Mike Buckbee

Email Authentication Setup: Complete Guide to SPF, DKIM, and DMARC

Mike Buckbee
Email Authentication Setup: Complete Guide to SPF, DKIM, and DMARC

Email authentication protects your domain and improves deliverability. Learn how to set up SPF, DKIM, and DMARC records with step-by-step instructions and verification tips.

Why Email Authentication Matters

Email authentication proves your emails are really from you. Without it, your emails land in spam, get rejected entirely, or worse—scammers can impersonate your domain to phish your customers.

Three authentication methods work together to protect your domain and improve deliverability:

  • SPF (Sender Policy Framework): Specifies which servers can send email from your domain
  • DKIM (DomainKeys Identified Mail): Adds a digital signature proving the email wasn't tampered with
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving servers what to do if SPF or DKIM fails

Critical Requirement: As of February 2024, Gmail and Yahoo require SPF, DKIM, and DMARC for bulk senders (anyone sending 5,000+ emails per day). Even if you send less, authentication dramatically improves deliverability.

This guide walks you through setting up all three authentication methods, step by step.

How Email Authentication Works

When you send an email, receiving servers check if you're authorized to send from your domain.

The Authentication Flow

  1. You send an email from yourcompany.com
  2. Receiving server checks SPF: Is the sending server authorized to send from yourcompany.com?
  3. Receiving server checks DKIM: Does the digital signature match and validate?
  4. Receiving server checks DMARC: Do SPF and DKIM pass? What should I do if they fail?
  5. Email is delivered, quarantined, or rejected based on authentication results

All of this happens automatically in seconds. But it only works if you've set up your DNS records correctly.

SPF Setup (Sender Policy Framework)

SPF tells receiving servers which mail servers are allowed to send email from your domain.

What SPF Does

SPF prevents spammers from forging your domain in the "From" address. When configured, only servers you specify can send email as yourcompany.com.

Without SPF: Anyone can send email claiming to be from your domain

With SPF: Only authorized servers can send from your domain

How to Create Your SPF Record

SPF is a DNS TXT record that lists authorized sending servers.

Basic SPF record structure: v=spf1 [mechanisms] [qualifier]

Common mechanisms: - ip4:192.0.2.1 - Authorizes a specific IPv4 address - ip6:2001:db8::1 - Authorizes a specific IPv6 address - include:_spf.google.com - Includes Google's SPF record (for Google Workspace) - include:sendgrid.net - Includes SendGrid's servers - a - Authorizes the domain's A record - mx - Authorizes the domain's MX records - ~all - Soft fail for everything else (recommended) - -all - Hard fail for everything else (stricter)

Example SPF records:

Simple website (no email service): v=spf1 -all This says "nobody is authorized to send from this domain" - use this for domains that don't send email.

Google Workspace only: v=spf1 include:_spf.google.com ~all

Google Workspace + SendGrid: v=spf1 include:_spf.google.com include:sendgrid.net ~all

Multiple services: v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all

Finding Your Email Service Provider's SPF Include

Check your ESP's documentation for their SPF include directive:

Email Service SPF Include
Google Workspace (Gmail) include:_spf.google.com
Microsoft 365 include:spf.protection.outlook.com
SendGrid include:sendgrid.net
Mailchimp include:servers.mcsv.net
Mailgun include:mailgun.org
Postmark include:spf.mtasv.net
Amazon SES include:amazonses.com

Adding SPF to Your DNS

Step 1: Access your DNS provider

Log into wherever you manage your domain's DNS records. Common providers: - Cloudflare - GoDaddy - Namecheap - Google Domains - Your web host

Step 2: Create a new TXT record

  • Type: TXT
  • Name/Host: @ (represents your root domain)
  • Value: Your SPF record (e.g., v=spf1 include:_spf.google.com ~all)
  • TTL: 3600 (1 hour) or use default

Step 3: Save the record

DNS changes can take 1-48 hours to propagate, but often work within minutes.

SPF Limitations and Best Practices

The 10 DNS Lookup Limit:

SPF records have a hard limit of 10 DNS lookups. Each include: statement counts as a lookup. If you exceed 10, SPF fails entirely.

