Deliverability & Authentication (SPF, DKIM, DMARC)
A brilliant email is worthless if it lands in spam. Authentication and a good sender reputation are what get you into the inbox.
What you will learn
- Explain SPF, DKIM and DMARC in plain words
- Describe sender reputation, list hygiene and domain warm-up
- Avoid the common spam triggers that hurt inbox placement
Getting into the inbox is its own skill
You already met deliverability — whether your email reaches the inbox instead of spam. This lesson goes deeper, because top courses treat it as a whole subject. The big idea: email providers (Gmail, Outlook) only trust senders they can verify and who have a good track record. Proving who you are is called authentication.
The three authentication records, in plain words
These three live in your domain’s settings (your tech person or email tool sets them up once). Each answers a different trust question:
| Record | The question it answers | In plain words |
|---|---|---|
| SPF | Is this server allowed to send for your domain? | A guest list of approved senders |
| DKIM | Was the email changed in transit? | A tamper-proof seal on the envelope |
| DMARC | What to do if SPF/DKIM fail? | Your instructions: reject or quarantine fakes |
In short: SPF says “these servers may send as me”, DKIM adds a digital signature that proves the email was not altered, and DMARC tells the receiver “if a message claiming to be me fails those checks, here is what to do with it.” Together they stop scammers from faking your address and tell Gmail you are the real sender.
How a receiving server checks your email:
1. SPF -> Is the sending server on this domain's guest list?
2. DKIM -> Does the email's signature match (untampered)?
3. DMARC -> If 1 or 2 fail, follow the domain's instructions
(e.g. send to spam, or reject)
All pass -> strong chance of landing in the INBOX
Some fail -> likely SPAM or rejected
Note: Read it as a security gate: SPF checks the sender is allowed, DKIM checks nothing was changed, and DMARC decides the fate of anything that fails. Pass all three and Gmail treats you as a trusted sender — the foundation of good deliverability.
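For readers who want to see the gate as logic, here is an added example (not part of the original lesson) of how a receiver could turn SPF and DKIM results into a DMARC decision. It goes one step beyond the simplified picture above: in the DMARC specification, a message passes when at least one of SPF or DKIM passes for a domain that matches the visible From address, and the domain's policy applies only when neither does. The function names, the example.com/.net/.org domains and the two-label "organizational domain" shortcut are assumptions made for this sketch.

```python
# Added example (not from the lesson): DMARC decision from SPF/DKIM results.
# Domains and the record below are constructed sample values.

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; ...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers use the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organization)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the domain's policy: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:reports@example.com"

if __name__ == "__main__":
    # Newsletter sent through an email tool: SPF passes for the tool's own
    # bounce domain (not aligned), DKIM is signed as example.com (aligned).
    print(dmarc_verdict(RECORD, "example.com", True, "bounce.example.net", True, "example.com"))
    # Forged From address: SPF passes, but only for the forger's own domain.
    print(dmarc_verdict(RECORD, "example.com", True, "example.org", False, ""))
    # Strict DKIM alignment: a subdomain signature does not count.
    print(dmarc_verdict(RECORD, "example.com", False, "", True, "mail.example.com"))
```

The first case shows why setting up DKIM for your own domain matters when you send through an email tool: SPF alone often passes only for the tool's domain, so the aligned DKIM signature is what carries the message through DMARC.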
Sender reputation: your email credit score
Authentication proves who you are; sender reputation is whether providers like you. Think of it like a credit score for email. It goes up when people open and reply, and down when people mark you as spam or your emails bounce.
| Raises your reputation | Lowers your reputation |
|---|---|
| People open and click your emails | Spam complaints |
| Low bounce rate | Many dead/invalid addresses (bounces) |
| Steady, consistent sending | Sudden huge blasts from a cold domain |
| People reply to you | People ignore or delete unopened |
Domain warm-up and list hygiene
Two practical habits protect your reputation:
- Domain (and IP) warm-up — when a brand-new domain starts sending, do not blast 10,000 emails on day one. Start small (a few hundred), then slowly grow the volume so providers learn to trust you. Blasting from a cold domain looks exactly like a spammer.
- List hygiene — regularly remove addresses that bounce or never open. A clean, engaged list keeps your bounce and complaint rates low, which keeps your reputation high.
Common spam triggers to avoid
Even authenticated emails can trip spam filters. Avoid these:
- Spammy words and ALL CAPS in the subject (“FREE!!! BUY NOW!!!”).
- One giant image with almost no text (filters cannot read it).
- Misleading subject lines that do not match the email.
- No unsubscribe link (also illegal — see the compliance lesson).
- Sending to people who never opted in (the fastest way to get complaints).
Note: Notice the pattern: spam filters reward honesty and punish tricks. Clear subject lines, real text, a genuine unsubscribe link, and a permission-based list keep you in the inbox.
Tip: You do not have to write SPF/DKIM/DMARC by hand. Modern tools like Mailchimp or Brevo give you the exact records to paste into your domain settings, and many “verify your domain” for you with a few clicks.
Watch out: Authentication is no longer optional. Gmail and Yahoo now require SPF, DKIM and DMARC for anyone sending in bulk — without them, your emails can be silently rejected before anyone sees them.
Q. What does DKIM mainly prove about an email?
✍️ Practice
- In your own words, write one sentence each explaining SPF, DKIM and DMARC to a shop owner.
- List 4 things you would do to warm up a brand-new sending domain and keep its reputation high.
🏠 Homework
- Write a one-page “deliverability checklist” a beginner could follow: authentication, list hygiene, warm-up, and spam triggers to avoid.