SPF, DKIM and DMARC explained: the complete setup guide
Email authentication doesn't have to be confusing. This plain-English guide walks you through SPF, DKIM, and DMARC — what they do, why they matter, and exactly how to set them up for Google Workspace and Microsoft 365.
3
protocols explained
10x
more likely to reach the inbox
85%
of spam lacks authentication
Table of Contents
What you'll learn in this guide
- What SPF, DKIM, and DMARC are and why every sender needs all three
- How the three protocols work together to protect your domain and boost deliverability
- Step-by-step DNS record setup for Google Workspace and Microsoft 365
- How to verify your configuration is correct using free tools
- The most common authentication mistakes and how to avoid them
If you've ever had a perfectly good email land in spam, you already know how frustrating deliverability problems can be. In many cases, the root cause isn't your content or your sending volume — it's that your domain is missing one or more email authentication records.
SPF, DKIM, and DMARC are the three protocols that prove to mailbox providers like Gmail, Outlook, and Yahoo that your emails are legitimate. Without them, you're essentially sending unsigned mail — and inbox providers treat that the same way you'd treat an unsigned letter from a stranger asking for your bank details.
This guide explains all three protocols in plain English, gives you copy-paste DNS records, and walks you through setup for the two most popular email platforms. Whether you're a marketer, a sales leader running cold outreach campaigns, or a founder setting up email for the first time, you'll have everything configured in under an hour.
Why email authentication matters
Email was invented in the 1970s, long before anyone worried about spam or phishing. The original protocol (SMTP) has no built-in way to verify that a message actually came from the domain it claims to come from. That means anyone can send an email pretending to be you@yourdomain.com — and without authentication, mailbox providers have no way to tell the difference.
SPF, DKIM, and DMARC were created to fix this. Together, they answer three critical questions: Is the sending server authorized? (SPF), Has the message been tampered with? (DKIM), and What should happen if authentication fails? (DMARC). When you configure all three correctly, you get several major benefits for your email deliverability.
Inbox placement
Authenticated emails are far more likely to reach the inbox. Gmail, Yahoo, and Microsoft all require authentication for bulk senders as of 2024.
Spoofing protection
Authentication prevents attackers from sending phishing emails that impersonate your domain, protecting both your brand and your recipients.
Domain reputation
Proper authentication builds a positive sending reputation over time, making every future email more likely to land in the inbox.
Key takeaway
Since February 2024, Google and Yahoo require SPF, DKIM, and DMARC for anyone sending more than 5,000 emails per day. But even if you send far fewer, authentication dramatically improves your chances of reaching the inbox. There's no reason not to set it up.
What is SPF?
SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which IP addresses and servers are allowed to send email on behalf of your domain. Think of it as a guest list for your email — if the sending server isn't on the list, the email is treated as suspicious.
When someone receives an email from you@yourdomain.com, the receiving server checks your domain's DNS for an SPF record. It then compares the IP address of the server that actually sent the email against the list of authorized senders. If there's a match, SPF passes. If not, SPF fails — and the email is more likely to be flagged as spam or rejected entirely.
Anatomy of an SPF record
An SPF record is a TXT record added to your domain's DNS. Here's what a typical SPF record looks like:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 -all Let's break down each part:
v=spf1 Declares this is an SPF version 1 record. Every SPF record must start with this.
include: Authorizes all servers listed in another domain's SPF record. Use this for third-party services like Google Workspace, Sendgrid, or Mailchimp.
ip4: Authorizes a specific IPv4 address. Use this for your own mail servers or services that give you a dedicated IP.
-all Hard fail — reject any server not explicitly listed. You can also use ~all (soft fail, less strict) while testing.
Important limitation
SPF has a 10-lookup limit. Every include: statement counts as a lookup, and nested includes count too. If you exceed 10, your SPF record becomes invalid. Be strategic about which services you include, and consider using an SPF flattening service if you have many senders.
SPF record examples for common providers
v=spf1 include:_spf.google.com -all v=spf1 include:spf.protection.outlook.com -all v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all What is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email. This signature is generated using a private key that only your email server knows, and verified by a public key published in your DNS. It proves two things: the email genuinely came from your domain, and it hasn't been altered in transit.
If SPF is the guest list, DKIM is the wax seal on the envelope. Even if someone intercepts the message, any tampering with the headers or body will break the signature, and the receiving server will know.
How DKIM signing works
You generate a key pair
Your email provider creates a private key (kept secret on the mail server) and a public key (published in your DNS as a TXT record).
