How to Set Up SPF, DKIM and DMARC

Step-by-step guide to SPF, DKIM and DMARC — email authentication so your emails stop going to spam.

Why Do You Need Email Authentication?

Every time you send an email, the recipient's mail server asks: "Is this email really from who it claims to be?" Without email authentication the honest answer is "we don't know", and receivers increasingly treat an unanswerable question as a reason to route the message to spam or reject it outright.

The three protocols SPF, DKIM and DMARC together form the complete email authentication solution. Each one solves a different piece of the puzzle:

  • SPF: "Which mail servers are allowed to send on my behalf?"
  • DKIM: "Was this email genuinely sent by me and not altered in transit?"
  • DMARC: "Does the visible From: domain match what SPF or DKIM authenticated, and what should you do when neither aligned check passes?"
Since February 2024: Google and Yahoo require SPF, DKIM and a published DMARC record (p=none is enough to satisfy the requirement) for senders sending more than 5,000 messages per day to their users, and SPF or DKIM for everyone else. Even for smaller senders, missing records significantly increase the risk of spam classification.

Step 1 — Set Up SPF

SPF (Sender Policy Framework) is a DNS TXT record that declares which mail servers are authorised to send email for your domain.

How does it work?

When a mail server receives a message, it takes the domain of the envelope sender (the SMTP MAIL FROM, which the recipient sees as Return-Path), looks up that domain's SPF record in DNS and checks whether the connecting IP address is listed. If it is not, the message may be flagged as spam or rejected. Note that SPF never looks at the visible From: header; tying the two together is DMARC's job.

Example SPF record:

v=spf1 include:_spf.google.com include:mailgun.org -all

Meaning: Google Workspace and Mailgun servers are allowed to send email for my domain. Any other IP gets a hard fail (-all). What the receiver does with a hard fail is its own decision, but most treat it as grounds to reject or spam-folder the message.

Qualifier   Meaning                            Recommendation
-all        Hard fail (reject)                 ✅ Ideal
~all        Soft fail (mark as suspicious)     ⚠️ Transitional
+all        Allow everything                   ❌ Dangerous
⚠️ The 10 DNS lookup limit: a receiver may perform at most 10 DNS lookups while evaluating your record (RFC 7208). Every include:, a, mx, ptr and exists mechanism and every redirect= modifier counts, and the includes inside your includes count too; ip4: and ip6: entries are free. Exceed the limit and the result is SPF PermError, which most receivers treat as if you had no SPF record at all. Count the lookups across the whole include tree, drop providers you no longer use, and only as a last resort use an SPF flattening tool (a flattened IP list goes stale as soon as a provider changes its ranges, so keep it automated).
⚠️ One SPF record only: publish exactly one TXT record starting with v=spf1. Two or more produce a PermError even if each is correct on its own; merge them into one record instead.
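To make the lookup limit and the one-record rule concrete, here is an added example (not code from this guide or from any provider): a small Python SPF evaluator that runs against a constructed in-memory zone instead of live DNS. It supports ip4, ip6, a, include, redirect= and all; mx, ptr and exists are left out on the assumption that they are not needed to show the point. count_lookups walks the entire include tree the way a flattening tool would, while check_host evaluates like a receiver, sharing one lookup counter across nested includes and raising PermError the moment it passes 10. The zone, domain names and IPs (RFC 5737 documentation ranges) are all made up.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over an in-memory zone.

Added example for this guide, not code from the article or any provider.
Handles ip4, ip6, a, include, redirect= and all; mx, ptr and exists are
omitted (assumption: not needed to demonstrate the limit and record rule).
"""
import ipaddress

MAX_LOOKUPS = 10                                      # RFC 7208 section 4.6.4
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: domain -> {"TXT": [...], "A": [...]}. Addresses are
# RFC 5737 documentation ranges, not any real provider's netblocks.
ZONE = {
    "example.com": {"TXT": ["v=spf1 include:_spf.mail.example include:relay.example -all"]},
    "_spf.mail.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_netblocks.mail.example ~all"]},
    "_netblocks.mail.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "relay.example": {"TXT": ["v=spf1 a -all"], "A": ["203.0.113.10"]},
    "two-records.example": {"TXT": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}


class PermError(Exception):
    """Unusable record; receivers treat this like having no SPF at all."""


def spf_record(domain, zone):
    """The one TXT record starting with v=spf1, None if absent, PermError if several."""
    txts = zone.get(domain, {}).get("TXT", [])
    recs = [t for t in txts if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError(f"{domain}: {len(recs)} SPF records published, must be exactly one")
    return recs[0] if recs else None


def _parse(term):
    """'-include:x' -> ('-', 'include', 'x', False); 'redirect=y' -> ('+', 'redirect', 'y', True)."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    is_modifier = "=" in term
    name, _, arg = term.partition("=" if is_modifier else ":")
    return qualifier, name.lower(), arg, is_modifier


def count_lookups(domain, zone, path=()):
    """Static count over the whole include tree (what a flattening tool reports)."""
    if domain in path:
        raise PermError(f"include loop at {domain}")
    record = spf_record(domain, zone)
    total = 0
    for term in (record or "").split()[1:]:
        _, name, arg, _ = _parse(term)
        if name in ("include", "redirect"):
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total


def check_host(ip, domain, zone, counter=None):
    """Evaluate like a receiver: one lookup counter shared across nested includes,
    PermError as soon as it passes MAX_LOOKUPS. Returns (result, lookups_used)."""
    counter = counter if counter is not None else [0]
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain, zone)
    if record is None:
        return "none", counter[0]

    def lookup():
        counter[0] += 1
        if counter[0] > MAX_LOOKUPS:
            raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")

    redirect = None
    for term in record.split()[1:]:
        qualifier, name, arg, is_modifier = _parse(term)
        if name == "redirect":
            redirect = arg                        # only consulted if nothing matches
            continue
        if is_modifier:
            continue                              # exp= and unknown modifiers are ignored
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            lookup()
            hosts = zone.get(arg or domain, {}).get("A", [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            lookup()
            sub, _ = check_host(ip, arg, zone, counter)
            if sub == "none":                     # include of a domain without SPF is a PermError
                raise PermError(f"include:{arg} has no SPF record")
            matched = sub == "pass"
        else:
            raise PermError(f"{domain}: mechanism {name} not supported here")
        if matched:
            return RESULT[qualifier], counter[0]
    if redirect:
        lookup()
        return check_host(ip, redirect, zone, counter)
    return "neutral", counter[0]


def spf_result(ip, domain, zone=ZONE):
    """Result string only, with PermError folded in (what a receiver reports)."""
    try:
        return check_host(ip, domain, zone)[0]
    except PermError:
        return "permerror"
```

With this zone, check_host("203.0.113.10", "example.com", ZONE) returns ("pass", 4): the evaluation passes through two includes, one nested include and the a mechanism of relay.example before it matches. two-records.example yields permerror before a single lookup is spent, and loop.example burns through the whole budget with an include that points at itself.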

Step 2 — Set Up DKIM

DKIM (DomainKeys Identified Mail) adds a digital signature to every email. The signing server signs a chosen set of headers (always including From:) plus a hash of the body with a private key, and names the signing domain in the d= tag of the DKIM-Signature header. The recipient fetches the matching public key from your DNS and verifies that nothing that was signed has been altered in transit.

How is it configured?

The process varies by email provider, but generally:

  1. Your email provider (Google Workspace, Microsoft 365, Mailgun, etc.) generates a key pair (public + private)
  2. You retrieve the public key from the provider's admin panel
  3. You add it as a TXT record in your DNS in the form: selector._domainkey.example.com
google._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

The "selector" (e.g. google, mail, s1) is provided by your email provider.

DKIM best practices

  • Key size: Use RSA 2048-bit. 1024-bit keys are considered weak (RFC 8301 lets verifiers ignore anything shorter). Ed25519 keys (RFC 8463) are shorter and just as strong, but not every verifier supports them yet, so if you use one, sign with an RSA key as well.
  • Key rotation: Rotate DKIM keys every 6–12 months. Publish the new selector in DNS first, switch signing over once it resolves, and keep the old selector published for 24–48 hours so mail still in transit can be verified; after that, set its p= to empty (revoked) or remove it, so a leaked old key can no longer sign as you.
  • Multiple selectors: If you use multiple email providers, each gets its own selector. They do not conflict; the s= tag in each DKIM-Signature header tells the verifier which key to fetch.
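Added example, not from this guide or from any provider: a Python checker for a selector._domainkey TXT value that parses the tags and measures the RSA modulus carried in the p= tag, so you can tell a 1024-bit key from a 2048-bit one without an external tool. The DER encoder and decoder are minimal and written here for the purpose; the keys the block builds for its own input (synthetic_rsa_spki) are made-up moduli of the right length, not real keys, and the ed25519 branch only checks the raw key length (assumptions).

```python
"""Sanity-check a DKIM DNS record: tags, base64, key type and RSA key size.

Added example for this guide, not code from the article or any provider.
It carries its own tiny DER encoder/decoder so it runs offline; the
"keys" it builds are synthetic moduli of the requested length, not real
keys (assumption: only the SubjectPublicKeyInfo shape matters here).
"""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                            # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def synthetic_rsa_spki(bits, e=65537):
    """SubjectPublicKeyInfo around a made-up modulus of exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))


def _read(buf, i=0):
    """Decode one DER TLV at offset i -> (tag, value, next_offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        k = length & 0x7F
        length, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + length], i + length


def rsa_modulus_bits(spki):
    """Modulus length of an rsaEncryption SubjectPublicKeyInfo, in bits."""
    tag, body, _ = _read(spki)
    seq, alg, i = _read(body)
    oid_tag, oid, _ = _read(alg)
    if (tag, seq, oid_tag, oid) != (0x30, 0x30, 0x06, RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bit_tag, bitstring, _ = _read(body, i)
    if bit_tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_pub, _ = _read(bitstring[1:])          # skip the unused-bits byte
    _, modulus, _ = _read(rsa_pub)                # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """'v=DKIM1; k=rsa; p=MIIB...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': 'MIIB...'}."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())   # p= is often folded
    return tags


def check_dkim_record(txt):
    """Return {'ok': bool, 'bits': int | None, 'findings': [...]}."""
    tags = parse_dkim_record(txt)
    out = {"ok": False, "bits": None, "findings": []}
    if tags.get("v", "DKIM1") != "DKIM1":
        out["findings"].append("v= must be DKIM1 when present")
        return out
    p = tags.get("p")
    if p is None:
        out["findings"].append("no p= tag: record is unusable")
        return out
    if p == "":
        out["findings"].append("empty p=: key revoked, every signature fails")
        return out
    try:
        key = base64.b64decode(p, validate=True)
    except ValueError:
        out["findings"].append("p= is not valid base64")
        return out
    ktype = tags.get("k", "rsa")
    if ktype == "rsa":
        try:
            out["bits"] = rsa_modulus_bits(key)
        except (ValueError, IndexError):
            out["findings"].append("p= does not decode as an RSA public key")
            return out
        out["findings"].append(f"RSA modulus: {out['bits']} bits")
        if out["bits"] < 2048:
            out["findings"].append("weak key (<2048 bits): rotate to 2048")
            return out
    elif ktype == "ed25519":
        out["bits"] = len(key) * 8
        if len(key) != 32:
            out["findings"].append("ed25519 p= must be a 32-byte public key")
            return out
    else:
        out["findings"].append(f"unknown key type k={ktype}")
        return out
    out["ok"] = True
    return out


def example_record(bits):
    """Constructed selector record carrying a synthetic RSA key of the given size."""
    p = base64.b64encode(synthetic_rsa_spki(bits)).decode()
    return f"v=DKIM1; k=rsa; p={p}"
```

Feed it the TXT value you get back from DNS (join the quoted strings first; long keys are split into several 255-byte chunks). A revoked key (p=) is reported as a failure on purpose: it is the correct state for a retired selector, but a disaster if it is the one your provider is still signing with.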

Step 3 — Set Up DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties together SPF and DKIM and defines what happens when they fail. It also sends you reports so you can see who is sending email on your behalf.

Example DMARC record:

_dmarc.example.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

Policy (p=)     Result                        When to use
p=none          Monitoring only, no action    Initially, to collect reports
p=quarantine    Spam folder                   After 2–4 weeks of monitoring
p=reject        Full rejection                Final goal for complete protection

Recommended DMARC rollout strategy:

  1. Weeks 1–4: p=none; rua=mailto:dmarc@yourdomain.com. Collect reports, list every source sending email on your behalf, and fix SPF and DKIM for each legitimate one before moving on.
  2. Weeks 5–8: p=quarantine; pct=25. A quarter of the mail that fails is quarantined, the rest is still treated as p=none; raise pct in steps as long as the reports stay clean.
  3. Long term: p=reject; pct=100 (pct defaults to 100, so it can be omitted). Full protection. Note that with p=reject and a lower pct, the unsampled share is quarantined rather than delivered.

How to read DMARC reports

Aggregate reports (rua) arrive as gzip- or zip-compressed XML attachments, typically one per reporting receiver per day. Each report shows:

  • Which IP sent email on your behalf, and how many messages
  • Whether SPF and DKIM passed, and whether each passing result was aligned with the From: domain
  • Which disposition the receiver applied (none, quarantine or reject)

For easy reading, use free tools like dmarcian.com or MxToolbox DMARC Report Analyzer.
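Added example, not from this guide or from any report-analysis vendor: a Python summary of one aggregate (rua) report. The XML is constructed here following the RFC 7489 Appendix C schema with RFC 5737 addresses; the reporter name, selector and counts are invented. It shows the three cases you will meet in real reports: your own provider (both checks aligned), forwarded mail (SPF breaks, DKIM carries it) and an unknown source failing everything.

```python
"""Summarise a DMARC aggregate (rua) report.

Added example for this guide, not code from the article or any vendor.
SAMPLE_REPORT is constructed to the RFC 7489 Appendix C schema; every
address, name and count in it is made up.
"""
import xml.etree.ElementTree as ET   # reports come from third parties: prefer defusedxml in production

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>20240101-example.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>  <!-- your own provider: both checks pass and align -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- forwarded mail: raw SPF passes for the forwarder, so it does not align -->
    <row><source_ip>198.51.100.23</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- unknown source using the From: domain without any authentication -->
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(elem, path, default=""):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def summarize_report(xml_text):
    """One dict per source IP plus message totals for the whole report."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": [], "total": 0, "passed": 0, "failed": 0,
    }
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        # policy_evaluated holds the *aligned* results; auth_results holds the raw ones
        dkim_aligned = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_aligned = _text(rec, "row/policy_evaluated/spf") == "pass"
        dmarc_pass = dkim_aligned or spf_aligned      # either aligned check is enough
        summary["sources"].append({
            "ip": _text(rec, "row/source_ip"),
            "count": count,
            "header_from": _text(rec, "identifiers/header_from"),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc": "pass" if dmarc_pass else "fail",
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "spf_domain": _text(rec, "auth_results/spf/domain"),   # explains (non-)alignment
            "dkim_signatures": [(_text(d, "domain"), _text(d, "selector"), _text(d, "result"))
                                for d in rec.findall("auth_results/dkim")],
        })
        summary["total"] += count
        summary["passed" if dmarc_pass else "failed"] += count
    return summary


def needs_attention(summary):
    """Sources whose mail failed DMARC: an unlisted legitimate sender to fix,
    or the spoofing the policy exists to stop."""
    return [s for s in summary["sources"] if s["dmarc"] == "fail"]
```

In the sample, the forwarded record is the instructive one: auth_results shows SPF passing for forwarder.example, but policy_evaluated records it as a fail because that domain is not example.com; the aligned DKIM signature is what keeps the message at disposition none.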

How to Verify Everything Is Working

After configuring, check that SPF, DKIM and DMARC are present and correct. Query the three TXT records with dig or nslookup: the apex (example.com) for SPF, selector._domainkey.example.com for DKIM and _dmarc.example.com for DMARC, and make sure each returns exactly one well-formed record. Then send a test message to a mailbox you control and read its Authentication-Results header: it should show spf=pass, dkim=pass and dmarc=pass. Or use the site's checker:

→ SPF / DKIM / DMARC Checker

Troubleshooting Common Issues

SPF: "None" or "Fail"

"None" means no SPF record was found for the envelope sender domain (check that you published it for the Return-Path domain, which may differ from your From: domain); "Fail" means the record exists but the sending server's IP is not in it. Add or fix the TXT record according to your email provider's instructions.

DKIM: selector not found

The selector named in the s= tag of the DKIM-Signature header doesn't exist in DNS, or was published under the wrong name. Check the provider dashboard (Google Workspace, Microsoft 365, etc.) for the exact selector and TXT record value, and make sure the record name ends in _domainkey.yourdomain, not just _domainkey.

DMARC alignment failure

SPF or DKIM pass but DMARC fails? DMARC requires alignment: the domain that passed SPF (the Return-Path domain) or DKIM (the d= tag) must match the visible From: domain, exactly in strict mode (aspf=s / adkim=s) or by organisational domain in the default relaxed mode. Common with email forwarding, which changes the sending IP, and with third-party senders that use their own Return-Path domain and sign with their own DKIM domain. Ask such a provider to sign with a DKIM key under your domain, or set up a custom return-path domain, so at least one check aligns.
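Added example, not from this guide: a Python function that computes the DMARC verdict for one message from the From: domain, the SPF envelope domain and result, the DKIM d= domains and results, and the published record, covering relaxed versus strict alignment and the pct sampling used in the rollout above. The organisational domain is derived with a tiny stand-in suffix list rather than the real Public Suffix List, and the sp= subdomain policy is omitted (assumptions).

```python
"""DMARC verdict for one message: alignment (relaxed/strict) plus pct sampling.

Added example for this guide, not code from the article. The organisational
domain uses a tiny stand-in suffix list instead of the Public Suffix List
(assumption), and the sp= subdomain policy is left out.
"""

# Stand-in for the Public Suffix List; real code must use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
# What the unsampled share of failing mail gets (RFC 7489 section 6.6.4).
LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt):
    """'v=DMARC1; p=quarantine; pct=25' -> tag dict with defaults filled in."""
    tags = dict(DEFAULTS)
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in LOWER:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    """Organisational domain: the label left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict ('s'): identical domains. Relaxed ('r'): same organisational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def dmarc_evaluate(header_from, spf, dkim, record_txt, sample=0):
    """spf: (envelope_domain, result); dkim: list of (d=, result).
    sample: 0..99, models the receiver's random draw against pct."""
    policy = parse_dmarc_record(record_txt)
    spf_domain, spf_result = spf
    spf_aligned = spf_result == "pass" and aligned(spf_domain, header_from, policy["aspf"])
    dkim_aligned = any(res == "pass" and aligned(d, header_from, policy["adkim"])
                       for d, res in dkim)
    verdict = {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:              # one aligned pass is enough
        verdict.update(dmarc="pass", disposition="none")
    else:
        applied = policy["p"] if sample < int(policy["pct"]) else LOWER[policy["p"]]
        verdict.update(dmarc="fail", disposition=applied)
    return verdict
```

The first two cases in the test are the alignment failures from the troubleshooting entry: forwarded mail whose SPF passes for forwarder.example still passes DMARC thanks to an aligned DKIM signature, while a bounce.example.com Return-Path aligns under relaxed mode but not once aspf=s is set.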

SPF PermError (TooManyDNSLookups)

You have exceeded the 10 DNS lookup limit. First remove include: entries for providers you no longer use and look for nested includes you do not need. If that is not enough, use SPF flattening: replace include: directives with the IP ranges they currently resolve to. Flattened records go stale whenever a provider changes its ranges, so refresh them automatically rather than by hand.

Frequently Asked Questions

Do I need all three (SPF, DKIM, DMARC)?
Yes, for complete protection. SPF and DKIM alone are not enough — without DMARC you don't define what happens when they fail. Google and Yahoo require all three for bulk senders since February 2024.
How long does it take for the records to take effect?
A brand-new record is visible as soon as your DNS provider serves it, usually within minutes. A change to an existing record has to wait for cached copies to expire, which is the record's TTL (often 1 hour, sometimes 24). If a checker still shows the old value, wait out the TTL before assuming something is wrong.
Can I include multiple mail providers in one SPF record?
Yes, combine them in one record: v=spf1 include:_spf.google.com include:mailgun.org -all. Never create two separate SPF records: DNS will happily serve both, but SPF requires exactly one and returns PermError otherwise. Keep an eye on the 10 lookup limit as you add providers.
Does email forwarding break DKIM?
Plain forwarding usually breaks SPF rather than DKIM: the forwarder's IP is not in your SPF record, but a DKIM signature survives as long as the forwarder leaves the signed headers and the body untouched. Mailing lists and gateways that rewrite the subject or append footers do break DKIM. DMARC passes if either aligned check passes, so DKIM is usually what carries forwarded mail through; for cases where neither survives, ARC (RFC 8617) lets the forwarder vouch for the original authentication results.
What is BIMI and do I need DMARC for it?
BIMI (Brand Indicators for Message Identification) displays your logo next to your emails in Gmail, Yahoo Mail and other supporting clients. It requires DMARC at enforcement (p=quarantine or p=reject with pct=100), a BIMI DNS record pointing at an SVG logo, and, for Gmail, a VMC (Verified Mark Certificate) proving you own the mark.
