SPF, DKIM, and DMARC for Real Estate Agents, Explained
Key Takeaways
- SPF, DKIM, and DMARC are DNS records that prove to Gmail and others that your email is legitimately from your domain.
- Without them, your newsletters are more likely to land in spam — especially when sent from an email platform.
- Setup takes 20–30 minutes in your domain registrar and is free — your email tool provides the exact records to add.
- DMARC at 'none' policy is safe to start with; you don't need to go straight to 'reject.'
Short answer: SPF, DKIM, and DMARC are three DNS records that tell Gmail, Outlook, and other inbox providers that your emails are actually from you. Without them, your newsletters are more likely to be filtered as spam — especially once your list grows past a few hundred people. Setup takes about 30 minutes and is free.
You don’t need to understand how these records work at a protocol level to set them up. This guide explains just enough to know what you’re doing, then gives you the steps.
What These Three Records Actually Do
Think of your domain (yourname.com) as your professional letterhead. Anyone could theoretically print letterhead with your name on it and send a fake letter. SPF, DKIM, and DMARC are the systems that prove the letter actually came from you.
SPF (Sender Policy Framework) is a list of servers allowed to send email on behalf of your domain. When you use an email marketing platform like Mailchimp or Kit to send newsletters, you’re sending from their infrastructure. Without an SPF record, inbox providers see that the email claims to come from your domain but wasn’t sent from your domain’s own mail servers — which looks suspicious.
DKIM (DomainKeys Identified Mail) adds a digital signature to each email you send. The receiving server checks that signature against a public key in your DNS records. If the signature matches, the email wasn’t tampered with in transit and genuinely came from an authorized source.
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells inbox providers what to do if an email fails those checks — ignore it, quarantine it, or reject it outright. It also gives you a reporting mechanism so you can see if anyone is spoofing your domain.
In practice: Gmail and Yahoo have both tightened authentication requirements for bulk senders. If you’re sending newsletters from a custom domain without these records, some of your emails are going to spam — and you may not know it.
What You Need Before You Start
- A custom domain (e.g.,
mikejohnson.comormikejohnsonrealty.ca) - Access to your domain registrar’s DNS settings (GoDaddy, Namecheap, Google Domains, Squarespace, etc.)
- An email marketing platform you’ve connected to your domain (Mailchimp, Kit, Beehiiv, Klaviyo, etc.)
If you’re still sending from a free Gmail address, you don’t need to do any of this — Google handles it. Authentication setup is only required when you’re sending bulk email from a custom domain.
Step 1: Get Your Records From Your Email Platform
Every major email marketing platform provides you the exact DNS records you need. Log in and find the domain authentication section — it’s usually in Settings > Sending Domains, or Account > Domains.
The platform will show you:
- An SPF record (a TXT record for your domain)
- One or two DKIM records (CNAME or TXT records, typically with names like
mailchimpkey1._domainkey)
Copy these exactly. They’re long strings and must be entered character-for-character.
Step 2: Add the SPF Record to Your DNS
Log into your domain registrar. Go to DNS Management (sometimes called DNS Zone or Advanced DNS).
Add a new TXT record:
- Host/Name:
@(meaning your root domain) - Value: The SPF string from your email platform. It will look something like:
v=spf1 include:servers.mailingplatform.com ~all - TTL: 3600 (or default)
If you already have an SPF record for your domain (check before adding), you need to merge them — you can’t have two SPF records. Add the new include: directive to the existing record rather than creating a second one.
Step 3: Add the DKIM Records
Add each DKIM record your platform provided. These are typically CNAME or TXT records:
- Host/Name: The subdomain string your platform gave you (e.g.,
k1._domainkeyormailchimpkey1._domainkey.yoursite) - Value: The long string your platform provided
- TTL: 3600 (or default)
Add all DKIM records your platform specifies. Some platforms require two.
After adding, go back to your email platform’s domain settings and click Verify. DNS changes propagate within minutes to a few hours — if verification fails, wait 30 minutes and try again.
Step 4: Add a DMARC Record
Once SPF and DKIM are verified, add a DMARC record. This is a TXT record with:
- Host/Name:
_dmarc - Value:
v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com - TTL: 3600
The p=none means DMARC is in monitoring mode — it won’t block or quarantine anything, it will just report. This is the right starting point. You’ll receive aggregated reports at the email address you specify, which let you see if there are any authentication failures.
Once you’ve run on p=none for a few weeks and confirmed everything is working, you can optionally change to p=quarantine — which sends failing emails to spam rather than inbox. Most solo agents don’t need to go further than none unless they have specific concerns about domain spoofing.
How to Verify Everything Is Working
Two tools worth bookmarking:
- MXToolbox (mxtoolbox.com) — paste your domain and run SPF, DKIM, and DMARC lookups to confirm the records exist and are formatted correctly
- Mail-Tester (mail-tester.com) — send a test email to their temporary address and get a deliverability score with specific feedback on what’s passing and failing
If all three records are in place and your email platform shows them as verified, you’re in good shape. The best real estate email marketing tools comparison covers which platforms make domain authentication easiest to configure.
Do You Need Help With This?
For most agents, the above steps take 20–30 minutes with the instructions open. But DNS management can feel unfamiliar, and a typo in a record means nothing works.
If the thought of editing DNS records makes you anxious, there are two good options: ask your web hosting provider’s support team (they do this constantly), or use a newsletter service that handles authentication setup for you as part of onboarding. That’s one of the practical things to look for when evaluating a real estate newsletter service — whether authentication is included or left to you.
Authentication is a one-time task. Once it’s done correctly, you don’t touch it again unless you switch email platforms. It’s 30 minutes that protects months of deliverability work. Do it before your list gets big enough for it to matter, not after.
For the broader picture of deliverability and email marketing best practices for agents, the real estate email marketing guide covers everything authentication supports.
Frequently Asked Questions
Do I need SPF, DKIM, and DMARC if I send from Gmail for free?
What happens if I skip authentication and just start sending?
Can I break my email by setting up DMARC wrong?
Start your newsletter today
Custom-designed for your brand and market. We handle everything.
Get Started