Deliverability & Anti-Spoofing

DNS Trust Records: The Final Say on Deliverability

If your emails are hitting spam, the issue isn't your copy—it's your DNS configuration. We cover the three non-negotiable protocols: SPF, DKIM, and DMARC.

By Sarah White | November 12, 2025 | 5 min read

If your welcome emails, password resets, and marketing campaigns are going straight to the spam folder, the problem isn't your content—it's your Domain Name System (DNS) Trust Records. DMARC, DKIM, and SPF are the essential protocols that major mail providers (like Gmail and Outlook) use to verify that an email really came from your domain. If these records are missing or misconfigured, recipient servers treat your messages with suspicion.

Failing to implement these records correctly is not just a deliverability failure; it’s a critical security vulnerability that allows phishers to easily spoof your brand, which can devastate your reputation and lead to costly support issues.

The Three Pillars of Email Trust

1. SPF (Sender Policy Framework)

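SPF lists all servers authorized to send mail for your domain. Receiving servers compare the connecting server's IP address against this list for the envelope sender (Return-Path) domain, which prevents spammers from sending emails through unlisted servers in your name. SPF on its own does not check the visible From: header; DMARC alignment covers that. It is implemented as a TXT record in your DNS.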

2. DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to each message to prove that the signed headers and body haven't been tampered with in transit. This signature ties the message to the signing domain and ensures message integrity. The public key used to verify it is also typically published as a TXT record, at a host name that includes a selector.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

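DMARC tells the recipient server what to do if the email fails authentication (e.g., quarantine or reject) and, critically, sends you reports on failed authentication. A message passes DMARC when SPF or DKIM passes for a domain that aligns with the visible From: domain; the policy applies when neither does. It acts as the orchestration layer, connecting SPF and DKIM validation outcomes with a defined policy.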

Example DNS Trust Record Set

The following shows basic examples of how these records appear as TXT records in your DNS zone file. You must replace the placeholders with your actual mailing service values.

Sample DNS TXT Records for `yourdomain.com`

// SPF Record (Host: @ or yourdomain.com)
v=spf1 include:sendgrid.net include:_spf.google.com ~all
// DKIM Record (Example Host: s1._domainkey.yourdomain.com)
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD...
// DMARC Record (Host: _dmarc.yourdomain.com)
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; fo=1; pct=100

Action: The DMARC policy is currently set to `p=none` (monitoring mode) to safely gather reports before enforcing `p=quarantine` or `p=reject`.

Proper implementation requires checking all services that send email on your behalf (Marketing, CRM, transactional apps) and updating your DNS accordingly. This is a vital step in maintaining brand reputation and ensuring high deliverability rates.
