Home/Knowledge Hub/MX, SPF, DKIM, DMARC: Your Email’s Delivery and Security Foundation
← Back to Knowledge Hub

MX, SPF, DKIM, DMARC: Your Email’s Delivery and Security Foundation

EmailEmail SecurityDNS & Network·June 3, 2026·6 min read

Understand how MX, SPF, DKIM, and DMARC work together to get your emails delivered, protect your domain from fraud, and keep your business communications …

What Are Email Delivery Basics?

You sent the quarterly report. Your client says it never arrived. You check your sent folder—it went out. So where’d it go?

The answer often sits in a handful of text entries that every domain has, but few business owners know about: DNS records. These four small pieces of public data decide whether your emails land in inboxes, disappear into spam folders, or bounce back entirely.

Each entry plays a distinct role:

When these four work together, your email is trusted, delivered, and your business reputation stays intact.

  • MX (Mail Exchange) tells the world where to deliver emails coming to your domain.
  • SPF (Sender Policy Framework) lists which email servers are allowed to send mail from your domain.
  • DKIM (DomainKeys Identified Mail) puts a tamper-proof digital seal on every outgoing message.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when SPF or DKIM checks fail.

Real-World Analogy

Think of your domain like a corporate headquarters building. The building’s mailroom has a clearly labeled slot for incoming mail (your MX record)—that’s how letters reach the right floor. When your staff sends out mail, they flash an employee badge (your SPF record) proving they’re authorized. Every outgoing envelope has a unique, machine-embedded seal (your DKIM signature) that can’t be forged. And there’s a policy posted at the front desk (your DMARC record) explaining exactly what to do if someone shows up without a badge or with a broken seal.

How Email Delivery Basics Work

Layer 1 — Plain English

Email delivery is a two‑way street, and the receiving side does most of the checking.

When someone sends an email to you, their email provider glances at your domain’s public paperwork to find the right delivery address. Your MX record is that address—it says, “Send all mail to this specific server.” Without it, no one can reach you.

When you send an email, your outgoing server automatically attaches two things: a list of authorized senders (your SPF record, tucked into your domain’s public directory) and a one‑of‑a‑kind digital signature (your DKIM seal). As the message arrives, the recipient’s server pulls up those records and asks, “Is this server on the guest list?” and “Does the signature match the public key on file?”

If everything checks out, great—the email heads to the inbox. If something looks off, the receiver looks up your domain’s DMARC instructions. That policy might say “quarantine it” (send to spam), “reject it” (bounce), or “just keep an eye on things for now.” Those instructions exist because you created them in your domain’s only‑you‑can‑touch DNS.

The entire conversation happens in milliseconds, before you ever see an “Email sent” confirmation.

Layer 2 — Technical Detail

Technical Details
MX record – sets where incoming mail is delivered, with a priority number. Example: (lower number = preferred).
SPF record – a TXT record at your domain’s apex that lists authorized sending servers. Structure: . The means strict fail; is softfail (mark suspicious).
DKIM record – a TXT record placed at a subdomain like . It holds a public key: (the long key). The selector (e.g., “default”) matches what your email provider stamps into the message header.
DMARC record – a TXT record at . Example: . This policy tells receivers what to do with failures and where to send aggregate reports.
All these records live in your domain’s DNS zone, usually managed by your domain registrar or hosting provider.

Why It Matters for Your Business

When these records are absent or misconfigured, your email gets a reputation problem. Gmail, Microsoft Outlook, and corporate spam filters may start placing your messages in recipients’ junk folders—or rejecting them outright. That means purchase confirmations, support replies, and sales quotes silently vanish.

A bigger risk is impersonation. Without SPF, DKIM, and a DMARC policy that says “reject,” anyone on the internet can forge emails that appear to come from your domain. Scammers can send fake invoices to your clients, and it will look legitimate. That damages trust, and recovering from a spoofed domain takes far more work than preventing it.

This isn’t just an IT problem. Marketing campaigns depend on deliverability. Support teams need customers to receive password resets. Executives’ mailboxes must be reachable for partnership deals. Every department benefits when email flows reliably and securely.

Common Issues and Warning Signs

Problems often surface quietly—an uptick in “I didn’t get your email” complaints, a bounce message you don’t recognize, or a client forwarding a phishing attempt that uses your company name. Sometimes your email might suddenly stop being delivered to Gmail users after they tighten their requirements.

Most of these root issues show up as missing or incomplete DNS records. A TechSpy scan can surface them instantly.

Common Issues

Emails to clients go to spam or bounce – Often missing SPF or DKIM. Gmail and others require at least one of them.
Customers report phishing messages from your domain – No DMARC enforcement (p=reject) means criminals can spoof you freely.
Inbound email suddenly stops after a server migration – MX records still point to the old mail host.
Your email provider says setup is complete, but something’s still off – DKIM public key not yet copied into DNS, or a typo in the TXT value.
TechSpy shows a warning for your domain’s email records – A direct sign that one or more essential pieces are missing or malformed.

How to Fix or Improve Your Email Delivery Records

The good news: fixing these records usually takes less than 30 minutes and the changes are free. You only need access to your domain’s DNS control panel and the exact values from your email provider (Microsoft 365, Google Workspace, or whoever handles your business email).

Once you’ve made the changes, run TechSpy again to confirm everything is in place. Your email will be on a much stronger foundation—and you’ll have one less thing to worry about.

<!-- self-check: layer1_readable=true | fix_doable=true | no_padding=true | jargon_expanded=true -->

1Run a TechSpy scan on your domain to see exactly which records are missing or misconfigured.
2Log in to your domain’s DNS management area (where your domain is registered, or where your DNS is hosted).
3Set your MX records to match your email provider’s recommended servers (e.g., Microsoft 365 might use with priority 0).
4Add an SPF TXT record at your domain’s root. Use the include: value your provider supplies, and end with . For Google Workspace: .
5Enable DKIM in your email provider’s admin panel, then create the DKIM TXT record they give you at the exact subdomain they specify (usually ).
6Create a DMARC record at to start monitoring. A safe first record: . That won’t block anything, but will send you reports.
7If someone else manages your DNS (IT agency, web developer, hosting provider), forward them your email provider’s setup instructions along with the TechSpy scan results.

See how your domain's configuration stacks up.

Get a free scan — no sign-up, no credit card.

Scan Your Domain Free →