker.co\/blog\/spf-dkim\/"},"author":{"name":"Margaret Sikora","@id":"https:\/\/woodpecker.co\/blog\/#\/schema\/person\/dbd5fae1eeb41a0caf2e2c7bda48059f"},"headline":"How to Set Up SPF, DKIM &#038; DMARC in 2026: 3-Step Email Authentication Guide (Updated)","datePublished":"2026-02-24T11:27:03+00:00","dateModified":"2026-06-17T10:07:19+00:00","mainEntityOfPage":{"@id":"https:\/\/woodpecker.co\/blog\/spf-dkim\/"},"wordCount":3813,"commentCount":11,"publisher":{"@id":"https:\/\/woodpecker.co\/blog\/#organization"},"articleSection":["Deliverability"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/woodpecker.co\/blog\/spf-dkim\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/woodpecker.co\/blog\/spf-dkim\/","url":"https:\/\/woodpecker.co\/blog\/spf-dkim\/","name":"How to Set Up SPF, DKIM & DMARC in 2026","isPartOf":{"@id":"https:\/\/woodpecker.co\/blog\/#website"},"datePublished":"2026-02-24T11:27:03+00:00","dateModified":"2026-06-17T10:07:19+00:00","description":"Learn how to set up SPF, DKIM and DMARC in 2026. Step-by-step guide for every major email provider, plus a quick-check table.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/woodpecker.co\/blog\/spf-dkim\/"]}]},{"@type":"WebSite","@id":"https:\/\/woodpecker.co\/blog\/#website","url":"https:\/\/woodpecker.co\/blog\/","name":"Woodpecker Blog","description":"Woodpecker Blog - Pro Tips on Cold Emails, Follow-ups, Sales &amp; Growth","publisher":{"@id":"https:\/\/woodpecker.co\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/woodpecker.co\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/woodpecker.co\/blog\/#organization","name":"Woodpecker.co","url":"https:\/\/woodpecker.co\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/woodpecker.co\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/woodpecker.co\/blog\/app\/uploads\/2015\/06\/WP_Logo_WersjaPodstawowa_Pionowa_CzarneTlo_RGB.jpg","contentUrl":"https:\/\/woodpecker.co\/blog\/app\/uploads\/2015\/06\/WP_Logo_WersjaPodstawowa_Pionowa_CzarneTlo_RGB.jpg","width":1240,"height":874,"caption":"Woodpecker.co"},"image":{"@id":"https:\/\/woodpecker.co\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/business.facebook.com\/woodpeckerapp","https:\/\/twitter.com\/woodpeckerapp","https:\/\/www.instagram.com\/woodpeckerapp\/","https:\/\/www.linkedin.com\/company\/woodpecker-co\/","https:\/\/www.youtube.com\/channel\/UCNN9wM55yaNI-KEZCfh66_A"]},{"@type":"Person","@id":"https:\/\/woodpecker.co\/blog\/#\/schema\/person\/dbd5fae1eeb41a0caf2e2c7bda48059f","name":"Margaret Sikora","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/woodpecker.co\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/285df23338966e859f136eed9706c0a6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/285df23338966e859f136eed9706c0a6?s=96&d=mm&r=g","caption":"Margaret Sikora"},"description":"Product Manager and DPO at Woodpecker. A lawyer who gets the SaaS business, understands customers' needs, and speaks the language of IT guys.","sameAs":["https:\/\/www.linkedin.com\/in\/margaretsikora\/","https:\/\/www.instagram.com\/margaret.sikora.official"],"url":"https:\/\/woodpecker.co\/blog\/author\/gosia-sikora\/"}]}},"_links":{"self":[{"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/posts\/2133"}],"collection":[{"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/comments?post=2133"}],"version-history":[{"count":36,"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/posts\/2133\/revisions"}],"predecessor-version":[{"id":50560,"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/posts\/2133\/revisions\/50560"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/media\/9215"}],"wp:attachment":[{"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/media?parent=2133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/categories?post=2133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/woodpecker.co\/blog\/wp-json\/wp\/v2\/tags?post=2133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}