SPF, DKIM, DMARC Explained: Complete Email Authentication Guide (2024)

Master email authentication with this complete guide to SPF, DKIM, and DMARC. Includes setup instructions, DNS records, troubleshooting, and real-world examples.

Your emails are landing in spam. Your domain is being spoofed by scammers. Your sender reputation is in the toilet.

The fix? Email authentication: SPF, DKIM, and DMARC.

Related Reading

These three protocols prove to email providers (Gmail, Outlook, Yahoo) that your emails are legitimate. Without them, you're fighting an uphill battle for inbox placement - even if you're following all the cold email deliverability best practices.

In this guide, you'll learn:

  • What SPF, DKIM, and DMARC are (in plain English)
  • How to set them up (step-by-step with DNS records)
  • Common mistakes and troubleshooting
  • How to test and monitor your setup
  • Real-world examples and best practices

By the end, you'll have bulletproof email authentication that protects your domain and improves deliverability.

Let's dive in.

The Problem: Email Spoofing & Spam

Email was invented in the 1970s without security in mind. Anyone can send an email claiming to be from [email protected]-no verification required.

This creates two major problems:

  1. Spoofing/Phishing: Scammers impersonate your domain to steal credentials or money.
    • Example: Fake "CEO email" asking employees to wire funds.
    • Result: Brand damage, customer distrust, security breaches.
  2. Spam Classification: Email providers can't tell legitimate emails from spam, leading to your messages being caught in spam traps or flagged as junk.
    • Example: Your newsletter lands in spam because there's no proof it's really from you.
    • Result: Low open rates, wasted marketing spend.

The solution: SPF, DKIM, and DMARC prove your emails are authentic.

SPF: Sender Policy Framework

What is SPF?

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are allowed to send emails on behalf of your domain.

Think of it like this: SPF is a whitelist. When Gmail receives an email from [email protected], it checks your SPF record to see if the sending server is authorized.

How SPF Works (Step-by-Step)

  1. You send an email from [email protected] via Mailchimp's servers.
  2. Gmail receives the email and sees it came from IP address 198.2.128.1 (Mailchimp).
  3. Gmail looks up example.com's SPF record in DNS.
  4. SPF record says: "v=spf1 include:servers.mcsv.net ~all" (Mailchimp is authorized).
  5. Gmail sees 198.2.128.1 is in Mailchimp's IP range → PASS.
  6. Email proceeds (without SPF, it might be spam-filtered).

SPF Record Syntax

SPF records are added as TXT records in your DNS.

Basic format:

v=spf1 [mechanisms] [qualifier]

Example SPF record:

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:198.51.100.5 -all

Breakdown:

  • v=spf1 - SPF version 1 (always required)
  • include:_spf.google.com - Allow Google Workspace servers
  • include:servers.mcsv.net - Allow Mailchimp servers
  • ip4:198.51.100.5 - Allow specific IP address
  • -all - Reject all other servers (strict)

SPF Mechanisms

Mechanism Description Example
include: Reference another domain's SPF record include:_spf.google.com
ip4: Authorize specific IPv4 address ip4:198.51.100.5
ip6: Authorize specific IPv6 address ip6:2001:db8::1
a Authorize domain's A record a:mail.example.com
mx Authorize domain's MX servers mx
all Catch-all (must be last) -all

SPF Qualifiers

Qualifier Meaning Recommendation
-all Hard fail - Reject unauthorized ✅ Best for security
~all Soft fail - Mark as spam but accept ⚠️ Use during testing
+all Pass all - Allow everything (insecure) ❌ Never use
?all Neutral - No policy ❌ Defeats the purpose
Best Practice: Start with ~all (soft fail) for 1-2 weeks to test. Once confirmed working, switch to -all (hard fail).

How to Set Up SPF (Step-by-Step)

Step 1: Identify Your Email Senders

List all services that send email from your domain - including any role-based email addresses like support@ or no-reply@:

  • Email provider (Google Workspace, Microsoft 365)
  • Marketing tools (Mailchimp, SendGrid, Klaviyo)
  • CRM (HubSpot, Salesforce)
  • Support desk (Zendesk, Intercom)
  • Custom servers (if you host email yourself)

Step 2: Get SPF Include Records

Each service provides an SPF include string. Common ones:

  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • Mailchimp: include:servers.mcsv.net
  • SendGrid: include:sendgrid.net
  • HubSpot: include:_spf.hubspot.com

Step 3: Build Your SPF Record

Combine all includes into one TXT record:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net -all

