Email authentication protects your domain and improves deliverability. Learn how to set up SPF, DKIM, and DMARC records with step-by-step instructions and verification tips.
Email authentication proves your emails are really from you. Without it, your emails land in spam, get rejected entirely, or worse—scammers can impersonate your domain to phish your customers.
Three authentication methods work together to protect your domain and improve deliverability:
Critical Requirement: As of February 2024, Gmail and Yahoo require SPF, DKIM, and DMARC for bulk senders (anyone sending 5,000+ emails per day). Even if you send less, authentication dramatically improves deliverability.
This guide walks you through setting up all three authentication methods, step by step.
When you send an email, receiving servers check if you're authorized to send from your domain.
All of this happens automatically in seconds. But it only works if you've set up your DNS records correctly.
SPF tells receiving servers which mail servers are allowed to send email from your domain.
SPF prevents spammers from forging your domain in the "From" address. When configured, only servers you specify can send email as yourcompany.com.
Without SPF: Anyone can send email claiming to be from your domain
With SPF: Only authorized servers can send from your domain
SPF is a DNS TXT record that lists authorized sending servers.
Basic SPF record structure:
v=spf1 [mechanisms] [qualifier]
Common mechanisms:
- ip4:192.0.2.1 - Authorizes a specific IPv4 address
- ip6:2001:db8::1 - Authorizes a specific IPv6 address
- include:_spf.google.com - Includes Google's SPF record (for Google Workspace)
- include:sendgrid.net - Includes SendGrid's servers
- a - Authorizes the domain's A record
- mx - Authorizes the domain's MX records
- ~all - Soft fail for everything else (recommended)
- -all - Hard fail for everything else (stricter)
Example SPF records:
Simple website (no email service):
v=spf1 -all
This says "nobody is authorized to send from this domain" - use this for domains that don't send email.
Google Workspace only:
v=spf1 include:_spf.google.com ~all
Google Workspace + SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Multiple services:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all
Check your ESP's documentation for their SPF include directive:
| Email Service | SPF Include |
|---|---|
| Google Workspace (Gmail) | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| Mailgun | include:mailgun.org |
| Postmark | include:spf.mtasv.net |
| Amazon SES | include:amazonses.com |
Step 1: Access your DNS provider
Log into wherever you manage your domain's DNS records. Common providers: - Cloudflare - GoDaddy - Namecheap - Google Domains - Your web host
Step 2: Create a new TXT record
v=spf1 include:_spf.google.com ~all)Step 3: Save the record
DNS changes can take 1-48 hours to propagate, but often work within minutes.
The 10 DNS Lookup Limit:
SPF records have a hard limit of 10 DNS lookups. Each include: statement counts as a lookup. If you exceed 10, SPF fails entirely.
How to count lookups:
- Each include: = 1 lookup
- Each a or mx = 1 lookup
- ip4: and ip6: = 0 lookups
Example that FAILS (too many lookups):
v=spf1 include:service1.com include:service2.com include:service3.com include:service4.com include:service5.com include:service6.com include:service7.com include:service8.com include:service9.com include:service10.com include:service11.com ~all
Solution if you hit the limit:
- Consolidate email services where possible
- Use ip4: for services that provide IP addresses instead of include:
- Create a subdomain for marketing emails (marketing.yourcompany.com)
Best practices:
- Use ~all (soft fail) not -all (hard fail) while testing
- Only include services you actually use
- Don't include your domain's own SPF record (no self-reference)
- Keep it simple - fewer includes is better
DKIM adds a digital signature to your emails that proves they came from your domain and weren't modified in transit.
DKIM uses cryptographic keys: - Private key: Kept secret by your email server, used to sign outgoing messages - Public key: Published in your DNS, used by receiving servers to verify signatures
When you send an email: 1. Your email server signs the message with your private key 2. Receiving server retrieves your public key from DNS 3. Receiving server verifies the signature matches 4. If it matches, the email passes DKIM authentication
DKIM setup varies by email service provider. Your ESP generates the keys and gives you DNS records to publish.
General process:
Step 1: Generate DKIM keys in your ESP
Find the DKIM settings in your email service: - Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email - Microsoft 365: Admin Center → Security → Email authentication - SendGrid: Settings → Sender Authentication → Domain Authentication - Mailchimp: Account → Settings → Domains → Authenticate domain
Step 2: Get your DKIM DNS records
Your ESP will provide: - Selector: A label for this key (e.g., "google", "s1", "k1") - DKIM record: A TXT record containing your public key
Example DKIM record:
Name: google._domainkey.yourcompany.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
Step 3: Add DKIM record to DNS
Create a new TXT record:
- Type: TXT
- Name: [selector]._domainkey (e.g., google._domainkey)
- Value: The DKIM public key provided by your ESP
- TTL: 3600 or default
Step 4: Verify in your ESP
After adding the DNS record, click "Verify" or "Authenticate" in your ESP's interface. They'll check that the DNS record is correct.
Use multiple selectors for multiple services:
If you send from Google Workspace and SendGrid, you'll have multiple DKIM records with different selectors:
google._domainkey.yourcompany.com → Google's DKIM key
s1._domainkey.yourcompany.com → SendGrid's DKIM key
This is normal and recommended.
Rotate keys annually:
For security, generate new DKIM keys every 12-24 months. Most ESPs make this easy.
Use 2048-bit keys:
Longer keys are more secure. Most services now default to 2048-bit RSA keys.
DMARC builds on SPF and DKIM. It tells receiving servers what to do when authentication fails and sends you reports about your email.
