SPF, DKIM, and DMARC: Why You Can Set Up All Three and Still Get Rejected

Three records can sit in your DNS panel and still let Gmail reject the send. Alignment is the part that decides.

Since February 2024, Gmail and Yahoo have required every sender pushing 5,000 or more messages a day to authenticate with SPF, DKIM, and DMARC. In November 2025, Gmail moved from soft delays to permanent rejections for senders that keep failing. The trap most marketers miss: you can publish all three DNS records correctly and still fail DMARC, because passing a check and aligning to your domain are not the same thing.

So this is the part nobody warns you about when you copy three TXT records into your DNS panel and assume you are done. You are probably not done. The records are the easy 20%. The alignment and the lookup math are where real marketing senders quietly lose deliverability, usually without any error message loud enough to notice until open rates sag.

I want to walk through this the way a paid social or lifecycle manager actually needs it, not the way a mail server admin would. No certifications required. You do need to be willing to look at a DNS record and a report, and that is genuinely it.

The three records, in the order that actually matters to you

Forget the textbook order for a second. Here is the order you should care about as a marketer.

DKIM first. DKIM signs your mail with a cryptographic key, and that signature travels with the message even when it gets forwarded. For anyone sending through Mailchimp, Klaviyo, HubSpot, or Beehiiv, DKIM is the record that does the heavy lifting, because it survives the messy real world of forwarding and relays in a way SPF does not. Your email platform gives you the CNAME or TXT records to publish. Publish them on the exact subdomain they tell you, not a guess.

SPF second. SPF is a published list of who is allowed to send mail using your domain. The receiving server checks the connecting server against that list. It is simple, and it breaks in a specific way I will get to, but it is the second pillar. Note the rule that trips people up: you get exactly one SPF record per domain. Two SPF records are not double protection; they are an instant failure for both.

DMARC third, because it is the policy on top. DMARC tells receivers what to do when a message fails DMARC (neither SPF nor DKIM passes with alignment), and it asks them to send you reports. Its policy has three settings: p=none (monitor only), p=quarantine (send failures to spam), and p=reject (refuse them outright). DMARC is also where alignment gets enforced, which is the thing that quietly wrecks marketing senders.

Concrete benchmark to aim for on day one: DKIM signing on every sending platform you use, a single SPF record under 10 lookups, and a DMARC record live at p=none collecting reports. If you have those three, you have cleared the Gmail and Yahoo entry bar described in Google's sender guidelines. You have not yet cleared the harder bar, which is alignment.

Passing is not aligning, and alignment is where marketers lose

This is the single most important thing in this whole article, so I am going to slow down.

DMARC does not just ask "did SPF or DKIM pass." It asks "did SPF or DKIM pass for the domain in the visible From address." That second condition is alignment, and it is where third-party platforms betray you. When you send through a marketing tool, that platform often stamps its own domain into the return path. SPF passes for the platform's domain, your From address says yourbrand.com, the two do not match, and from DMARC's point of view SPF just failed. You did everything right and the math still says no.

You can pass an online SPF and DKIM checker, see three green checkmarks, and still be failing DMARC alignment on every campaign. The checker is testing whether the records are valid. It is not testing whether they align to your From domain on a live send. Those are different questions, and only one of them controls whether Gmail rejects you.

The fix is cleaner than it sounds, and it is mostly DKIM. As Valimail's own troubleshooting notes, DKIM alignment is the reliable path for third-party senders. In practice that means setting up a custom sending domain or custom DKIM signing inside each platform, so the signature is signed by yourbrand.com instead of the platform's shared domain. Most major ESPs have a setting for this, often labeled "authenticated domain," "dedicated sending domain," or "custom DKIM." Turn it on for every tool that sends on your behalf.

The action: send yourself a real campaign from each platform, open the message, and view the original or the headers. Look for "DMARC: PASS" and check that the signing domain (d=) matches your brand domain. If d= shows the platform's domain instead of yours, alignment is off, and you fix it inside that platform's domain settings. Do this for every sending tool, not just your main ESP. The CRM and the helpdesk count too. This is the same alignment reality that sits underneath the inbox-placement story we covered in the cold email warmup numbers: authentication is the floor, and below the floor nothing else you do matters.
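To make the pass-versus-align distinction concrete, here is an added Python example (not from the article, any ESP, or any receiver) that reads a constructed From header and Authentication-Results header and applies DMARC's relaxed and strict alignment rules. The domains are placeholders, and org_domain is a crude last-two-labels approximation rather than a Public Suffix List lookup.

```python
import re

# Constructed headers (placeholder domains, not real senders). BROKEN is a marketing
# platform sending with its own bounce domain and its own DKIM d=; FIXED is the same
# send after custom DKIM signing for the brand domain has been switched on.
BROKEN = {
    "From": "Brand Newsletter <hello@yourbrand.example>",
    "Authentication-Results": ("mx.receiver.example; "
                               "spf=pass smtp.mailfrom=bounce.platform.example; "
                               "dkim=pass header.d=platform.example"),
}
FIXED = dict(BROKEN, **{"Authentication-Results": (
    "mx.receiver.example; spf=pass smtp.mailfrom=bounce.platform.example; "
    "dkim=pass header.d=em.yourbrand.example")})

def org_domain(domain):
    """Crude organizational domain: last two labels (real checks use the PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed only the same org domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(headers, strict=False):
    """Keep 'passed' and 'aligned' separate per mechanism, then give the verdict."""
    from_domain = re.search(r"@([\w.-]+)", headers["From"]).group(1)
    ar = headers["Authentication-Results"]
    spf = re.search(r"spf=(\w+) smtp\.mailfrom=([\w.-]+)", ar)
    dkim = re.search(r"dkim=(\w+) header\.d=([\w.-]+)", ar)
    spf_pass = bool(spf) and spf.group(1) == "pass"
    dkim_pass = bool(dkim) and dkim.group(1) == "pass"
    # A checker stops at spf_pass/dkim_pass; DMARC also needs the domain to match
    spf_aligned = spf_pass and aligned(spf.group(2), from_domain, strict)
    dkim_aligned = dkim_pass and aligned(dkim.group(2), from_domain, strict)
    return {"from_domain": from_domain, "spf_pass": spf_pass, "dkim_pass": dkim_pass,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            # DMARC passes only when one mechanism both passed AND aligned
            "dmarc_pass": spf_aligned or dkim_aligned}

if __name__ == "__main__":
    for name, hdrs in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, evaluate_dmarc(hdrs))
```

Running it shows BROKEN with two green "pass" results and a failed DMARC, and FIXED passing on DKIM alone; note that FIXED still fails under strict alignment (adkim=s), because em.yourbrand.example is not an exact match for yourbrand.example.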

The SPF 10-lookup limit will bite you the moment you add a fifth tool

Here is the landmine that takes down established senders, not beginners. The SPF specification caps DNS lookups at 10. Every include:, a, mx, and redirect in your record counts, including the nested lookups buried inside the records you reference. Cross 10, and SPF returns a PermError, which most receivers treat as an outright SPF failure.

The reason this hits marketers specifically: stacks grow. Google Workspace alone eats around 4 lookups. Add an email platform, a transactional sender, a CRM, and a support tool, and you are over the line before you finish onboarding the last vendor. Nobody removes the old includes either, so the ESP you stopped using last year is still sitting in your record burning a lookup it no longer earns.

What makes it nasty is the silence. There is no bounce that says "you have 11 lookups." Mail just starts failing SPF, and if your DMARC sits at quarantine or reject and your DKIM alignment is shaky, that failure turns into spam-foldering or rejection. You find out from a metrics dip, not an alert.

The action with a benchmark: run your domain through any free SPF lookup-count checker and confirm you are at 8 or below, not 10. Treat 10 as the cliff edge, not the target, because vendors change their own includes and you want headroom. If you are over, the first move is removing dead includes from tools you no longer use. If you are still over after that, SPF flattening or a hosted SPF service collapses the lookups, though honestly the cleaner long-term answer is leaning harder on DKIM alignment, which has no equivalent lookup ceiling.
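Here is an added Python example (not from the article or any vendor) of the lookup math described above, run against a constructed, offline DNS table standing in for a typical marketing stack with one stale ESP include; the domains and records are placeholders, and the counting follows RFC 7208's rule that include, a, mx, ptr, exists and redirect each cost one query, nested includes included.

```python
import re
# Constructed, offline stand-in for DNS (domain -> SPF TXT). Names are placeholders,
# not real vendors' records; the nesting imitates how large providers split ranges.
FAKE_DNS = {
    "yourbrand.example": ("v=spf1 include:_spf.workspace.example include:spf.esp.example "
                          "include:spf.crm.example include:spf.helpdesk.example "
                          "include:spf.oldesp.example mx -all"),
    "_spf.workspace.example": ("v=spf1 include:_netblocks.workspace.example "
                               "include:_netblocks2.workspace.example "
                               "include:_netblocks3.workspace.example ~all"),
    "_netblocks.workspace.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.workspace.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.workspace.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.esp.example": "v=spf1 include:_spf1.esp.example include:_spf2.esp.example ~all",
    "_spf1.esp.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_spf2.esp.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "spf.crm.example": "v=spf1 ip4:192.0.2.200 ~all",
    "spf.helpdesk.example": "v=spf1 ip4:198.51.100.77 ~all",
    "spf.oldesp.example": "v=spf1 ip4:198.51.100.9 -all",  # ESP nobody uses anymore
}
# Terms that cost a DNS query under RFC 7208's limit of 10; ip4, ip6, all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def count_lookups(domain, dns, seen=None):
    """Count lookup terms in a record plus everything nested inside its includes."""
    seen = set() if seen is None else seen
    if domain in seen:                 # include loop: a real resolver says PermError
        return 0
    seen.add(domain)
    total = 0
    for term in dns.get(domain, "").split()[1:]:          # skip "v=spf1"
        m = re.match(r"[+\-~?]?([a-z]+)(?:[:=/](.+))?$", term, re.I)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        total += 1                                        # the term itself
        if m.group(1).lower() in ("include", "redirect"):
            total += count_lookups(m.group(2), dns, seen)  # nested record's cost
    return total

def spf_verdict(domain, dns):
    """Article's thresholds: 8 or below is the target, 10 the cliff, 11+ PermError."""
    n = count_lookups(domain, dns)
    if n > 10:
        return f"permerror ({n} lookups)"
    return f"{'warning' if n > 8 else 'ok'} ({n} lookups)"

def drop_include(dns, domain, dead):
    """Copy of the table with one stale include removed from the domain's record."""
    fixed = dict(dns)
    fixed[domain] = " ".join(t for t in dns[domain].split() if t != f"include:{dead}")
    return fixed
```

With this table the brand record costs 11 lookups (the Workspace-style include alone costs 4), so it is already in PermError; removing the dead ESP include brings it back to exactly 10, the cliff edge, which is why the next step is flattening or leaning on DKIM rather than declaring victory.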

Start at p=none, but put an actual calendar date on moving up

Almost everyone gets the start right and the follow-through wrong. You publish DMARC at p=none, the reports start flowing, and then nothing happens for eight months because p=none is comfortable and nobody owns the next step.

p=none does not protect anyone. It tells receivers to do nothing and just report. That is the correct first move, because it lets you watch which senders are failing before you start enforcing, and you will almost always find a legitimate tool you forgot about. But it is a starting line, not a resting place. The plan that works: sit at p=none for 30 days while you read reports and fix every legitimate source, then move to p=quarantine, watch for another few weeks, then go to p=reject. Quarantine and reject are where the actual anti-spoofing protection lives.
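The "read reports and fix every legitimate source" step is easier with a script than by eye, so here is an added Python example (not from the article or any DMARC vendor) that parses a constructed aggregate (rua) report in the RFC 7489 XML shape and lists the failing sources, separating a forgotten legitimate tool (raw DKIM or SPF passes under someone else's domain) from traffic that authenticates nowhere. The IPs are documentation ranges and the domains are placeholders.

```python
import xml.etree.ElementTree as ET
# Constructed DMARC aggregate (rua) report in the RFC 7489 XML shape, trimmed to the
# elements used below; IPs are documentation ranges, domains are placeholders.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>yourbrand.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>4200</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results><dkim><domain>em.yourbrand.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>310</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results><dkim><domain>helpdesk.example</domain><result>pass</result></dkim>
      <spf><domain>helpdesk.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>12</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results><spf><domain>unknown-host.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """One dict per source IP: volume, DMARC verdict, and who actually authenticated."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        pe = rec.find("row/policy_evaluated")     # receiver's verdict, alignment applied
        raw = [r.text for r in rec.findall("auth_results/*/result")]
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dmarc_pass": "pass" in (pe.findtext("dkim"), pe.findtext("spf")),
            "dkim_d": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            # raw pass under someone else's domain = a real tool that needs custom DKIM;
            # raw fail everywhere = probably spoofing, which p=reject will stop
            "likely_legit_tool": "pass" in raw,
        })
    return rows

def failing_sources(report_xml):
    """The to-do list before leaving p=none: failing sources, highest volume first."""
    return sorted((r for r in summarize(report_xml) if not r["dmarc_pass"]),
                  key=lambda r: -r["count"])
```

In the sample, the ESP aligns through its brand-signed DKIM and passes despite SPF aligning to the platform's bounce domain, the helpdesk signs with its own domain and fails alignment (the forgotten tool to fix), and the third source authenticates nowhere (what p=reject is for).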

The stakes got real in late 2025. Gmail escalated enforcement in November 2025, shifting from temporary delays toward permanent rejections for non-compliant bulk traffic, and Microsoft began rejecting non-compliant bulk mail to Outlook addresses back on May 5, 2025. The grace period that existed in early 2024 is closing. Senders who treated p=none as the finish line are the ones most exposed now.

While you are in there, remember that the authentication records are necessary but not the whole compliance picture. Google also wants your spam complaint rate under 0.10% and never spiking to 0.30%, a working one-click unsubscribe, and unsubscribes honored within two days. Authentication gets you past the gate. Engagement and complaint rates decide whether you stay inside, which is the same uncomfortable truth behind how Gmail's AI inbox is reshaping what "delivered" even means.

A few questions marketers actually ask

Do I need a dedicated email security vendor for this? For SPF, DKIM, and a basic DMARC rollout, no. Your ESP's documentation plus your DNS panel covers it. Where paid DMARC tools earn their keep is reading the reports at scale and managing SPF lookups across a sprawling stack. If you send from three tools, you can do this yourself. If you send from fifteen across multiple business units, a reporting tool pays for itself in a week of saved confusion.

How long until it works after I publish the records? DNS changes generally propagate within a few hours, though full global propagation can take 24 to 48 hours. Do not panic if a checker disagrees with itself for the first day. Verify again after a full day before you conclude anything is broken.

If DKIM is the strong one, can I skip SPF? Technically DMARC passes on either aligned SPF or aligned DKIM, so DKIM alone can satisfy it. But the bulk sender guidelines expect both set up, and some receivers weigh them differently, so set up both and lean on DKIM for alignment. Belt and suspenders is the right instinct here.

Where to actually start tomorrow morning

If you only do one thing this week, send yourself a live campaign from your main email platform and read the headers for the DMARC result and the signing domain. That single check tells you more than any record validator, because it tests alignment on a real send instead of testing whether your DNS is syntactically tidy. Everything else, the SPF lookup audit, the p=none to reject ramp, the secondary tools, flows from knowing whether your biggest sender actually aligns today.

I will be honest, none of this is thrilling work, and it photographs badly in a marketing deck. But it is the rare deliverability task with a clear finish line and no algorithmic guesswork. You either align or you do not, and the senders who sort it out this quarter will be quietly landing in inboxes while the ones still treating three green checkmarks as proof keep wondering why a clean list stopped converting.

Notice Me Senpai Editorial