Do SPF and DKIM work without proper DNS?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Short answer: no. SPF and DKIM don't live on your mail server. They live in DNS. When a receiving mail server checks your authentication, it goes to look up your DNS records in real time. If those records aren't there, or they're wrong, the check fails. Full stop.
Here's how each one works in practice. For SPF, the receiving server queries your DNS for a TXT record at your root domain (something like v=spf1 include:mailchimp.com ~all). If it finds nothing, or finds a record that doesn't include your sending IP, SPF fails. For DKIM, the receiver queries a specific subdomain (like selector._domainkey.yourdomain.com) looking for your public key. No key, or a mismatched key, means the signature verification fails.
One thing that trips people up: your server configuration and your DNS records are two separate things. You can have your ESP generating DKIM signatures perfectly, but if the public key was never actually published in DNS, receivers have nothing to verify against. Both sides have to be right.
So how do you check if your records are actually there and readable? The fastest way is to use our free SPF checker and DKIM Record Lookup. Pop in your domain and you'll see exactly what any mail server would find when it goes looking. No guessing.
If something looks off, here's where to start. For SPF, confirm the record exists at your root domain and that all your sending sources are listed. For DKIM, double-check that you're using the right selector (your ESP will tell you which one) and that the subdomain record was saved correctly in your DNS host. DNS propagation can also be a factor, new or changed records sometimes take a few hours to be visible globally, so if you just made changes, give it some time before assuming something is broken.
If you've checked all of that and things still aren't resolving cleanly, it's worth looking at the raw email headers from a test message. Our email header analyzer will show you exactly what authentication result receivers are seeing on the other end.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.