Your server signs outgoing emails
When you send an email, your server uses the private key to create a cryptographic hash of select headers and the message body, and attaches it as a DKIM-Signature header.
The receiver verifies the signature
The receiving server looks up your DKIM public key in DNS, decrypts the signature, and compares it to the actual message. If they match, DKIM passes.
What a DKIM DNS record looks like
The DKIM public key is published as a TXT record at a specific subdomain. The subdomain follows the format selector._domainkey.yourdomain.com, where the selector is a name chosen by your email provider:
Host: google._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yourdomain.com; s=google;
h=from:to:subject:date:message-id;
bh=abc123hash...;
b=xyz789signature... Key takeaway
You never need to manually create the DKIM signature — your email provider handles that automatically. Your only job is to publish the public key in DNS so receiving servers can verify it. Most providers give you a ready-to-paste CNAME or TXT record.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that ties SPF and DKIM together. It tells receiving servers what to do when an email fails authentication — and gives you visibility into who's sending email using your domain.
Without DMARC, even if SPF or DKIM fails, the receiving server makes its own judgment call (which varies wildly between providers). DMARC lets you, the domain owner, set an explicit policy: let it through, quarantine it, or reject it outright.
DMARC policy options
p=none
Monitor only
No action is taken on failing emails. You receive reports so you can see who's sending as your domain. Start here when first setting up DMARC.
p=quarantine
Send to spam
Emails that fail authentication are sent to the recipient's spam folder. A good intermediate step once you've confirmed all legitimate senders pass.
p=reject
Block entirely
Emails that fail authentication are rejected and never delivered. The strongest protection against spoofing. Use once you're fully confident in your setup.
Anatomy of a DMARC record
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100; adkim=r; aspf=r v=DMARC1 Identifies this as a DMARC record. Required as the first tag.
p= The policy: none, quarantine, or reject. Start with none and work your way up.
rua= Where aggregate reports are sent. These XML reports show who's sending email as your domain and whether they pass authentication.
pct= Percentage of failing messages the policy applies to. Use pct=10 to gradually roll out a stricter policy.
adkim= / aspf= Alignment mode for DKIM and SPF. r = relaxed (subdomains allowed), s = strict (exact domain match).
Recommended rollout path
Start with p=none for 2-4 weeks to collect data. Then move to p=quarantine; pct=10 and gradually increase the percentage. Only move to p=reject once you're confident every legitimate sender is properly authenticated.
How SPF, DKIM and DMARC work together
Each protocol handles a different piece of the puzzle. SPF verifies the sending server, DKIM verifies the message integrity, and DMARC enforces the policy. Here's the full flow when a receiving server processes your email:
Authentication flow: what happens when you hit send
You send an email
Your mail server signs the message with DKIM and sends it from an authorized IP.
SPF check
The receiving server queries your DNS for the SPF record and checks if the sending IP is authorized.
DKIM check
The server fetches your DKIM public key from DNS and verifies the cryptographic signature on the message.
DMARC evaluation
The server checks your DMARC policy. If either SPF or DKIM passes and aligns with the From domain, DMARC passes.
Delivery decision
Based on the results, the email is delivered to the inbox, sent to spam (quarantine), or rejected entirely.
The critical concept here is alignment. DMARC requires that the domain in SPF or DKIM matches (aligns with) the domain in the email's From: header. This prevents attackers from passing SPF with their own domain while spoofing yours in the From address. For DMARC to pass, at least one of SPF or DKIM must both pass and align.
This is why having all three protocols is essential. SPF alone doesn't prevent From-header spoofing. DKIM alone doesn't tell the receiver what to do with failures. DMARC ties them together into a complete solution. For a deeper dive into how authentication impacts your overall sending reputation, see our email deliverability guide.
Step-by-step setup for Google Workspace
Google Workspace handles DKIM signing automatically once you publish the key. Here's how to configure all three records. You'll need access to your DNS provider (Cloudflare, Namecheap, GoDaddy, Route 53, etc.) and your Google Admin console.
1. Set up SPF for Google Workspace
Log in to your DNS provider
Navigate to the DNS management section for your domain. Look for "DNS records," "Zone editor," or "Advanced DNS."
Check for an existing SPF record
Look for a TXT record starting with v=spf1. You can only have one SPF record per domain — if one exists, you'll edit it rather than creating a new one.
