How to Read SPF, DKIM, and DMARC Results (What “pass” Really Means)
November 7, 2025 • InboxGreenEmail Team
🚨 DKIM issues can silently kill replies.
If opens dropped, replies disappeared, or bounces increased, treat it as an incident. Run the scan and get a fix path.
No signup required. Works on any domain.
You ran the InboxGreen checker (or opened Gmail’s “Show original”) and saw lines like
spf=pass, dkim=fail, or dmarc=none. Now the question is: does this actually affect inbox placement?
This post explains which results matter and what to fix first.
1. The 3 things you’re looking at
Every modern inbox is checking the same trio:
- SPF - did this come from a server that’s allowed to send for this domain?
- DKIM - was this email cryptographically signed by the sender?
- DMARC - do SPF or DKIM match the visible “From:” domain, and what should we do if not?
If SPF and DKIM both pass and align with DMARC, you look trustworthy. If one of them fails, you still might be OK. If both fail and DMARC is strict, mail can be quarantined or rejected.
2. Reading SPF results
Typical values you’ll see:
spf=pass→ good. The sending IP was in your SPF record.spf=softfail→ the sender wasn’t fully authorized; often caused by~all.spf=fail→ the sender is not in SPF. This is what you fix first.
If you see spf=fail right after switching ESPs or adding a new tool, it’s almost always because the new
service’s include was not added to your domain SPF. Go to
SPF Generator, add the service, and republish the TXT record.
3. Reading DKIM results
DKIM is per sender. That means Gmail, Microsoft 365, your SMTP provider, and your marketing tool can each have their own key.
dkim=pass→ the message was signed and the public key was found in DNS.dkim=neutralordkim=none→ no DKIM signature was present.dkim=fail→ the signature didn’t match (often because DNS was changed or the key expired).
If you get dkim=none from a tool like Mailchimp, Brevo, ConvertKit, etc., that usually means
“you didn’t add our DKIM records to your DNS yet.” Go into that tool’s domain/authentication screen and copy the
TXT/CNAME records they give you.
4. Reading DMARC results
DMARC is the referee. It looks at SPF and DKIM and says “do either of these match the From domain?”. If yes → DMARC passes. If no → DMARC applies your policy.
DMARC results you’ll see:
dmarc=pass→ at least one of SPF or DKIM matched the From: domain.dmarc=none→ you don’t have DMARC published (_dmarc.yourdomain.commissing).dmarc=fail→ neither SPF nor DKIM aligned with the From: domain and your policy may quarantine/reject.
If you see dmarc=none, that’s an easy win: publish a TXT at _dmarc.yourdomain.com - use
the DMARC Generator you already have on the site.
5. Which one should I fix first?
In most real world cases, fix order is:
- Make SPF pass for the sender you actually used.
- Turn on DKIM in your sending platform and publish its DNS records.
- Add DMARC with
p=noneso receivers start reporting.
Doing it in this order lets you get out of “why did it go to spam?” mode quickly, and then you can tighten DMARC later.
6. Common gotchas we keep seeing
- Multiple SPF records → should be just one, combined.
- DKIM selector published on the wrong host (extra domain on the end).
- DMARC set to
p=rejecttoo early, so legit mail gets quarantined. - Sending from
app.example.combut authenticatingexample.comand wondering about alignment.
7. Automate the checking
Because InboxGreen already exposes /api, you don’t have to log into Gmail and “show original” every time. You can have a cron or CI job call:
GET https://inboxgreen.email/api/check?domain=yourdomain.com
If the JSON says "dmarc": {"status":"fail"} or "spf": {"status":"fail"}, you can alert yourself or your client.
That’s exactly what we built the monitoring around.
Run a Check Now Fix SPF Fix DMARC
Free Deliverability Scan
Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.