Verify your domain (SPF, DKIM, DMARC)
The DNS records that prove you own your domain — and keep you out of spam.
Before any provider will let you send freely — and before inboxes will trust you — you add a few DNS records to your domain. They prove the email really comes from you. Your provider generates the exact values; this page explains what each one is.
The three records, in plain English
- SPF — a TXT record that lists which servers are allowed to send email for your domain. "These senders are approved."
- DKIM — a digital signature on every email, checked against a key in your DNS. "This email really came from us and wasn't tampered with."
- DMARC — a policy that tells inboxes what to do if SPF/DKIM fail, and where to send reports. "If a message fails the checks, here's how to handle it."
Why you can't skip this (2024+ rules)
Since 2024, Gmail and Yahoo require anyone sending in bulk (5,000+ emails/day) to have all three — SPF, DKIM, and DMARC — plus:
- a one-click unsubscribe link (Mailbo adds this automatically), and
- a spam-complaint rate under 0.3%.
Even below 5,000/day, having all three dramatically improves whether you reach the inbox. It's worth doing from day one.
How to set them up
- Get the records from your provider. When you add your domain (in SES, Mailgun, etc.), it shows the exact SPF, DKIM, and sometimes Return-Path/tracking records.
- Add them at your DNS host (where you bought your domain — GoDaddy, Namecheap, Cloudflare, etc.), copying each Type / Name / Value exactly.
- Verify back in your provider. DNS changes can take anywhere from a few minutes up to 24–48 hours to propagate.
Add DMARC (do this once)
Most providers set up SPF and DKIM but leave DMARC to you. Add one TXT record:
- Type: TXT
- Name: _dmarc.yourdomain.com
- Value (safe starting point): v=DMARC1; p=none; rua=mailto:you@yourdomain.com
p=none just monitors (no mail is blocked) and sends you reports. Once you're confident everything passes, you can tighten to p=quarantine then p=reject.
Common mistakes
- Two SPF records. You may only have one v=spf1 TXT record — merge your provider's include: into the existing one.
- Editing the wrong domain. Add records to the exact domain you send from.
- Impatience. If verification fails, wait for DNS to propagate and re-check later.
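
A lint for the "two SPF records" mistake above and for the DMARC record from the previous section, as an added example that is not part of the original page or any provider's tooling. It takes TXT strings you have already looked up; the sample records and .test hostnames are constructed, and keeping the strictest "all" term when merging is an assumption.

```python
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}  # SPF qualifiers, loosest to strictest
def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def merge_spf(records):
    """Fold several v=spf1 records into one; assumption: keep the strictest 'all'."""
    mechanisms, all_term = [], None
    for rec in records:
        for term in rec.split()[1:]:
            qualifier = term[0] if term[0] in STRICTNESS else "+"
            if term.lstrip("+-~?").lower() == "all":
                if all_term is None or STRICTNESS[qualifier] > STRICTNESS[all_term[0]]:
                    all_term = qualifier + "all"
            elif term not in mechanisms:
                mechanisms.append(term)
    return " ".join(["v=spf1"] + mechanisms + ([all_term] if all_term else []))

def lint(domain_txt, dmarc_txt):
    """domain_txt: TXT values at the sending domain; dmarc_txt: TXT values at _dmarc.<domain>."""
    findings = []
    spf = [r for r in domain_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records; publish one: " + merge_spf(spf))
    dmarc = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("expected exactly one DMARC record, found %d" % len(dmarc))
        return findings
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC p= is missing or invalid")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, nothing is blocked")
    if "rua" not in tags:
        findings.append("DMARC has no rua= report address")
    return findings

# Constructed sample records (hypothetical provider hostnames under .test).
SAMPLE_DOMAIN_TXT = ["v=spf1 include:_spf.example-esp.test ~all",
                     "v=spf1 include:mail.example-host.test -all", "site-verification=abc123"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:you@yourdomain.com"]

if __name__ == "__main__":
    for finding in lint(SAMPLE_DOMAIN_TXT, SAMPLE_DMARC_TXT):
        print("-", finding)
```

A merged SPF record still has to stay within SPF's limit of 10 DNS-querying mechanisms (RFC 7208), so count the include: terms after merging.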