How to Set Up SPF, DKIM and DMARC
Step-by-step guide to SPF, DKIM and DMARC — email authentication so your emails stop going to spam.
Why Do You Need Email Authentication?
Every time you send an email, the recipient's mail server asks: "Is this email really from who it claims to be?" Without email authentication, the answer is simply "we don't know" — and mail servers react by routing it to spam or rejecting it entirely.
The three protocols SPF, DKIM and DMARC together form the complete email authentication solution. Each one solves a different piece of the puzzle:
- SPF: "Which mail servers are allowed to send on my behalf?"
- DKIM: "Was this email genuinely sent by me and not altered in transit?"
- DMARC: "What should you do if SPF or DKIM fail?"
Step 1 — Set Up SPF
SPF (Sender Policy Framework) is a DNS TXT record that declares which mail servers are authorised to send email for your domain.
How does it work?
When a mail server receives an email "from" your domain, it looks up your SPF record in DNS. If the sending server's IP is not listed there, the email may be flagged as spam or rejected.
Example SPF record:
v=spf1 include:_spf.google.com include:mailgun.org -all
Meaning: Google Workspace and Mailgun servers are allowed to send email for my domain. Anyone else (-all) is strictly rejected.
| Qualifier | Meaning | Recommendation |
|---|---|---|
| -all | Hard fail — reject | ✅ Ideal |
| ~all | Soft fail — mark as suspicious | ⚠️ Transitional |
| +all | Allow everything | ❌ Dangerous |
v=spf1, SPF will fail.
Step 2 — Set Up DKIM
DKIM (DomainKeys Identified Mail) adds a digital signature to every email. The recipient verifies this signature using the public key stored in your DNS.
How is it configured?
The process varies by email provider, but generally:
- Your email provider (Google Workspace, Microsoft 365, Mailgun, etc.) generates a key pair (public + private)
- You retrieve the public key from the provider's admin panel
- You add it as a TXT record in your DNS in the form:
selector._domainkey.example.com
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
The "selector" (e.g. google, mail, s1) is provided by your email provider.
Step 3 — Set Up DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties together SPF and DKIM and defines what happens when they fail. It also sends you reports so you can see who is sending email on your behalf.
Example DMARC record:
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
| Policy (p=) | Result | When to use |
|---|---|---|
| p=none | Monitoring only — no action | Initially, to collect reports |
| p=quarantine | Spam folder | After 2–4 weeks of monitoring |
| p=reject | Full rejection | Final goal for complete protection |
Recommended DMARC rollout strategy:
- Weeks 1–4: p=none; rua=mailto:dmarc@yourdomain.com — collect reports, see who sends email on your behalf
- Weeks 5–8: p=quarantine; pct=25 — start with 25% enforcement, monitor results
- Long term: p=reject; pct=100 — full protection
How to Verify Everything Is Working
After configuring, check that SPF, DKIM and DMARC are present and correct:
Check your domain's SPF, DKIM and DMARC right now — free:
→ SPF / DKIM / DMARC Checker
Troubleshooting Common Issues
SPF: "None" or "Fail"
The SPF record doesn't exist or doesn't include your mail server. Add or fix the TXT record according to your email provider's instructions.
DKIM: selector not found
The selector your email provider uses doesn't exist in DNS. Check the provider dashboard (Google Workspace, Microsoft 365, etc.) for the correct selector and TXT record value.
DMARC alignment failure
SPF or DKIM pass but DMARC fails? This usually means the From: domain doesn't match what SPF/DKIM are verifying. Common with email forwarding or third-party senders.
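The record-level problems this guide describes (a missing or duplicated SPF record, a weak all qualifier, a DMARC policy still in monitoring or partial enforcement, no report address) can be checked offline once you have the TXT values in hand. The Python below is an added example, not part of the original guide or any provider's tooling; the function names and the sample records are constructed for illustration.

```python
# Added example: lint SPF and DMARC TXT values offline (no DNS queries).

def lint_spf(txt_records):
    """Findings for the TXT strings published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no v=spf1 record found"]
    if len(spf) > 1:
        return [f"SPF: {len(spf)} v=spf1 records found, merge into one"]
    alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["SPF: no 'all' term, unlisted senders are never failed"]
    # The first 'all' decides; a missing qualifier defaults to '+'.
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    notes = {"~": "SPF: ~all is a soft fail, transitional only",
             "?": "SPF: ?all is neutral, no protection",
             "+": "SPF: +all allows every sender"}
    return [notes[qualifier]] if qualifier in notes else []

def lint_dmarc(record):
    """Findings for the TXT string published at _dmarc.<domain>."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["DMARC: record is not a v=DMARC1 record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        findings.append("DMARC: p=none is monitoring only")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct}, policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, no reports will arrive")
    return findings

# Constructed sample values, not taken from any real domain.
SAMPLE_TXT = ["site-verification=constructed-placeholder",
              "v=spf1 include:_spf.google.com ~all",
              "v=spf1 include:mailgun.org -all"]
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=25"

if __name__ == "__main__":
    for finding in lint_spf(SAMPLE_TXT) + lint_dmarc(SAMPLE_DMARC):
        print(finding)
```

An empty result from both functions means the records match the end state this guide recommends: a single SPF record ending in -all, and a DMARC policy at full enforcement with a report address.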
Frequently Asked Questions
v=spf1 include:_spf.google.com include:mailgun.org -all. Never create two separate SPF records — DNS only accepts one.