Deliverability Mar 16, 2026 7 min read

Why Your Marketing Emails Land in Spam (And the Exact Fix)

SPF, DKIM, and DMARC explained with exact DNS records. Fix your deliverability in under an hour — no consultant required.

Your open rates dropped below 15%. A customer mentioned they never got your last campaign. Your marketing team is blaming "the algorithm." The real problem is technical, specific, and fixable in under an hour.

Email deliverability comes down to three DNS records: SPF, DKIM, and DMARC. If any of these are missing or misconfigured, receiving mail servers either send your emails to spam or reject them entirely. No amount of subject line optimization will fix a deliverability problem caused by missing authentication.

The 5-Minute Diagnostic

Check SPF: Go to MXToolbox.com → SPF Record Lookup. Enter your sending domain. If the result shows "Pass" and includes your email platform — SPF is working. If it shows "Fail," "SoftFail," or "None" — SPF is missing or broken.

Check DKIM: MXToolbox.com → DKIM Lookup. You'll need your DKIM selector (check your email platform's settings). If it returns a valid public key, DKIM is working.

Check DMARC: MXToolbox.com → DMARC Lookup. Enter your domain. If you see a record starting with v=DMARC1, note the policy. If "No DMARC record found" — you don't have one.

Most orgs we check are missing at least one of these three. Many are missing all three.

What Each Record Does (In Plain English)

SPF (Sender Policy Framework) tells receiving servers: "These are the only mail servers authorized to send email on behalf of our domain." Without it, anyone can send email that looks like it comes from your domain.

DKIM (DomainKeys Identified Mail) cryptographically signs every email you send. The receiving server checks the signature against a public key in your DNS. If DKIM is missing, receiving servers can't verify your emails are authentic.

DMARC ties SPF and DKIM together. It tells receiving servers what to do with emails that fail both checks, and sends you reports showing who's sending email as your domain.

How to Fix SPF

Add a TXT record to your domain's DNS. The format:

v=spf1 include:_spf.google.com include:et._spf.salesforce.com ~all

Customize the include: statements based on which services send email as your domain. Common includes:

  • Google Workspace: include:_spf.google.com
  • Salesforce / Marketing Cloud / Pardot: include:et._spf.salesforce.com
  • Microsoft 365: include:spf.protection.outlook.com
  • HubSpot: include:spf.hubspot.com
  • SendGrid: include:sendgrid.net

Critical rule: one SPF record per domain. Two separate SPF records will both fail — this is the most common SPF mistake.

Second critical rule: max 10 DNS lookups. Each include: statement counts as a lookup. SPF allows a maximum of 10.
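Both critical rules can be checked mechanically. The sketch below is an added example, not code from this post or from any email platform: it lints SPF records held in a constructed, offline ZONE dictionary (the .example domains and function names are assumptions), flags duplicate SPF records, and counts lookups the way RFC 7208 does. It goes slightly beyond the text above: a, mx, ptr, exists and redirect= also count toward the 10, and so do the includes nested inside the records you include.

```python
# Added example: offline SPF lint. ZONE is constructed sample data, not real DNS.
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

ZONE = {  # domain -> TXT strings published at that name (all constructed)
    "good.example": ["site-verification=abc123", "v=spf1 include:_spf.mail.example mx ~all"],
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf2.mail.example ~all"],
    "_spf2.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "dup.example": ["v=spf1 include:_spf.mail.example ~all", "v=spf1 ip4:203.0.113.5 ~all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:192.0.2.{i} ~all"] for i in range(11)})

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records (other TXT data is ignored)."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, depth=0):
    """Worst-case count of DNS-querying terms, following include: and redirect=."""
    records = spf_records(domain, zone)
    if len(records) != 1 or depth > MAX_LOOKUPS:  # depth guard stops include loops
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier (+, -, ~, ?)
        if term.startswith("redirect="):
            name, target = "redirect", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0]  # "a/24" and "mx/24" are still a and mx
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, zone, depth + 1)
    return total

def lint_spf(domain, zone):
    """Apply the two rules: exactly one SPF record, at most 10 lookups."""
    records = spf_records(domain, zone)
    if not records:
        return "none: no SPF record published"
    if len(records) > 1:
        return f"permerror: {len(records)} SPF records, merge into one"
    n = count_lookups(domain, zone)
    if n > MAX_LOOKUPS:
        return f"permerror: {n} DNS lookups (limit {MAX_LOOKUPS})"
    return f"ok: {n} DNS lookups"
```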

How to Fix DKIM

For Salesforce Marketing Cloud: Setup → Email Studio → Admin → Account Settings → SAP/DKIM. Create a new signing key for your domain. Salesforce gives you a CNAME record to add to your DNS.

For Pardot: Setup → Pardot → Domain Management → Add your sending domain. Pardot provides a TXT record for DKIM.

For Google Workspace: Admin Console → Apps → Gmail → Authenticate email → Generate DKIM record.

How to Fix DMARC

Add a TXT record to your DNS with the hostname _dmarc:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]"

Start with p=none. This is monitoring mode — it doesn't affect delivery, but it starts sending you reports. Run in monitoring mode for 2–4 weeks, then upgrade to p=quarantine, then eventually p=reject.

After Authentication: List Hygiene

Bounce rate above 2%? Run a bounce report for the last 90 days. Export the hard bounces. Set those contacts to "Do Not Email" in Salesforce — don't delete them, suppress them.

Spam complaint rate above 0.1%? You have a permission or content problem.

Unengaged contacts (no opens in 6+ months)? Create a "re-engagement" segment. Send a 3-email re-engagement sequence. Anyone who doesn't engage gets suppressed.

The Quick Fix Priority List

  1. Add SPF record (15 minutes including DNS)
  2. Add DKIM record (15 minutes — depends on your platform)
  3. Add DMARC record in monitoring mode (5 minutes)
  4. Send a test email and verify all three pass (5 minutes)
  5. Run a bounce report and suppress hard bounces (20 minutes)
  6. Set up a re-engagement campaign for unengaged contacts (30 minutes)

That's about 90 minutes of work. Your deliverability will improve within days.