
SPF, DKIM, and DMARC: Setup Guide for Email Authentication

Step-by-step guide to setting up SPF, DKIM, and DMARC records for your domain. DNS examples, testing, and common mistakes to avoid.

Feb 7, 2026 · 13 min read

If you send email from your own domain, whether for cold outreach, marketing, or transactional messages, you need SPF, DKIM, and DMARC configured correctly. Without them, your mail is likely to be filtered to spam or rejected outright, and anyone can send mail that claims to come from your domain.

Since Google and Yahoo's 2024 authentication requirements, these three protocols are no longer optional. This guide walks you through setting up each one, step by step.

Why Email Authentication Matters

Email authentication serves three purposes:

  • Proves the mail came from your domain: receiving servers can check that the sending server (SPF) or the signing key (DKIM) was authorized by the domain owner
  • Prevents spoofing: with DMARC at enforcement, mail that puts your exact domain in the From header but fails authentication is quarantined or rejected (lookalike domains are a separate problem that DMARC does not address)
  • Improves deliverability: authenticated mail is more likely to reach the inbox

As of 2026, the major inbox providers (Gmail, Yahoo, Outlook, iCloud Mail) require SPF or DKIM for every sender. Bulk senders (5,000+ messages/day to Gmail) must have both SPF and DKIM, a DMARC record (p=none is enough to meet the requirement), and alignment between the authenticated domain and the From domain.

Part 1: SPF (Sender Policy Framework)

What SPF Does

SPF is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets a message, it looks at the domain in the SMTP envelope sender (the MAIL FROM address, visible later as the Return-Path header), fetches that domain's SPF record, and checks whether the connecting server's IP is listed. SPF checks the envelope domain, not the domain in the visible From header; that distinction matters for DMARC alignment in Part 3.

Step-by-Step Setup

Step 1: Identify all services that send email for your domain

Common sending services and the include: mechanism each documents:

  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • Brevo (formerly Sendinblue): include:spf.brevo.com (older Sendinblue documentation used include:spf.sendinblue.com; copy the value shown in your Brevo account)
  • SendGrid: include:sendgrid.net
  • Mailgun: include:mailgun.org
  • Amazon SES: include:amazonses.com

Always copy the exact include from the provider's own documentation; these values change over time.

Step 2: Create your SPF record

Format: v=spf1, followed by one or more mechanisms, ending with an all mechanism and its qualifier

Example for a company using Google Workspace and Brevo:

v=spf1 include:_spf.google.com include:spf.brevo.com -all

Mechanisms are evaluated left to right. The first one that matches the sending IP decides the result, and the trailing -all fails everything that did not match.

Step 3: Add the DNS record

  • Log into your DNS provider
  • Add a new TXT record
  • Host/Name: @ (root domain)
  • Value: your SPF record
  • TTL: 3600 (1 hour)

SPF Rules and Limits

  • Only one SPF record per domain (a second v=spf1 TXT record makes receivers return PermError, which counts as a failure)
  • Maximum 10 DNS-querying terms per evaluation: include:, a, mx, ptr, exists and redirect= each count as one, and the terms nested inside an include: count as well; ip4:, ip6: and all are free
  • Use -all (hard fail) rather than ~all (soft fail) for the strongest protection; once DMARC is enforced either works, because DMARC only cares whether SPF passed
  • The record must start with v=spf1
Common SPF Mistakes

  • Multiple SPF records: combine all includes into one record
  • Exceeding 10 lookups: use ip4:/ip6: for static IPs instead of includes, and drop includes for services you no longer use
  • Using +all: this authorizes everyone (defeats the purpose)
  • Forgetting services: every tool that sends email with your domain in the envelope needs to be included
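The rules and mistakes above can be checked mechanically. The following Python script is an added example, not code from the original article or from any of the providers it names: it parses an SPF record, counts the DNS-querying terms the way RFC 7208 does (recursing into nested include: and redirect= targets), and flags the three common mistakes. It runs offline against a constructed in-memory zone (SAMPLE_ZONE, with documentation-range IPs standing in for the real Google and Brevo netblocks); the resolver function is the only thing to replace for a live domain.

```python
import re
from typing import Callable, Dict, List

# Constructed zone standing in for DNS TXT lookups, so the example runs offline.
# The Google and Brevo entries are simplified placeholders, not the real records.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:_spf.google.com include:spf.brevo.com -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.brevo.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # Two v=spf1 records on one name: receivers return PermError.
    "broken.example": ["v=spf1 include:_spf.google.com -all",
                       "v=spf1 include:spf.brevo.com -all"],
    # +all authorizes every host on the internet.
    "open.example": ["v=spf1 include:_spf.google.com +all"],
    # Three copies of a 4-lookup include = 12 lookups, over the limit of 10.
    "bloated.example": ["v=spf1 include:_spf.google.com include:_spf.google.com "
                        "include:_spf.google.com -all"],
}

Resolver = Callable[[str], List[str]]

def sample_resolver(name: str) -> List[str]:
    """Swap in a real TXT lookup (e.g. dnspython's dns.resolver.resolve(name, "TXT"),
    joining each record's character strings) to audit a live domain."""
    return SAMPLE_ZONE.get(name.lower().rstrip("."), [])

# RFC 7208 section 4.6.4: these terms each cost one DNS query; ip4/ip6/all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9_]+)(?:[:=](.*))?$", re.IGNORECASE)

def spf_records(domain: str, resolve: Resolver) -> List[str]:
    """TXT strings whose first term is exactly v=spf1 (so v=spf10 does not count)."""
    return [txt for txt in resolve(domain) if txt.lower().split()[:1] == ["v=spf1"]]

def count_lookups(record: str, resolve: Resolver, depth: int = 0) -> int:
    """Count DNS-querying terms, recursing into include: and redirect= targets."""
    if depth > 10:  # guard against include loops in a broken zone
        raise RecursionError("include/redirect loop")
    total = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue
        name, arg = m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            nested = spf_records(arg.split("/")[0], resolve)
            if len(nested) == 1:  # a target with 0 or 2+ records is a PermError itself
                total += count_lookups(nested[0], resolve, depth + 1)
    return total

def all_qualifier(record: str):
    """Qualifier on the all mechanism: '+', '-', '~', '?', or None when it is absent."""
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if m and m.group(2).lower() == "all":
            return m.group(1) or "+"  # a bare "all" means +all
    return None

def audit_spf(domain: str, resolve: Resolver = sample_resolver) -> dict:
    """Apply the rules above to one domain and return what was found."""
    records = spf_records(domain, resolve)
    result = {"domain": domain, "records": records, "lookups": 0, "all": None, "issues": []}
    if not records:
        result["issues"].append("no SPF record found")
        return result
    if len(records) > 1:
        result["issues"].append(f"{len(records)} SPF records found (PermError)")
        return result
    result["lookups"] = count_lookups(records[0], resolve)
    result["all"] = all_qualifier(records[0])
    if result["lookups"] > MAX_LOOKUPS:
        result["issues"].append(
            f"{result['lookups']} DNS lookups exceed the limit of {MAX_LOOKUPS} (PermError)")
    if result["all"] == "+":
        result["issues"].append("+all authorizes any sender; use -all")
    elif result["all"] is None:
        result["issues"].append("no all mechanism; unlisted senders get a neutral result")
    return result

if __name__ == "__main__":
    for name in ("example.com", "broken.example", "open.example", "bloated.example"):
        r = audit_spf(name)
        print(f"{name}: lookups={r['lookups']} all={r['all']} issues={r['issues'] or 'none'}")
```

Note that the count includes the lookups hidden inside each include: for the sample zone, the Google include alone costs four, which is why a record that lists a few large providers can exceed the limit without looking long.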
Part 2: DKIM (DomainKeys Identified Mail)

What DKIM Does

DKIM adds a cryptographic signature, carried in a DKIM-Signature header, to every email you send. The signature is computed with the sender's private key over the message body and a listed set of headers. The receiving server fetches the matching public key from DNS (at selector._domainkey.yourdomain.com, where the selector comes from the s= tag and the domain from the d= tag) and verifies the signature, confirming:

  • The message was signed by someone holding the private key for the d= domain, i.e. an authorized sender
  • The signed headers and body have not been modified in transit

Step-by-Step Setup

Step 1: Generate DKIM keys

Your email provider generates the key pair and keeps the private key. The process varies:

  • Google Workspace: Admin Console → Apps → Gmail → Authenticate Email → Generate
  • Brevo: Settings → Senders & IP → Domain Authentication → DKIM
  • SendGrid: Settings → Sender Authentication → Domain Authentication

Step 2: Add DNS records

Your provider will give you either a TXT record containing the public key itself, or a CNAME that delegates the selector name to a record the provider hosts (so the provider can rotate the key without you touching DNS). Typically:

  • Host: selector._domainkey.yourdomain.com
  • Type: TXT (key published by you) or CNAME (key hosted by the provider)
  • Value: the key record, v=DKIM1; k=rsa; p=<base64 public key>, or the provider's hostname

Example TXT record for Google Workspace, which uses the selector google by default and gives you the public key to publish yourself:

google._domainkey.yourdomain.com → v=DKIM1; k=rsa; p=<public key from the Admin Console>

Step 3: Enable DKIM signing

After adding the DNS record, wait for it to become visible (usually minutes, though propagation can take up to 48 hours), then enable DKIM signing in your email provider's settings. Providers typically look the record up before they let you turn signing on.

DKIM Best Practices

  • Use 2048-bit RSA keys (not 1024-bit); a 2048-bit key is longer than the 255-byte limit of a single TXT string, so your DNS provider must split it into multiple strings
  • Rotate keys annually: publish the new key under a new selector, switch signing over, then remove the old record
  • Set up DKIM for every sending service, signing with d= set to your domain rather than the provider's
  • Test after setup with our domain health checker
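To check a published key record for the points above (key size, revoked or missing p=, the t=y testing flag, a key split across TXT strings), the modulus size has to be read out of the DER-encoded public key in the p= tag. The script below is an added example, not code from the article or from any provider; it uses only the standard library, so it includes a small DER reader for RSA SubjectPublicKeyInfo. The sample records are constructed with a throwaway modulus of the right size and layout, not a real key; the encoder exists only to build those samples, while rsa_modulus_bits and audit_dkim_record are what you would run on a real record.

```python
import base64
import re

# Minimal DER helpers for an RSA SubjectPublicKeyInfo, which is what a DKIM p= tag
# carries in base64. The encoder only builds the constructed sample keys below; the
# decoder is what you would run against a real record.

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def rsa_spki(n: int, e: int) -> bytes:
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    rsa_encryption = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    return _der(0x30, rsa_encryption + _der(0x03, b"\x00" + rsa_public_key))

def _der_read(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of an RSA SubjectPublicKeyInfo: the number behind "2048-bit"."""
    tag, outer, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_alg = _der_read(outer, 0)  # skip AlgorithmIdentifier
    tag, bit_string, _ = _der_read(outer, after_alg)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _der_read(bit_string, 1)  # byte 0 = unused-bits count
    tag, modulus, _ = _der_read(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_record(txt: str) -> dict:
    """tag=value pairs of a DKIM key record (RFC 6376 section 3.6.1). Whitespace inside
    values is dropped: a 2048-bit p= spans several 255-byte TXT strings."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def audit_dkim_record(selector: str, domain: str, txt: str, min_bits: int = 2048) -> dict:
    result = {"name": f"{selector}._domainkey.{domain}", "bits": None, "issues": []}
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        result["issues"].append("v= tag, when present, must be DKIM1")
    if "y" in tags.get("t", "").split(":"):
        result["issues"].append("t=y: verifiers treat this domain's failures like unsigned mail")
    if "p" not in tags:
        result["issues"].append("missing p= tag")
    elif tags["p"] == "":
        result["issues"].append("empty p= means the key is revoked")
    elif tags.get("k", "rsa") == "rsa":
        try:
            result["bits"] = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError) as exc:
            result["issues"].append(f"p= is not a valid RSA public key: {exc}")
        else:
            if result["bits"] < min_bits:
                result["issues"].append(f"{result['bits']}-bit RSA key; use {min_bits}-bit")
    elif tags["k"] != "ed25519":
        result["issues"].append(f"unknown key type k={tags['k']}")
    return result

def sample_dkim_txt(bits: int) -> str:
    """Constructed record. The modulus is a throwaway number with the top bit set, not a
    real key; only its DER layout matters for the size check."""
    spki = rsa_spki((1 << (bits - 1)) | 1, 65537)
    return f"v=DKIM1; k=rsa; p={base64.b64encode(spki).decode()}"

if __name__ == "__main__":
    for selector, txt in (("google", sample_dkim_txt(2048)), ("legacy", sample_dkim_txt(1024)),
                          ("old", "v=DKIM1; k=rsa; p=")):
        print(audit_dkim_record(selector, "yourdomain.com", txt))
```

A 2048-bit key encodes to a 294-byte SubjectPublicKeyInfo and a 1024-bit key to 162 bytes, so the length of the base64 p= value is a quick eyeball check as well; the DER walk above is the exact version.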
Part 3: DMARC (Domain-based Message Authentication, Reporting & Conformance)

What DMARC Does

DMARC tells receiving servers what to do when a message fails both SPF and DKIM, or passes them only for a domain that does not align with the From header. It also asks receivers to send you reports about authentication results, so you can monitor for misconfigured senders or abuse.

The Three DMARC Policies

  • p=none: monitor only. Failing messages are handled as they would be without DMARC. Use this to start.
  • p=quarantine: failing messages go to spam (or are held for review). Use after monitoring confirms the setup works.
  • p=reject: failing messages are refused at SMTP time. Maximum protection.

Step-by-Step Setup

Step 1: Start with monitoring (p=none)

Add this TXT record to your DNS:

  • Host: _dmarc.yourdomain.com
  • Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The rua= address receives the aggregate reports. If that mailbox is on a different domain than yourdomain.com, the other domain must publish a TXT record named yourdomain.com._report._dmarc.<other-domain> containing v=DMARC1, or receivers will refuse to send reports there.

Step 2: Monitor reports for 2-4 weeks

Aggregate DMARC reports arrive as compressed XML attachments (zip or gzip) at the rua= address, typically once a day from each reporting receiver. Use a free DMARC report analyzer to read them, or parse them yourself. Check for:

  • Legitimate senders failing authentication
  • Unknown IPs sending mail with your domain in the From header
  • SPF/DKIM alignment issues, e.g. a third-party service whose SPF passes for its own bounce domain rather than yours
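The three checks above map directly onto fields in the aggregate report. The script below is an added example, not code from the article or from any report analyzer: it parses a report in the RFC 7489 Appendix C layout with the standard library and sorts each source IP into those three buckets. SAMPLE_REPORT is a constructed report (documentation-range IPs, a fictional receiver), and KNOWN_SENDERS is an assumed map of IP prefixes to the services you know send for you; real reports arrive zipped or gzipped, so unpack with zipfile or gzip first and pass the XML text in.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout; not a real report.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>12345</report_id>
    <date_range><begin>1770422400</begin><end>1770508800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mail.esp-example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# IP prefixes you recognise as your own senders (assumed values for the sample).
KNOWN_SENDERS = {"192.0.2.": "Google Workspace", "203.0.113.": "ESP"}

def summarize_report(xml_text: str, known_senders: dict) -> dict:
    """One row per source IP: count, the aligned results the receiver used for DMARC
    (policy_evaluated), and the raw SPF/DKIM results with the domain they applied to."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    summary = {"domain": pub.findtext("domain"), "policy": pub.findtext("p"),
               "reporter": root.findtext("report_metadata/org_name"), "rows": []}
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        ip = row.findtext("source_ip")
        summary["rows"].append({
            "ip": ip,
            "sender": next((name for prefix, name in known_senders.items()
                            if ip.startswith(prefix)), "UNKNOWN"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # DMARC passes when either aligned result in policy_evaluated is "pass".
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
            "spf": [(s.findtext("domain"), s.findtext("result"))
                    for s in rec.findall("auth_results/spf")],
            "dkim": [(d.findtext("domain"), d.findtext("selector"), d.findtext("result"))
                     for d in rec.findall("auth_results/dkim")],
        })
    return summary

def triage(summary: dict) -> dict:
    """Sort the rows into the three things to look for while monitoring."""
    out = {"legit_failing": [], "unknown_senders": [], "unaligned_spf": []}
    for r in summary["rows"]:
        if r["sender"] == "UNKNOWN":
            out["unknown_senders"].append(r["ip"])
        elif not r["dmarc_pass"]:
            out["legit_failing"].append(r["ip"])
        # SPF passed, but for a domain other than the From domain (exact comparison;
        # relaxed alignment would also accept a subdomain of it).
        if not r["dmarc_pass"] and any(res == "pass" and dom != r["header_from"]
                                       for dom, res in r["spf"]):
            out["unaligned_spf"].append(r["ip"])
    return out

if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT, KNOWN_SENDERS)
    print(f"{s['reporter']} report for {s['domain']} (p={s['policy']})")
    for r in s["rows"]:
        print(f"  {r['ip']:15s} {r['sender']:16s} {r['count']:5d} "
              f"dmarc={'pass' if r['dmarc_pass'] else 'FAIL'}")
    print(triage(s))
```

In the sample, the second row is the case the third bullet describes: a known ESP whose SPF passes for its own bounce domain but that has no DKIM signature for yourdomain.com, so it fails DMARC and would be quarantined once the policy is tightened. Fixing it means enabling that provider's DKIM, not changing SPF.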
Step 3: Tighten to quarantine

After confirming all legitimate senders pass authentication:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

pct= is the percentage of failing mail the policy is applied to (default 100). For a gentler ramp, start with pct=10 or pct=25 and raise it as the reports stay clean.

Step 4: Enforce with reject

After 2-4 more weeks of clean reports:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

DMARC Alignment

DMARC requires either SPF or DKIM to pass and "align" with the domain in the From header:

  • SPF alignment: the Return-Path (envelope MAIL FROM) domain matches the From domain
  • DKIM alignment: the DKIM signing domain (d=) matches the From domain

By default alignment is relaxed (aspf=r, adkim=r): a subdomain such as bounce.yourdomain.com aligns with yourdomain.com because both share the same organizational domain. Strict mode (aspf=s, adkim=s) requires an exact match. Most email providers handle alignment automatically, but third-party senders often pass SPF for their own bounce domain rather than yours; for those services a DKIM signature with d=yourdomain.com is what makes DMARC pass. Forwarding usually breaks SPF, so an aligned DKIM signature is also what keeps forwarded mail deliverable.
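The alignment rules and the three policies can be exercised together on sample messages. The script below is an added example, not code from the article: it takes the parts of a DMARC evaluation that need no DNS or signature verification (extracting the From, Return-Path and d= domains, relaxed or strict alignment, choosing p= or sp=) and applies a published record to five constructed messages: a normal Google Workspace send, a third-party ESP with an unaligned bounce domain, a spoof whose attacker-controlled domain passes SPF, a forwarded message, and a subdomain newsletter. The SPF result and the set of DKIM domains that verified are passed in as inputs. PUBLIC_SUFFIXES is an assumed stand-in for the Public Suffix List, sufficient only for these samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List, just enough for the samples below.
# Real code should load the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational domain: public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """aspf/adkim 's' needs an exact match; 'r' (the default) accepts any domain with
    the same organizational domain, so bounce.example.com aligns with example.com."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def _domain_of(address_header: str) -> str:
    addr = parseaddr(address_header or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def evaluate_dmarc(raw_message: str, dmarc_record: str, spf_pass: bool, dkim_pass_domains) -> dict:
    """Alignment and policy steps of DMARC for one message.

    spf_pass: result of the SPF check on the Return-Path (MAIL FROM) domain.
    dkim_pass_domains: d= values of the DKIM signatures that verified.
    Both are inputs because computing them needs DNS and the message body."""
    msg = message_from_string(raw_message)
    policy = parse_dmarc(dmarc_record)
    from_domain = _domain_of(msg["From"])
    spf_domain = _domain_of(msg.get("Return-Path", ""))
    signed = {d.lower() for hdr in msg.get_all("DKIM-Signature", [])
              for d in re.findall(r"\bd=([^;\s]+)", hdr)}
    verified = signed & {d.lower() for d in dkim_pass_domains}

    spf_aligned = bool(spf_pass and spf_domain
                       and aligned(spf_domain, from_domain, policy.get("aspf", "r")))
    dkim_aligned = any(aligned(d, from_domain, policy.get("adkim", "r")) for d in verified)
    passed = spf_aligned or dkim_aligned

    if passed:
        disposition = "none"  # DMARC pass: delivered as normal
    elif from_domain != org_domain(from_domain) and "sp" in policy:
        disposition = policy["sp"]  # subdomain policy, e.g. for news.example.com
    else:
        disposition = policy.get("p", "none")
    # pct= (default 100) would additionally sample: only that share of failing mail
    # gets quarantine/reject, the rest the next weaker action. Not modelled here.
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": "pass" if passed else "fail",
            "disposition": disposition}

DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; aspf=r; adkim=r"
DKIM_HDR = "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google; h=from:to:subject; b=...\n"

# Constructed message headers: (headers, spf_pass, dkim_pass_domains).
SAMPLES = {
    # Google Workspace: envelope and signature both on the From domain.
    "workspace": ("From: Alice <alice@example.com>\nReturn-Path: <alice@example.com>\n"
                  + DKIM_HDR + "\n", True, {"example.com"}),
    # Third-party ESP: SPF passes for the ESP's bounce domain (unaligned); DKIM rescues it.
    "esp": ("From: Alice <alice@example.com>\nReturn-Path: <bounce-1@mail.esp-example.net>\n"
            + DKIM_HDR + "\n", True, {"example.com"}),
    # Spoof: the attacker's own domain passes SPF, but nothing aligns with the From domain.
    "spoof": ("From: Alice <alice@example.com>\nReturn-Path: <x@attacker-example.net>\n\n",
              True, set()),
    # Forwarded: SPF fails (forwarder's IP), the original DKIM signature survives.
    "forwarded": ("From: Alice <alice@example.com>\nReturn-Path: <alice@example.com>\n"
                  + DKIM_HDR + "\n", False, {"example.com"}),
    # Newsletter from a subdomain with both checks failing: sp= decides.
    "subdomain": ("From: News <news@news.example.com>\nReturn-Path: <b@unknown-example.org>\n\n",
                  False, set()),
}

def run_samples(record: str = DMARC_RECORD) -> dict:
    return {name: evaluate_dmarc(raw, record, spf, dkim)["disposition"]
            for name, (raw, spf, dkim) in SAMPLES.items()}

if __name__ == "__main__":
    for name, disposition in run_samples().items():
        print(f"{name:10s} -> {disposition}")
```

The spoof case is the one DMARC exists for: the attacker's SPF record is perfectly valid for the attacker's own Return-Path domain, and only the alignment requirement ties the check back to the From domain the recipient actually sees.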

Testing Your Setup

After configuring all three records, verify everything works:

  • DNS check: use our Domain Health Checker to verify records, or query them directly (dig TXT yourdomain.com, dig TXT google._domainkey.yourdomain.com, dig TXT _dmarc.yourdomain.com)
  • Send test email: send to a Gmail account and open "Show Original"
  • The summary at the top, and the Authentication-Results header in the raw message, should show:
    - SPF: PASS
    - DKIM: PASS
    - DMARC: PASS
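The Authentication-Results header is the machine-readable form of that summary, and it says more than PASS/FAIL: which selector signed, which domain SPF was checked against, and the receiver's comment on why something failed. The script below is an added example, not code from the article or from Gmail: it parses an RFC 8601 Authentication-Results value and lists everything that is not the expected three passes. PASS_HEADER and FAIL_HEADER are constructed values in the shape Gmail produces (placeholder b= value and documentation-range IPs), not captured headers.

```python
import re

# Constructed Authentication-Results header values in the shape Gmail adds (RFC 8601);
# the b= value and IPs are placeholders.
PASS_HEADER = (
    "mx.google.com; dkim=pass header.i=@example.com header.s=google header.b=AbCd1234; "
    "spf=pass (google.com: domain of alice@example.com designates 192.0.2.10 as permitted "
    "sender) smtp.mailfrom=alice@example.com; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"
)
FAIL_HEADER = (
    "mx.google.com; dkim=neutral (body hash did not verify) header.i=@example.com "
    "header.s=google header.b=AbCd1234; "
    "spf=softfail (google.com: domain of transitioning alice@example.com does not designate "
    "198.51.100.77 as permitted sender) smtp.mailfrom=alice@example.com; "
    "dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=example.com"
)

def _split_statements(value: str) -> list:
    """Split on ';' outside parentheses, since comments may themselves contain one."""
    parts, depth, current = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == ";" and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]

def parse_authentication_results(value: str) -> dict:
    """authserv-id plus, per method, its result, its ptype.property=value pairs and
    the human-readable comment the receiver attached."""
    statements = _split_statements(" ".join(value.split()))  # unfold folded header lines
    parsed = {"authserv_id": statements[0].split()[0], "methods": {}}
    for stmt in statements[1:]:
        comment = " ".join(re.findall(r"\(([^)]*)\)", stmt))
        tokens = re.sub(r"\([^)]*\)", " ", stmt).split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        parsed["methods"][method.lower()] = {"result": result.lower(), "props": props,
                                             "comment": comment}
    return parsed

def check_setup(value: str, from_domain: str) -> list:
    """Everything that is not the SPF/DKIM/DMARC pass the section above expects."""
    parsed = parse_authentication_results(value)
    methods = parsed["methods"]
    problems = []
    for method in ("spf", "dkim", "dmarc"):
        if method not in methods:
            problems.append(f"{method}: not evaluated by {parsed['authserv_id']}")
        elif methods[method]["result"] != "pass":
            problems.append(
                f"{method}: {methods[method]['result']} {methods[method]['comment']}".strip())
    # header.i is the signing identity; its domain part should be your From domain
    # (exact comparison here; relaxed DMARC alignment also accepts a subdomain).
    signer = methods.get("dkim", {}).get("props", {}).get("header.i", "")
    if signer and signer.rsplit("@", 1)[-1].lower() != from_domain.lower():
        problems.append(
            f"dkim: signed by {signer.rsplit('@', 1)[-1]}, not aligned with {from_domain}")
    return problems

if __name__ == "__main__":
    for label, hdr in (("pass", PASS_HEADER), ("fail", FAIL_HEADER)):
        print(label, check_setup(hdr, "example.com") or "all checks pass")
```

Paste the full value of the Authentication-Results line from "Show Original" (joining the folded lines is handled). On the failing sample the output tells you the DKIM body hash did not verify, which points at a message modified after signing rather than at a DNS problem, a distinction the PASS/FAIL summary alone does not give you.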

Troubleshooting Common Issues

"SPF PermError"

  • You have multiple SPF records (merge them into one)
  • You exceeded 10 DNS lookups (reduce includes, or replace them with ip4:/ip6: for static IPs)
  • A syntax error, or an include: whose target publishes no SPF record

"DKIM fail"

  • DNS record not yet visible (wait for propagation, up to 48 hours)
  • Wrong selector name, or a long key split across TXT strings with characters lost or extra spaces added
  • Key mismatch between provider and DNS (the provider rotated the key, or signing was enabled before the record existed)

"DMARC fail"

  • SPF and DKIM both failing or misaligned
  • Third-party sender not configured to sign with your domain
  • Forwarded emails (normal: forwarding breaks SPF, and mailing lists that rewrite the subject or body break DKIM too)
Complete DNS Record Example

For a domain using Google Workspace + Brevo:

Type   Host                Value
TXT    @                   v=spf1 include:_spf.google.com include:spf.brevo.com -all
TXT    google._domainkey   v=DKIM1; k=rsa; p=<public key from the Google Admin Console>
TXT    mail._domainkey     (Brevo DKIM public key)
TXT    _dmarc              v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Key Takeaways

  • SPF authorizes your sending servers: one record, max 10 lookups, use -all
  • DKIM signs your emails cryptographically: set it up for every sending service, with d= set to your domain
  • DMARC enforces policy: start with none, progress to reject over 4-6 weeks
  • Test everything: use our free checker to verify
  • Monitor ongoing: authentication issues develop over time as services are added, keys rotate and SPF includes change


Frequently Asked Questions

Do I need SPF, DKIM, and DMARC?
Yes, all three in practice. Google and Yahoo require SPF or DKIM for every sender, and both SPF and DKIM plus a DMARC record for anyone sending more than 5,000 emails per day to Gmail. Even small senders should set up all three: without DMARC, SPF and DKIM protect deliverability but do nothing to stop someone else from using your domain in the From header.

How long does it take for DNS records to propagate?
New records are usually visible within minutes to an hour, but cached copies of an old record persist for its TTL, and some resolvers take up to 48 hours. After adding SPF, DKIM, or DMARC records, wait at least a few hours before testing, or query one of your domain's authoritative nameservers directly for an immediate answer.

Can I have multiple DKIM records?
Yes. Unlike SPF (which allows only one record), you can have multiple DKIM records because each lives under its own selector name. Each email provider uses its own selector (e.g., google._domainkey for Google Workspace, mail._domainkey for Brevo), so they do not conflict with each other.

What happens if DMARC is set to reject?
With DMARC p=reject, any message that fails DMARC, meaning neither SPF nor DKIM passed with a domain aligned to the From header, is refused by receivers that honor the policy; it reaches neither the inbox nor the spam folder. This gives maximum protection against spoofing of your exact domain but must be rolled out carefully to avoid blocking legitimate mail.

How do I read DMARC reports?
Aggregate DMARC reports are XML files, usually zipped or gzipped, sent to the address in your rua= tag. Use free tools like DMARC Analyzer, Postmark DMARC, or dmarcian to parse them into readable dashboards. Reports show which IPs are sending email with your domain in the From header, how many messages each sent, and whether they passed SPF, DKIM, and DMARC.
