Setting up SPF, DKIM, and DMARC is the most important step you can take to ensure your Noptin newsletters actually reach your subscribers’ inboxes. Without these records, major providers like Gmail and Outlook are much more likely to flag your emails as spam.
This guide will walk you through what these records do and how to add them to your domain.
Why Email Authentication Matters
When Noptin sends an email, the recipient’s mail server checks if the email is truly from you and not fake. Without proper authentication, your emails may appear suspicious, even if the content is valid.
The three standards that solve this are:
- SPF — specifies which mail servers are allowed to send email for your domain
- DKIM — adds a cryptographic signature to outgoing emails so recipients can verify they haven’t been tampered with
- DMARC — tells receiving servers what to do when SPF or DKIM checks fail, and lets you receive reports about email activity on your domain
Together, these three records protect your domain’s reputation and keep your emails out of the spam folder.
Tip:
You can use Mailtester to verify your SPF and DKIM records.
Before You Begin
You need access to your domain’s DNS settings, usually managed through your domain registrar (such as Namecheap, GoDaddy, Cloudflare, or Google Domains) or your hosting provider’s control panel.
You’ll also need to know how you’re sending email from WordPress. The most common setups are:
- An SMTP plugin (e.g., WP Mail SMTP) connected to an external email service like SendGrid, Mailgun, Postmark, Amazon SES, or Brevo.
- Your web host’s mail server (not recommended for bulk sending).
The SPF and DKIM values you add will depend on which service actually delivers your emails. Check your ESP’s documentation for the exact DNS records they require — this guide covers the general process.
Step 1: Set Up SPF
SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorized to send email from your domain.
How to Create an SPF Record
- Log in to your DNS provider and navigate to your domain’s DNS settings.
- Next, create a new TXT record for your root domain (@ or yourdomain.com).
- Finally, set the value based on your email sending service.
If you’re using your server to send emails, you can use its IP address instead.
Common SPF Record Examples
If you’re sending through Google Workspace:
v=spf1 include:_spf.google.com ~all
Mailgun:
v=spf1 include:mailgun.org ~all
SendGrid:
v=spf1 include:sendgrid.net ~all
You should only ever have one SPF record per domain. If you use multiple sending services, you must merge them into a single line.
v=spf1 include:sendgrid.net include:mailgun.org ~all
Understanding the ~all vs -all Ending:-
~all(softfail) — Emails from unauthorized servers are accepted but marked as suspicious. Recommended while getting started.-all(hardfail) — Emails from unauthorized servers are rejected outright. Use this once you’re confident your SPF record is complete.
Tip:
After adding the record, wait a few minutes for DNS to propagate, then use a tool like MXToolbox SPF Lookup to confirm it’s set up correctly.
Step 2: Set Up DKIM
DKIM adds a “digital signature” to every email you send. This signature is hidden in the email header and allows the receiving server to verify that the email’s content wasn’t intercepted or changed during transit.
Your email service provider generates the DKIM keys for you.
Adding the DKIM Record
- In your DNS settings, create a new TXT record.
- Set the Name/Host to the value provided by your ESP (e.g.,
smtp._domainkeyordefault._domainkey). - Paste the full Value from your ESP into the record value field.
- Save the record.
Some providers (like SendGrid) use CNAME records instead of TXT records for DKIM. Follow your ESP’s specific instructions.
Tip:
Use MXToolbox DKIM Lookup or your ESP’s built-in verification tool to confirm the record is resolving correctly. DNS propagation can take up to 48 hours, though it’s usually much faster.
Step 3: Set Up DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication checks, and it enables you to receive reports about who’s sending email on behalf of your domain.
DMARC Record Format
DMARC is also a DNS TXT record, added at _dmarc.yourdomain.com.
A basic DMARC record looks like this:
v=DMARC1; p=none; rua=mailto:[email protected]
The p=none policy only monitors email activity without rejecting messages. After confirming it works correctly, you can change the policy to quarantine or reject.
p=none— monitor only, no action taken. Use this to start collecting reports without affecting email delivery.p=quarantine— Deliver emails that fail DMARC checks to the spam or junk folder.p=reject— Rejects all emails failing DMARC checks. This is the most secure setting.
Tip:
Use a free tool like Postmark’s DMARC reports to monitor these reports.
Verify Everything Is Working
Once all three records are in place, send a test email and check the email headers in your mail client. Look for lines like:
Authentication-Results: mx.google.com;
dkim=pass ...
spf=pass ...
dmarc=pass ...
All three should show pass. You can also use Mail Tester to get a detailed deliverability score and spot any remaining issues.
Summary
| Record | DNS Type | Host | Purpose |
|---|---|---|---|
| SPF | TXT | @ | Authorizes sending servers |
| DKIM | TXT or CNAME | selector._domainkey | Signs outgoing emails |
| DMARC | TXT | _dmarc | Enforces policy, enables reporting |
If you haven’t configured an SMTP plugin, WordPress sends email using PHP’s mail() function through your hosting server. This method has poor deliverability and limited authentication support. Connect an SMTP plugin to a dedicated email sending service for best results.
Authentication is one piece of the puzzle. Spam filters also look at your sending reputation, list hygiene, email content, and engagement rates. Make sure you’re only sending to subscribers who have opted in, and use Noptin’s list management tools to keep your list clean.
Leave a Reply