Mailthentic

SPF, DKIM & DMARC Explained: The Complete Setup Guide

SPF, DKIM, and DMARC are the three pillars of email authentication. This guide explains what each one does, why you need all three, and how to set them up step by step.


If you send email from your own domain, you need SPF, DKIM, and DMARC configured correctly. Without them, your emails are more likely to land in spam, get rejected, or be spoofed by attackers.

These three DNS records form the foundation of email authentication. They tell receiving servers: "Yes, this email really came from us, and it hasn't been tampered with." Here's how each one works and how to set them up.

Check your current setup

Use our free domain health checker to instantly see your SPF, DKIM, and DMARC status — no signup required.

The Big Picture: How Email Authentication Works

When you send an email, the receiving server asks three questions:

  1. SPF: "Is the server that handed me this message authorized to send for the domain in the envelope sender (SMTP MAIL FROM, shown as Return-Path)?"
  2. DKIM: "Does the signature on this message verify with the public key published by the signing domain (the d= tag), proving the signed headers and body weren't altered in transit?"
  3. DMARC: "Does the domain in the visible From: header align with the domain that passed SPF or DKIM, and what should I do if it doesn't?"

DMARC passes when at least one of SPF or DKIM passes for a domain aligned with the From: header; a message that fails both, or passes only for some unrelated domain, fails DMARC. If there is no DMARC record telling servers what to do with that failure, the result is unpredictable: your email might land in spam, get rejected, or be delivered normally depending on the provider.

SPF (Sender Policy Framework)

What SPF does

SPF is a DNS TXT record that lists which servers are authorized to send email on behalf of your domain. When a receiving server accepts a message, it takes the domain from the envelope sender (the SMTP MAIL FROM, shown as Return-Path in delivered mail), fetches that domain's SPF record, and checks whether the connecting server's IP is listed. SPF says nothing about the From: header the recipient actually sees; tying the two together is DMARC's job, which is why SPF alone does not stop spoofing.

SPF record structure

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 -all

Breaking it down:

  • v=spf1 — Version identifier (always required)
  • include:_spf.google.com — Authorize Google Workspace servers
  • include:sendgrid.net — Authorize SendGrid servers
  • ip4:203.0.113.5 — Authorize a specific IP address
  • -all — Reject email from any other server (~all for soft fail)

How to set up SPF

  1. List all services that send email for your domain (Gmail, Mailchimp, SendGrid, your app server, etc.)
  2. Look up each service's SPF include directive (usually in their docs)
  3. Create a single TXT record at your domain with all includes
  4. Use -all (hard fail) once you're confident the list is complete

Common SPF mistakes

  • Multiple SPF records — You can only have ONE SPF record per domain. Two or more produce a permanent error (permerror), which fails authentication for everything you send.
  • Too many DNS lookups — SPF evaluation is limited to 10 DNS lookups. include:, a, mx, ptr, exists and redirect= each count, including the ones inside nested includes; ip4: and ip6: don't. Past the limit the record returns permerror. Use ip4:/ip6: where possible.
  • Using +all — This authorizes every server on the internet to send as your domain. Never do this.
  • Forgetting a sending service — If you use Mailchimp but forget to include it, Mailchimp emails will fail SPF.
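The SPF check and the three mistakes above, as an added example that is not part of the original article and is not a published SPF library: a small RFC 7208-style evaluator over a constructed in-memory DNS zone (the include targets and their contents are assumptions, not the providers' real records), with a lookup counter and an audit that flags duplicate records, +all and lookup-limit overruns.

```python
import ipaddress

# Constructed DNS zone so the example runs offline. The top record mirrors the
# article's sample SPF record; what the include targets resolve to here is an
# assumption for illustration, not the providers' real SPF data.
MOCK_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # Two records on one name: a permerror (the "multiple SPF records" mistake).
    "broken.example": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 include:sendgrid.net -all"],
    # The "+all" mistake: every host on the internet passes.
    "open.example": ["v=spf1 +all"],
}

# Terms that cost a DNS lookup; ip4, ip6 and all do not.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain):
    """Return the one SPF record for domain; zero or two-plus records is a permerror."""
    records = [r for r in MOCK_DNS.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records (exactly 1 required)")
    return records[0]


def parse_term(term):
    """Split '-include:foo' into ('-', 'include', 'foo'); 'redirect=foo' parses the same way."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, arg = term.replace("=", ":", 1).partition(":")
    return qualifier, name.lower(), arg


def check_spf(ip, domain, lookups=None):
    """Evaluate ip against domain's SPF record.

    Returns (result, lookups_used); result is pass, fail, softfail, neutral or
    permerror. The lookup counter is shared across nested includes/redirects.
    """
    lookups = [0] if lookups is None else lookups
    try:
        record = get_spf_record(domain)
    except ValueError:
        return "permerror", lookups[0]
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
        if name == "redirect":
            redirect = arg  # consulted only if no mechanism matches
            continue
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub, _ = check_spf(ip, arg, lookups)
            if sub == "permerror":
                return "permerror", lookups[0]
            matched = sub == "pass"  # only a "pass" inside an include matches
        else:
            continue  # a/mx/ptr/exists need live DNS and are not modelled offline
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier], lookups[0]
    if redirect:
        return check_spf(ip, redirect, lookups)
    return "neutral", lookups[0]


def count_lookups(domain, seen=None):
    """Total DNS lookups a receiver needs to walk the whole include tree."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in get_spf_record(domain).split()[1:]:
        _, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, seen)
    return total


def audit_spf(domain):
    """Flag the common mistakes listed above; returns a list of problem strings."""
    try:
        record = get_spf_record(domain)
    except ValueError as err:
        return [str(err)]
    problems = []
    if any(parse_term(t)[:2] == ("+", "all") for t in record.split()[1:]):
        problems.append("+all lets any host send as this domain")
    n = count_lookups(domain)
    if n > MAX_LOOKUPS:
        problems.append(f"{n} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return problems
```

Against the mock zone, check_spf("203.0.113.5", "example.com") passes after three lookups, an unlisted host hits -all and fails, broken.example returns permerror before any IP is considered, and audit_spf("open.example") reports the +all problem. Replace MOCK_DNS with a real resolver to run it against a live domain.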

DKIM (DomainKeys Identified Mail)

What DKIM does

DKIM adds a cryptographic signature to every outgoing email. The sending server signs selected headers and a hash of the body with a private key, and the receiving server verifies the signature using the public key published in DNS by the domain named in the signature's d= tag. If the signature verifies, those headers and the body weren't modified after that domain signed them. Because the signature travels inside the message, DKIM normally survives forwarding, which SPF does not; it breaks only if an intermediary rewrites signed content (mailing lists that add subject tags or footers are the usual case).

DKIM record structure

DKIM records are published as TXT records at selector._domainkey.yourdomain.com. Each message's DKIM-Signature header names the selector (s=) and the signing domain (d=), which is how the receiver knows which key to fetch:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB...
  • v=DKIM1 — Version
  • k=rsa — Key type
  • p=... — The public key (base64 encoded)

How to set up DKIM

  1. Your email provider generates a key pair (Google Workspace, Microsoft 365, etc. all have guides)
  2. Add the public key as a DNS TXT record at the selector they specify
  3. The provider automatically signs outgoing emails with the private key
  4. Verify with our domain checker — it auto-detects common selectors

DKIM tips

  • Each sending service needs its own DKIM selector (e.g., Google uses google._domainkey)
  • Use 2048-bit keys when possible (more secure than 1024-bit). A 2048-bit public key is longer than the 255-character limit of a single TXT string, so the record has to be split into several quoted strings; most DNS providers do this automatically, but confirm the published key resolves intact.
  • Rotate keys periodically (annually is good practice)
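The tamper check DKIM gives you, as an added example that is not code from the original article or from any mail provider: RFC 6376 "relaxed" body canonicalization, the bh= body hash a signer commits to, and a verifier that recomputes it from a delivered body. Only the body-hash half is shown; the b= tag, an RSA signature over the signed headers (bh= included), is checked separately with the public key from selector._domainkey.<d=> and is left as a placeholder here. The message body and the DKIM-Signature header are constructed for the example.

```python
import base64
import hashlib
import hmac
import re


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization.

    Runs of spaces/tabs inside a line become one space, trailing whitespace on
    each line is dropped, trailing empty lines are dropped, and every remaining
    line ends in CRLF. An empty body stays empty.
    """
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()


def parse_dkim_signature(header_value: str) -> dict:
    """Turn 'v=1; a=rsa-sha256; d=...; s=...; bh=...; b=...' into a tag dict.

    Folding whitespace inside values (common in long bh= and b= tags) is removed.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_header: str, body: bytes) -> bool:
    """True if the delivered body still matches the bh= the signer committed to.

    Only relaxed body canonicalization is implemented. The l= (body length)
    tag is not honoured; signers should avoid it anyway, because anything
    appended after the signed length is unsigned.
    """
    tags = parse_dkim_signature(dkim_header)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or "l" in tags:
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is modelled here")
    return hmac.compare_digest(body_hash(body), tags.get("bh", ""))


def make_dkim_header(domain: str, selector: str, body: bytes) -> str:
    """Signer side, reduced to the bh= computation.

    A real signer would then RSA-sign the canonicalized headers listed in h=
    (plus this header with b= empty) and fill b=; PLACEHOLDER marks that step.
    """
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=PLACEHOLDER")


# Constructed message body; note the double space and trailing blank lines,
# which relaxed canonicalization is designed to tolerate.
SAMPLE_BODY = b"Hello  team,\r\n\r\nYour invoice is attached. \r\n\r\n\r\n"
SAMPLE_HEADER = make_dkim_header("yourdomain.com", "google", SAMPLE_BODY)


def demo() -> dict:
    """Show which changes DKIM tolerates and which it catches."""
    reflowed = b"Hello team,\r\n\r\nYour invoice is attached.\r\n"  # whitespace only
    tampered = SAMPLE_BODY.replace(b"attached", b"overdue, pay here")
    return {
        "original": verify_body_hash(SAMPLE_HEADER, SAMPLE_BODY),
        "whitespace_only": verify_body_hash(SAMPLE_HEADER, reflowed),
        "tampered": verify_body_hash(SAMPLE_HEADER, tampered),
    }
```

Running demo() shows the body hash surviving a whitespace-only rewrite (what relays commonly do) while any change to the words fails, which is the property the article's "wasn't modified in transit" claim rests on.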

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What DMARC does

DMARC ties SPF and DKIM together through alignment: a message passes DMARC only if SPF or DKIM passes and the domain that passed (the Return-Path domain for SPF, the d= domain for DKIM) matches the domain in the visible From: header, by default the same organizational domain. The record then tells receiving servers what to do when that check fails. Without DMARC, servers decide on their own, which is unpredictable, and an SPF or DKIM pass for some unrelated domain says nothing about your From: address at all.

DMARC record structure

DMARC is a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
  • v=DMARC1 — Version
  • p=quarantine — Policy: none (monitor), quarantine (spam folder), reject (block)
  • rua=mailto:... — Where to send aggregate reports
  • pct=100 — Apply the policy to 100% of failing emails (messages outside the sample get the next weaker policy)
  • Optional tags: adkim=s and aspf=s require strict alignment (exact domain match) instead of the relaxed default r (same organizational domain); sp= sets a separate policy for subdomains, which otherwise inherit p=
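How a receiver turns the record above into a verdict, as an added example written for this article rather than taken from any mail server: alignment for SPF and DKIM, the p=/sp= choice, and pct= sampling, all driven by the results the earlier SPF and DKIM checks produce. The organizational-domain rule is simplified to "last two labels" (real receivers use the Public Suffix List); the pct sample roll is a parameter so the function stays deterministic; the ESP domains in the scenarios are hypothetical.

```python
ORG_LABELS = 2  # simplification, see organizational_domain()


def organizational_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Real receivers consult the Public Suffix List, so this assumption is wrong
    for names such as example.co.uk; it is enough for the cases shown here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-ORG_LABELS:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into tags, filling in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    return tags


def evaluate_dmarc(record, record_domain, from_domain, spf=None, dkim=(), roll=0):
    """Return (dmarc_result, disposition) for one message.

    record        the TXT found at _dmarc.<record_domain>
    from_domain   domain in the visible From: header
    spf           (result, mail_from_domain) from the SPF check, or None
    dkim          iterable of (result, d_domain), one per DKIM-Signature checked
    roll          0-99 value compared against pct=; a real receiver draws it at
                  random, here it is injected so results are repeatable
    """
    tags = parse_dmarc(record)
    spf_aligned_pass = (spf is not None and spf[0] == "pass"
                        and is_aligned(spf[1], from_domain, tags["aspf"]))
    dkim_aligned_pass = any(result == "pass" and is_aligned(d, from_domain, tags["adkim"])
                            for result, d in dkim)
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass", "none"
    # p= applies to the domain itself, sp= to its subdomains.
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
    # Messages outside the pct= sample get the next weaker policy (RFC 7489 6.6.4).
    if roll >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


# Constructed scenarios against the article's sample record.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
ME = "yourdomain.com"


def demo() -> dict:
    return {
        # Your provider signs with your domain and SPF is aligned: clean pass.
        "workspace": evaluate_dmarc(RECORD, ME, ME, spf=("pass", ME), dkim=[("pass", ME)]),
        # ESP (hypothetical esp.example) using its own bounce domain and its own
        # DKIM domain: SPF and DKIM both "pass", yet nothing aligns, so DMARC fails.
        "esp_unaligned": evaluate_dmarc(RECORD, ME, ME, spf=("pass", "bounce.esp.example"),
                                        dkim=[("pass", "esp.example")]),
        # Forwarded mail: SPF breaks on the forwarder's IP, DKIM survives.
        "forwarded": evaluate_dmarc(RECORD, ME, ME, spf=("fail", ME), dkim=[("pass", ME)]),
        # Spoof from an unrelated host with no signature.
        "spoof": evaluate_dmarc(RECORD, ME, ME, spf=("fail", ME), dkim=[]),
    }
```

The esp_unaligned case is the one that surprises people in monitoring reports: both SPF and DKIM show pass in the raw results, but the message still fails DMARC because neither passing domain is yours. The fix is to have the ESP sign with a selector under your domain or use a custom return-path subdomain, not to loosen the policy.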

DMARC rollout strategy

  1. Start with p=none — Monitor mode. Collects reports without affecting delivery.
  2. Analyze reports for 2-4 weeks — Identify legitimate senders that are failing SPF/DKIM
  3. Fix authentication gaps — Add missing SPF includes, set up DKIM for all senders
  4. Move to p=quarantine — Failed emails go to spam. You can ramp up with pct (for example pct=25, then 50, then 100); messages outside the sample get the next weaker policy, so nothing is quarantined by surprise.
  5. Move to p=reject — Failed emails are blocked entirely (strongest protection)
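Step 2 of the rollout is where most of the work is, so here is an added example (not part of the original article, and not any vendor's report tooling) that reads one aggregate report in the RFC 7489 Appendix C XML format and separates sources that would be quarantined from those that are fine. Real rua reports arrive as gzip or zip attachments from each receiving provider; the report below is constructed by hand so the example runs offline, with documentation-range IPs and a hypothetical esp.example ESP.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report. The three records stand for: your own
# provider (aligned DKIM + SPF), an ESP sending with its own bounce domain and
# no DKIM for you, and an unknown host sending as you with no authentication.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2024-01-15-001</report_id>
    <date_range><begin>1705276800</begin><end>1705363200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def get_text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_report(xml_text):
    """Flatten each <record> into a dict.

    policy_evaluated holds the *aligned* DKIM/SPF verdicts that decide DMARC;
    auth_results holds the raw results, including passes for other domains.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        rows.append({
            "source_ip": get_text(rec, "row/source_ip"),
            "count": int(get_text(rec, "row/count", "0")),
            "header_from": get_text(rec, "identifiers/header_from"),
            "disposition": get_text(rec, "row/policy_evaluated/disposition"),
            "dkim_aligned": get_text(rec, "row/policy_evaluated/dkim") == "pass",
            "spf_aligned": get_text(rec, "row/policy_evaluated/spf") == "pass",
            "raw_spf": [(get_text(s, "domain"), get_text(s, "result"))
                        for s in rec.findall("auth_results/spf")],
            "raw_dkim": [(get_text(d, "domain"), get_text(d, "selector"), get_text(d, "result"))
                         for d in rec.findall("auth_results/dkim")],
        })
    return rows


def summarize(rows):
    """Message counts that passed and failed DMARC across the report."""
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if r["dkim_aligned"] or r["spf_aligned"])
    return {"messages": total, "dmarc_pass": passed, "dmarc_fail": total - passed}


def failing_sources(rows):
    """Sources a move to p=quarantine/reject would hit, with the likely cause."""
    out = []
    for r in rows:
        if r["dkim_aligned"] or r["spf_aligned"]:
            continue
        if any(res == "pass" for _, res in r["raw_spf"]):
            why = "SPF passed for an unaligned domain; add DKIM or a custom return-path for this sender"
        elif any(res == "pass" for _, _, res in r["raw_dkim"]):
            why = "DKIM passed for an unaligned domain; have this sender sign with your own selector"
        else:
            why = "no authentication at all; an unauthorized source or a forgotten sending service"
        out.append((r["source_ip"], r["count"], why))
    return sorted(out, key=lambda t: -t[1])
```

The useful output is failing_sources(): sources with a raw pass but an aligned fail are legitimate senders you have not finished configuring (fix them before tightening the policy), while sources with no pass at all are exactly what p=reject exists to block. Run the same code over every provider's daily report and the "forgotten sending service" mistake shows up as a steady, recognizable IP rather than as lost mail.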

The Complete Setup Checklist

Step                                   Record                                      Where
1. List all email senders              -                                           Spreadsheet
2. Create SPF record                   TXT @ yourdomain.com                        DNS provider
3. Set up DKIM for each sender         TXT @ selector._domainkey.yourdomain.com    DNS provider
4. Create DMARC record (monitor)       TXT @ _dmarc.yourdomain.com                 DNS provider
5. Verify with domain checker          -                                           Mailthentic tool
6. Monitor reports for 2-4 weeks       -                                           DMARC report inbox
7. Upgrade DMARC to quarantine/reject  Update TXT @ _dmarc.yourdomain.com          DNS provider

Testing Your Configuration

After setting up all three records, verify them:

  1. Mailthentic Domain Checker — Free instant check of MX, SPF, DKIM, and DMARC with a health score
  2. Send a test email — Send to a Gmail account and click "Show original" to see SPF/DKIM/DMARC results
  3. Check DMARC reports — After 24-48 hours, you'll start receiving aggregate reports showing pass/fail rates

What Happens Without Proper Authentication

Missing record   Risk
No SPF           Receivers cannot tell whether the sending server is allowed to use your domain in the envelope sender, so spoofed mail is easier to pass off and your legitimate emails are more likely to be flagged or rejected.
No DKIM          Emails can be modified in transit without detection, and anything that forwards your mail breaks SPF with no signature to fall back on. Some receivers downgrade trust for unsigned emails.
No DMARC         No alignment check and no policy for handling failed authentication: a message can pass SPF or DKIM for an unrelated domain and still carry your From: address. Each receiver decides independently, leading to inconsistent delivery.

The combination of all three is what matters. SPF alone is not enough. DKIM alone is not enough. You need the complete stack.

Check your domain's authentication right now

Use our free domain health checker to see your SPF, DKIM, and DMARC status in seconds. Then sign up free to verify individual email addresses with 100 credits.

Ready to verify your email list?

Start free with 100 verification credits. No credit card required.