DMARC provides: 1. Policy enforcement: Tells receivers to reject, quarantine, or deliver emails that fail authentication 2. Alignment: Requires the domain in the "From" header to match SPF or DKIM domains 3. Reporting: Sends daily reports showing who's sending from your domain
DMARC has three policy levels:
p=none (monitoring only):
v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com
- Doesn't affect delivery
- Collects reports
- Use this: When first implementing DMARC
p=quarantine (soft reject):
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com
- Suspicious emails go to spam folder
- Use this: After monitoring shows your legitimate email passes authentication
p=reject (hard reject):
v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com
- Failing emails are rejected entirely
- Use this: For maximum protection (only when ready)
Basic DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com
Components:
- v=DMARC1 - Version (always this)
- p=none - Policy for your domain
- rua=mailto:dmarc@yourcompany.com - Where to send aggregate reports
- sp=none - Policy for subdomains (optional)
- pct=100 - Percentage of emails to apply policy to (optional, defaults to 100)
- adkim=r - DKIM alignment mode: r=relaxed (default), s=strict
- aspf=r - SPF alignment mode: r=relaxed (default), s=strict
Recommended starting DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com; pct=100; adkim=r; aspf=r
Step 1: Create the DMARC record
v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com)Step 2: Wait for reports
DMARC reports arrive daily (if anyone sent/received email from your domain that day). They're XML files showing: - Who sent email from your domain - Whether SPF and DKIM passed - What the receiving server did with the message
Don't jump straight to p=reject. Follow this rollout:
Week 1-2: Deploy p=none
v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com
Monitor reports. Identify all legitimate email sources. Fix any SPF or DKIM issues.
Week 3-6: Move to p=quarantine
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourcompany.com
Start with 10% of traffic. Monitor reports. Increase percentage gradually (25%, 50%, 75%, 100%).
Month 2+: Move to p=reject
v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com
Only do this when you're confident all legitimate email passes authentication.
DMARC reports are XML files that can be overwhelming. Use a DMARC reporting service:
DMARC report analyzers (free tiers available): - Postmark DMARC Digests - DMARC Analyzer - Valimail - dmarcian
These services parse the XML and show you: - Which sources are sending from your domain - Pass/fail rates for SPF and DKIM - Potential spoofing attempts - Configuration issues
After setting up SPF, DKIM, and DMARC, verify they're working correctly.
Wait 1-24 hours after adding DNS records, then check if they're visible:
Using dig (command line): ```bash
dig TXT yourcompany.com
dig TXT google._domainkey.yourcompany.com
dig TXT _dmarc.yourcompany.com ```
Using online tools: - MXToolbox (mxtoolbox.com/SuperTool.aspx) - Google Admin Toolbox Dig (toolbox.googleapps.com/apps/dig/) - DNSChecker (dnschecker.org)
Send a test email to yourself and check the headers.
Gmail: 1. Send email from your domain to your Gmail address 2. Open the email 3. Click the three dots → "Show original" 4. Look for authentication results:
SPF: PASS
DKIM: PASS
DMARC: PASS
Mail-Tester: 1. Go to mail-tester.com 2. Send an email to the address they provide 3. Check your score and authentication results
SPF issues:
"SPF failed: too many DNS lookups"
- Solution: Reduce number of include: statements to 10 or fewer
"SPF failed: no policy" - Solution: Add SPF TXT record to root domain (@)
DKIM issues:
"DKIM failed: no key" - Solution: Verify DKIM TXT record is published correctly - Check selector name matches what ESP expects
"DKIM failed: signature mismatch" - Solution: Ensure your ESP is signing emails - Regenerate DKIM keys if needed
DMARC issues:
"DMARC failed: alignment" - Solution: Ensure "From" domain matches SPF/DKIM domain - Use relaxed alignment (adkim=r; aspf=r)
"No DMARC record found" - Solution: Add TXT record at _dmarc.yourcompany.com
Send marketing emails from a subdomain to protect your primary domain reputation.
Setup: - Main domain: yourcompany.com (for business email) - Marketing subdomain: marketing.yourcompany.com (for bulk email)
Benefits: - Marketing email issues don't affect business email - Easier to monitor and manage authentication - Can use stricter DMARC on main domain
Configuration: Each subdomain needs its own SPF, DKIM, and DMARC records.
BIMI displays your logo next to emails in supporting inbox clients (Gmail, Yahoo, Apple Mail).
Requirements:
- DMARC policy of p=quarantine or p=reject
- Verified Mark Certificate (VMC) from a certificate authority
- SVG logo file hosted on HTTPS
BIMI is optional but improves brand recognition and trust.
ARC preserves authentication results when emails are forwarded or modified by mailing lists.
Most email services handle ARC automatically. As a sender, you don't need to configure it separately.
Use this checklist to ensure complete authentication:
Email authentication is no longer optional. SPF, DKIM, and DMARC are required for serious email senders and dramatically improve deliverability.
The setup process: 1. Add SPF: List authorized sending servers 2. Add DKIM: Enable in your ESP and publish public key 3. Add DMARC: Start with monitoring, move to enforcement 4. Verify: Test and monitor reports
Authentication protects your brand, improves deliverability, and builds trust with receiving servers. It takes a few hours to set up and provides ongoing benefits forever.
Don't skip this. Your deliverability depends on it.
Want to maintain the reputation you've built with authentication? Check our email list hygiene guide to keep your sender reputation strong with proper list maintenance.
Are your email subjects marking you as spam?
Are you being filtered as a 'Promotion' instead of a 'Priority'?
Find out instantly.