How do TXT records interact with DMARC, SPF, and DKIM?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture an email arriving at Gmail. In the background, Gmail's servers do three quick lookups before deciding whether to deliver that message. Each one hits a different TXT record in your DNS. Here's what's actually happening.

SPF lives at your domain's root. When your email arrives, the receiving server looks up the TXT record at yourdomain.com and checks whether the IP address that sent the message is listed there. It's checking the envelope sender, not the From address your subscribers see. If the sending IP is on the list, SPF passes.

DKIM lives at a selector subdomain, something like s1._domainkey.yourdomain.com. The sending server added a cryptographic signature to the email's headers before it left. The receiving server grabs the public key from that TXT record and uses it to verify the signature hasn't been tampered with. If the math checks out, DKIM passes.

DMARC lives at _dmarc.yourdomain.com. It's the policy layer that sits on top of both checks. It asks two questions about the results it just received. Did SPF pass AND does the domain used in that check align with the From address? Same question for DKIM. If either one passes alignment, DMARC passes. If neither does, DMARC instructs the receiving server to follow your policy (none, quarantine, or reject).

So the records aren't checking the same thing at all. Think of it this way:

  • SPF answers "did this message come from an approved server?"
  • DKIM answers "was this message signed and unaltered?"
  • DMARC answers "do those results connect back to the domain in the From address, and what should happen if they don't?"

They're independent checks, but DMARC is what ties the results together into a final decision. You can have SPF pass and DKIM pass and still fail DMARC if neither one is aligned to your From domain. That's the part that trips people up most often.

Receiving servers don't check them in a strict sequence either. The SPF check happens during the SMTP transaction, before the full message is received. DKIM and DMARC are checked after the full message arrives. So there's a slight timing difference, though it's all invisible to you and your subscribers.

If you want to see exactly what a real email returned for all three checks at once, paste the raw headers into our free Email Header Analyzer. It'll show you the pass or fail result for each protocol in plain English.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your records and From domain above

I'm setting up email authentication for your domain and I want to make sure SPF, DKIM, and DMARC are all configured correctly. Can you check the following details and tell me if anything looks misaligned or missing? 1. My SPF record (paste it here) 2. My DKIM selector name and the domain it's published on 3. My DMARC record (paste it here) 4. The From address domain my emails use For each one, tell me: (1) whether the record looks valid, (2) whether the domains align with my From address, and (3) what to fix first if something is off.

Edit the yellow boxes, then send to the AI of your choice.