SPF, DKIM, DMARC Setup Guide: Complete Email Authentication in 2025
Protect your domain from email spoofing and improve deliverability with proper SPF, DKIM, and DMARC configuration
What Are SPF, DKIM, and DMARC?
Email authentication protocols are essential for protecting your domain reputation and ensuring your emails reach recipients' inboxes. These three technologies work together to verify that emails claiming to be from your domain are legitimate.
SPF
Sender Policy Framework
Specifies which mail servers are authorized to send email on behalf of your domain. Prevents spammers from forging your domain in the "envelope from" address.
DKIM
DomainKeys Identified Mail
Adds a digital signature to your emails that receiving servers can verify. Ensures email content hasn't been tampered with during transit.
DMARC
Domain-based Message Authentication, Reporting, and Conformance
Tells receiving servers what to do with emails that fail SPF or DKIM checks. Provides reporting on authentication results.
Step 1: Setting Up SPF Records
What is an SPF Record?
An SPF record is a TXT record added to your domain's DNS that lists all authorized mail servers for your domain. When a receiving server gets an email from your domain, it checks the SPF record to verify the sending server is authorized.
SPF Record Syntax
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com ~all
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
SPF Mechanisms Explained
| Mechanism | Description | Example |
|---|---|---|
| v=spf1 | SPF version identifier (required) | v=spf1 |
| include: | Include another domain's SPF record | include:_spf.google.com |
| ip4: | Authorize specific IPv4 address | ip4:192.168.1.1 |
| ip6: | Authorize specific IPv6 address | ip6:2001:db8::1 |
| a | Authorize domain's A record | a:mail.example.com |
| mx | Authorize domain's MX records | mx |
| ~all | Soft fail (mark as suspicious) | ~all |
| -all | Hard fail (reject email) | -all |
Step 2: Configuring DKIM
How DKIM Works
DKIM adds a digital signature to your email headers using public-key cryptography. Your email server signs outgoing messages with a private key, and receiving servers verify the signature using a public key published in your DNS.
DKIM Setup for Google Workspace
Access Admin Console
Go to admin.google.com → Apps → Google Workspace → Gmail → Authenticate email
Generate DKIM Key
Click Generate New Record. Choose a 2048-bit key for better security.
Add DNS Record
Copy the TXT record and add it to your DNS provider:
Name: google._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA...
Activate DKIM
Wait 24-48 hours for DNS propagation, then click Start Authentication in Google Admin.
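Once the TXT record resolves, it is worth confirming that the published key really is the size you selected. The following is an added example, not part of Google's tooling or the original guide: it parses a DKIM TXT value, decodes the p= public key, and reports RSA keys shorter than 2048 bits. The function names are hypothetical, and sample_record builds a constructed, structurally valid but unusable key so the check runs offline.

```python
import base64

MIN_BITS = 2048  # key size this guide recommends

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, outer, _ = read_tlv(spki, 0)         # outer SEQUENCE
    _, _, nxt = read_tlv(outer, 0)          # AlgorithmIdentifier (skipped)
    _, bitstr, _ = read_tlv(outer, nxt)     # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = read_tlv(bitstr, 1)      # skip the unused-bits byte
    _, modulus, _ = read_tlv(rsakey, 0)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim(txt):
    """Return a list of problems found in a DKIM TXT record value."""
    tags = dict((k.strip(), v.strip()) for k, v in
                (p.split("=", 1) for p in txt.split(";") if "=" in p))
    key = "".join(tags.get("p", "").split())  # DNS tools may insert whitespace
    if tags.get("k", "rsa") != "rsa":
        return ["non-RSA key; size check skipped"]
    if not key:
        return ["empty p=: key revoked or record truncated"]
    bits = rsa_bits(base64.b64decode(key))
    return [] if bits >= MIN_BITS else [f"RSA key is {bits} bits, below {MIN_BITS}"]

def der(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(body); size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: valid structure around a placeholder modulus, not a real key."""
    n = (1 << (bits - 1)) | 1
    modulus = b"\x00" + n.to_bytes(bits // 8, "big")
    rsakey = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass check_dkim the TXT value returned by your DNS lookup for the selector; an empty list means no problem was found.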
DKIM Setup for Microsoft 365
Access Microsoft 365 Admin Center
Go to admin.microsoft.com → Settings → Domains → Select your domain
Get DKIM Records
Microsoft provides two CNAME records to add to your DNS:
selector1._domainkey → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Enable DKIM Signing
After DNS propagation, go to Security & Compliance → Threat Management → Policy → DKIM → Enable signing for your domain.
Step 3: Implementing DMARC
Why DMARC Matters
DMARC builds on SPF and DKIM by telling receiving servers what to do when authentication fails. It also provides valuable reporting on who's sending email using your domain, helping you identify spoofing attempts.
DMARC Record Syntax
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com
DMARC Policy Tags Explained
| Tag | Description | Example |
|---|---|---|
| v | DMARC version (required) | v=DMARC1 |
| p | Policy for failed emails (required) | p=reject |
| rua | Aggregate report email address | rua=mailto:dmarc@example.com |
| ruf | Forensic report email address | ruf=mailto:forensics@example.com |
| pct | Percentage of emails to apply policy | pct=50 |
| sp | Subdomain policy | sp=quarantine |
| adkim | DKIM alignment mode | adkim=s |
| aspf | SPF alignment mode | aspf=r |
DMARC Policy Levels
p=none (Monitor)
Recommended for initial setup. No action taken on failed emails, but you receive reports.
p=quarantine
Moderate protection. Failed emails go to spam/junk folder. Good intermediate step.
p=reject
Maximum protection. Failed emails are rejected completely. Use after monitoring period.
Testing Your Configuration
Verification Checklist
Check DNS Propagation
Use tools like MXToolbox or Google Admin Toolbox to verify records are published
Send Test Emails
Send emails to Gmail, Outlook, and Yahoo to test authentication
Review Email Headers
Check for "PASS" results in SPF, DKIM, and DMARC authentication
Monitor DMARC Reports
Review aggregate reports weekly to identify issues
Common Issues and Solutions
SPF Record Too Long
Problem: SPF records have a 255-character limit and a 10-DNS-lookup limit.
Solution: Use SPF flattening services or consolidate include statements. Remove unnecessary entries.
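The lookup limit is easy to exceed without noticing, because lookups triggered inside included records count toward the same total of 10. The following added example (not from the original guide) counts them recursively. ZONE is a constructed stand-in for DNS with hypothetical provider names, and the function names are illustrative.

```python
import re

LIMIT = 10  # maximum DNS-querying terms per SPF evaluation (RFC 7208, section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for DNS so the check runs offline. All names are hypothetical.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:_spf.crm.example mx ~all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example "
                             "include:_nb2.mailhost.example include:_nb3.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.relay.example exists:%{i}.bl.crm.example ~all",
    "_spf.relay.example": "v=spf1 a:out1.relay.example a:out2.relay.example -all",
}

def term_name(term):
    """'~include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms for `domain`, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        name = term_name(term)
        if name in LOOKUP_TERMS:            # ip4, ip6 and all cost nothing
            total += 1
        if name in ("include", "redirect"):  # nested records share the same budget
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    total = count_lookups(domain, zone)
    return {"lookups": total, "over_limit": total > LIMIT}

if __name__ == "__main__":
    print(audit("example.com", ZONE))
```

The top-level record in this sample contains only three lookup terms, yet the evaluation costs 12 once the nested includes are followed.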
DKIM Not Signing
Problem: Emails aren't being signed with DKIM even after setup.
Solution: Verify DNS records are correct, wait 48 hours for propagation, and ensure DKIM is enabled in your email platform admin panel.
DMARC Alignment Failures
Problem: SPF and DKIM pass but DMARC fails due to alignment issues.
Solution: Ensure the "From" domain matches the domain in SPF/DKIM. Use relaxed alignment (aspf=r, adkim=r) if needed.
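The alignment failure described above, together with the p, pct, adkim and aspf tags from the DMARC tag table, as an added example that is not part of the original guide. It assumes the organizational domain is the last two labels of a name (real receivers use the Public Suffix List); the function names and the crm.example sender are constructed for illustration.

```python
def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict with lower-case tag names."""
    return dict((k.strip().lower(), v.strip()) for k, v in
                (part.split("=", 1) for part in record.split(";") if "=" in part))

def org_domain(domain):
    # ASSUMPTION: last two labels. Wrong for suffixes such as co.uk; use the PSL in production.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, header_from, spf, dkim):
    """spf = (result, envelope-from domain); dkim = (result, d= domain of the signature)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok              # one aligned pass is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "requested_policy": None if passed else tags["p"],
        "pct": int(tags.get("pct", 100)),   # share of failing mail the policy applies to
    }

if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com"
    # Constructed case: a CRM sends as yourdomain.com but authenticates as itself.
    print(evaluate(rec, "yourdomain.com",
                   ("pass", "bounce.crm.example"), ("pass", "crm.example")))
    # Same sender after it signs with a subdomain of yourdomain.com.
    print(evaluate(rec, "yourdomain.com",
                   ("pass", "bounce.crm.example"), ("pass", "mail.yourdomain.com")))
```

The first call fails DMARC even though SPF and DKIM both report pass, because neither authenticated domain belongs to yourdomain.com; the second passes through relaxed DKIM alignment.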
Third-Party Senders Failing
Problem: Marketing platforms or CRMs can't send email after DMARC implementation.
Solution: Add the third-party sender's SPF include to your record, or have them send from a subdomain with its own authentication.
Need Help with Email Authentication?
Our experts configure SPF, DKIM, and DMARC correctly during every migration project.
Setting up SPF, DKIM, and DMARC correctly is crucial for email deliverability. Our experts can configure and verify your email authentication during migration or as a standalone service.