Add or update the SPF record
Create a new TXT record (or update the existing one) with these values:
Type: TXT
Host: @ (or leave blank)
Value: v=spf1 include:_spf.google.com -all
TTL: 3600 (or default)
2. Set up DKIM for Google Workspace
Open Google Admin console
Go to admin.google.com and navigate to Apps > Google Workspace > Gmail > Authenticate email.
Select your domain and generate a key
Select your domain, choose a DKIM key bit length (2048 is recommended), and click Generate new record. Google will give you a hostname and a TXT value.
Add the DKIM record to your DNS
In your DNS provider, create a new TXT record using the hostname and value from Google.
Start authentication
Wait 24-48 hours for DNS propagation, then return to the Google Admin console and click Start authentication. Google will verify the record and begin signing your outgoing emails.
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (from Admin console)
TTL: 3600 (or default)
3. Set up DMARC for Google Workspace
Confirm SPF and DKIM are working
Send a test email to a Gmail address and check the headers (click the three dots > Show original). Look for spf=pass and dkim=pass.
Add the DMARC record
In your DNS provider, create a TXT record at _dmarc.yourdomain.com. Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
TTL: 3600 (or default)
Monitor reports for 2-4 weeks
Review DMARC aggregate reports (or use a free tool like DMARC Analyzer) to confirm all legitimate senders pass authentication. Look for any unauthorized senders or misconfigured third-party services.
Gradually tighten the policy
Move from p=none to p=quarantine (start with pct=10), then eventually to p=reject for maximum protection.
Step-by-step setup for Microsoft 365
Microsoft 365 (Exchange Online) requires a slightly different approach, especially for DKIM. The SPF and DMARC setup is similar to Google Workspace, but the DKIM configuration uses CNAME records instead of TXT records.
1. Set up SPF for Microsoft 365
Log in to your DNS provider
Navigate to your domain's DNS management section.
Add the Microsoft 365 SPF record
Create or update your TXT record. If you already have an SPF record, add the Microsoft include before the -all tag.
Type: TXT
Host: @ (or leave blank)
Value: v=spf1 include:spf.protection.outlook.com -all
TTL: 3600 (or default)
2. Set up DKIM for Microsoft 365
Microsoft uses CNAME records for DKIM instead of TXT records. This allows Microsoft to rotate DKIM keys automatically without you needing to update your DNS each time.
Open Microsoft 365 Defender
Go to security.microsoft.com and navigate to Email & Collaboration > Policies > Threat policies > Email authentication settings > DKIM.
Select your domain
Click on your domain. Microsoft will show you two CNAME records to add to your DNS.
Add the two CNAME records to DNS
Add both CNAME records in your DNS provider. The records point to Microsoft's DKIM key hosting.
Type: CNAME
Host: selector1._domainkey
Points to: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Type: CNAME
Host: selector2._domainkey
Points to: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Enable DKIM signing
Wait for DNS propagation (up to 48 hours), then return to the Defender portal and toggle DKIM signing to Enabled for your domain.
3. Set up DMARC for Microsoft 365
DMARC setup is identical regardless of your email provider — it's a DNS record on your domain. Follow the same steps as Google Workspace: start with p=none, monitor, then tighten.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
TTL: 3600 (or default)
Key takeaway
Whether you use Google or Microsoft, the DMARC record is the same. The only differences are in SPF (different include: statements) and DKIM (TXT vs. CNAME records). Once you understand the pattern, adding new sending services is straightforward.
How to verify your setup
Setting up the DNS records is only half the job. You need to confirm everything is working correctly. Here are the best ways to verify your SPF, DKIM, and DMARC configuration. Proper verification is especially important if you're running a warm-up process for a new domain.
Method 1: Check email headers in Gmail
Send an email to a Gmail account
Send a test email from your domain to any Gmail address you have access to.
View the original message
Open the email, click the three-dot menu, and select Show original. You'll see a summary showing SPF, DKIM, and DMARC results.
Look for three green "PASS" results
You should see SPF: PASS, DKIM: PASS, and DMARC: PASS. If any show FAIL, review your DNS records.