Step 4: Add to DNS

  1. Log in to your domain registrar (Namecheap, GoDaddy, Cloudflare)
  2. Navigate to DNS settings
  3. Add a TXT record:
    • Host/Name: @ (or leave blank for root domain)
    • Value: v=spf1 include:_spf.google.com -all
    • TTL: 3600 (1 hour)
  4. Save changes

Step 5: Verify SPF

Use dig (Linux/Mac) or online tools:

dig yourdomain.com TXT

Or use MXToolbox SPF Checker: https://mxtoolbox.com/spf.aspx

SPF Limitations

  • 10 DNS Lookups Max: SPF has a hard limit of 10 DNS lookups. Exceeding this breaks SPF and can trigger permanent SMTP errors.
    • Each include: counts as 1 lookup (and nested lookups count too).
    • Solution: Use SPF flattening (convert includes to IP ranges).
  • One SPF Record Only: You can only have one SPF TXT record per domain. Multiple records break SPF.
  • Doesn't Protect "From" Header: SPF only validates the Return-Path (envelope sender), not the From header users see. (DMARC fixes this.)

DKIM: DomainKeys Identified Mail

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to your emails, proving they weren't tampered with in transit.

Think of it like this: DKIM is a wax seal on an envelope. If the seal is broken, you know someone opened it.

How DKIM Works

  1. You configure DKIM keys (public + private) for your domain.
  2. When you send an email, your mail server signs it with the private key (an encrypted hash).
  3. Gmail receives the email and retrieves your public key from DNS.
  4. Gmail uses the public key to verify the signature.
  5. If the signature matches → PASS (email is authentic and unmodified).
  6. If it doesn't match → FAIL (email was tampered with or is fraudulent).

DKIM Record Syntax

DKIM records are TXT records in DNS, published at:

[selector]._domainkey.yourdomain.com

Example:

default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..."

Breakdown:

  • v=DKIM1 - DKIM version 1
  • k=rsa - Key type (RSA encryption)
  • p=MIGfMA... - Public key (base64-encoded)

How to Set Up DKIM

Step 1: Generate DKIM Keys

Most email providers generate DKIM keys for you:

  • Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  • Microsoft 365: Security & Compliance Center → Threat management → Policy → DKIM
  • Mailchimp: Account → Settings → Domains → Authenticate
  • SendGrid: Settings → Sender Authentication → Authenticate Your Domain

If you're self-hosting, use OpenDKIM to generate keys:

opendkim-genkey -t -s default -d example.com

Step 2: Add DKIM Record to DNS

Your provider will give you a DKIM record to add. Example from Google:

  • Host/Name: google._domainkey
  • Value: v=DKIM1; k=rsa; p=MIIBIjANBg...
  • Type: TXT

Step 3: Enable DKIM Signing

In your email provider, toggle DKIM signing to "On" (Google/Microsoft require this step).

Step 4: Verify DKIM

Send a test email to [email protected]. You'll receive a report showing DKIM status.

Or use MXToolbox DKIM Checker: https://mxtoolbox.com/dkim.aspx

DKIM Best Practices

  • Use 2048-bit keys (more secure than 1024-bit)
  • Rotate keys yearly (generate new keys, update DNS)
  • Use multiple selectors (one per service: google._domainkey, mailchimp._domainkey)
  • Keep private keys secure (never expose them publicly)

DMARC: Domain-based Message Authentication, Reporting & Conformance

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells email providers what to do if authentication fails.

Think of it like this: SPF and DKIM are locks on your door. DMARC is the security camera that records who tried to break in and calls the police.

How DMARC Works

  1. Gmail receives an email claiming to be from @example.com.
  2. Gmail checks SPF → PASS.
  3. Gmail checks DKIM → PASS.
  4. Gmail checks DMARC policy for example.com.
  5. DMARC policy says: p=reject (reject unauthenticated emails).
  6. If SPF or DKIM failed, Gmail rejects the email.
  7. Gmail sends a report to [email protected] (DMARC reporting).

DMARC Record Syntax

DMARC records are TXT records published at:

_dmarc.yourdomain.com

Example DMARC record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=s; aspf=s;

Breakdown:

  • v=DMARC1 - DMARC version 1
  • p=quarantine - Policy: quarantine (spam folder) failed emails
  • rua=mailto:[email protected] - Send aggregate reports here
  • ruf=mailto:[email protected] - Send forensic (failure) reports here
  • pct=100 - Apply policy to 100% of emails
  • adkim=s - DKIM strict alignment
  • aspf=s - SPF strict alignment

DMARC Policy Options

Policy Action Use Case
p=none Monitor only (no action taken) ✅ Start here-collect reports, identify issues
p=quarantine Send to spam folder ⚠️ Intermediate step after monitoring
p=reject Block email entirely ✅ Final goal-maximum protection

How to Set Up DMARC

Step 1: Ensure SPF and DKIM Are Working

DMARC requires at least one of SPF or DKIM to pass. Set these up first.

