SPF, DKIM, and DMARC Setup Guide: Protect Your Email Domain

Mar 9, 2026 · 10 min read · Hostao LLC

Email spoofing, where an attacker sends mail that claims to come from your domain, is one of the most common attack vectors on the internet. SPF, DKIM, and DMARC are three protocols, each published through DNS records, that work together to let receiving mail servers tell your real mail from forgeries. This guide walks you through setting up all three.

Step 1: Set Up SPF

SPF (Sender Policy Framework) tells the world which mail servers are authorized to send email for your domain. Receivers check it against the envelope sender (the MAIL FROM / Return-Path domain), not the From: header the recipient sees, which is why DMARC (Step 3) is needed on top of it.

Building Your SPF Record

Start with v=spf1 and add each service that sends email on your behalf:

v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com -all
  • include: — Pulls in another domain's SPF record (used for SaaS email services; use the exact hostname each provider documents).
  • ip4: / ip6: — Authorizes specific IP addresses or CIDR ranges.
  • a / mx — Authorizes the IPs behind your domain's A or MX records (or those of a named host, e.g. a:mail.example.com).
  • -all — Fail: anything not listed should be rejected. ~all (soft fail) marks unlisted senders as suspect instead; use it while testing. For DMARC both results count as an SPF failure.

SPF Best Practices

  • Stay within the limit of 10 DNS lookups. Each include, a, mx, ptr, exists and redirect term counts as one, including those inside the records your include terms pull in; exceeding the limit produces a permanent error (permerror), so receivers cannot evaluate your record at all.
  • Publish only one SPF record per domain. Two records also produce a permerror; merge the mechanisms into a single record instead.
  • Start with ~all (soft fail), monitor the results, then switch to -all (fail).
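The checks above are easy to get wrong by hand once a record has nested includes, so here is an added example (not part of the original guide and not a Hostao tool) that walks an SPF record, follows include: and redirect= into the records they reference, counts the DNS-querying terms against the limit of 10, and flags duplicate records, include loops and permissive all qualifiers. The ZONE dictionary is a constructed stand-in for DNS; the provider records in it are placeholders, not those providers' real SPF data.

```python
import re

# Constructed stand-in for DNS: domain -> published TXT strings. The record
# contents are illustrative (NOT the real SPF records of these providers);
# real tooling would query TXT records over DNS instead of reading this dict.
ZONE = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all",
        "site-verification=abc123",  # unrelated TXT record, must be ignored
    ],
    "_spf.google.com": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"
    ],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.128/25 ~all"],
    "sendgrid.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # Three common mistakes, one per domain:
    "bloated.example": [
        "v=spf1 include:_spf.google.com include:sendgrid.net a mx "
        "include:_spf.google.com include:sendgrid.net include:_spf.google.com -all"
    ],
    "duplicate.example": ["v=spf1 a -all", "v=spf1 mx -all"],
    "loop.example": ["v=spf1 include:loop2.example -all"],
    "loop2.example": ["v=spf1 include:loop.example -all"],
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # each costs one DNS lookup
MECHANISM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:/](.*))?$", re.IGNORECASE)


def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records (RFC 7208 section 4.5)."""
    return [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]


def parse_terms(record):
    """Yield (qualifier, name, value, is_modifier) for every term after v=spf1."""
    for term in record.split()[1:]:
        if "=" in term:                                   # modifiers: redirect=, exp=
            name, _, value = term.partition("=")
            yield "", name.lower(), value, True
            continue
        match = MECHANISM_RE.match(term)
        if not match:
            raise ValueError(f"unparseable SPF term {term!r}")
        qualifier, name, value = match.groups()
        yield qualifier or "+", name.lower(), value, False


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain} publishes {len(records)} SPF records (permerror)")
    total = 0
    for _, name, value, is_modifier in parse_terms(records[0]):
        follows = (is_modifier and name == "redirect") or (not is_modifier and name == "include")
        if follows:
            total += 1 + count_lookups(value, zone, path + (domain,))
        elif not is_modifier and name in LOOKUP_MECHANISMS:
            total += 1
    return total


def audit(domain, zone=ZONE):
    """Apply the best-practice checks to one domain's published SPF."""
    result = {"domain": domain, "lookups": None, "all": None, "problems": []}
    records = spf_records(domain, zone)
    if not records:
        result["problems"].append("no SPF record published")
        return result
    if len(records) > 1:
        result["problems"].append(f"{len(records)} SPF records published; receivers return permerror")
        return result
    terms = list(parse_terms(records[0]))
    all_qualifiers = [q for q, name, _, is_mod in terms if not is_mod and name == "all"]
    if not all_qualifiers:
        result["problems"].append("no 'all' mechanism; unlisted senders get a neutral result")
    else:
        result["all"] = all_qualifiers[0]
        if all_qualifiers[0] in "+?":
            result["problems"].append(f"'{all_qualifiers[0]}all' lets anyone send as {domain}; use ~all or -all")
    try:
        result["lookups"] = count_lookups(domain, zone)
        if result["lookups"] > 10:
            result["problems"].append(f"{result['lookups']} DNS lookups exceed the limit of 10 (permerror)")
    except ValueError as exc:
        result["problems"].append(str(exc))
    return result


if __name__ == "__main__":
    for name in ("example.com", "bloated.example", "duplicate.example", "loop.example"):
        print(audit(name))
```

The count follows the same rule receivers apply: the include itself costs one lookup, and everything the included record queries is added on top, so a single SaaS include can quietly cost four or five of your ten. Loops are detected per include path rather than by a global "seen" set, so the same provider legitimately included twice is counted twice rather than reported as a loop.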

Step 2: Set Up DKIM

DKIM (DomainKeys Identified Mail) adds a cryptographic signature over selected headers and the body of each outgoing message, made with a private key held by your sending server. Receivers fetch the matching public key from DNS and verify the signature, which proves the message was sent by a system holding your key and was not altered in transit.

How to Set Up DKIM

  1. Generate your DKIM key pair — Most email providers (Google Workspace, Microsoft 365, SendGrid) generate these for you in their admin panel.
  2. Publish the public key in DNS — Add a TXT record at selector._domainkey.yourdomain.com. The selector name is provided by your email service.
  3. Enable DKIM signing — Turn on DKIM signing in your email provider's settings.
google._domainkey.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w..."

DKIM Best Practices

  • Use 2048-bit RSA keys (some providers still default to 1024-bit; check the key size in the published record, not just the provider's claim).
  • Set up DKIM for each service that sends email on your behalf; each gets its own selector, so one compromised or retired service can be revoked without touching the others.
  • Rotate DKIM keys at least annually: publish the new selector's record, switch signing to it, then leave the old record in place for a few days so mail still in transit verifies, and finally remove it (or publish it with an empty p= value, which marks the key as revoked).
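Because providers do not always advertise the key size they generated, it is worth checking the record itself. The following is an added example, not part of the original guide or any provider's tooling: it takes a DKIM key record as dig prints it (including the quoted-string splitting dig uses for records longer than 255 characters), parses the tag=value list, decodes the public key, walks the DER SubjectPublicKeyInfo structure to measure the RSA modulus, and flags keys under 2048 bits, the t=y testing flag, and revoked (empty p=) records. The test record is built from a constructed dummy modulus so the example runs offline; it is not a usable key.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption


def join_txt_strings(raw):
    """Join the quoted string segments dig prints for a long TXT record."""
    parts = re.findall(r'"([^"]*)"', raw)
    return "".join(parts) if parts else raw


def parse_tags(txt):
    """Split a DKIM key record into its tag=value pairs (RFC 6376 section 3.6.1)."""
    tags = {}
    for field in txt.split(";"):
        if field.strip():
            key, _, value = field.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", value)   # folding whitespace is allowed in values
    return tags


def _der_read(buf, pos=0):
    """Read one DER TLV; return (tag, value, position after it). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long form: next N bytes hold the length
        width = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    _, body, _ = _der_read(spki)                           # SEQUENCE SubjectPublicKeyInfo
    _, algorithm, pos = _der_read(body)                    # SEQUENCE AlgorithmIdentifier
    _, oid, _ = _der_read(algorithm)                       # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("public key is not rsaEncryption")
    _, bit_string, _ = _der_read(body, pos)                # BIT STRING; first byte = unused bits
    _, rsa_public_key, _ = _der_read(bit_string[1:])       # SEQUENCE RSAPublicKey
    _, modulus, _ = _der_read(rsa_public_key)              # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def audit_dkim_record(raw_txt):
    """Check one published DKIM key record against the best-practice list."""
    tags = parse_tags(join_txt_strings(raw_txt))
    report = {"key_type": tags.get("k", "rsa"), "bits": None, "revoked": False, "problems": []}
    if "v" in tags and tags["v"] != "DKIM1":
        report["problems"].append(f"unexpected version tag {tags['v']!r}")
    if "p" not in tags:
        report["problems"].append("no p= tag; record is invalid")
        return report
    if tags["p"] == "":
        report["revoked"] = True                           # empty p= means the key was revoked
        return report
    key = base64.b64decode(tags["p"], validate=True)
    if report["key_type"] == "rsa":
        report["bits"] = rsa_modulus_bits(key)
        if report["bits"] < 2048:
            report["problems"].append(f"{report['bits']}-bit RSA key; replace with a 2048-bit key")
    elif report["key_type"] == "ed25519":
        report["bits"] = len(key) * 8                      # raw 32-byte public key
    else:
        report["problems"].append(f"unknown key type {report['key_type']!r}")
    if "y" in tags.get("t", "").split(":"):
        report["problems"].append("t=y (testing) is set; clear it once signing is verified")
    return report


# --- constructed test data: a dummy SPKI whose modulus has the chosen bit length ---
# (NOT a usable key; only the DER layout and the modulus length are meaningful)
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n_bytes)]) + n_bytes + payload


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" + raw) if raw[0] & 0x80 else raw)


def fake_rsa_spki(bits):
    modulus = (1 << (bits - 1)) | 1                        # exactly `bits` bits long
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def sample_record(bits):
    """A DKIM TXT record as dig prints it, split into 255-character quoted strings."""
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(bits)).decode()
    return " ".join(f'"{txt[i:i + 255]}"' for i in range(0, len(txt), 255))


if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, audit_dkim_record(sample_record(size)))
    print("revoked", audit_dkim_record("v=DKIM1; k=rsa; p="))
```

To run this against a live domain, paste the output of dig TXT selector._domainkey.example.com into audit_dkim_record; the multi-string join handles the way dig breaks up a 2048-bit key, which is the step most hand checks trip over.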

Step 3: Set Up DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. A message passes DMARC when at least one of them passes and the domain that passed aligns with the domain in the visible From: header; the DMARC record then tells receivers what to do with messages that fail, and where to send reports about what they saw.

Building Your DMARC Record

Add a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100
  • p=none — Monitor only (start here).
  • p=quarantine — Send failing emails to spam.
  • p=reject — Block failing emails entirely (the goal).
  • rua — Email address that receives aggregate reports (daily XML summaries of who sent mail as your domain and whether it authenticated).
  • ruf — Email address for per-message failure (forensic) reports. Few large receivers send these, so do not plan around them.
  • pct — Percentage of failing messages the policy is applied to; the rest get the next less strict treatment. Use 100 once confident.

DMARC Rollout Strategy

  1. Start with p=none and collect reports for 2-4 weeks.
  2. Review reports to identify legitimate senders that need SPF/DKIM configuration.
  3. Fix any authentication gaps found in the reports.
  4. Move to p=quarantine and monitor for another 2 weeks.
  5. Finally, set p=reject to fully protect your domain.
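Steps 2 and 3 of the rollout are driven by the aggregate reports that arrive at the rua address. The following is an added example, not part of the original guide or any provider's tooling, that reads one such report (the RFC 7489 XML format, after extracting it from the gzip or zip attachment it arrives in) and sorts each sending IP into three buckets: aligned passes, senders that authenticate but as the wrong domain (a legitimate service that still needs its own DKIM selector or return-path under your domain), and senders with no authentication at all. The report XML is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C schema. Real reports
# arrive as gzip/zip attachments at the rua address; this is the extracted XML.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>8341</report_id>
    <date_range><begin>1741478400</begin><end>1741564800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>saas.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounces.saas.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarize(report_xml):
    """Group one aggregate report by source IP and classify each sender."""
    root = ET.fromstring(report_xml)
    policy = {k: _text(root, f"policy_published/{k}") for k in ("domain", "p", "pct", "adkim", "aspf")}
    senders = {}
    for record in root.findall("record"):
        ip = _text(record, "row/source_ip")
        count = int(_text(record, "row/count", "0"))
        # policy_evaluated already reflects alignment with the From: domain
        dkim_aligned = _text(record, "row/policy_evaluated/dkim") == "pass"
        spf_aligned = _text(record, "row/policy_evaluated/spf") == "pass"
        auth = record.find("auth_results")
        raw_passes = [f"{a.tag}:{_text(a, 'domain')}" for a in (list(auth) if auth is not None else [])
                      if _text(a, "result") == "pass"]
        if dkim_aligned or spf_aligned:
            status = "pass"
        elif raw_passes:
            status = "misaligned"     # authenticated, but as another domain: a legit sender to fix
        else:
            status = "fail"           # nothing authenticated: unknown sender or spoofing
        entry = senders.setdefault(ip, {"count": 0, "status": status, "authenticated_as": raw_passes,
                                        "dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned})
        entry["count"] += count
    return {"policy": policy, "senders": senders}


def unauthenticated_volume(summary):
    """Messages that would be quarantined or rejected if p= were tightened today."""
    return sum(s["count"] for s in summary["senders"].values() if s["status"] != "pass")


def action_items(summary):
    """To-do list for the 'fix authentication gaps' step of the rollout."""
    items = []
    for ip, s in summary["senders"].items():
        if s["status"] == "misaligned":
            items.append(f"{ip}: {s['count']} msgs authenticate as {', '.join(s['authenticated_as'])}; "
                         f"set up a DKIM selector or custom return-path under {summary['policy']['domain']}")
        elif s["status"] == "fail":
            items.append(f"{ip}: {s['count']} msgs with no authentication; identify the sender or treat as spoofing")
    return items


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("published policy:", summary["policy"])
    print("would fail under quarantine/reject:", unauthenticated_volume(summary))
    for item in action_items(summary):
        print("-", item)
```

The "misaligned" bucket is the one the rollout steps are really about: the SaaS sender in the sample passes SPF and DKIM for its own domains, but neither aligns with example.com, so it would be quarantined the moment you move off p=none. Aggregate reports are sent by third parties, so in production parse them with defusedxml or equivalent entity-expansion limits rather than the bare ElementTree used here.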

Verifying Your Setup

After configuring all three records, verify them:

dig TXT example.com          # Check SPF
dig TXT selector._domainkey.example.com  # Check DKIM
dig TXT _dmarc.example.com   # Check DMARC

Send a test message to a Gmail or Outlook mailbox and inspect the Authentication-Results header (in Gmail, open "Show original") for spf=pass, dkim=pass and dmarc=pass. The DKIM entry also names the selector that verified, which confirms the right key was used. You can also use our Nameserver Lookup Tool to verify your DNS records are published correctly.

Setting up SPF, DKIM, and DMARC properly takes about an hour and protects your domain's reputation for as long as you keep the records current with the services that send on your behalf. Do not skip any of the three: they work as a system, and a gap in one undermines the others. Note that DMARC only governs mail that claims your exact domain in the From: header; look-alike domains are a separate problem it does not solve.
