How to Set Up SPF DKIM and DMARC Records for Business Email

Why SPF, DKIM, and DMARC Matter for Your Business Email

If you send emails from your business domain, whether it is newsletters, invoices, or day-to-day communication, you need to prove to receiving mail servers that those emails are legitimate. Without proper authentication, your messages can land in spam folders or, worse, someone else can send emails pretending to be you. That is exactly what SPF, DKIM, and DMARC solve.

These three DNS-based protocols work together to authenticate your outbound email, protect your brand from spoofing, and dramatically improve your deliverability rates. In this guide, we will walk you through each protocol, explain what it does in plain language, and give you step-by-step instructions to configure them on your domain using popular DNS providers like Cloudflare, Namecheap, GoDaddy, and Google Domains. We will also include practical examples for Google Workspace and Microsoft 365.

Quick Overview: SPF vs. DKIM vs. DMARC

Before diving into the setup, here is a quick comparison of what each record does:

| Protocol | What It Does | Record Type |
| --- | --- | --- |
| SPF (Sender Policy Framework) | Specifies which mail servers are allowed to send email on behalf of your domain | TXT |
| DKIM (DomainKeys Identified Mail) | Adds a cryptographic signature to outgoing emails so the recipient can verify the message was not altered | TXT (or CNAME) |
| DMARC (Domain-based Message Authentication, Reporting & Conformance) | Tells receiving servers what to do when SPF or DKIM checks fail, and sends you reports about authentication results | TXT |

Think of them as three layers of security. SPF checks the sender’s IP address. DKIM checks the message integrity. DMARC ties them together with a policy and gives you visibility through reports.

What You Need Before You Start

Make sure you have the following ready:

- Access to your domain’s DNS settings (through your registrar or DNS provider such as Cloudflare, Namecheap, GoDaddy, etc.)
- Admin access to your email platform (Google Workspace, Microsoft 365, or another provider)
- A list of all services that send email on your behalf (marketing tools, CRM, transactional email services, etc.)
- A dedicated email address or group to receive DMARC reports

Step 1: Set Up Your SPF Record

What an SPF Record Looks Like

An SPF record is a TXT record added to the root of your domain. It lists the mail servers and IP addresses authorized to send email for your domain. Here is a basic example:

    v=spf1 include:_spf.google.com ~all

Let us break that down:

- v=spf1 – declares this is an SPF record (version 1)
- include:_spf.google.com – authorizes Google Workspace mail servers
- ~all – soft fail for any server not listed (emails may still be delivered but flagged)

SPF Records for Common Email Providers

| Email Provider | SPF Include Value |
| --- | --- |
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Brevo (formerly Sendinblue) | include:sendinblue.com |
| Zoho Mail | include:zoho.com |

How to Combine Multiple Services in One SPF Record

If you use Google Workspace for daily email and Mailchimp for newsletters, your SPF record would look like this:

    v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

Important rules to remember:

- You can only have one SPF record per domain. If you add a second one, both will break.
- SPF has a 10 DNS lookup limit. Each “include” counts as one or more lookups. Keep your record lean.
- Use ~all (soft fail) while testing. Switch to -all (hard fail) once you are confident everything is working.

Adding the SPF Record to Your DNS

1. Log in to your DNS provider (Cloudflare, Namecheap, GoDaddy, etc.).
2. Navigate to your domain’s DNS management or Advanced DNS section.
3. Add a new TXT record with these values:
   - Host / Name: @ (or leave blank, depending on the provider)
   - Type: TXT
   - Value: your SPF string (e.g., v=spf1 include:_spf.google.com ~all)
   - TTL: 3600 (or Auto)
4. Save the record and wait for DNS propagation (usually a few minutes to a few hours).

Step 2: Set Up DKIM Signing

How DKIM Works

DKIM uses a pair of cryptographic keys. Your email provider signs each outgoing message with a private key. The receiving server looks up the corresponding public key in your DNS and uses it to verify the signature. If the message was modified in transit, the check fails.

Setting Up DKIM in Google Workspace

1. Go to the Google Admin console (admin.google.com).
2. Navigate to Apps > Google Workspace > Gmail > Authenticate email.
3. Select your domain and click Generate new record.
4. Choose a DKIM key bit length (2048-bit is recommended).
5. Google will display a TXT record value. Copy it.
6. Go to your DNS provider and create a new TXT record:
   - Host / Name: google._domainkey
   - Type: TXT
   - Value: the string provided by Google
7. Save the DNS record and wait for propagation.
8. Return to the Google Admin console and click Start authentication.

Setting Up DKIM in Microsoft 365

1. Go to the Microsoft Defender portal (security.microsoft.com).
2. Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM.
3. Select your domain.
4. Microsoft will provide two CNAME records that you need to add to your DNS:
   - selector1._domainkey.yourdomain.com pointing to selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
   - selector2._domainkey.yourdomain.com pointing to selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
5. After DNS propagation, return to the Defender portal and enable DKIM signing for the domain.

DKIM for Third-Party Senders

If you use tools like Mailchimp, SendGrid, or HubSpot, each of them will have their own DKIM setup instructions. Typically, they will ask you to add one or two CNAME or TXT records to your DNS.
Always check the documentation of each tool and verify the records are live before activating DKIM on their platform.

Step 3: Set Up Your DMARC Record

DMARC is the final piece. It tells receiving servers what to do when an email fails SPF and DKIM checks, and it gives you reporting so you can monitor what is happening with your domain’s email.

Important: Before setting up DMARC, make sure both SPF and DKIM are properly configured and working. DMARC depends on at least one of them passing and being aligned with your From address.

Understanding the DMARC Policy Options

| Policy Tag | Value | What It Does |
| --- | --- | --- |
| p=none | Monitor only | No action is taken on failing
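
The SPF rules from Step 1 (exactly one record per domain, the 10 DNS lookup limit, and ~all versus -all) can be checked mechanically before a record is published. The following Python linter is an added example, not part of the original guide; it runs offline against a constructed in-memory zone, and the example domains and the function names lint_spf and count_lookups are assumptions made for illustration.

```python
import re

# Constructed sample zone (TXT answers keyed by name); not real DNS data.
ZONE = {
    "ok.example": ["v=spf1 include:_spf.mail.example include:news.example -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "news.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.example": ["v=spf1 include:news.example ~all", "v=spf1 mx -all"],
    "open.example": ["site-verification=constructed", "v=spf1 a mx +all"],
    "heavy.example": ["v=spf1 a mx " + "include:_spf.mail.example " * 3 + "~all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
TERM = re.compile(r"[+\-~?]?([a-z0-9]*)(?:[:=](\S+))?", re.I)

def spf_records(name, zone):
    # Keep only the TXT strings at `name` that are SPF records.
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Count DNS-querying terms, following include/redirect targets."""
    if name in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for record in spf_records(name, zone)[:1]:
        for term in record.split()[1:]:
            mech, arg = TERM.match(term).groups()
            if mech.lower() in LOOKUP_TERMS:
                total += 1
            if mech.lower() in ("include", "redirect") and arg:
                total += count_lookups(arg.lower(), zone, path + (name,))
    return total

def lint_spf(name, zone=ZONE):
    """Return findings for the rules listed in Step 1; empty list means clean."""
    records = spf_records(name, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records published, exactly one is required"]
    findings = []
    lookups = count_lookups(name, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups, limit is 10")
    last = records[0].split()[-1].lower()
    if last in ("all", "+all"):
        findings.append("ends in +all, which authorizes every server")
    elif last == "~all":
        findings.append("ends in ~all (soft fail), switch to -all after testing")
    return findings
```

Nested includes are what usually push a record over the limit: heavy.example lists only five lookup terms itself but costs eleven once each include is expanded.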
