🔧 More free tools: MX Checker·SPF/DKIM/DMARC·Bounce Rate·Disposable Detector

SPF, DKIM & DMARC Setup

Protect your domain from spoofing and fix deliverability by setting up all three authentication records correctly.

Mailchimp email marketing platform

What each record does

Email authentication consists of three DNS records that together prove messages from your domain are genuine:

  • SPF (Sender Policy Framework) — lists IPs authorized to send as your domain
  • DKIM (DomainKeys Identified Mail) — cryptographically signs each message
  • DMARC — instructs receivers what to do when SPF/DKIM fails

Since Feb 2024, Gmail and Yahoo require all three for bulk senders (5,000+/day). Without them, emails land in spam — or are rejected outright.

Step 1: Set up SPF

SPF is a single TXT record on your root domain. The value starts with v=spf1 followed by mechanisms listing authorized senders, ending with an all rule.

Example for Google Workspace only:

v=spf1 include:_spf.google.com -all

Example for Google Workspace + Mailchimp:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

Tags explained:

  • include: — delegate authorization to another domain's SPF
  • ip4: / ip6: — specific IPs
  • a, mx — the domain's A or MX records
  • -all — reject others (strict). ~all — softfail (monitor first)
Watch out: Only one SPF record per domain. Multiple SPF records = broken SPF. Combine all senders into one record.
Email campaign builder

Step 2: Set up DKIM

DKIM requires your email provider to generate a keypair. You publish the public key as a DNS TXT record; the provider signs outgoing mail with the private key.

The record lives at: {selector}._domainkey.yourdomain.com

The "selector" is assigned by your provider — google for Google Workspace, selector1 and selector2 for Microsoft 365, k1 for Mailchimp, etc.

Example for Mailchimp: record at k1._domainkey.yourdomain.com:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD...

Your email provider's admin panel will tell you the exact selector and key to publish. Most providers offer a one-click "DKIM setup" wizard that generates this for you.

Step 3: Set up DMARC

DMARC is a TXT record at _dmarc.yourdomain.com. It tells receiving servers what to do when SPF or DKIM fails, and where to send reports.

Recommended starting policy (monitor-only):

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Run this for at least 2 weeks. Review the rua reports (XML files emailed daily) to find misconfigured senders.

Once your reports look clean, tighten to quarantine:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Maximum protection (after 1-2 months):

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
Freelance web developers

Step 4: Test everything

After publishing the records, verify with our free SPF/DKIM/DMARC checker. Or manually:

# Check SPF
dig TXT yourdomain.com +short

# Check DMARC
dig TXT _dmarc.yourdomain.com +short

# Check DKIM (need selector)
dig TXT selector._domainkey.yourdomain.com +short

Send a test email to check-auth@verifier.port25.com. It replies with a full authentication report — SPF, DKIM, DMARC, and extras like reverse-DNS.

Common setup mistakes

  • Two SPF records — must combine into one
  • Using +all — allows anyone to spoof you. Never do this
  • Forgetting the include: for transactional senders (SendGrid, Amazon SES, Mailgun)
  • DMARC without SPF or DKIM aligned — DMARC requires at least one to pass with the From-domain aligned
  • Jumping straight to p=reject — always start with p=none to catch issues first
  • Hosting newsletter on a subdomain without its own DMARC — the sp= tag controls subdomain policy

Quick reference

Goal state:
  • SPF with -all covering every legitimate sender
  • DKIM selectors published for every email provider
  • DMARC at p=quarantine (minimum) or p=reject
  • DMARC reports (rua) going to an inbox you actually read
DD
About the Author

Daniel Dorfer worked for nearly four years in technical support at GMX, one of Germany’s largest email providers, and for almost two years at united domains, a leading domain hoster and registrar. He is a founding member of the KIBC (KI Business Club). This website was built entirely with the help of Claude Code (Opus 4.6) by Anthropic.

Email marketing suite