Why SPF, DKIM, and DMARC Matter for Your Business Email
If you send emails from your business domain, whether it is newsletters, invoices, or day-to-day communication, you need to prove to receiving mail servers that those emails are legitimate. Without proper authentication, your messages can land in spam folders or, worse, someone else can send emails pretending to be you.
That is exactly what SPF, DKIM, and DMARC solve. These three DNS-based protocols work together to authenticate your outbound email, protect your brand from spoofing, and dramatically improve your deliverability rates.
In this guide, we will walk you through each protocol, explain what it does in plain language, and give you step-by-step instructions to configure them on your domain using popular DNS providers like Cloudflare, Namecheap, GoDaddy, and Google Domains. We will also include practical examples for Google Workspace and Microsoft 365.
Quick Overview: SPF vs. DKIM vs. DMARC
Before diving into the setup, here is a quick comparison of what each record does:
| Protocol | What It Does | Record Type |
|---|---|---|
| SPF (Sender Policy Framework) | Specifies which mail servers are allowed to send email on behalf of your domain | TXT |
| DKIM (DomainKeys Identified Mail) | Adds a cryptographic signature to outgoing emails so the recipient can verify that the signed headers and body were not altered in transit and that the signer holds the private key for the domain named in the signature | TXT (or CNAME) |
| DMARC (Domain-based Message Authentication, Reporting & Conformance) | Tells receiving servers what to do when SPF or DKIM checks fail, and sends you reports about authentication results | TXT |
Think of them as three layers of security. SPF checks whether the connecting server's IP address is authorized by the envelope sender (Return-Path) domain. DKIM checks that the signed parts of the message are intact and were signed with a key published under the signing domain. DMARC ties both of them to the domain in the visible From header, applies a policy when neither passes in an aligned way, and gives you visibility through reports.
What You Need Before You Start
Make sure you have the following ready:
- Access to your domain’s DNS settings (through your registrar or DNS provider such as Cloudflare, Namecheap, GoDaddy, etc.)
- Admin access to your email platform (Google Workspace, Microsoft 365, or another provider)
- A list of all services that send email on your behalf (marketing tools, CRM, transactional email services, etc.)
- A dedicated email address or group to receive DMARC reports
Step 1: Set Up Your SPF Record
What an SPF Record Looks Like
An SPF record is a TXT record added to the root of your domain. It lists the mail servers and IP addresses authorized to send email for your domain.
Here is a basic example:
v=spf1 include:_spf.google.com ~all
Let us break that down:
- v=spf1 – declares this is an SPF record (version 1)
- include:_spf.google.com – authorizes Google Workspace mail servers
- ~all – soft fail for any server not listed (receivers usually still accept the message but may mark it as suspicious; for DMARC purposes a soft fail is not a pass)
SPF Records for Common Email Providers
| Email Provider | SPF Include Value |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Brevo (formerly Sendinblue) | include:sendinblue.com |
| Zoho Mail | include:zoho.com |
How to Combine Multiple Services in One SPF Record
If you use Google Workspace for daily email and Mailchimp for newsletters, your SPF record would look like this (confirm each include host against the provider's current documentation before copying it; include hosts change over time and some providers use regional variants):
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Important rules to remember:
- You can only have one SPF record per domain. If a domain publishes two, receivers return a permanent error (permerror) and treat SPF as failed for every message, not just the ones from the second record's senders.
- SPF allows at most 10 DNS-querying terms per evaluation: include, a, mx, ptr, exists and redirect all count, and a nested include counts everything it pulls in. Going over the limit is also a permerror. Keep your record lean, and avoid ptr entirely.
- Use ~all (soft fail) while testing. Switch to -all (hard fail) once your DMARC reports show that every legitimate source passes. Once DMARC is enforcing, ~all and -all give the same DMARC outcome (only a pass counts); -all additionally lets receivers that act on SPF alone reject unlisted senders before DMARC is consulted, which also catches plainly forwarded mail.
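The two rules that cause the most trouble in practice, one SPF record per domain and at most 10 DNS-querying terms, can be checked before you publish. The following is an added example written for this guide, not code from the article or from any provider: it parses SPF records, follows include and redirect, counts the lookups, and reports the final all qualifier. FAKE_DNS is a constructed in-memory stand-in for DNS TXT answers; the include names are the ones used above, but the IP ranges and nested records behind them are placeholders, not the providers' real data. Against a live domain you would replace FAKE_DNS with real TXT queries.

```python
"""Offline SPF checks: exactly one v=spf1 record per domain, and at most 10
DNS-querying terms (RFC 7208 section 4.6.4). Added example, not the article's
code. FAKE_DNS is a constructed stand-in for real TXT answers."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10

# Constructed TXT answers keyed by domain (a domain may publish several TXT records).
FAKE_DNS = {
    "yourdomain.com": [
        "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
        "some-site-verification=abc123",  # unrelated TXT record, must be ignored
    ],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:203.0.113.0/24 ?all"],
    # Two SPF records: a permerror, not "the union of both".
    "broken.example": ["v=spf1 include:_spf.google.com -all",
                       "v=spf1 include:servers.mcsv.net -all"],
    # Too many lookups once the includes are followed.
    "bloated.example": ["v=spf1 include:_spf.google.com include:servers.mcsv.net "
                        "include:a.example include:b.example a mx ptr exists:%{i}.x.example ~all"],
    "a.example": ["v=spf1 include:c.example ~all"],
    "b.example": ["v=spf1 include:d.example ~all"],
    "c.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    "d.example": ["v=spf1 ip4:192.0.2.11 ~all"],
}


def spf_record(domain):
    """Return the domain's single SPF record; zero or several is a permerror."""
    found = [t for t in FAKE_DNS.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected exactly one v=spf1 TXT record, found {len(found)}")
    return found[0]


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    terms = []
    for token in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if "=" in token:                   # modifier: redirect=, exp=
            name, arg = token.split("=", 1)
        elif ":" in token:                 # mechanism with argument: include:, ip4:, exists:
            name, arg = token.split(":", 1)
        else:                              # bare mechanism: a, mx, ptr, all
            name, arg = token, ""
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_lookups(domain, path=()):
    """Count DNS-querying terms reachable from domain, following include and redirect."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    total = 0
    for _, name, arg in parse_terms(spf_record(domain)):
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, path + (domain,))
        elif name == "redirect":
            total += 1 + count_lookups(arg, path + (domain,))
    return total


def audit(domain):
    """Summarize a domain's SPF: lookups used, the final 'all' qualifier, and problems."""
    try:
        terms = parse_terms(spf_record(domain))
        lookups = count_lookups(domain)
    except ValueError as exc:
        return {"domain": domain, "ok": False, "lookups": None, "all": None, "problems": [str(exc)]}
    all_quals = [q for q, n, _ in terms if n == "all"]
    all_qual = all_quals[-1] if all_quals else None
    problems = []
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds {MAX_LOOKUPS} (permerror)")
    if all_qual is None:
        problems.append("no 'all' term: unlisted senders evaluate to neutral, which DMARC does not count as a pass")
    elif all_qual == "+":
        problems.append("'+all' authorizes every host on the internet")
    return {"domain": domain, "ok": not problems, "lookups": lookups, "all": all_qual, "problems": problems}


if __name__ == "__main__":
    for d in ("yourdomain.com", "broken.example", "bloated.example"):
        print(audit(d))
```

With the constructed data, yourdomain.com uses 5 of the 10 lookups (the Google include alone accounts for 4), broken.example fails immediately on the duplicate record, and bloated.example reaches 13 because each nested include is counted where it is pulled in.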
Adding the SPF Record to Your DNS
- Log in to your DNS provider (Cloudflare, Namecheap, GoDaddy, etc.).
- Navigate to your domain’s DNS management or Advanced DNS section.
- Add a new TXT record with these values:
  - Host / Name: @ (or leave blank, depending on the provider)
  - Type: TXT
  - Value: your SPF string (e.g., v=spf1 include:_spf.google.com ~all)
  - TTL: 3600 (or Auto)
- Save the record and wait for DNS propagation (usually a few minutes to a few hours).
Step 2: Set Up DKIM Signing
How DKIM Works
DKIM uses a pair of cryptographic keys. Your email provider signs the body and selected headers of each outgoing message with a private key that never leaves its servers. The receiving server reads the selector (s=) and domain (d=) from the DKIM-Signature header, looks up the public key at selector._domainkey.yourdomain.com in your DNS, and uses it to verify the signature. If the signed headers or the body were modified in transit, the check fails.
Setting Up DKIM in Google Workspace
- Go to the Google Admin console (admin.google.com).
- Navigate to Apps > Google Workspace > Gmail > Authenticate email.
- Select your domain and click Generate new record.
- Choose a DKIM key bit length (2048-bit is recommended). A 2048-bit key produces a TXT value longer than the 255-character limit of a single DNS string; most providers split it automatically, but some require you to enter it as two quoted strings, and a few registrars only accept 1024-bit keys.
- Google will display a TXT record value. Copy it.
- Go to your DNS provider and create a new TXT record:
  - Host / Name: google._domainkey
  - Type: TXT
  - Value: the string provided by Google
- Save the DNS record and wait for propagation.
- Return to the Google Admin console and click Start authentication.
Setting Up DKIM in Microsoft 365
- Go to the Microsoft Defender portal (security.microsoft.com).
- Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM.
- Select your domain.
- Microsoft will provide two CNAME records that you need to add to your DNS (two selectors because Microsoft rotates signing keys between them, so both must stay in place):
  - selector1._domainkey.yourdomain.com pointing to selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
  - selector2._domainkey.yourdomain.com pointing to selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
  The exact targets are shown in the portal; the dash-separated domain and the tenant name are specific to you.
- After DNS propagation, return to the Defender portal and enable DKIM signing for the domain.
DKIM for Third-Party Senders
If you use tools like Mailchimp, SendGrid, or HubSpot, each of them will have their own DKIM setup instructions. Typically, they will ask you to add one or two CNAME or TXT records to your DNS. Always check the documentation of each tool and verify the records are live before activating DKIM on their platform. Make sure the service signs with your domain (d=yourdomain.com) rather than its own: a signature under the vendor's domain passes DKIM but does not align for DMARC.
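Two parts of what "How DKIM Works" describes can be reproduced without a provider: the body hash that a verifier recomputes (so a modified body fails), and the public-key TXT record under selector._domainkey, including the split into 255-character strings mentioned for 2048-bit keys. This is an added example written for this guide, not code from the article or from Google or Microsoft. FAKE_PUBLIC_KEY_B64 is a constructed blob of the same length as a real 2048-bit RSA public key, not a usable key; the message bodies are constructed too. Signing the hash with the private key is the provider's job and is not shown.

```python
"""DKIM details reproducible offline: the bh= body hash under 'relaxed'
canonicalization, and the selector._domainkey TXT record that carries the
public key. Added example, not the article's or any provider's code."""

import base64
import hashlib
import re

# Constructed placeholder: 294 bytes, the size of a 2048-bit RSA SubjectPublicKeyInfo,
# which base64-encodes to 392 characters. Not a real key.
FAKE_PUBLIC_KEY_B64 = base64.b64encode(b"\x30\x82\x01\x22" + b"\x00" * 290).decode()


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    whitespace to one space, strip trailing whitespace per line, drop trailing
    empty lines, terminate every line with CRLF (an empty body stays empty)."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8") if lines else b""


def body_hash(body):
    """The bh= tag for a=rsa-sha256: base64(SHA-256(canonicalized body)).
    The verifier recomputes this from the body it received; any edit breaks it."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode()


def dkim_txt_strings(public_key_b64, max_len=255):
    """Value for selector._domainkey, split into the <=255-octet character-strings
    a DNS TXT record is made of. Providers that do not auto-split need it this way."""
    value = f"v=DKIM1; k=rsa; p={public_key_b64}"
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def parse_dkim_txt(strings):
    """Verifier side: join the strings, split tag=value pairs, flag a revoked (empty p=) key."""
    tags = {}
    for part in "".join(strings).split(";"):
        if part.strip():
            key, _, val = part.partition("=")   # base64 padding '=' stays in the value
            tags[key.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":       # v= is optional but must be DKIM1 if present
        raise ValueError("not a DKIM key record")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    tags["revoked"] = tags["p"] == ""
    return tags


if __name__ == "__main__":
    # Constructed bodies: whitespace changes survive relaxed canonicalization, content changes do not.
    print(body_hash("Hello  world \r\n\r\n") == body_hash("Hello world\r\n"))   # True
    print(body_hash("Hello world\r\n") == body_hash("Hello w0rld\r\n"))         # False
    for s in dkim_txt_strings(FAKE_PUBLIC_KEY_B64):
        print(len(s), s[:40] + "...")
    print(parse_dkim_txt(dkim_txt_strings(FAKE_PUBLIC_KEY_B64))["revoked"])     # False
```

The relaxed mode is what Google Workspace and Microsoft 365 use by default; it is why a forwarder that only re-wraps whitespace leaves the signature intact while one that appends a footer breaks it. An empty p= is how a key is retired without removing the record, which makes old signatures fail closed rather than fall back to "no key found".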
Step 3: Set Up Your DMARC Record
DMARC is the final piece. It tells receiving servers what to do when an email fails SPF and DKIM checks, and it gives you reporting so you can monitor what is happening with your domain’s email.
Important: Before setting up DMARC, make sure both SPF and DKIM are properly configured and working. DMARC depends on at least one of them passing and being aligned with your From address. Note that SPF is evaluated against the envelope sender (Return-Path) domain, which for many third-party senders is their own domain, so in practice a DKIM signature with your domain as d= is what earns alignment for that mail.
Understanding the DMARC Policy Options
| Policy Tag | Value | What It Does |
|---|---|---|
| p=none | Monitor only | No action is taken on failing emails. You just receive reports. Start here. |
| p=quarantine | Quarantine | Failing emails are sent to the recipient’s spam/junk folder. |
| p=reject | Reject | Failing emails are completely blocked. The ultimate goal. |
Creating Your DMARC Record
A basic DMARC record for monitoring looks like this (dmarc@yourdomain.com stands for whatever report mailbox you created in the prerequisites):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100
Here is what each tag means:
- v=DMARC1 – declares this is a DMARC record
- p=none – the policy (start with none)
- rua= – the mailbox where aggregate (summary) XML reports are sent. If that mailbox is on a different domain than the one publishing the record, the receiving domain must publish a TXT record at yourdomain.com._report._dmarc.reportdomain.com with the value v=DMARC1, or reporters will refuse to send to it.
- ruf= – the mailbox for failure (per-message) reports. Optional: most large providers do not send them, and when they do the reports can contain message content, so point them only at a mailbox you control.
- pct=100 – the percentage of failing messages the policy is applied to (100 is the default). It has no effect with p=none.
Adding the DMARC Record to DNS
- Set up a mailbox or group to receive DMARC reports (e.g., dmarc@yourdomain.com).
- Log in to your DNS provider.
- Add a new TXT record:
  - Host / Name: _dmarc
  - Type: TXT
  - Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
  - TTL: 3600 (or Auto)
- Save and wait for DNS propagation.
The Recommended DMARC Rollout Path
Do not jump straight to p=reject. Follow this gradual approach:
- Week 1-4: Set p=none and monitor your DMARC reports to identify all legitimate email sources.
- Week 5-8: Once all legitimate sources pass SPF/DKIM, move to p=quarantine; pct=25 (apply to 25% of failing traffic).
- Week 9-12: Increase to p=quarantine; pct=100.
- Week 13+: Upgrade to p=reject; pct=100 for full protection.
This phased rollout ensures you do not accidentally block legitimate emails from services you forgot to authenticate. Two details worth knowing: pct only samples messages that already fail DMARC, and a message that is not sampled gets the next-lower policy (quarantine instead of reject, none instead of quarantine) rather than being delivered untouched. Subdomains follow the sp= tag, which defaults to the same value as p=, so a subdomain that sends mail needs to be authenticated before you tighten p= unless you set sp= separately.
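The policy table, the record tags, and the rollout above all describe what a receiving server does with a message. The following is an added example written for this guide, not code from the article or from any mailbox provider, that models that receiver logic offline: parse the _dmarc record, test SPF and DKIM identifier alignment against the From domain, then apply p=, sp= and pct=. The message results are constructed; evaluate() takes a percentile argument in place of the random draw a real receiver makes for pct<100 so the sampling is reproducible. The organizational domain is approximated as the last two labels, which is wrong for registries such as .co.uk (real verifiers use the Public Suffix List).

```python
"""Receiver-side DMARC evaluation, modelled offline. Added example, not the
article's code. Domains and authentication results below are constructed."""

POLICY_STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Tag=value parsing with the RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_STEP_DOWN:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment
    tags.setdefault("aspf", "r")          # relaxed SPF alignment
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Approximation of the organizational domain (last two labels; see caveat above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, policy_domain, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain, percentile):
    """Return (dmarc_result, disposition).

    spf_domain is the Return-Path (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= of a signature that verified. Only an outright 'pass'
    counts for either: softfail, neutral, temperror and none do not.
    percentile is 1..100 and stands in for the receiver's random draw for pct<100."""
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    policy = tags["p"] if from_domain.lower() == policy_domain.lower() else tags["sp"]
    if percentile > int(tags["pct"]):     # not sampled: apply the next-lower policy
        policy = POLICY_STEP_DOWN[policy]
    return "fail", policy


if __name__ == "__main__":
    rollout = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com"
    # Constructed cases: Workspace mail; a newsletter tool still signing with its own
    # domain and its own Return-Path; an outright spoof under p=reject.
    print(evaluate(rollout, "yourdomain.com", "yourdomain.com", "pass", "yourdomain.com",
                   "pass", "yourdomain.com", 50))                                # ('pass', 'none')
    print(evaluate(rollout, "yourdomain.com", "yourdomain.com", "pass", "mail.mcsv.net",
                   "pass", "mcsv.net", 10))                                      # ('fail', 'quarantine')
    print(evaluate(rollout, "yourdomain.com", "yourdomain.com", "pass", "mail.mcsv.net",
                   "pass", "mcsv.net", 50))                                      # ('fail', 'none')
    print(evaluate("v=DMARC1; p=reject", "yourdomain.com", "yourdomain.com", "fail",
                   "attacker.example", "none", "", 1))                          # ('fail', 'reject')
```

The second case is the one the "Forgetting third-party senders" mistake is about: the vendor's SPF and DKIM both pass, yet neither identifier is yours, so DMARC fails; with pct=25 only a quarter of those messages are quarantined and the rest get the stepped-down policy of none, which is exactly why the rollout starts there.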
DNS Provider-Specific Instructions
The core records are the same regardless of your DNS provider, but the interface differs. Here is a quick reference for the most popular platforms:
Cloudflare
- Log in to your Cloudflare dashboard.
- Select your domain, then go to DNS > Records.
- Click Add Record.
- Choose TXT as the record type.
- Enter the name (@ for SPF, _dmarc for DMARC, or the DKIM selector for DKIM). For the Microsoft 365 DKIM records choose CNAME instead of TXT and make sure the record is set to DNS only, not proxied.
- Paste the value and save.
Namecheap
- Log in to your Namecheap account.
- Go to Domain List and click Manage next to your domain.
- Navigate to the Advanced DNS tab.
- Under Host Records, click Add New Record.
- Select TXT Record, fill in the host and value fields, then save.
GoDaddy
- Log in to your GoDaddy account and go to My Products.
- Click DNS next to your domain.
- Scroll to the Records section and click Add.
- Select TXT as the type, enter the name and value, then save.
Google Domains (now via Squarespace)
- Log in to your Squarespace Domains dashboard.
- Select your domain and go to DNS > DNS Settings.
- Click Add Record, choose TXT, and enter the required details.
How to Verify Your Records Are Working
After adding all three records, you should verify them. Here are reliable free tools you can use:
- MXToolbox (mxtoolbox.com) – check SPF, DKIM, and DMARC records individually
- Google Admin Toolbox (toolbox.googleapps.com/apps/checkmx) – great for Google Workspace users
- Mail Tester (mail-tester.com) – send a test email and get a full deliverability score
- DMARC Analyzer or Postmark DMARC – for parsing and understanding your DMARC aggregate reports
You can also send a test email to a Gmail address and click Show Original in Gmail: the summary at the top should show SPF, DKIM, and DMARC as PASS. Check the DKIM line as well: it should name your domain (d=yourdomain.com), not the sending service's domain, otherwise DKIM passes but does not align for DMARC.
Common Mistakes to Avoid
We see these errors regularly when auditing client domains:
- Multiple SPF records: You can only have one. If you need to add a new service, merge it into your existing record.
- Exceeding the 10 DNS lookup limit for SPF: Use tools like MXToolbox to count your lookups. If you are over the limit, remove senders you no longer use first; flattening the record into raw IP ranges works but goes stale whenever a provider changes its ranges, so it needs regular re-checking.
- Forgetting third-party senders: If Mailchimp or your CRM sends email from your domain but is neither listed in your SPF with an aligned Return-Path nor signing with your domain's DKIM key, those emails fail DMARC even though the service's own SPF and DKIM pass.
- Jumping straight to p=reject: This can block legitimate email. Always start with p=none and monitor first.
- Not monitoring DMARC reports: The reports are the whole point of DMARC at the beginning. Use a free or paid tool to parse them.
- Wrong DKIM selector name: Double-check the exact host name your email provider specifies. If the selector in the message's s= tag does not resolve to a key under _domainkey, the signature cannot be verified at all.
What Happens After Setup: Reading DMARC Reports
Once your DMARC record is live with rua= configured, you will start receiving compressed (zip or gzip) XML aggregate reports from major mailbox providers like Google, Yahoo, and Microsoft, typically one per provider per day. These reports tell you:
- Which IP addresses are sending email using your domain
- Whether those emails passed or failed SPF and DKIM
- Whether DMARC alignment was achieved
Raw XML reports are hard to read. We recommend using a DMARC report analysis tool such as:
- Postmark DMARC (free weekly digests)
- DMARC Analyzer
- Valimail
- dmarcian
Review these reports for at least 2 to 4 weeks before tightening your policy from none to quarantine or reject.
Complete Example: Full DNS Setup for Google Workspace
Here is what a complete set of email authentication records looks like for a domain using Google Workspace:
| Record Type | Host / Name | Value |
|---|---|---|
| TXT (SPF) | @ | v=spf1 include:_spf.google.com ~all |
| TXT (DKIM) | google._domainkey | v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (your unique key from Google Admin) |
| TXT (DMARC) | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100 |
Complete Example: Full DNS Setup for Microsoft 365
| Record Type | Host / Name | Value |
|---|---|---|
| TXT (SPF) | @ | v=spf1 include:spf.protection.outlook.com ~all |
| CNAME (DKIM) | selector1._domainkey | selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
| CNAME (DKIM) | selector2._domainkey | selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
| TXT (DMARC) | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100 |
Frequently Asked Questions
Do I need all three records (SPF, DKIM, and DMARC)?
Yes. While SPF and DKIM can work independently, DMARC requires at least one of them to be in place. For the best protection and deliverability, you should have all three configured. Since February 2024, Google and Yahoo require bulk senders (roughly 5,000 or more messages a day to their users) to pass both SPF and DKIM and to publish a DMARC record, which may be p=none.
How long does it take for DNS records to propagate?
Typically between a few minutes and 48 hours, depending on your DNS provider and the TTL (Time To Live) of existing records. In most cases, records become active within 1 to 4 hours.
Can I use DMARC without DKIM?
Technically yes, DMARC only requires one of SPF or DKIM to pass and be aligned. However, we strongly recommend having both. Plain forwarding changes the sending IP, so SPF fails, while a DKIM signature survives as long as the forwarder does not modify the signed headers or body (mailing lists that add footers or subject tags do break it). Having both gives each message two chances to align.
What is DMARC alignment?
Alignment means the domain in the From header matches the domain that SPF or DKIM actually authenticated. For example, with a From address at yourdomain.com, SPF must pass for a Return-Path (envelope sender) domain at yourdomain.com, or the DKIM signature must carry d=yourdomain.com; a pass for a third party's domain does not count. In the default relaxed mode a subdomain is enough (news.yourdomain.com aligns with yourdomain.com); strict mode (aspf=s, adkim=s) requires an exact match.
Will setting up these records guarantee my emails reach the inbox?
Authentication is a critical factor, but not the only one. Inbox placement also depends on your sender reputation, email content quality, list hygiene, and engagement rates. However, without SPF, DKIM, and DMARC, your chances of reaching the inbox are significantly lower.
I use multiple email services. How do I handle that?
For SPF, combine all authorized senders into a single record using multiple include: statements. For DKIM, each service will have its own selector and key, so you add separate DNS records for each. DMARC covers the entire domain with one record.
How often should I review my DMARC reports?
During the initial setup and monitoring phase (first 4 to 8 weeks), review them weekly. Once you have moved to a reject policy and all sources are authenticated, a monthly check is usually sufficient.
Need Help Setting Up Email Authentication?
Configuring SPF, DKIM, and DMARC correctly is essential but can get complex, especially when multiple sending services are involved. At Magnetik Agency, we help businesses secure their email infrastructure, improve deliverability, and protect their brand from spoofing attacks.
Get in touch with our team for a free email authentication audit of your domain.