How to count lookups: - Each include: = 1 lookup - Each a or mx = 1 lookup - ip4: and ip6: = 0 lookups

Example that FAILS (too many lookups): v=spf1 include:service1.com include:service2.com include:service3.com include:service4.com include:service5.com include:service6.com include:service7.com include:service8.com include:service9.com include:service10.com include:service11.com ~all

Solution if you hit the limit: - Consolidate email services where possible - Use ip4: for services that provide IP addresses instead of include: - Create a subdomain for marketing emails (marketing.yourcompany.com)

Best practices: - Use ~all (soft fail) not -all (hard fail) while testing - Only include services you actually use - Don't include your domain's own SPF record (no self-reference) - Keep it simple - fewer includes is better

DKIM Setup (DomainKeys Identified Mail)

DKIM adds a digital signature to your emails that proves they came from your domain and weren't modified in transit.

What DKIM Does

DKIM uses cryptographic keys: - Private key: Kept secret by your email server, used to sign outgoing messages - Public key: Published in your DNS, used by receiving servers to verify signatures

When you send an email: 1. Your email server signs the message with your private key 2. Receiving server retrieves your public key from DNS 3. Receiving server verifies the signature matches 4. If it matches, the email passes DKIM authentication

How to Set Up DKIM

DKIM setup varies by email service provider. Your ESP generates the keys and gives you DNS records to publish.

General process:

Step 1: Generate DKIM keys in your ESP

Find the DKIM settings in your email service: - Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email - Microsoft 365: Admin Center → Security → Email authentication - SendGrid: Settings → Sender Authentication → Domain Authentication - Mailchimp: Account → Settings → Domains → Authenticate domain

Step 2: Get your DKIM DNS records

Your ESP will provide: - Selector: A label for this key (e.g., "google", "s1", "k1") - DKIM record: A TXT record containing your public key

Example DKIM record: Name: google._domainkey.yourcompany.com Type: TXT Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Step 3: Add DKIM record to DNS

Create a new TXT record: - Type: TXT - Name: [selector]._domainkey (e.g., google._domainkey) - Value: The DKIM public key provided by your ESP - TTL: 3600 or default

Step 4: Verify in your ESP

After adding the DNS record, click "Verify" or "Authenticate" in your ESP's interface. They'll check that the DNS record is correct.

DKIM Best Practices

Use multiple selectors for multiple services:

If you send from Google Workspace and SendGrid, you'll have multiple DKIM records with different selectors:

google._domainkey.yourcompany.com → Google's DKIM key
s1._domainkey.yourcompany.com → SendGrid's DKIM key

This is normal and recommended.

Rotate keys annually:

For security, generate new DKIM keys every 12-24 months. Most ESPs make this easy.

Use 2048-bit keys:

Longer keys are more secure. Most services now default to 2048-bit RSA keys.

DMARC Setup (Domain-based Message Authentication)

DMARC builds on SPF and DKIM. It tells receiving servers what to do when authentication fails and sends you reports about your email.

What DMARC Does

DMARC provides: 1. Policy enforcement: Tells receivers to reject, quarantine, or deliver emails that fail authentication 2. Alignment: Requires the domain in the "From" header to match SPF or DKIM domains 3. Reporting: Sends daily reports showing who's sending from your domain

DMARC Policy Levels

DMARC has three policy levels:

p=none (monitoring only): v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com - Doesn't affect delivery - Collects reports - Use this: When first implementing DMARC

p=quarantine (soft reject): v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com - Suspicious emails go to spam folder - Use this: After monitoring shows your legitimate email passes authentication

p=reject (hard reject): v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com - Failing emails are rejected entirely - Use this: For maximum protection (only when ready)

How to Create Your DMARC Record

Basic DMARC record: v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com

Components: - v=DMARC1 - Version (always this) - p=none - Policy for your domain - rua=mailto:dmarc@yourcompany.com - Where to send aggregate reports - sp=none - Policy for subdomains (optional) - pct=100 - Percentage of emails to apply policy to (optional, defaults to 100) - adkim=r - DKIM alignment mode: r=relaxed (default), s=strict - aspf=r - SPF alignment mode: r=relaxed (default), s=strict

Recommended starting DMARC record: v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com; pct=100; adkim=r; aspf=r

Adding DMARC to Your DNS

Step 1: Create the DMARC record

  • Type: TXT
  • Name: _dmarc
  • Value: Your DMARC policy (e.g., v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com)
  • TTL: 3600 or default

Step 2: Wait for reports

DMARC reports arrive daily (if anyone sent/received email from your domain that day). They're XML files showing: - Who sent email from your domain - Whether SPF and DKIM passed - What the receiving server did with the message

DMARC Implementation Strategy

Don't jump straight to p=reject. Follow this rollout:

Week 1-2: Deploy p=none v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com Monitor reports. Identify all legitimate email sources. Fix any SPF or DKIM issues.

