
SPF, DKIM, DMARC Setup: Complete Technical Guide

Master email authentication with this comprehensive guide to configuring SPF, DKIM, and DMARC records.

Key Takeaways

  1. All three protocols (SPF, DKIM, DMARC) work together for maximum deliverability
  2. SPF: Create ONE record listing all authorized senders
  3. DKIM: Use 2048-bit keys and sign all outgoing mail
  4. DMARC: Start with p=none and gradually increase to p=reject
  5. Test everything with MXToolbox and Mail-Tester before sending
  6. Monitor DMARC reports to catch authentication issues early

Understanding Email Authentication

Email authentication is a set of protocols that verify your emails are actually from you. Without proper authentication, your emails are more likely to be marked as spam or rejected entirely.

The Three Pillars:

  • SPF - Specifies who can send from your domain
  • DKIM - Digitally signs your emails
  • DMARC - Tells receivers how to handle failures

Why All Three Matter:

  • SPF alone: 30% deliverability improvement
  • SPF + DKIM: 50% improvement
  • SPF + DKIM + DMARC: 80%+ improvement

Think of them as layers of security. Each one validates a different aspect of your email's authenticity.

SPF (Sender Policy Framework)

What SPF Does

SPF tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. When email arrives, the receiver checks: "Is this server allowed to send for this domain?"

How SPF Works

  1. You publish a list of authorized senders in DNS
  2. Receiving server receives email from your domain
  3. Server queries DNS for your SPF record
  4. Server checks if sender IP matches your authorized list
  5. Pass = likely inbox, Fail = likely spam

SPF Record Syntax

Basic Structure:

v=spf1 [mechanisms] [qualifier]all

Key Mechanisms:

  • include: - Authorize another domain's SPF (most common)
  • ip4: - Authorize a specific IPv4 address
  • ip6: - Authorize a specific IPv6 address
  • a - Authorize your domain's A record IPs
  • mx - Authorize your MX server IPs

Qualifiers:

  • ~all (soft fail) - Accept but mark suspicious (recommended)
  • -all (hard fail) - Reject unauthorized senders
  • ?all (neutral) - No guidance (not recommended)

Common SPF Records

Google Workspace:

v=spf1 include:_spf.google.com ~all

Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

Google + SendGrid:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Google + Mailchimp + Custom Server:

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.50 ~all

SPF Best Practices

  1. Only ONE SPF record per domain - Combine all includes
  2. Start with ~all - Less aggressive while testing
  3. Keep under 10 lookups - SPF has a lookup limit
  4. Include all legitimate senders - Cold email platforms, CRM, etc.
  5. Test after changes - Use MXToolbox to verify

SPF Troubleshooting

"Too many DNS lookups"

  • Solution: Flatten includes or remove unused services
  • Use an SPF flattening service

"SPF record not found"

  • Check record is at root (@), not a subdomain
  • Verify DNS propagation

"Multiple SPF records"

  • Combine into single record
  • Delete duplicates
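To make the three troubleshooting cases concrete, here is an added checker (not code from the original guide) that parses an SPF record, counts the DNS-querying terms across every include (the terms that count toward the 10-lookup limit are include, a, mx, ptr, exists and redirect), rejects a name that publishes more than one SPF record, and reports the trailing all qualifier. Live DNS is replaced by a constructed dictionary; the include names mirror the guide's examples but their contents are made up for this demo.

```python
import re

# Constructed zone data standing in for live DNS: the include names follow the
# page's examples, but the record contents are invented for this demo.
FAKE_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # Two SPF records on one name is a PermError, not "twice the coverage".
    "dup.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"],
}

# Terms that each cost one DNS query under the 10-lookup limit (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def spf_records(domain, dns):
    """All TXT records at domain whose first token is v=spf1 (there should be exactly one)."""
    return [r for r in dns.get(domain.lower(), []) if r.split(None, 1)[0].lower() == "v=spf1"]

def count_lookups(domain, dns, depth=0):
    """Total DNS lookups needed to evaluate domain's SPF record, following includes/redirects."""
    if depth > 10:
        raise ValueError(f"{domain}: include chain too deep (loop?)")
    records = spf_records(domain, dns)
    if len(records) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue                                  # ip4/ip6/all cost no lookups
        total += 1
        if m.group(1).lower() in ("include", "redirect"):
            total += count_lookups(m.group(2), dns, depth + 1)
    return total

def audit(domain, dns):
    """Summarise a record the way an SPF checker would: lookups used, limit hit, all qualifier."""
    lookups = count_lookups(domain, dns)              # raises on zero or duplicate records
    last = spf_records(domain, dns)[0].split()[-1]
    return {"lookups": lookups, "over_limit": lookups > 10,
            "all": last if last.endswith("all") else None}

if __name__ == "__main__":
    print(audit("example.com", FAKE_DNS))
```

Point `FAKE_DNS` at real TXT answers (for example from `dig txt`) to audit your own record before publishing.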

DKIM (DomainKeys Identified Mail)

What DKIM Does

DKIM adds a cryptographic signature to your outgoing emails. Receiving servers can verify this signature to confirm the email wasn't modified in transit and came from an authorized source.

How DKIM Works

  1. Your email server signs each message with a private key
  2. The signature is added as a header in the email
  3. You publish the public key in DNS
  4. Receiving server retrieves your public key
  5. Server verifies the signature matches
  6. Valid signature = trusted sender

DKIM Record Structure

DNS Record:

Type: TXT
Host: [selector]._domainkey
Value: v=DKIM1; k=rsa; p=[public key]

Example (Google Workspace):

Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Setting Up DKIM

For Google Workspace:

  1. Go to Google Admin Console
  2. Apps → Google Workspace → Gmail
  3. Authenticate email → Generate new record
  4. Select 2048-bit key length
  5. Add the TXT record to DNS
  6. Start authentication in Google Admin

For Microsoft 365:

  1. Go to Microsoft 365 Defender
  2. Email & collaboration → Policies → DKIM
  3. Select your domain
  4. Copy the CNAME records provided
  5. Add to DNS
  6. Enable DKIM signing

DKIM Best Practices

  1. Use 2048-bit keys - 1024-bit is deprecated
  2. Rotate keys annually - Security best practice
  3. Sign all outgoing email - Consistency matters
  4. Use unique selectors - Different services, different selectors
  5. Monitor DKIM alignment - Check DMARC reports

DMARC (Domain-based Message Authentication)

What DMARC Does

DMARC tells receiving mail servers what to do when SPF or DKIM checks fail. It also provides reporting so you can monitor authentication results.

How DMARC Works

  1. You publish a DMARC policy in DNS
  2. Receiving server checks SPF and DKIM
  3. Server follows your policy for failures
  4. Server sends you reports (optional)

DMARC Record Structure

Basic Format:

v=DMARC1; p=[policy]; rua=mailto:[email]

Full Format:

v=DMARC1; p=[policy]; sp=[subdomain policy]; pct=[percentage]; rua=mailto:[aggregate reports]; ruf=mailto:[forensic reports]; adkim=[alignment]; aspf=[alignment]

DMARC Policies

p=none (Monitor Only)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

  • No action on failures
  • Collect reports to understand traffic
  • Start here

p=quarantine (Soft Enforcement)

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com

  • Failed emails go to spam
  • pct=50 applies to 50% of traffic
  • Transition phase

p=reject (Full Enforcement)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

  • Failed emails are rejected
  • Maximum protection
  • Final goal

DMARC Rollout Strategy

Phase 1: Monitoring (4-6 weeks)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

  • Identify all legitimate senders
  • Fix SPF/DKIM issues
  • Review aggregate reports

Phase 2: Quarantine at 25% (2-4 weeks)

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

  • Test impact on mail flow
  • Monitor for issues

Phase 3: Quarantine at 100% (2-4 weeks)

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

  • Full quarantine enforcement
  • Continue monitoring

Phase 4: Reject (Ongoing)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

  • Maximum protection achieved
  • Maintain monitoring

Reading DMARC Reports

DMARC aggregate reports are XML files sent to your rua email. They contain:

  • Which IPs sent email for your domain
  • SPF and DKIM results
  • DMARC policy actions
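An added example (not from the original guide) of reading one of these XML files during the p=none phase: it flattens each record of a constructed aggregate report into the source IP, message count, the receiver's disposition, and whether SPF and DKIM aligned, then lists the sources that failed DMARC outright. The second record is the classic third-party case: SPF passes for the sender's own bounce domain but nothing aligns with the From domain. Report metadata, IPs and counts are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout. IPs are from
# documentation ranges; the org name, report id and counts are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.50</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.9</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>mailer.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def parse_report(xml_text):
    """Flatten each <record>; the aligned flags come from policy_evaluated, which is
    the receiver's DMARC verdict, not the raw SPF/DKIM result in auth_results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row, verdict = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": verdict.findtext("disposition"),
            "dkim_aligned": verdict.findtext("dkim") == "pass",
            "spf_aligned": verdict.findtext("spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    published = root.find("policy_published")
    return {"domain": published.findtext("domain"), "policy": published.findtext("p"), "rows": rows}

def failing_sources(report):
    """Sources with neither identifier aligned: the list to resolve before leaving p=none."""
    return [(r["source_ip"], r["count"], r["spf_domain"], r["dkim_domain"])
            for r in report["rows"] if not (r["spf_aligned"] or r["dkim_aligned"])]

if __name__ == "__main__":
    for ip, n, spf_d, dkim_d in failing_sources(parse_report(SAMPLE_REPORT)):
        print(f"{ip}: {n} messages failed DMARC (SPF domain {spf_d}, DKIM d={dkim_d})")
```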

Tools for DMARC Reports:

  • DMARC Analyzer
  • Postmark DMARC
  • Valimail
  • dmarcian

Verification and Testing

Testing Your Setup

MXToolbox Checks:

  1. Go to mxtoolbox.com/SuperTool
  2. Enter your domain
  3. Run: SPF Record Lookup, DKIM Lookup, DMARC Lookup
  4. All should show "Pass"

Mail-Tester:

  1. Go to mail-tester.com
  2. Send email to provided address
  3. Get detailed score and recommendations
  4. Aim for 9/10 or higher

Google Admin Toolbox:

  1. Visit toolbox.googleapps.com
  2. Use Check MX to verify DNS
  3. Review SPF and DKIM settings

Common Authentication Issues

SPF: "PermError too many DNS lookups"

  • Each 'include' causes DNS lookups
  • Maximum is 10 lookups
  • Solution: Flatten SPF or remove unused includes

DKIM: "No key for this selector"

  • Selector name doesn't match
  • Key not published yet
  • DNS propagation still in progress

DMARC: "Alignment failure"

  • From domain doesn't match SPF/DKIM domain
  • Check Return-Path and DKIM d= tag
  • May need to configure third-party services
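To show exactly when alignment fails, here is an added evaluator (not code from the original guide) that parses a DMARC record, applies the RFC 7489 defaults, and decides whether a message passes DMARC from the From domain, the Return-Path domain plus SPF result, and the DKIM d= domain plus DKIM result, honouring adkim/aspf strict versus relaxed mode and the sp= subdomain policy. It assumes the organizational domain is the last two labels, a simplification of the Public Suffix List that real verifiers use.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a tag dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100"), ("sp", tags["p"])):
        tags.setdefault(tag, default)
    return tags

def org_domain(domain):
    """Organizational domain. Assumption for this demo: the last two labels. Real
    verifiers consult the Public Suffix List (example.co.uk would be wrong here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Strict (s): exact match with the From domain. Relaxed (r): same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate(record, header_from, spf_result, return_path_domain, dkim_result, dkim_d):
    """Return 'pass', or the disposition the published policy asks the receiver to apply.
    pct= is ignored: it only decides which share of failing messages get that policy."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, return_path_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_d, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Mail from a subdomain of the org domain falls under sp= (which defaults to p=).
    is_subdomain = header_from.lower() != org_domain(header_from)
    return tags["sp"] if is_subdomain else tags["p"]

if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Third-party sender: SPF passes for its own bounce domain, DKIM is signed with its own d=.
    print(evaluate(policy, "example.com", "pass", "bounce.mailer.example", "pass", "mailer.example"))
```

The third-party case in `__main__` prints `reject`: both checks passed, yet neither identifier aligns with the From domain, which is the situation the DMARC alignment failure message describes.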

Complete Setup Checklist

Before You Start:

  • Access to domain DNS management
  • Admin access to email provider
  • List of all services that send email

SPF Setup:

  • Identify all legitimate sending services
  • Create single SPF record with all includes
  • Verify with MXToolbox
  • Test by sending email

DKIM Setup:

  • Generate DKIM keys in email provider
  • Add TXT record to DNS
  • Enable DKIM signing
  • Verify signature on outgoing mail

DMARC Setup:

  • Start with p=none policy
  • Set up report collection
  • Monitor for 4-6 weeks
  • Gradually increase enforcement

Frequently Asked Questions

Do I need all three (SPF, DKIM, DMARC)?

Yes. While each protocol provides value independently, they work together synergistically. Major email providers expect to see all three configured properly for legitimate senders.

How long does DNS propagation take?

Typically 15 minutes to 4 hours, though full global propagation can take up to 48 hours. You can use whatsmydns.net to check propagation status across different regions.

Why is my email still going to spam with authentication set up?

Authentication is necessary but not sufficient. Content quality, sender reputation, list hygiene, and sending patterns all affect deliverability. Authentication removes one barrier but doesn't guarantee inbox placement.

Should I use -all or ~all for SPF?

Start with ~all (soft fail) which is less aggressive. Once you've verified all legitimate senders are included, you can switch to -all (hard fail) for stricter enforcement.