Step 2: Create a Mailbox for Reports

Set up [email protected] to receive aggregate reports (XML files sent daily).

Step 3: Build Your DMARC Record

Start with p=none to monitor without blocking:

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100;

Step 4: Add to DNS

Step 5: Monitor Reports for 2-4 Weeks

You'll receive daily XML reports showing:

  • Which IPs are sending email from your domain
  • SPF/DKIM pass/fail rates
  • Potential spoofing attempts

Use a DMARC analyzer like Postmark DMARC Digests (free) or dmarcian ($)

Step 6: Gradually Enforce Policy

Once you're confident SPF/DKIM are working:

  1. Week 1-2: p=none (monitor)
  2. Week 3-4: p=quarantine; pct=10 (quarantine 10% of failures)
  3. Week 5-6: p=quarantine; pct=100 (quarantine all failures)
  4. Week 7+: p=reject; pct=100 (reject all failures)

DMARC Alignment

DMARC checks that the From header domain matches the domain in SPF/DKIM.

Alignment Mode Requirement Example
Relaxed (r) Organizational domain must match mail.example.com matches example.com
Strict (s) Exact domain must match mail.example.com vs example.com

Recommendation: Start with adkim=r; aspf=r; (relaxed). Move to strict once confident.

📧 Protect Your Authenticated Emails

Even with SPF/DKIM/DMARC, sending to invalid emails destroys your sender reputation. That's why you need to validate emails in bulk before every campaign.

Emails Wipes removes bounces, spam traps, and disposables before you send.

Validate 100 Emails Free →

Common Mistakes & Troubleshooting

1. Multiple SPF Records

Symptom: SPF fails even though you added it.

Cause: You have 2+ TXT records starting with v=spf1.

Fix: Merge into one SPF record. Delete duplicates.

2. Exceeding 10 DNS Lookups (SPF)

Symptom: SPF hard fails (permerror).

Cause: Too many include: statements (each counts toward the limit).

Fix: Use SPF flattening tools (AutoSPF, EasySPF) to convert includes to IP ranges.

3. DKIM Signature Broken

Symptom: DKIM fails after setup.

Cause: Spaces/line breaks in public key when adding to DNS.

Fix: Remove all spaces and line breaks from the DKIM public key before pasting into DNS.

4. DMARC Blocking Legitimate Emails

Symptom: Emails from forwarding services (mailing lists) fail DMARC.

Cause: Forwarding breaks SPF (IP changes).

Fix: Use p=quarantine instead of p=reject, or set pct=90 (apply to 90%, not 100%).

5. Subdomain DMARC Issues

Symptom: Emails from newsletter.example.com fail DMARC.

Cause: Subdomains inherit parent DMARC but may need their own SPF/DKIM.

Fix: Add separate SPF/DKIM/DMARC for the subdomain.

Testing Your Setup

1. Send a Test Email to These Services:

2. Use DNS Lookup Tools:

3. Check Gmail Headers:

  1. Open an email in Gmail
  2. Click "⋮" (three dots) → "Show original"
  3. Look for:
    • spf=pass
    • dkim=pass
    • dmarc=pass

Summary: Your Authentication Checklist

✅ Complete Email Authentication Setup
  • SPF: Add TXT record with all authorized senders (-all qualifier)
  • DKIM: Generate keys, add TXT record, enable signing
  • DMARC: Start with p=none, monitor 2-4 weeks, escalate to p=reject
  • Test: Send to Port25, Mail-Tester, check headers
  • Monitor: Review DMARC reports weekly
  • Maintain: Update records when adding new email services

Real-World Examples

Example 1: SaaS Startup (Google Workspace + Mailchimp)

SPF Record:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

DKIM Records:

  • google._domainkey - Google's DKIM key
  • k1._domainkey - Mailchimp's DKIM key

DMARC Record:

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; adkim=r; aspf=r;

Example 2: E-Commerce (Shopify + Klaviyo + Zendesk)

SPF Record:

v=spf1 include:shops.shopify.com include:_spf.klaviyo.com include:mail.zendesk.com -all

DKIM Records:

  • shopify._domainkey
  • klaviyo1._domainkey, klaviyo2._domainkey
  • zendesk1._domainkey, zendesk2._domainkey

DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=50;

(50% quarantine during gradual rollout)

Related Articles