All articles
Deliverability · 8 min read

SPF, DKIM and DMARC Explained in Plain Language (And Why You Cannot Send Marketing Email Without Them in 2026)

Part of the guide: Email Deliverability: The Ultimate Guide to Landing in the Inbox (Not Spam)

What SPF, DKIM and DMARC really are, the spoofing problem they solve, and why Gmail and Yahoo now require all three.

Luciano Rezende
Founder, Mailmundo

If you run a local service business and you send email to your customers, there are three short words you have probably seen and quietly ignored: SPF, DKIM and DMARC. They look like technical jargon meant for engineers, and for years you could get away with not understanding them. That time is over. Since 2024, Gmail and Yahoo require any business that sends a meaningful volume of email to set up all three, and in 2026 the enforcement has become strict. Get them wrong and your appointment reminders, your promotions and your newsletters quietly land in spam, or never arrive at all. At Mailmundo we built our platform to walk you through this setup step by step, but I want you to actually understand what is happening. This article explains all three in plain language, with no shortcuts and no errors.

The problem these three things solve: anyone can pretend to be you

Email was invented in a more trusting era. The original design lets any computer on the internet claim to be sending from any address. There is nothing built into basic email that stops a stranger from sending a message that says it comes from you@yourbusiness.com when it absolutely does not. This is called spoofing, and it is the root of most phishing and scam email.

Imagine a criminal sends a fake invoice to your customers using your business name and your domain. Your customers trust you, so some of them pay. The damage to your reputation is immediate, and the mailbox providers like Gmail get blamed for delivering the fraud. To protect their users, those providers decided they would no longer trust email that cannot prove who sent it. SPF, DKIM and DMARC are the three tools that let your domain prove its identity. Together they answer one question for the receiving server: is this message really authorized by the domain it claims to come from?

SPF: the guest list of approved senders

SPF stands for Sender Policy Framework. Think of it as a guest list. You publish a small public note attached to your domain that says which servers are allowed to send email on your behalf. When you use Mailmundo, our sending servers need to be on that list. When you use Google Workspace for your normal mail, Google's servers need to be on it too.

Technically, SPF is a single line of text published in your domain's DNS settings, in a record type called a TXT record. DNS is the public address book of the internet; anyone can look up what you have published there. Your SPF record lists the approved sending sources, usually by referencing each provider with an include: entry that points at the provider's own list. When a message arrives, the receiving mail server reads the address it claims to come from, looks up your SPF record, and checks whether the server that actually delivered the message is on your approved list. If it is, SPF passes. If it is not, SPF fails.

SPF has one important limitation. It checks the hidden technical sender address used during delivery (the bounce address, also called the envelope sender or Return-Path), not the friendly From address your customer actually sees. That is why SPF alone is not enough, and why the second tool exists.
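To make the guest-list check concrete, here is an added example (my own illustration, not Mailmundo's code and not part of the original article) that evaluates a constructed SPF record the way a receiving server does. The domain names and IP ranges are placeholders I made up; only the ip4, ip6, include and all terms are handled, because the other mechanisms need live DNS.

```python
import ipaddress

# Constructed DNS zone for the example: TXT records for a placeholder
# domain and for the mail provider its SPF record includes. Not real data.
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting server `sender_ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:
        return "permerror"  # SPF caps DNS lookups at 10; runaway includes are an error
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"       # no guest list published at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"     # a term with no prefix means "match => pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An IPv4 address is never inside an IPv6 network and vice versa
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # The included domain's own record is evaluated; only a pass counts as a match
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue        # a, mx, exists, ptr need live DNS; skipped in this offline example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"        # nothing matched and no explicit all: SPF says nothing

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8::1", "192.0.2.1"):
        print(ip, check_spf("example.com", ip))
```

The first three addresses pass (the last two of them only through the provider's included record), while the unknown address hits -all and fails.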

DKIM: a tamper-proof seal on every message

DKIM stands for DomainKeys Identified Mail. If SPF is a guest list, DKIM is a wax seal that proves a letter is genuine and was not opened or altered along the way.

Here is how it works. Your sending platform holds a secret private key. Every time it sends a message, it uses that key to add an invisible digital signature to the message headers. You publish the matching public key in your DNS, again as a TXT record, under a small label called a selector. When the message arrives, the receiving server fetches your public key from your DNS and uses it to verify the signature. If the signature checks out, two things are proven at once: the message genuinely came from a system that holds your private key, and the content was not tampered with in transit. If even one character was changed by a malicious party, the signature breaks and DKIM fails.

The beauty of DKIM is that the signature travels with the message. Even if your email is forwarded several times, the seal can still be verified, as long as the forwarding systems leave the signed headers and body unchanged. This is the strongest of the three building blocks.
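The "tamper-proof seal" is easiest to see in the body hash, the bh= tag of the DKIM-Signature header, which any receiver can recompute without any keys. What follows is an added example, not the article's or Mailmundo's code, using a constructed message and a made-up selector and domain; it covers only the body-hash half of verification, since checking the b= signature itself additionally needs the public key fetched from DNS.

```python
import base64
import hashlib

def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization: CRLF line endings, trailing empty
    lines removed, and exactly one CRLF at the end (an empty body becomes CRLF)."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n"):
        text = text[:-2]
    return text + "\r\n"

def body_hash(body):
    """The bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_signature(header_value):
    """Split 'v=1; a=rsa-sha256; d=example.com; s=mail; bh=...; b=...' into tags."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = "".join(value.split())  # folded header lines add whitespace
    return tags

def body_hash_matches(header_value, body):
    """First half of DKIM verification: does the body still hash to the bh= the signer recorded?"""
    return parse_dkim_signature(header_value).get("bh") == body_hash(body)

# Constructed message and DKIM-Signature header; selector and domain are placeholders.
# The b= value is left empty because producing it needs the sender's private key.
ORIGINAL_BODY = "Hi Sam,\r\n\r\nYour appointment is on Tuesday at 10:00.\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail2026; "
             "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=")
TAMPERED_BODY = ORIGINAL_BODY.replace("10:00", "11:00")  # one character changed in transit

if __name__ == "__main__":
    print("original body matches bh=:", body_hash_matches(SIGNATURE, ORIGINAL_BODY))
    print("tampered body matches bh=:", body_hash_matches(SIGNATURE, TAMPERED_BODY))
```

Changing a single digit in the appointment time produces a different hash, so the receiver knows the content is not what the signer sealed, before it even looks at the key.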

DMARC: the policy that ties it all together

SPF and DKIM each do useful work, but on their own they leave a gap. They do not tell the receiving server what to do when a check fails, and they do not, by themselves, protect the visible From address that customers actually read. DMARC closes both gaps.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is, once more, a TXT record in your DNS, published at a special name made of the label _dmarc in front of your domain (for example _dmarc.yourbusiness.com). It does two jobs.

Job one: alignment

DMARC introduces a rule called alignment. It requires that the domain proven by SPF or DKIM matches the domain in the visible From address your customer sees. A message passes DMARC if it passes SPF with an aligned domain, or passes DKIM with an aligned domain. This is the crucial step, because it finally protects the From line that a human reads. A scammer might pass SPF using their own domain, but they cannot make that domain match your From address, so DMARC fails and the fraud is caught.

Job two: telling receivers what to do

Your DMARC record carries a policy instruction, written as p=, with three possible values. p=none means take no special action; deliver the message normally but send me reports. p=quarantine means treat failing messages as suspicious and route them to the spam folder. p=reject means do not deliver failing messages at all. DMARC also lets you receive aggregate reports by adding an address with the rua tag, so you can see who is sending email under your name.

How the three work together in one delivery

Picture a single newsletter you send through Mailmundo. The receiving server runs all three checks in sequence. It reads your SPF record to confirm our servers are approved. It verifies the DKIM signature using your published public key to confirm the message is genuine and untouched. Then it applies DMARC to confirm that the domain which passed SPF or DKIM aligns with your visible From address, and it follows your DMARC policy for anything that fails. When all of this lines up, the message is treated as trusted mail from a real, accountable business, and it has the best possible chance of reaching the inbox.
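Here is the DMARC step of that delivery as an added example (my own illustration, not Mailmundo's code or the article's), run against a constructed DMARC record and two constructed deliveries: a legitimate newsletter sent through a provider, and an impersonation attempt. One assumption: the organizational domain is simplified to the last two labels, whereas real receivers consult the Public Suffix List.

```python
def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; rua=mailto:...' into a dict of tag values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # Real receivers use the Public Suffix List (shop.co.uk would need three).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment accepts subdomains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

DISPOSITION = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}

def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, what the receiver does) for one message.
    spf_domain is the envelope sender domain SPF checked; dkim_domain is the d= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", DISPOSITION.get(tags.get("p", "none"), "deliver")

# Constructed record for a placeholder domain; the report address is made up.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

if __name__ == "__main__":
    # Newsletter via a provider: SPF passes on the provider's bounce domain (not aligned),
    # DKIM passes with d=news.example.com (aligned under relaxed mode) -> pass.
    print(dmarc_evaluate(RECORD, "example.com", "pass", "bounce.mailprovider.example",
                         "pass", "news.example.com"))
    # Impersonation: SPF passes for the impostor's own domain, no DKIM for example.com
    # -> fail, and p=quarantine sends it to the spam folder.
    print(dmarc_evaluate(RECORD, "example.com", "pass", "impostor.example", "none", None))
```

Switching the record to p=reject turns the second result into an outright rejection, which is the end state the article recommends climbing toward.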

Why you genuinely cannot skip this in 2026

On October 3, 2023, Google and Yahoo announced new rules for bulk senders. Starting in February 2024, any sender delivering more than 5,000 messages per day to Gmail accounts was required to set up SPF and DKIM, publish a DMARC policy, and ensure alignment. At first, a starter policy of p=none was enough to satisfy the rule. The important change is that in 2026 this is no longer a polite suggestion. Enforcement has tightened, and non-compliant messages are now being rejected outright at the connection level rather than merely filtered. Yahoo applies equivalent requirements.

The 5,000-per-day line is the official threshold, but do not let it lull you. Mailbox providers reward authenticated mail and penalize unauthenticated mail across the board, regardless of volume. A small local business that sends a few hundred emails a week still benefits enormously from getting this right, and still suffers when it does not.

What policy should you actually use

My honest recommendation is to start at p=none with reporting turned on. This satisfies the Gmail and Yahoo requirement immediately while you watch the reports to confirm that all your legitimate mail, including anything sent by your booking software or your accountant's tools, is passing correctly. Once you are confident, move up to p=quarantine, and finally to p=reject, which gives you the full protection of stopping anyone who tries to impersonate your domain. Climbing this ladder gradually means you never accidentally block your own legitimate email.

How to check what you have today

You do not need to be technical to inspect your current setup. Free public tools let you type in your domain and see whether your SPF, DKIM and DMARC records exist and whether they are valid. Lookup services such as the widely used MXToolbox checker will report each record and flag obvious mistakes. If you send through Mailmundo, our setup screens show you the exact records to add and then verify them for you automatically, so you can see a clear green confirmation rather than guessing.

What happens if you skip them

The consequences are quiet but serious. Your messages get filtered into spam, where customers never see them. Your sender reputation steadily erodes, which drags down even the messages that do get through. With strict 2026 enforcement, a growing share of your email is rejected before it ever reaches the inbox. And without DMARC at an enforcing policy, your domain remains open for criminals to impersonate, putting your customers and your name at risk. None of this announces itself. You simply notice that your email stops working, with no error message to explain why.

The bottom line

SPF is your guest list of approved senders. DKIM is a tamper-proof seal proving each message is genuine. DMARC ties them to your visible From address and tells receivers what to do when something fails. Together they prove that your email is really yours, which is exactly what Gmail and Yahoo now demand before they will trust you. This is no longer optional, and it is no longer something you can leave for later. At Mailmundo we guide you through every record, verify it for you, and keep watch so your email keeps reaching real inboxes. Set it up once, correctly, and it quietly protects your business and your customers for years.
