How to Set Up SPF, DKIM, and DMARC for Email Authentication


You set up email for your domain. You send a test email. It goes straight to spam. Or worse — someone starts sending phishing emails pretending to be you, and there is nothing stopping them.

Both problems have the same solution: email authentication. SPF, DKIM, and DMARC are three DNS records that work together to prove your emails are legitimate and block anyone from spoofing your domain. This guide explains what each one does and how to set them up correctly.

Why Email Authentication Matters

Without authentication, anyone can send an email claiming to be from your domain. The email protocol (SMTP) has no built-in identity verification — it was designed in 1982 when the internet was a trusted academic network.

Without SPF/DKIM/DMARC:

  • Your legitimate emails may land in spam
  • Attackers can send phishing emails as [email protected]
  • Email providers (Gmail, Outlook) trust your domain less
  • You have no visibility into who is sending email from your domain

With SPF/DKIM/DMARC:

  • Your emails land in the inbox
  • Spoofed emails are rejected or quarantined
  • You get reports showing all email activity for your domain
  • Email providers trust your domain more

SPF (Sender Policy Framework)

What It Does

SPF tells the world which mail servers are allowed to send email on behalf of your domain. When a receiving server gets an email from yourdomain.com, it checks the SPF record to see if the sending server is authorized.

How It Works

Sending server → Receiving server
                  ↓
                  Looks up SPF record for yourdomain.com
                  ↓
                  Is the sender's IP in the allowed list?
                  ↓
                  Yes → Pass | No → Fail

The SPF Record

SPF is a TXT record on your domain. Here is a real example:

v=spf1 include:_spf.google.com include:improvmx.com ~all

Breaking it down:

Part                      Meaning
v=spf1                    This is an SPF record (version 1)
include:_spf.google.com   Google Workspace servers are allowed to send
include:improvmx.com      ImprovMX servers are allowed to send
~all                      Soft-fail everything else (mark as suspicious but deliver)

SPF Qualifiers

Qualifier   Meaning                            When to use
+all        Allow everything                   Never — defeats the purpose
-all        Hard fail — reject unauthorized    After testing, when you are confident
~all        Soft fail — mark as suspicious     During initial setup
?all        Neutral — no opinion               Rarely useful

Common SPF Records

Google Workspace:

v=spf1 include:_spf.google.com ~all

Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

Multiple services (Google + Mailchimp + custom server):

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.50 ~all

SPF Limitations

  • 10 DNS lookup limit — each include: counts as a lookup; exceed the limit and the SPF check fails outright instead of authorizing anyone
  • Only checks the envelope sender (Return-Path), not the From header
  • Does not encrypt anything — just authorization
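As an added example (not code from the original article), the evaluator below parses an SPF TXT record, evaluates ip4:/ip6: mechanisms against a sender IP entirely offline, and counts the mechanisms that cost a DNS lookup against the 10-lookup limit. It assumes no DNS access, so include:, a, mx and similar terms are counted but treated as non-matching; the result is only meaningful for senders listed by IP.

```python
import ipaddress

# Mechanisms and modifiers that each consume one of the 10 allowed DNS lookups
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10


def parse_spf(record: str):
    """Return a list of (qualifier, name, value) terms; raise on a non-SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier when none is written
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")  # e.g. include:_spf.google.com
        if "=" in name:                       # modifier form, e.g. redirect=_spf.example.com
            name, _, value = term.partition("=")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def lookup_count(record: str) -> int:
    """Number of lookup-bearing terms; more than LOOKUP_LIMIT breaks the record."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_MECHANISMS)


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Result for sender_ip: pass, fail, softfail, neutral, or permerror.

    Assumption: no DNS is available, so only ip4/ip6 terms can match here.
    """
    if lookup_count(record) > LOOKUP_LIMIT:
        return "permerror"                    # receivers treat the record as broken
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if name == "all":                     # catch-all decides everything unmatched
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # nothing matched and no 'all' term
```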

DKIM (DomainKeys Identified Mail)

What It Does

DKIM adds a cryptographic signature to every email you send. The receiving server can verify this signature using a public key published in your DNS. This proves the email was not modified in transit and actually came from your domain.

How It Works

Your mail server signs the email with a private key
  ↓
Email travels to recipient
  ↓
Receiving server looks up your DKIM public key in DNS
  ↓
Verifies the signature matches the email content
  ↓
Match → Pass | No match → Fail

The DKIM Record

DKIM is a TXT record at a specific subdomain: selector._domainkey.yourdomain.com

google._domainkey.samnet.dev  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."

Part          Meaning
google        The selector (identifies which key to use)
_domainkey    Standard DKIM subdomain
v=DKIM1       DKIM version 1
k=rsa         Key type
p=MIIBIj...   The public key (Base64 encoded)

Setting Up DKIM

You do not generate DKIM keys manually — your email provider does it:

  1. Go to your email provider's admin panel
  2. Find DKIM settings (usually under Authentication or Security)
  3. They give you a DNS record to add
  4. Add the TXT record to your DNS
  5. Enable DKIM signing in the provider's settings

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What It Does

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also gives you reports showing who is sending email from your domain.

How It Works

Email arrives at receiving server
  ↓
Check SPF → Pass or Fail?
Check DKIM → Pass or Fail?
  ↓
Check DMARC alignment (does the From domain match the domain SPF or DKIM authenticated?)
  ↓
If neither check passes with alignment → Apply DMARC policy (none/quarantine/reject)
  ↓
Send aggregate report to domain owner

The DMARC Record

DMARC is a TXT record at _dmarc.yourdomain.com:

_dmarc.samnet.dev  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

Part             Meaning
v=DMARC1         DMARC version 1
p=none           Policy: do nothing (monitoring only)
p=quarantine     Policy: send to spam folder
p=reject         Policy: reject the email entirely
rua=mailto:...   Where to send aggregate reports
ruf=mailto:...   Where to send forensic (failure) reports

DMARC Rollout Strategy

Do not jump straight to p=reject. Roll out gradually:

Week 1-2: Monitor only

v=DMARC1; p=none; rua=mailto:[email protected]

Week 3-4: Quarantine a percentage

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

Month 2: Quarantine all

v=DMARC1; p=quarantine; rua=mailto:[email protected]

Month 3+: Reject (maximum protection)

v=DMARC1; p=reject; rua=mailto:[email protected]

Review the DMARC reports at each stage to make sure legitimate email is not being blocked before tightening the policy.

The Complete Setup Checklist

  1. Add SPF record — TXT record on your root domain listing authorized senders
  2. Enable DKIM — through your email provider, add the DNS record they give you
  3. Add DMARC record — start with p=none for monitoring
  4. Test everything — send test emails to Gmail, check headers for SPF/DKIM/DMARC pass
  5. Monitor DMARC reports — review weekly for unauthorized senders
  6. Tighten DMARC policy — move from none to quarantine to reject over 2-3 months

Testing Your Setup

Check Email Headers

When you receive a test email in Gmail, click the three dots → "Show original" and look for:

SPF: PASS
DKIM: PASS
DMARC: PASS

All three should say PASS. If any fails, check the corresponding DNS record.
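As an added example (not code from the original article), the parser below pulls the spf=, dkim= and dmarc= verdicts out of the Authentication-Results header that a receiver such as Gmail adds, so the check above can be scripted over saved test messages. The sample headers are constructed for illustration; the sender address in them is made up.

```python
import re

# Constructed sample of a header a receiver adds; the address is made up
SAMPLE_HEADER = (
    "Authentication-Results: mx.google.com; "
    "dkim=pass header.i=@samnet.dev header.s=google; "
    "spf=pass (domain of test@samnet.dev designates 203.0.113.50 as permitted sender) "
    "smtp.mailfrom=test@samnet.dev; "
    "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samnet.dev"
)

CHECKS = ("spf", "dkim", "dmarc")


def parse_auth_results(header: str) -> dict:
    """Map each of spf/dkim/dmarc to its verdict (pass, fail, softfail, none, ...)."""
    body = header
    if header.lower().startswith("authentication-results:"):
        body = header.split(":", 1)[1]
    body = re.sub(r"\([^)]*\)", "", body)      # drop parenthesised comments
    results = {}
    for stanza in body.split(";")[1:]:         # stanza 0 is the authserv-id (mx.google.com)
        match = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", stanza, re.I)
        if match:
            results[match.group(1).lower()] = match.group(2).lower()
    return results


def failed_checks(results: dict) -> list:
    """Names of the checks that did not report pass (missing counts as failed)."""
    return [name for name in CHECKS if results.get(name) != "pass"]
```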
