arrow_backAll posts
email-deliverabilityspfdkimdmarctutorial

SPF, DKIM, and DMARC Explained: Email Authentication for Non-Technical Teams

P
Prashant Jadon
· 3 views

Why Your Emails Land in Spam

You wrote a perfectly professional email, hit send, and it landed in spam. Or worse — it bounced. The reason isn't your content. It's that your domain doesn't prove you're allowed to send email from it.

Email authentication is how you prove to Gmail, Outlook, and other providers that emails from @yourdomain.com are legitimate — not spoofed by a scammer.

The Three Records, Explained Simply

SPF (Sender Policy Framework)

What it does: Tells the world which servers are allowed to send email for your domain.

Analogy: It's like a guest list at a venue. If a server isn't on the list, its emails get rejected.

The DNS record:

TXT  @  "v=spf1 include:amazonses.com include:mail.rokmail.in ~all"

This says: "Amazon SES and RokMail's mail server can send email for us. Soft-fail everything else."

DKIM (DomainKeys Identified Mail)

What it does: Adds a digital signature to every email you send. The recipient's mail server verifies the signature against a public key in your DNS.

Analogy: It's like a wax seal on a letter. If someone tampers with the email in transit, the seal breaks.

The DNS records: Three CNAME records that AWS SES provides when you verify your domain. They look like:

CNAME  abc123._domainkey  abc123.dkim.amazonses.com

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What it does: Tells receiving servers what to do when SPF or DKIM fails — nothing, quarantine (spam folder), or reject entirely. Also sends you reports about who's trying to send email from your domain.

Analogy: It's the security policy. SPF is the guest list, DKIM is the wax seal, DMARC is what happens when someone shows up without either.

The DNS record:

TXT  _dmarc  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

Setting Up All Three in RokMail

  1. Go to Dashboard → Settings → Custom Domain Sending
  2. Enter your domain — RokMail generates the required DNS records
  3. Add the records to your DNS provider (GoDaddy, Cloudflare, Route 53, etc.)
  4. Click Verify — RokMail checks that all records resolve correctly
  5. Once verified, all outbound email uses your domain with full authentication

The Result

With all three records in place, your emails pass authentication checks at every major provider. Gmail shows your domain name (not "via amazonses.com"), Outlook doesn't flag you as suspicious, and your deliverability rate jumps from ~70% to 95%+.

SPF, DKIM, DMARC Explained for Non-Technical Teams | RokMail