What each record does
Email authentication consists of three DNS records that together prove messages from your domain are genuine:
- SPF (Sender Policy Framework) — lists IPs authorized to send as your domain
- DKIM (DomainKeys Identified Mail) — cryptographically signs each message
- DMARC — instructs receivers what to do when SPF/DKIM fails
Since Feb 2024, Gmail and Yahoo require all three for bulk senders (5,000+/day). Without them, emails land in spam — or are rejected outright.
Step 1: Set up SPF
SPF is a single TXT record on your root domain. The value starts with v=spf1 followed by mechanisms listing authorized senders, ending with an all rule.
Example for Google Workspace only:
v=spf1 include:_spf.google.com -all
Example for Google Workspace + Mailchimp:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
Tags explained:
- include: — delegate authorization to another domain's SPF
- ip4:/ip6: — specific IPs
- a, mx — the domain's A or MX records
- -all — reject others (strict)
- ~all — softfail (monitor first)
Step 2: Set up DKIM
DKIM requires your email provider to generate a keypair. You publish the public key as a DNS TXT record; the provider signs outgoing mail with the private key.
The record lives at: {selector}._domainkey.yourdomain.com
The "selector" is assigned by your provider — google for Google Workspace, selector1 and selector2 for Microsoft 365, k1 for Mailchimp, etc.
Example for Mailchimp: record at k1._domainkey.yourdomain.com:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD...
Your email provider's admin panel will tell you the exact selector and key to publish. Most providers offer a one-click "DKIM setup" wizard that generates this for you.
Step 3: Set up DMARC
DMARC is a TXT record at _dmarc.yourdomain.com. It tells receiving servers what to do when SPF or DKIM fails, and where to send reports.
Recommended starting policy (monitor-only):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1
Run this for at least 2 weeks. Review the rua reports (XML files emailed daily) to find misconfigured senders.
Once your reports look clean, tighten to quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Maximum protection (after 1-2 months):
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
Step 4: Test everything
After publishing the records, verify with our free SPF/DKIM/DMARC checker. Or manually:
# Check SPF
dig TXT yourdomain.com +short
# Check DMARC
dig TXT _dmarc.yourdomain.com +short
# Check DKIM (need selector)
dig TXT selector._domainkey.yourdomain.com +short
Send a test email to check-auth@verifier.port25.com. It replies with a full authentication report — SPF, DKIM, DMARC, and extras like reverse-DNS.
Common setup mistakes
- Two SPF records — must combine into one
- Using +all — allows anyone to spoof you. Never do this
- Forgetting the include: for transactional senders (SendGrid, Amazon SES, Mailgun)
- DMARC without SPF or DKIM aligned — DMARC requires at least one to pass with the From-domain aligned
- Jumping straight to p=reject — always start with p=none to catch issues first
- Hosting newsletter on a subdomain without its own DMARC — the sp= tag controls subdomain policy
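As an added example that is not part of this guide, a small Python auditor that applies the SPF rules from Step 1, the DMARC policy advice from Step 3 and the mistakes listed above to raw TXT values. The sample records and the example.com addresses are constructed, and required_includes is an assumed parameter listing the senders you know are legitimate.

```python
def audit_spf(txt_records, required_includes=()):
    """Return problems (per Step 1) found in a domain's TXT values; [] means it looks right."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    problems = []
    if len(spf) > 1:
        problems.append("two SPF records: combine them into one")
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last.lstrip("+-~?") != "all":
        problems.append("record does not end with an all rule")
    elif last in ("+all", "all"):  # a bare 'all' means +all
        problems.append("+all: anyone can spoof the domain")
    elif last == "~all":
        problems.append("~all softfail: fine while monitoring, tighten to -all")
    included = {t.split(":", 1)[1].lower() for t in terms if t.lower().startswith("include:")}
    for sender in required_includes:  # assumed: senders you know are legitimate
        if sender.lower() not in included:
            problems.append(f"missing include:{sender}")
    return problems

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return problems (per Step 3) found in a _dmarc TXT value."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p")
    if policy == "none":
        problems.append("p=none: monitor-only, move to quarantine once reports are clean")
    elif policy not in ("quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    if "rua" not in tags:
        problems.append("no rua= address: aggregate reports go nowhere")
    if "sp" not in tags:
        problems.append("no sp= tag: subdomains inherit p=, set it if a subdomain sends mail")
    return problems

SAMPLE_SPF = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:servers.mcsv.net -all"]  # constructed
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"  # constructed, as dig +short prints it
```

Feed it the values from the dig commands in Step 4 (quotes stripped); every string it returns maps to one of the mistakes above.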
Quick reference
- SPF with -all covering every legitimate sender
- DKIM selectors published for every email provider
- DMARC at p=quarantine (minimum) or p=reject
- DMARC reports (rua) going to an inbox you actually read