Week 3-6: Move to p=quarantine v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourcompany.com Start with 10% of traffic. Monitor reports. Increase percentage gradually (25%, 50%, 75%, 100%).

Month 2+: Move to p=reject v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com Only do this when you're confident all legitimate email passes authentication.

Reading DMARC Reports

DMARC reports are XML files that can be overwhelming. Use a DMARC reporting service:

DMARC report analyzers (free tiers available): - Postmark DMARC Digests - DMARC Analyzer - Valimail - dmarcian

These services parse the XML and show you: - Which sources are sending from your domain - Pass/fail rates for SPF and DKIM - Potential spoofing attempts - Configuration issues

Verification and Testing

After setting up SPF, DKIM, and DMARC, verify they're working correctly.

DNS Propagation Check

Wait 1-24 hours after adding DNS records, then check if they're visible:

Using dig (command line): ```bash

Check SPF

dig TXT yourcompany.com

Check DKIM

dig TXT google._domainkey.yourcompany.com

Check DMARC

dig TXT _dmarc.yourcompany.com ```

Using online tools: - MXToolbox (mxtoolbox.com/SuperTool.aspx) - Google Admin Toolbox Dig (toolbox.googleapps.com/apps/dig/) - DNSChecker (dnschecker.org)

Authentication Test Email

Send a test email to yourself and check the headers.

Gmail: 1. Send email from your domain to your Gmail address 2. Open the email 3. Click the three dots → "Show original" 4. Look for authentication results:

SPF: PASS
DKIM: PASS
DMARC: PASS

Mail-Tester: 1. Go to mail-tester.com 2. Send an email to the address they provide 3. Check your score and authentication results

Common Setup Issues

SPF issues:

"SPF failed: too many DNS lookups" - Solution: Reduce number of include: statements to 10 or fewer

"SPF failed: no policy" - Solution: Add SPF TXT record to root domain (@)

DKIM issues:

"DKIM failed: no key" - Solution: Verify DKIM TXT record is published correctly - Check selector name matches what ESP expects

"DKIM failed: signature mismatch" - Solution: Ensure your ESP is signing emails - Regenerate DKIM keys if needed

DMARC issues:

"DMARC failed: alignment" - Solution: Ensure "From" domain matches SPF/DKIM domain - Use relaxed alignment (adkim=r; aspf=r)

"No DMARC record found" - Solution: Add TXT record at _dmarc.yourcompany.com

Advanced Authentication Topics

Subdomain Strategy

Send marketing emails from a subdomain to protect your primary domain reputation.

Setup: - Main domain: yourcompany.com (for business email) - Marketing subdomain: marketing.yourcompany.com (for bulk email)

Benefits: - Marketing email issues don't affect business email - Easier to monitor and manage authentication - Can use stricter DMARC on main domain

Configuration: Each subdomain needs its own SPF, DKIM, and DMARC records.

BIMI (Brand Indicators for Message Identification)

BIMI displays your logo next to emails in supporting inbox clients (Gmail, Yahoo, Apple Mail).

Requirements: - DMARC policy of p=quarantine or p=reject - Verified Mark Certificate (VMC) from a certificate authority - SVG logo file hosted on HTTPS

BIMI is optional but improves brand recognition and trust.

ARC (Authenticated Received Chain)

ARC preserves authentication results when emails are forwarded or modified by mailing lists.

Most email services handle ARC automatically. As a sender, you don't need to configure it separately.

Email Authentication Checklist

Use this checklist to ensure complete authentication:

SPF

DKIM

DMARC

Testing

The Bottom Line

Email authentication is no longer optional. SPF, DKIM, and DMARC are required for serious email senders and dramatically improve deliverability.

The setup process: 1. Add SPF: List authorized sending servers 2. Add DKIM: Enable in your ESP and publish public key 3. Add DMARC: Start with monitoring, move to enforcement 4. Verify: Test and monitor reports

Authentication protects your brand, improves deliverability, and builds trust with receiving servers. It takes a few hours to set up and provides ongoing benefits forever.

Don't skip this. Your deliverability depends on it.


Want to maintain the reputation you've built with authentication? Check our email list hygiene guide to keep your sender reputation strong with proper list maintenance.

P.S. If you found this useful, you're going to love our Email Subject Line Tester

Get More Opens With Every Email Send

Are your email subjects marking you as spam?
Are you being filtered as a 'Promotion' instead of a 'Priority'?

Start the test

Find out instantly.