Authentication · 8 min read

SPF, DKIM, DMARC: the complete authentication checklist

Fifteen items. Every one of them matters. This is the pre-send authentication audit to run before any campaign — the sequence we run on every customer’s domain before they pay for a placement test.

"We're authenticated" is the most common sentence we hear right before someone's inbox test returns 40% Spam. Most of the time they have an SPF record and DKIM enabled, and that's where it stops. Complete authentication means fifteen separate checks, not two. Run through this list before every new sending domain and before every campaign on an old one.

TL;DR

Five SPF checks, four DKIM checks, four DMARC checks, two alignment checks. Any failing item kills or weakens authentication. If all fifteen pass, you're authenticated at the level Gmail and Yahoo expect from bulk senders in 2026.

SPF checklist (5 items)

  1. An SPF record exists at the domain apex. Verify with dig +short TXT example.com | grep spf1. Absence means no SPF at all.
  2. Exactly one SPF record. Two records = permerror = no SPF. If the dig output contains more than one v=spf1 line, merge them into one.
  3. Every sending service is included. Google Workspace, Microsoft 365, every transactional ESP, every marketing ESP, any custom mail server. Missing even one service means its mail softfails.
  4. Under 10 DNS lookups. Count include:, a, mx, exists:, redirect= — including nested ones from each include. Use MXToolbox SPF checker if in doubt.
  5. Ends with ~all or -all. Never +all, never ?all, never missing. Fresh rollouts use ~all; mature setups use -all.
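
The five SPF items above as one offline audit, written in Python. This is an added example, not code from the original page. The ZONE table is constructed data standing in for dig output, the function names are hypothetical, and the limit applied is the RFC 7208 one (more than 10 lookups is a permerror).

```python
import re

# Constructed TXT data standing in for `dig +short TXT <name>` output.
ZONE = {
    "example.com": ["v=spf1 include:_spf.esp-a.test include:_spf.esp-b.test mx ~all",
                    "site-verification=constructed"],
    "_spf.esp-a.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.esp-b.test": ["v=spf1 a mx exists:%{i}.bl.esp-b.test ~all"],
    "_spf.esp-c.test": ["v=spf1 a mx ptr include:_spf.esp-b.test ~all"],
    "heavy.example": ["v=spf1 include:_spf.esp-a.test include:_spf.esp-b.test "
                      "include:_spf.esp-c.test a mx ~all"],
    "dup.example": ["v=spf1 mx ~all", "v=spf1 include:_spf.esp-a.test -all"],
    "open.example": ["v=spf1 mx +all"],
}

def spf_records(name, zone):
    """TXT strings at `name` whose first token is exactly v=spf1."""
    return [t for t in zone.get(name, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(name, zone, path=()):
    """Count DNS-querying terms, following include:/redirect= recursively."""
    recs = spf_records(name, zone)
    if len(recs) != 1 or name in path:      # unresolvable target or include loop
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        mech, target = re.match(r"[+\-~?]?([a-z0-9]*)(?:[:=]([^/\s]+))?", term).groups()
        if mech in ("include", "a", "mx", "ptr", "exists", "redirect"):
            total += 1                      # this term costs one lookup itself
        if mech in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (name,))
    return total

def audit_spf(domain, zone, required=()):
    """Return problems for SPF checklist items 1-5; an empty list means pass."""
    recs = spf_records(domain, zone)
    if not recs:
        return ["no SPF record"]
    if len(recs) > 1:
        return [f"{len(recs)} SPF records (permerror)"]
    terms = recs[0].lower().split()
    problems = [f"missing include:{r}" for r in required if f"include:{r}" not in terms]
    n = count_lookups(domain, zone)
    if n > 10:
        problems.append(f"{n} DNS lookups (limit 10)")
    if terms[-1] not in ("~all", "-all"):
        problems.append(f"ends with {terms[-1]}, not ~all or -all")
    return problems
```

To run it against a live domain, fill the table from real dig output for the domain and for every include target it names.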

DKIM checklist (4 items)

  1. DKIM selector published at the right name. Verify with dig +short TXT selector._domainkey.example.com. The result should start with v=DKIM1 and contain a p= public key.
  2. Key is 2048-bit, not 1024. 1024 still works but is weak. 2048 is the modern default across Gmail, Microsoft and every major ESP.
  3. d= domain matches or aligns with From domain. Open any received message and check the DKIM-Signature header. If From is you@brand.com and the signature says d=mailgun.org, DMARC will fail. Configure the ESP to sign with d=brand.com.
  4. Every sending service signs with DKIM. Not just the main ESP — transactional, marketing, support ticketing, invoicing, any tool that sends from your domain. An unsigned message from one vendor breaks DMARC alignment for that stream.

DMARC checklist (4 items)

  1. DMARC record exists. dig +short TXT _dmarc.example.com should return a v=DMARC1 record.
  2. Policy is at least p=none with rua=. No rua= means no reports means no visibility. A policy with no reporting address barely counts.
  3. Policy is at p=quarantine or stricter after 2 weeks. p=none forever signals laziness to receivers. Gmail has started weighting p=none records lower.
  4. Alignment is verified in actual reports. Pull your latest aggregate report and confirm spf_aligned=1 or dkim_aligned=1 (or both) for every legitimate sending source.
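
A sketch of the four DMARC items in Python, added here as an example and not taken from the original page. The record and the aggregate report are constructed, and the function names are hypothetical. In raw aggregate XML (RFC 7489) the aligned results appear as the dkim and spf elements under policy_evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC record and trimmed aggregate report (RFC 7489 element names).
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>45</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into a dict with lowercase tag names."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc_record(txt):
    """Problems for DMARC checklist items 1-3; an empty list means pass."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["no v=DMARC1 record"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"invalid or missing p= ({policy!r})")
    if "rua" not in tags:
        problems.append("no rua= reporting address")
    if policy == "none":
        problems.append("still at p=none")
    return problems

def unaligned_sources(xml_text):
    """Item 4: message counts per source IP that passed neither aligned check."""
    # Reports arrive from third parties; parse real ones with defusedxml instead.
    failing = {}
    for row in ET.fromstring(xml_text).iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            ip = row.findtext("source_ip")
            failing[ip] = failing.get(ip, 0) + int(row.findtext("count"))
    return failing
```

Each source IP returned is either a legitimate vendor that still needs custom DKIM or Return-Path configuration, or mail that is not yours.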

Alignment checklist (2 items)

  1. Return-Path domain aligns with From domain (SPF). If From is you@brand.com, Return-Path should be bounces@brand.com or a subdomain like bounces.brand.com under relaxed alignment. Inspect the Return-Path: header of a received message.
  2. d= domain aligns with From domain (DKIM). Same domain or subdomain under relaxed alignment. This is the most commonly broken alignment and the reason most DMARC failures happen.
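
Both alignment checks, read from the headers of a received message, as an added Python example that is not part of the original page. The message template and function names are constructed. The organizational domain is assumed to be the last two labels (a real check needs the Public Suffix List), and the code compares identifiers only; it does not verify that SPF or DKIM actually passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message template; rp = Return-Path domain, d = DKIM signing domain.
MSG = ("Return-Path: <bounces@{rp}>\n"
       "DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=k1;\n"
       " h=from; bh=CONSTRUCTED; b=CONSTRUCTED\n"
       "From: Brand <you@brand.com>\n"
       "\n"
       "body\n")

def org_domain(domain):
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    if strict:
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def check_alignment(raw, strict=False):
    """Compare the Return-Path and every DKIM d= domain with the From domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_doms = [d for sig in msg.get_all("DKIM-Signature", [])
                 for d in re.findall(r"(?:^|;)\s*d=([^;\s]+)", sig)]
    return {
        "from": from_dom,
        "spf_aligned": bool(rp_dom) and aligned(rp_dom, from_dom, strict),
        "dkim_aligned": any(aligned(d, from_dom, strict) for d in dkim_doms),
    }

# Vendor defaults (neither identifier aligns) versus custom domains at the ESP.
VENDOR_DEFAULT = MSG.format(rp="mail.esp-vendor.test", d="mailgun.org")
CUSTOM_DOMAINS = MSG.format(rp="bounces.brand.com", d="brand.com")
```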

Tools for the audit

  • dig +short TXT — the fastest, most reliable way to read records. Equivalent on Windows: nslookup -type=TXT.
  • dmarcian SPF Surveyor — expands includes, counts lookups, flags problems.
  • MXToolbox — SPF, DKIM, DMARC lookups in one UI with health grades.
  • Mail-Tester.com — send a test email, get a score plus all three authentication results in one view.
  • Postmark DMARC Monitoring — free, ongoing report aggregation once you publish rua=.
  • Our free placement test — sends through 20+ real seed mailboxes and surfaces SPF/DKIM/DMARC per provider, alongside actual folder placement.

Fixing each red flag

If a check fails, here's where to go:

  • SPF record missing, wrong or over 10 lookups: see the full SPF record setup guide and SPF too many lookups article.
  • DKIM missing, wrong selector, or d= misaligned: see DKIM explained. For Google Workspace specifics, the Google Workspace DKIM walk-through.
  • DMARC missing, p=none forever, no reports: the DMARC for beginners article covers the full rollout.
  • Alignment failing: DMARC alignment failures is the deep dive. Short version: configure custom Return-Path and custom DKIM domain at each ESP.

DNS commands to run right now

dig +short TXT example.com | grep spf1
dig +short TXT selector1._domainkey.example.com
dig +short TXT _dmarc.example.com

# Windows equivalent:
nslookup -type=TXT example.com
nslookup -type=TXT selector1._domainkey.example.com
nslookup -type=TXT _dmarc.example.com

Re-running the checklist

Run this entire checklist every time you:

  • Add a new ESP or transactional mail service.
  • Change DNS providers.
  • Migrate mail platforms (Google Workspace ↔ Microsoft 365).
  • Add a subdomain for a new sending stream.
  • Rotate DKIM keys.
  • Tighten DMARC policy.

Even without changes, run it quarterly. Vendors silently change their SPF includes, rotate IPs, and occasionally break their own DKIM setups. An annual audit catches the slow drift before a campaign does.

Frequently asked questions

If I pass all 15 checks, will my email always land in Inbox?

No. Authentication is necessary, not sufficient. Reputation, engagement, content and sending volume all still matter. But without all 15 passing, you're capped below what your content and list quality could otherwise achieve.

What about BIMI — is it part of this checklist?

BIMI is a layer on top of DMARC, not a replacement for any of the 15 items. It requires DMARC at p=quarantine or stricter plus a verified logo. Consider it after the 15 are clean, not before.

Can I skip SPF if I have DKIM set up?

Technically DMARC passes with either SPF or DKIM aligned. In practice, missing SPF is still a signal filters use — publish both. The cost is 15 minutes; the benefit is better reputation.

What if one of my vendors refuses to support custom DKIM alignment?

Route bulk mail from that vendor through a subdomain like tx.brand.com, and publish a separate SPF/DKIM setup for the subdomain. The visible From address changes, but at least DMARC aligns correctly.