
SPF, DKIM & DMARC Setup: Complete Guide


MailAfiniti Team

January 8, 2026 · 15 min read

Step-by-step guide to configuring SPF, DKIM, and DMARC email authentication. Protect your domain from spoofing and improve email deliverability.

Setting Up SPF, DKIM, and DMARC: A Complete Guide

If you send business emails, you need email authentication. Period.

Without proper authentication, your emails are more likely to land in spam, your domain is vulnerable to spoofing attacks, and you're leaving your business and customers at risk. Yet only 42% of businesses have properly configured email authentication.

This guide demystifies SPF, DKIM, and DMARC—the three critical email authentication protocols. We'll explain what they do, why you need them, and exactly how to set them up, even if you're not technical.

Why Email Authentication Matters

Before diving into the how, let's understand the why.

The Email Forgery Problem

Email was designed in a simpler time when trust wasn't a concern. The original protocols don't verify that senders are who they claim to be. This means anyone can send an email claiming to be from any domain—including yours.

Without authentication:

  • Scammers can send emails from [email protected]
  • Your customers receive phishing emails that appear to come from you
  • Your brand reputation suffers when these scams are discovered
  • Your legitimate emails get blocked because ISPs can't verify authenticity

The Business Impact

Security Risks:

  • 94% of organizations experienced email-based attacks in 2025
  • Average cost of a business email compromise: $4.6 million
  • Customer trust erosion when your domain is used for fraud

Deliverability Consequences:

  • Gmail requires authentication for bulk senders
  • Poor authentication increases spam folder placement
  • Authentication is a critical component of overall email deliverability
  • Microsoft Office 365 increasingly filters unauthenticated mail
  • Yahoo and other providers penalize senders without proper setup
  • Your important emails end up in spam folders

Compliance Requirements:

  • GDPR considers email security a data protection measure
  • Industry regulations (HIPAA, PCI-DSS) often require email authentication
  • Cyber insurance policies may require proper email security

Understanding the Authentication Trinity

Email authentication relies on three complementary protocols:

SPF: Who Can Send?

SPF (Sender Policy Framework) lists which mail servers are authorized to send email from your domain.

Analogy: SPF is like a guest list at an exclusive event. If your name isn't on the list, you don't get in.

What it does:

  • You publish a list of approved mail servers in your DNS
  • Receiving servers check if the sending server is on your approved list
  • Emails from unauthorized servers are flagged or rejected

What it protects against:

  • Basic email spoofing
  • Unauthorized servers sending from your domain
  • Some types of phishing attacks

Limitations:

  • Doesn't verify the message content hasn't been altered
  • Can break when emails are forwarded
  • Doesn't specify what to do with failed checks

DKIM: Is It Authentic and Unchanged?

DKIM (DomainKeys Identified Mail) adds a digital signature to your emails proving they're legitimate and haven't been modified.

Analogy: DKIM is like a tamper-evident seal on a bottle of medication. If the seal is broken or missing, you know something's wrong.

What it does:

  • Your mail server adds a cryptographic signature to outgoing emails
  • This signature is generated using a private key only you possess
  • Receiving servers use your public key (published in DNS) to verify the signature
  • If the email was modified in transit, the signature won't match

What it protects against:

  • Email tampering
  • Content modification attacks
  • Advanced spoofing attempts

Advantages over SPF:

  • Survives email forwarding (signature travels with message)
  • Verifies message integrity, not just source
  • Can sign specific parts of the message

DMARC: What Should Receivers Do?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to tell receiving servers what to do when authentication fails.

Analogy: DMARC is like security protocols at a building. The guest list (SPF) and ID verification (DKIM) identify who you are, but DMARC tells security what to do if someone fails these checks.

What it does:

  • Specifies policy: should failed emails be delivered, quarantined, or rejected?
  • Requires either SPF or DKIM to pass (or both)
  • Sends reports about authentication attempts and failures
  • Provides visibility into who's sending email from your domain

What it protects against:

  • Email spoofing (comprehensive protection)
  • Phishing attacks using your domain
  • Brand impersonation
  • Unauthorized email senders

Critical value:

  • Gives you control over your domain's email ecosystem
  • Provides visibility through reports
  • Allows gradual enforcement without disrupting legitimate email

Setting Up SPF: Step by Step

Step 1: Identify Your Email Senders

Before creating your SPF record, list all services that send email from your domain:

Common sources:

  • Your email hosting provider (MailAfiniti, Google Workspace, Office 365, etc.)
  • Marketing platforms (Mailchimp, SendGrid, Constant Contact)
  • CRM systems (Salesforce, HubSpot)
  • Help desk software (Zendesk, Freshdesk)
  • E-commerce platforms (Shopify, WooCommerce)
  • Notification services
  • Any third-party service that sends on your behalf

How to identify:

  • Review your sent mail folders for different systems
  • Check with your IT team or service providers
  • Look at email headers from your various systems (they show sending servers)

Step 2: Build Your SPF Record

An SPF record is a TXT record in your DNS that starts with v=spf1 and lists authorized senders.

Basic structure:

v=spf1 [mechanisms] [qualifiers] [modifier]

Common mechanisms:

  • ip4:192.0.2.1 - Authorize specific IPv4 address
  • ip6:2001:db8::1 - Authorize specific IPv6 address
  • a - Authorize the IP(s) in your domain's A record
  • mx - Authorize the IP(s) of your domain's mail servers
  • include:domain.com - Include another domain's SPF record

Qualifiers:

  • + (pass) - Authorize this sender [default, often omitted]
  • - (fail) - Reject if this matches
  • ~ (soft fail) - Accept but mark as suspicious
  • ? (neutral) - Doesn't indicate pass or fail

Catch-all (the all mechanism, always placed last):

  • all - Matches everything not already matched by an earlier mechanism, so its qualifier decides the result for every other sender
    • ~all (recommended) - Soft fail everything else
    • -all (strict) - Reject everything else
    • +all (insecure) - Accept everything (don't use!)

Step 3: Example SPF Records

Simple business using MailAfiniti:

v=spf1 include:_spf.mailafiniti.com ~all

Business using MailAfiniti + Mailchimp:

v=spf1 include:_spf.mailafiniti.com include:servers.mcsv.net ~all

Business with multiple services:

v=spf1 include:_spf.mailafiniti.com include:_spf.google.com include:spf.protection.outlook.com ~all

Business with dedicated IP:

v=spf1 ip4:203.0.113.10 include:_spf.mailafiniti.com ~all

Step 4: Add SPF to DNS

Process varies by DNS provider, but general steps:

  1. Log into your DNS hosting (often your domain registrar: GoDaddy, Namecheap, Cloudflare, etc.)
  2. Navigate to DNS management or DNS records
  3. Add new TXT record:
    • Host/Name: @ (or blank, or your domain name depending on provider)
    • Type: TXT
    • Value: Your SPF record (starting with v=spf1)
    • TTL: 3600 (1 hour) or default
  4. Save the record

Example DNS entry:

Type: TXT
Host: @
Value: v=spf1 include:_spf.mailafiniti.com ~all
TTL: 3600

Step 5: Verify SPF

Using command line:

nslookup -type=txt yourdomain.com

or

dig yourdomain.com TXT

Using online tools:

Common issues:

⚠️ Multiple SPF records: You can only have ONE SPF record. Multiple TXT records starting with v=spf1 will cause failures.

⚠️ DNS lookup limit: SPF has a 10 DNS lookup limit. Too many include: statements cause errors.

⚠️ Syntax errors: Missing spaces, typos in mechanisms, or incorrect formatting breaks SPF.
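To catch the three issues above before a receiver does (and the first two entries in the Common Setup Mistakes section further down, which restate them), here is an added Python linter. It is example code written for this guide, not part of MailAfiniti's tooling: the TXT records fed to it are constructed sample data standing in for the output of dig yourdomain.com TXT, and the lookup count covers only the top-level record, because following each include: to count its nested lookups needs live DNS.

```python
import re

# Mechanisms that each consume one DNS lookup under the RFC 7208 limit of 10.
# redirect= costs one as well; ip4, ip6 and all are free.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10

# One SPF term: optional qualifier + mechanism (+ optional argument),
# or a redirect=/exp= modifier.
TERM_RE = re.compile(
    r"^(?P<qual>[+\-~?])?(?P<name>all|ip4|ip6|a|mx|ptr|exists|include)"
    r"(?P<arg>[:/].+)?$"
    r"|^(?P<mod>redirect|exp)=(?P<modarg>\S+)$",
    re.IGNORECASE,
)

def spf_records(txt_records):
    """Keep only the TXT records that are SPF records (case-insensitive v=spf1)."""
    return [r for r in txt_records if r.lower().startswith("v=spf1")]

def lint_spf(txt_records):
    """Lint a domain's TXT record set.

    Returns (findings, lookups): a list of human-readable problems (empty
    when everything checks out) and the number of lookup-consuming terms
    found in the top-level record.
    """
    findings = []
    records = spf_records(txt_records)
    if not records:
        return ["No SPF record found (no TXT record starting with v=spf1)"], 0
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records found; receivers return permerror, publish exactly one")

    terms = records[0].split()[1:]  # drop the v=spf1 version tag
    lookups = 0
    seen_all = False
    has_redirect = False
    for term in terms:
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"Unrecognised term {term!r}")
            continue
        if seen_all:
            findings.append(f"Term {term!r} comes after 'all' and is never evaluated")
        if m.group("mod"):
            if m.group("mod").lower() == "redirect":
                has_redirect = True
                lookups += 1
            continue
        name = m.group("name").lower()
        qualifier = m.group("qual") or "+"  # '+' (pass) is the default
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            seen_all = True
            if qualifier == "+":
                findings.append("'+all' authorises every host on the internet; use ~all or -all")
        elif name in {"ip4", "ip6", "include", "exists"} and not m.group("arg"):
            findings.append(f"Mechanism '{name}' needs an argument, e.g. {name}:...")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup-consuming terms exceed the limit of {MAX_LOOKUPS}")
    if not seen_all and not has_redirect:
        findings.append("No 'all' mechanism: senders not listed get an implicit neutral result")
    return findings, lookups

if __name__ == "__main__":
    # Constructed sample: what `dig yourdomain.com TXT` might return for a
    # domain with two SPF records and an insecure catch-all.
    sample = [
        "v=spf1 include:_spf.mailafiniti.com include:servers.mcsv.net +all",
        "v=spf1 ip4:203.0.113.10 ~all",
        "google-site-verification=constructed-placeholder",
    ]
    problems, count = lint_spf(sample)
    print(f"{count} lookup(s) counted in the first SPF record")
    for problem in problems:
        print("-", problem)
```

Run it against your own records by pasting the TXT values into the sample list. A clean result is an empty findings list; anything it reports maps directly onto one of the warnings above.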

Setting Up DKIM: Step by Step

DKIM setup requires your email service provider to generate keys, then you publish the public key in DNS.

Step 1: Generate DKIM Keys

Your email hosting provider handles this:

MailAfiniti users:

  1. Log into your control panel
  2. Navigate to Email Authentication or DKIM settings
  3. Click "Generate DKIM Keys"
  4. System creates public/private key pair
  5. Private key stays on server (signs outgoing mail)
  6. You receive the public key to publish in DNS

Google Workspace:

  1. Admin console > Apps > Google Workspace > Gmail
  2. Authenticate email
  3. Generate new record
  4. Copy provided DNS record

Office 365:

  1. Admin center > Setup > Domains
  2. Select your domain
  3. DKIM signing
  4. Generate keys
  5. Copy CNAME records

Step 2: Understand DKIM Record Structure

A DKIM DNS record contains your public key and looks like:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Components:

  • v=DKIM1 - Version
  • k=rsa - Key type (RSA is standard)
  • p=... - Public key (long string of characters)

Selector: The DKIM record is published at a subdomain using a selector:

[selector]._domainkey.yourdomain.com

Common selectors: default, mail, google, k1, etc.

Step 3: Add DKIM to DNS

Your provider will give you specific instructions, but typically:

TXT record format:

Type: TXT
Host: default._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
TTL: 3600

Some providers use CNAME:

Type: CNAME
Host: selector._domainkey
Points to: dkim.provider.com
TTL: 3600

Important notes:

  • The "Host" includes ._domainkey suffix
  • The public key (p= value) can be very long - copy it exactly
  • Some DNS interfaces require the full hostname (default._domainkey.yourdomain.com)
  • Others just need the first part (default._domainkey)

Step 4: Enable DKIM Signing

After publishing the DNS record:

  1. Wait for DNS propagation (usually 15-60 minutes, can take up to 48 hours)
  2. Verify the record is published (see verification below)
  3. Enable DKIM signing in your email provider's control panel
  4. Send test email to verify signature is attached

Step 5: Verify DKIM

Using command line:

nslookup -type=txt default._domainkey.yourdomain.com

Using online tools:

Send test email:

  1. Send email to Gmail account
  2. Open email, click three dots > Show original
  3. Look for "DKIM: 'PASS'"

Example header showing DKIM pass:

ARC-Authentication-Results: i=1; mx.google.com;
  dkim=pass [email protected] header.s=default header.b=abc123;
  spf=pass [email protected];
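To make the DKIM steps above concrete, here is an added Python example of the first two things a receiving server does with a DKIM-Signature header: read the d= and s= tags to build the DNS name where your public key must be published (selector._domainkey.yourdomain), then recompute the body hash (bh=) to check the message body was not altered in transit. This is example code for this guide, not MailAfiniti's code and not a complete verifier: the RSA check of the b= tag against the p= key from DNS is left out because it needs a crypto library, and the message and header below are constructed samples with a placeholder b= value.

```python
import base64
import hashlib
import re

def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value ('tag=value; tag=value') into a dict.
    Folding whitespace inside values (long b= and bh= strings) is removed."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(tags):
    """The TXT name a receiver queries for the public key: selector._domainkey.domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 section 3.4 body canonicalization ('simple' or 'relaxed').

    Both modes drop empty trailing lines and end every line with CRLF.
    Relaxed additionally collapses runs of spaces/tabs and strips trailing
    whitespace, which is what lets a signature survive minor reformatting
    by forwarders.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""  # empty-body rule differs per mode
    return "".join(line + "\r\n" for line in lines).encode()

def body_hash(body, mode="relaxed"):
    """Base64 SHA-256 of the canonicalized body: the value carried in bh=."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(header_value, body):
    """True when recomputing bh= from the received body reproduces the signed value.
    A mismatch means the body changed in transit and DKIM fails before the
    RSA check of b= (not shown here) is even attempted."""
    tags = parse_dkim_signature(header_value)
    c = tags.get("c", "simple/simple").split("/")
    body_mode = c[1] if len(c) == 2 else "simple"  # 'c=relaxed' alone means body is simple
    return body_hash(body, body_mode) == tags.get("bh")

if __name__ == "__main__":
    # Constructed sample message; b= is a placeholder, not a real signature.
    body = "Hello,   world  \n\nThanks\n\n\n"
    header = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;\r\n"
              " h=from:to:subject:date; bh=" + body_hash(body) + ";\r\n b=PLACEHOLDER")
    tags = parse_dkim_signature(header)
    print("query", dkim_dns_name(tags), "TXT for the p= public key")
    print("intact body  :", body_hash_matches(header, "Hello, world\r\n\r\nThanks\r\n"))
    print("tampered body:", body_hash_matches(header, "Hello, world\r\n\r\nThanks!\r\n"))
```

The intact body passes even though its whitespace and line endings differ from the signed original, which is the point of relaxed canonicalization; a single added character fails. The DNS name it prints is exactly the Host you publish in Step 3, which is why a selector mismatch between the signer and DNS (Troubleshooting, DKIM failures) breaks verification.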

Setting Up DMARC: Step by Step

DMARC is the final and most powerful piece of the authentication puzzle.

Step 1: Ensure SPF and DKIM Are Working

DMARC requires at least one of SPF or DKIM to be properly configured. Configuring both is strongly recommended.

Verify using the tools mentioned above before proceeding with DMARC.

Step 2: Start with Monitoring Policy

Recommended first DMARC record:

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100; fo=1

Why start with p=none?

  • Doesn't affect email delivery (monitoring only)
  • Lets you see authentication results
  • Identifies legitimate senders you might have missed
  • Reveals spoofing attempts
  • Safe to implement while you learn

Step 3: Understand DMARC Tags

Required tags:

  • v=DMARC1 - Version (must be first)
  • p= - Policy for domain
    • none - Monitor only (recommended start)
    • quarantine - Send failures to spam
    • reject - Reject failures entirely

Important optional tags:

  • rua=mailto:[email protected] - Aggregate reports (daily summaries)
  • ruf=mailto:[email protected] - Forensic reports (individual failure details)
  • pct=100 - Percentage of email to apply policy to (100 = all)
  • sp= - Policy for subdomains (if different from domain policy)
  • adkim= - DKIM alignment mode (r relaxed or s strict)
  • aspf= - SPF alignment mode (r relaxed or s strict)
  • fo= - Failure reporting options

Step 4: Add DMARC to DNS

Create TXT record:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]
TTL: 3600

Note: The host is specifically _dmarc (underscore is important)

Step 5: Verify DMARC

Using command line:

nslookup -type=txt _dmarc.yourdomain.com

Using online tools:

Step 6: Monitor Reports

DMARC reports arrive at the email address specified in the rua= tag.

Aggregate reports (RUA):

  • Sent daily by major email providers
  • XML format (use DMARC report parsers)
  • Show authentication results for all email from your domain
  • Identify legitimate senders and spoofing attempts

Report analysis tools:

  • dmarcian.com
  • Postmark DMARC Digests
  • Valimail
  • URIports

What to look for:

  • Sources passing authentication (these are good)
  • Sources failing authentication (investigate these)
  • Unknown IPs sending from your domain (potential spoofing)
  • Legitimate services you forgot to include in SPF
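The report tools listed above do this at scale, but it helps to see what an aggregate report actually contains. Here is an added Python example, not MailAfiniti's code or any of those tools, that parses one report and produces the per-source view described under "What to look for". The XML is a constructed sample in the RFC 7489 Appendix C layout (real reports arrive as gzip or zip attachments at your rua= address), and the IPs and domains in it are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report. The second source passes raw SPF for an
# unrelated domain but fails the DMARC-aligned checks: exactly what a forgotten
# third-party service or a spoofer looks like in a report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1767830400</begin><end>1767916800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.example</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.example</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""

def parse_aggregate_report(xml_text):
    """Turn one aggregate report into a summary dict.

    policy_evaluated/dkim and /spf are the DMARC-aligned results, which is
    what matters; auth_results holds the raw SPF/DKIM outcomes, and a raw
    pass for some other domain still counts as a DMARC failure.
    """
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": [],
    }
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim")
        spf = evaluated.findtext("spf")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": record.findtext("identifiers/header_from"),
            "dkim": dkim,
            "spf": spf,
            "disposition": evaluated.findtext("disposition"),
            # Failing both aligned checks: spoofing, or a service missing from SPF/DKIM.
            "needs_review": dkim != "pass" and spf != "pass",
        })
    return summary

def sources_needing_review(summary):
    """IPs that failed both aligned checks, highest message volume first."""
    flagged = [s for s in summary["sources"] if s["needs_review"]]
    return [s["ip"] for s in sorted(flagged, key=lambda s: s["count"], reverse=True)]

if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{report['reporter']} reporting on {report['domain']} (p={report['policy']})")
    for s in report["sources"]:
        flag = "REVIEW" if s["needs_review"] else "ok"
        print(f"{s['ip']:>15} {s['count']:>6} msgs  dkim={s['dkim']} spf={s['spf']} "
              f"disposition={s['disposition']} {flag}")
```

Because the published policy is p=none, the disposition for the failing source is still "none": the report shows what would have been quarantined or rejected once you strengthen the policy in Step 7, which is why the monitoring period matters.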

Step 7: Strengthen Policy

After monitoring for 2-4 weeks and ensuring legitimate email passes:

Move to quarantine:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

Monitor for another 2-4 weeks. If no issues:

Move to reject:

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

Gradual rollout alternative:

Use pct= to apply policy to percentage of mail:

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=10

Start at 10%, increase to 25%, 50%, 75%, then 100% over several weeks.

Advanced DMARC Configuration

Subdomain Policy

Protect subdomains separately:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]

  • p=reject - Main domain policy (strict)
  • sp=quarantine - Subdomain policy (less strict for testing subdomains)

Alignment Modes

Control how strictly "From" address must match authenticated domain:

Relaxed alignment (default):

v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:[email protected]

  • Allows subdomains to send for parent domain
  • More flexible, fewer false positives

Strict alignment:

v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:[email protected]

  • Exact domain match required
  • Maximum security, potential for false positives
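To see how the tags from Step 3, the pct= rollout from Step 7 and the subdomain and alignment options above combine, here is an added Python example (not MailAfiniti's code) that evaluates a DMARC record the way a receiving server does: it parses the tags, tests alignment between the From domain and whatever domain passed SPF or DKIM, then picks the disposition from p= or sp= and the pct= sample. Two simplifications are assumptions of this example only: the organizational domain is taken as the last two labels rather than looked up in the Public Suffix List, and the receiver's random pct= draw is passed in as a number so results are reproducible. The rua= mailbox in the sample record is a placeholder.

```python
# Next less severe action applied to mail outside the pct= sample (RFC 7489 section 6.6.4).
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """'v=DMARC1; p=reject; sp=quarantine; ...' -> dict of tags with defaults filled in."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is given
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption for this example only; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, dmarc_domain, from_domain,
             spf_pass_domain=None, dkim_pass_domain=None, sample=0):
    """Return (dmarc_result, disposition) for one message.

    dmarc_domain      domain whose _dmarc record this is
    from_domain       RFC5322.From domain of the message
    spf_pass_domain   MAIL FROM domain if SPF passed, else None
    dkim_pass_domain  d= of a DKIM signature that verified, else None
    sample            0-99 draw standing in for the receiver's random pct= sampling
    """
    tags = parse_dmarc(record)
    spf_aligned = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_aligned = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"  # one aligned pass is enough
    is_subdomain = from_domain.lower() != dmarc_domain.lower()
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample >= int(tags["pct"]):
        policy = WEAKER[policy]  # outside the sampled percentage: step down one level
    return "fail", policy

if __name__ == "__main__":
    # Constructed sample record; the rua= mailbox is a placeholder.
    record = ("v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; pct=100; "
              "rua=mailto:dmarc@example.com")
    cases = [
        ("SPF passed for mail.example.com under strict aspf", dict(spf_pass_domain="mail.example.com")),
        ("DKIM d=mail.example.com under relaxed adkim", dict(dkim_pass_domain="mail.example.com")),
        ("nothing passed", {}),
    ]
    for label, auth in cases:
        print(label, "->", evaluate(record, "example.com", "example.com", **auth))
    print("unauthenticated subdomain ->", evaluate(record, "example.com", "news.example.com"))
    print("p=reject pct=10, unsampled ->",
          evaluate("v=DMARC1; p=reject; pct=10", "example.com", "example.com", sample=50))
```

The same SPF pass for mail.example.com is rejected under aspf=s and accepted under the relaxed default, which is the trade-off the two alignment sections above describe. The last line shows why pct=10 is a gentle rollout: the 90% of mail outside the sample is quarantined rather than rejected, not simply left alone.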

Common Setup Mistakes and Solutions

Mistake 1: Too Many SPF Lookups

Problem: SPF record exceeds 10 DNS lookup limit

Example of a record likely to exceed the limit once the lookups inside each include are counted:

v=spf1 include:service1.com include:service2.com include:service3.com include:service4.com include:service5.com include:service6.com include:service7.com ~all

Solution:

  • Use IP addresses instead of includes where possible
  • Consolidate services
  • Use SPF flattening tools
  • Consider SPF macros for complex scenarios

Mistake 2: Multiple SPF Records

Problem: Multiple TXT records starting with v=spf1

Result: SPF fails entirely (not cumulative)

Solution: Combine all authorized senders into ONE SPF record

Mistake 3: Jumping Straight to p=reject

Problem: Setting DMARC to reject without monitoring period

Result: Legitimate email gets rejected if you missed a sender

Solution: Always start with p=none, monitor, then strengthen

Mistake 4: Forgetting to Enable DKIM Signing

Problem: Published DKIM DNS record but didn't enable signing in email system

Result: DKIM appears in DNS but emails aren't signed

Solution: Enable DKIM signing in your email provider's control panel after DNS setup

Mistake 5: Wrong DNS Record Location

Problem: Publishing authentication records at wrong domain/subdomain

Result: Records aren't found during checks

Solution:

  • SPF: @ or root domain
  • DKIM: selector._domainkey
  • DMARC: _dmarc

Maintenance and Monitoring

Authentication isn't set-it-and-forget-it:

Regular Checks

Monthly:

  • Review DMARC reports
  • Check for new unauthorized senders
  • Verify authentication still passing (send test emails)

Quarterly:

  • Audit all email-sending services
  • Update SPF record if services changed
  • Review and tighten DMARC policy if appropriate

When Adding Services:

  • Update SPF record before service goes live
  • Test authentication from new service
  • Monitor DMARC reports for new source

Troubleshooting Authentication Issues

SPF failures:

  1. Verify DNS record exists and is correct
  2. Check you don't have multiple SPF records
  3. Ensure sending server is included in SPF
  4. Verify not exceeding 10 lookup limit

DKIM failures:

  1. Confirm DKIM DNS record is published
  2. Verify DKIM signing is enabled
  3. Check selector matches between signing and DNS
  4. Ensure public key in DNS matches private key in use

DMARC failures:

  1. Verify SPF and/or DKIM are passing
  2. Check alignment (From domain must match authenticated domain)
  3. Review DMARC reports for specific failure reasons

The Complete Authentication Checklist

Ready to implement? Follow this checklist:

SPF Setup:

  • [ ] List all email sending sources
  • [ ] Build SPF record including all sources
  • [ ] Verify 10 lookup limit not exceeded
  • [ ] Add SPF TXT record to DNS at @ or root
  • [ ] Wait for DNS propagation (1-48 hours)
  • [ ] Verify SPF record with nslookup or online tools
  • [ ] Send test email and check headers

DKIM Setup:

  • [ ] Generate DKIM keys in email provider
  • [ ] Receive public key and selector
  • [ ] Add DKIM TXT record to DNS at selector._domainkey
  • [ ] Wait for DNS propagation
  • [ ] Verify DKIM DNS record is published
  • [ ] Enable DKIM signing in email provider
  • [ ] Send test email and verify DKIM signature in headers

DMARC Setup:

  • [ ] Confirm SPF and DKIM are working
  • [ ] Create email address for DMARC reports ([email protected])
  • [ ] Add DMARC TXT record starting with p=none
  • [ ] Wait for DNS propagation
  • [ ] Verify DMARC record is published
  • [ ] Monitor reports for 2-4 weeks
  • [ ] Identify and fix any legitimate senders failing authentication
  • [ ] Strengthen policy to p=quarantine, monitor 2-4 weeks
  • [ ] Move to p=reject when confident

Ongoing Maintenance:

  • [ ] Review DMARC reports monthly
  • [ ] Update SPF when adding new email services
  • [ ] Test authentication quarterly
  • [ ] Monitor for blacklist appearances

Let MailAfiniti Handle the Complexity

Email authentication is critical but can be complex to implement correctly. MailAfiniti makes it simple:

Pre-configured Authentication:

  • SPF automatically configured for your domain
  • DKIM keys generated and managed
  • DMARC guidance and templates provided
  • One-click DNS record generation

Expert Support:

  • Help setting up authentication
  • DNS configuration assistance
  • Troubleshooting authentication issues
  • DMARC report analysis

Built-in Monitoring:

  • Authentication status dashboard
  • Alerts for configuration issues
  • Deliverability monitoring
  • Easy verification tools

Don't let email authentication complexity hold you back from protecting your domain and ensuring deliverability. Start your free trial with MailAfiniti and get authentication right from day one.