Method 2: Use online verification tools
Several free tools let you check your records without sending test emails:
MXToolbox
Check SPF, DKIM, and DMARC records individually. Also flags common issues like multiple SPF records or lookup limit violations.
mxtoolbox.com
Google Admin Toolbox
Google's own tool for checking MX, SPF, DKIM, and DMARC records. Particularly useful if you're on Google Workspace.
toolbox.googleapps.com
Mail Tester
Send an email to their test address and get a comprehensive score covering authentication, spam triggers, and more.
mail-tester.com
DMARC Analyzer
Parses your DMARC aggregate reports into readable dashboards. Essential for the monitoring phase before tightening your policy.
dmarcanalyzer.com
# Check SPF record
dig TXT yourdomain.com +short
# Check DKIM record (replace selector)
dig TXT google._domainkey.yourdomain.com +short
# Check DMARC record
dig TXT _dmarc.yourdomain.com +short
Common authentication mistakes
Even experienced teams make these mistakes. Each one can silently tank your email deliverability without obvious error messages. Here are the most common issues we see:
Multiple SPF records
You can only have one SPF record per domain. If you add a second TXT record starting with v=spf1, both become invalid. Instead, merge all senders into a single record with multiple include: statements.
Exceeding the SPF 10-lookup limit
Each include: counts as a DNS lookup, and nested includes stack up. With multiple sending services (ESP, CRM, transactional, marketing), it's easy to hit 10. Use MXToolbox to check your lookup count.
Forgetting to enable DKIM signing
Publishing the DKIM DNS record is not enough. You must also enable DKIM signing in your email provider's admin console. Without this step, your emails go out unsigned despite having the public key in DNS.
Jumping straight to p=reject
Setting DMARC to reject without a monitoring period can block legitimate emails from third-party services you forgot to authenticate. Always start with p=none and work up gradually.
Not authenticating third-party senders
Every service that sends email on your behalf — marketing platforms, CRM, transactional email, helpdesk — needs to be included in your SPF and have its own DKIM key. Check each provider's documentation for the correct DNS entries.
Using ~all instead of -all in SPF
Soft fail (~all) is useful during initial testing, but leaving it permanently gives weaker protection. Once you've confirmed all senders are authorized, switch to hard fail (-all).
Not monitoring DMARC reports
The rua= tag is not optional. Without it, you have zero visibility into authentication failures, spoofing attempts, or misconfigured services. Set up a dedicated inbox or use a DMARC reporting tool.
Maintaining your authentication records
Email authentication isn't set-and-forget. Your sending infrastructure changes over time — you'll add new marketing tools, switch CRMs, onboard transactional email services, or expand to new domains. Each change requires an update to your DNS records.
Here's a maintenance checklist to keep your authentication healthy. This is especially important if you're managing multiple domains or running cold email follow-up sequences across different sending infrastructure.
Monthly authentication health check
- Review DMARC aggregate reports for any new unauthorized senders
- Verify SPF lookup count is still under 10 (especially after adding new services)
- Test email authentication by sending to a Gmail account and checking headers
- Remove
include:entries for services you no longer use - Confirm DKIM keys haven't expired or been rotated (especially for third-party services)
- Check if your DMARC policy can be tightened (from none to quarantine, or quarantine to reject)
- Audit any new subdomains to ensure they have their own authentication records
- Document all authorized sending services and their DNS requirements in a central spreadsheet
When onboarding a new sending service, always follow this process: (1) add the service's include: to your SPF record, (2) publish the service's DKIM key in your DNS, (3) send a test email and verify authentication passes, and (4) only then start sending production email through the new service. This prevents authentication failures that could temporarily damage your domain reputation.
For teams managing multiple domains, consider creating a central authentication inventory — a simple spreadsheet listing every domain, every authorized sending service, and the current DMARC policy level. Review it quarterly to catch any drift.
Key takeaway
Email authentication is a living configuration. Every time you add, remove, or change a sending service, your DNS records need to be updated. Make authentication checks part of your regular email operations workflow — not a one-time project.
Your authentication setup checklist
SPF
- One TXT record per domain
- Include all sending services
- Stay under 10 lookups
- End with -all
DKIM
- Publish public key in DNS
- Enable signing in admin console
- Use 2048-bit keys
- Set up for each sender
DMARC
- Start with p=none
- Configure rua= reports
- Gradually tighten policy
- Monitor ongoing reports
Keep reading
Related Articles
Email deliverability: the complete guide for 2026
Master deliverability with SPF, DKIM, DMARC, domain warming, and inbox placement strategies.
Email warm-up: what it is and how to do it right in 2026
Why warm-up matters, how to do it manually or with tools, and warm-up schedules.
Email bounce rate: how to reduce bounces and protect your sender reputation
Understand hard vs soft bounces, acceptable thresholds, and strategies to protect your reputation.