Email DNS records (MX, SPF, DKIM, DMARC)
An overview of the four DNS record types that make your business email work correctly and land in inboxes rather than spam.
Getting your domain's email to work reliably — and to reach inboxes rather than spam folders — depends on four types of DNS records. This guide introduces all four and explains how they work together. For a deeper dive into each one, follow the links to the dedicated guides.
Quick summary
Four DNS records power your business email: MX records route incoming mail to your email provider, SPF tells servers which senders are authorized to send on your behalf, DKIM cryptographically signs outgoing email, and DMARC sets a policy for handling messages that fail those checks. All four need to be set up correctly.
Why email DNS records matter
Email fraud is widespread. Spammers "spoof" legitimate-looking email addresses to trick people. Email providers like Gmail and Outlook use your DNS records to verify that emails claiming to come from @yourbusiness.com are actually authorized by you.
If your DNS records are missing or incorrect:
- Your emails may land in recipients' spam folders
- Email providers may refuse to deliver your messages at all
- Fraudsters may be able to impersonate your email address more easily
Setting up all four record types is one of the most important things you can do for email reliability.
The four records at a glance
| Record | Type | What it does |
|---|---|---|
| MX | MX | Routes incoming email to your mail server |
| SPF | TXT | Lists servers authorized to send email from your domain |
| DKIM | TXT | Adds a cryptographic signature to prove emails are genuine |
| DMARC | TXT | Sets the policy for handling email that fails SPF or DKIM |
MX records
MX (Mail Exchange) records tell the internet which servers handle incoming email for your domain. When someone sends an email to you@yourbusiness.com, their email system looks up your MX records to find out where to deliver it.
Your email provider (Google Workspace, Microsoft 365, Zoho, etc.) provides the MX record values when you set up your account. If these records are wrong or missing, incoming email won't arrive.
Each MX record has a priority number — lower numbers have higher priority. Providers usually supply at least two MX records for reliability.
See SPF records, explained for more.
SPF records
SPF (Sender Policy Framework) is a TXT record that lists all the mail servers and services authorized to send email from your domain. When someone receives an email claiming to be from @yourbusiness.com, their server checks your SPF record to see if the sending server is on the list.
If the sending server isn't listed, the email may be flagged as suspicious. A typical SPF record looks like:
v=spf1 include:_spf.google.com ~allThis tells receivers: "Emails from our domain should come from Google's servers. Be suspicious of others."
See SPF records, explained for a full guide.
DKIM records
DKIM (DomainKeys Identified Mail) uses cryptography to sign outgoing emails. Your email provider creates a digital signature that's attached to every email. Receiving servers use a public key (stored in your DNS as a TXT record) to verify the signature.
If the signature matches, the email is verified as genuine. If it doesn't match — or there's no signature — receivers may treat the email with suspicion.
DKIM records are created by your email provider and usually look like a long string of random characters in DNS.
See DKIM records, explained for a full guide.
DMARC records
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and sets a policy: what should receiving servers do with email that fails one or both checks?
Options include:
none— take no action, just report (good for monitoring)quarantine— send failing emails to spamreject— refuse to deliver failing emails entirely
DMARC also provides email reports sent to an address you specify, so you can monitor who is sending email from your domain.
See DMARC records, explained for a full guide.
How they work together
You send an email from you@yourbusiness.com via Google Workspace.
The recipient's server checks MX records — not relevant for outgoing email, but confirms your domain is set up.
SPF is checked — is Google's server on your authorized list? Yes.
DKIM is verified — does the signature on the email match the public key in DNS? Yes.
DMARC policy is applied — both checks passed, so email is delivered normally.
If either SPF or DKIM fails, DMARC's policy determines what happens to the email.
Common questions
Related guides
- SPF records, explained
- DKIM records, explained
- DMARC records, explained
- DNS records explained (A, CNAME, MX, TXT)
- Why your emails land in spam (deliverability)
Need a hand?
Learn more
Who owns your domain (and why it matters)
Why domain ownership should be in your name, how to check who the registrant is, and what to do if someone else holds your domain.
SPF records, explained
What an SPF record is, how it works, and why setting it up correctly is essential for keeping your business email out of spam folders.