Skip to Main Content
Login

Do I Need SPF and DKIM for Business Email UK?

Running a business

Last updated:

UK small business owner at a laptop checking an email message header, with a printed list of DNS strings on the desk.

Do I Need SPF and DKIM for Business Email UK?

If you’re using a business email on your own domain, SPF and DKIM are now pretty much expected, and skipping them is one of the most common reasons emails quietly end up in spam. This catches a lot of small businesses out. Even if you’re only sending a handful of emails a day, providers still check for it. This article explains what they are, why they matter for UK small businesses in 2026, and how to test that yours are working.

Do I need SPF and DKIM if my business only sends a few emails a day?

Yes. Gmail and Outlook both factor SPF and DKIM into their spam filtering, no matter how many emails you send. Google’s bulk-sender rules apply to senders of 5,000 or more messages a day to Gmail, in force from 1 February 2024. Microsoft started parallel enforcement on 5 May 2025.

Those rules mainly apply to high-volume senders, the kind sending thousands of emails a day. For everyone else, the effect is simpler: if your email isn’t authenticated, it’s more likely to be treated as suspicious. Skip SPF and DKIM and your reply to a customer’s enquiry can end up in their Spam folder without you realising. The NCSC’s Small Business Guide already lists email authentication as a fundamental control for UK small business.

What does SPF do?

SPF (Sender Policy Framework) is one line of text in your domain’s DNS that lists who is allowed to send email “as” you. When Gmail receives a message claiming to come from yourname@yourbusiness.co.uk, it checks your SPF record. If the sending server is on the list, SPF passes. If it isn’t, Gmail treats the message with suspicion.

SPF helps stop someone else pretending to send emails from your domain, something that shows up regularly in spam and phishing attempts. It is also what tells Gmail your real Google Workspace mailbox is allowed to send. Without it, your own mail looks no more trustworthy than the spoofed kind.

What does DKIM do that SPF doesn’t?

DKIM (DomainKeys Identified Mail) adds a digital signature to each email, so the receiving server can check it hasn’t been altered on the way. SPF says “this server is allowed to send for me”. DKIM says “and this specific message wasn’t tampered with on the way”. Both checks are independent. Gmail and Outlook want both.

This becomes important when emails get forwarded internally or between accounts, which happens more often than you’d think. A forwarded message loses its SPF alignment, but the DKIM signature travels with the body. So, a properly signed email still carries a verifiable identity at its destination.

When using platforms like Google Workspace or Microsoft 365, DKIM is typically included in the setup, you’ll just need to add the record they provide.

Where do SPF and DKIM live, and who gives me the values?

SPF and DKIM are TXT records in your domain’s DNS, stored wherever your nameservers point. Your email provider gives you the exact values to paste in. Google Workspace serves them from the admin console. Microsoft 365 serves them from the Exchange admin centre. UK email-only hosts (Fasthosts, 123 Reg, Zen) produce them in their own panels.

You don’t need to build these yourself. Your email provider gives you the exact values to copy over, and most problems come down to small copy/paste errors, like an extra space, a missing quote mark, or pasting into the wrong field. If that happens, copy the value again and replace the existing record.

How do I check SPF and DKIM are passing?

Send a test email from your business address to a Gmail account and an Outlook.com account. Then read the message headers. In Gmail, click the three dots and choose “Show original”. In Outlook on the web, click the three dots and choose “View message source”. Look for two lines near the top: spf=pass and dkim=pass.

If both show as ‘pass’, you’re set up correctly and can stop worrying about this part. If either shows ‘fail’ or ‘none’, it’s usually down to something simple in your DNS, often a value that didn’t copy across properly. Re-check Step 3 of the Setting Up Business Email with Your Own Domain UK guide. Paste the values fresh, then wait an hour for DNS to update.

What about DMARC, do I need that too?

DMARC is the third record in the trio. It tells receivers what to do when SPF or DKIM fails: ignore, quarantine, or reject. Google’s bulk-sender rules require a DMARC record (with a policy of at least p=none) for senders of 5,000 or more messages a day. Most UK small businesses are well under that volume.

A basic DMARC record (set to p=none) takes a few minutes to add and doesn’t affect delivery. It simply gives you visibility, along with reporting on who is trying to send mail in your name. Both Google and Microsoft are gradually tightening their requirements, so it’s worth setting this up alongside SPF and DKIM.

One thing most setup guides won’t remind you about: legal compliance on the website. Whether you build it yourself or have it done for you, your site needs a privacy policy, a cookie notice, terms and conditions, and the right business information in the footer. Most DIY builders include templates, but they don’t tell you if something important is missing, like your company number in the footer or a properly worded privacy policy. Already have a website? Run it through our free compliance checker to see what’s there and what isn’t.

Want SPF, DKIM and DMARC set up without learning DNS?

If you would rather not touch DNS at all, Duport’s website build handles it. The package includes domain registration, a professional mailbox at your domain, and the SPF and DKIM records that stop your mail going to spam. We typically get everything live within 72 hours, and the setup on your side usually takes about 30 minutes. Duport’s website build starts from £360. Mention this article when you get in touch and we’ll honour the £144 rate. For those also registering a limited company, the full bundle is £244 upfront. That covers company formation, your website, email, and seven compliance tools together. Want a wider view first? Should I Hire Someone to Build My Website? covers the build vs hire decision in real numbers.

Understanding DKIM and your email setup

Most domains come with basic email hosting included, which is fine for day-to-day use like enquiries and quotes. As businesses grow, it’s common to move to platforms like Google Workspace or Microsoft 365, which include features like shared calendars, storage, and stronger email authentication.
Many businesses also choose to use these platforms from the very beginning and that works just as well alongside a domain registered with us.

We’re here to help

If you’re not familiar with DNS settings or DKIM, don’t worry. While we don’t manage third-party email platforms directly, our team is always on hand to help you add the required records to your domain and make sure everything is pointing in the right direction.

It’s all part of helping you get the most out of your domain, whether you’re just starting out or growing into a more advanced setup.

FAQs

  • Do I need SPF and DKIM for a free Gmail address (yourname@gmail.com)?

No. SPF and DKIM only apply to mail sent from your own domain. Gmail handles authentication for its own gmail.com addresses already.

  • Will my emails fail today if I don’t have SPF and DKIM set up?

Not all of them. Some emails will still get through, but you’ll likely see more of them drifting into spam, often without you realising. Set both up now rather than wait for a customer to tell you they didn’t get your reply. The deeper diagnostic is in Why Are My Business Emails Going to Spam UK? .

  • Can I use just SPF and skip DKIM?

You can technically. You shouldn’t. Both Google and Microsoft want both checks to pass on incoming mail. With only SPF, your spam-folder rate rises the moment your message gets forwarded.

  • Do I need to renew SPF or DKIM records each year?

No. Once added correctly, the records stay live as long as your domain does. The only time you’d revisit them is when you change email provider, in which case both records need updating.

  • Is my Wix or Squarespace website legally compliant in the UK?

Not automatically. UK law requires your website to include a privacy policy, a cookie notice, clear terms and conditions, and specific business information (such as your registered company name and number if you’re a limited company). Most website builders include template pages for some of these, but they don’t check whether your content is accurate or complete. Use our free website compliance checker to see what your site has and what it’s missing.

Check your website →

 

Rebecca

Running a business

Last updated: