Published: April 3, 2026 | Reading time: 14 min | Category: Email Marketing, Deliverability
Why Email Deliverability Matters More Than Ever
In 2026, inbox providers (Gmail, Outlook, Apple Mail, Yahoo) have become aggressively sophisticated at filtering unwanted email. Average inbox placement rates have dropped to 79% for commercial senders—and for new senders without proper authentication, it can be as low as 40%. Setting up SPF, DKIM, and DMARC correctly is no longer optional.
The Three Pillars of Email Authentication
1. SPF (Sender Policy Framework)
SPF specifies which mail servers are authorized to send email on behalf of your domain. Without it, your emails can be easily spoofed—and inbox providers notice.
How to set up SPF:
v=spf1 include:_spf.your-email-provider.com ~all
Common include statements:
- include:_spf.google.com — Google Workspace
- include:sendgrid.net — SendGrid
- include:mailgun.org — Mailgun
- include:servers.mcsv.net — Mailchimp
Best practice: If using multiple email providers, include all in a single SPF record separated by spaces. Having multiple SPF records causes authentication failures.
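The single-record rule above can be checked mechanically. The following is an added example, not code from the original article: it audits a domain's TXT strings for duplicate SPF records and weak `all` qualifiers, then merges several records into one. The function names and the sample TXT strings are constructed for illustration, and no DNS lookup is performed.

```python
# Constructed sample: TXT strings as a DNS lookup for one domain might return them.
SAMPLE_TXT = [
    "google-site-verification=constructed-token",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",
]

def spf_records(txt_records):
    """Keep only the TXT strings whose first term is the SPF version tag."""
    return [r.strip() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def is_all(term):
    """True for the 'all' mechanism with any qualifier (+, -, ~, ?)."""
    return term.lower().lstrip("+-~?") == "all"

def audit_spf(txt_records):
    """Return a list of findings; an empty list means nothing was flagged."""
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record published"]
    findings = []
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records: receivers treat this as a permanent error")
    for rec in records:
        terms = rec.split()[1:]
        alls = [t for t in terms if is_all(t)]
        if not alls:
            if not any(t.lower().startswith("redirect=") for t in terms):
                findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        elif alls[0].startswith("~"):
            findings.append("~all (softfail): switch to -all once every sender is listed")
        elif not alls[0].startswith(("-", "?")):  # "+all" or bare "all"
            findings.append("+all authorizes any server to send as this domain")
    return findings

def merge_spf(records):
    """Combine several SPF records into one, keeping each mechanism once."""
    seen, merged = set(), []
    for rec in records:
        for term in rec.split()[1:]:
            if not is_all(term) and term.lower() not in seen:
                seen.add(term.lower())
                merged.append(term)
    return " ".join(["v=spf1", *merged, "~all"])
```

Feed `audit_spf` the TXT answers from your own lookup tool; `merge_spf` keeps the softfail qualifier used in the record above, so tightening to `-all` remains a separate, deliberate step.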
2. DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to your emails that verifies the email hasn't been modified in transit and confirms it was sent from your domain.
How it works: Your mail server generates a private key, and the corresponding public key is published in your DNS. When an email is sent, the server uses the private key to create a signature. The receiving server uses the public key to verify it.
Setup: DKIM is typically enabled through your email provider's dashboard—they'll provide you with a DNS record to add. For example, Google Workspace DKIM setup involves adding a TXT record with a 2048-bit public key.
3. DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can monitor authentication results.
DMARC policy levels (p=):
| Policy | What it does | When to use |
|---|---|---|
| p=none | Monitor only, no action taken | Initial setup and testing phase |
| p=quarantine | Failed emails sent to spam/junk | When you're confident authentication is working |
| p=reject | Failed emails completely blocked | Full protection mode; requires thorough testing first |
Basic DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
Add ruf for forensic reports (detailed failure info):
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; pct=100
Always start with p=none and monitor reports for 2-4 weeks before moving to p=quarantine. Jumping straight to p=reject risks blocking legitimate email if your SPF/DKIM isn't fully configured.
Common Deliverability Issues and How to Fix Them
| Problem | Solution |
|---|---|
| Emails going to spam | Check all three authentication records; run seed tests; review content for spam signals |
| SPF softfail (~all) | Replace ~all with -all once you've verified all legitimate senders are included |
| DKIM signature invalid | Verify DNS record matches exactly; check for email header modifications in transit |
| DMARC authentication failures | Ensure the SPF domain aligns with the From domain; the DKIM signing domain must match the From header domain that DMARC checks |
| Low engagement rates | Clean your list; improve subject lines; send more relevant content |
Additional 2026 Deliverability Best Practices
- Use a dedicated sending domain — separate your marketing email domain (e.g., mail.brand.com) from your primary domain to protect reputation
- Warm up new domains gradually — start with 50-100 emails/day, increase over 4-6 weeks
- Monitor your sender reputation — use tools like Google Postmaster Tools, Microsoft SNDS, and third-party services
- Maintain list hygiene — remove hard bounces immediately; re-engage inactive subscribers or remove them
- Authenticate your subdomains — any subdomain sending email should have its own SPF/DKIM/DMARC
- Enable BIMI — Brand Indicators for Message Identification displays your logo in supported email clients (requires DMARC at quarantine or reject level and a verified logo)
- Use double opt-in — reduces spam complaints and improves list quality
Testing Your Setup
Before launching or after making changes, test your authentication:
- MXToolbox — free SPF, DKIM, DMARC record lookup
- Google Admin Toolbox — check MX and DKIM verification
- Mail-tester.com — send a test email to get a comprehensive deliverability score
- Litmus — email testing across 90+ clients
- Send test emails to Gmail, Outlook, Yahoo accounts and check headers for authentication results
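When checking the headers of a test message, a "pass" alone is not enough: DMARC also needs the passing domain to align with the From domain. The following is an added example, not code from the original article: it parses the Authentication-Results header and reports which passing mechanisms are aligned. The sample message is constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string

# Constructed sample headers from a test message (not a real capture).
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=esp-mailer.example header.s=s1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@mail.brand.com;
 dmarc=pass (p=NONE) header.from=brand.com
From: News <news@brand.com>

body
"""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # check uses the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def auth_results(raw_message):
    """Parse the topmost Authentication-Results header into {method: {...}}."""
    # Only the topmost header, added by your own receiver, is trustworthy;
    # lower ones may have been supplied by the sender.
    header = message_from_string(raw_message)["Authentication-Results"] or ""
    header = re.sub(r"\([^)]*\)", "", header)      # drop (comments)
    out = {}
    for clause in header.split(";")[1:]:            # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), **props}
    return out

def alignment(raw_message):
    """Report which passing mechanisms align (relaxed) with the From domain."""
    res = auth_results(raw_message)
    from_dom = org_domain(res.get("dmarc", {}).get("header.from", ""))
    dkim = res.get("dkim", {})
    domains = {
        "spf": res.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2],
        "dkim": dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2],
    }
    return {m: bool(from_dom) and res.get(m, {}).get("result") == "pass"
               and org_domain(d) == from_dom for m, d in domains.items()}
```

In the sample, DKIM passes but is signed by the provider's own domain, so only SPF is aligned; if a message carries several DKIM signatures, this sketch keeps the last result only.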
The Bottom Line
SPF, DKIM, and DMARC aren't just technical requirements—they're essential for email deliverability in 2026. Without proper authentication, even the best email content ends up in spam or not delivered at all. Start with SPF and DKIM, add DMARC in monitoring mode, review your reports, then gradually enforce stricter policies.
Your email sender reputation is built over time—protect it with proper authentication from day one.