A Dummies Guide to Set Up SPF, DKIM and DMARC for Email Authentication

Hey email marketers! Quick question: can you tell us what SPF, DKIM, and DMARC all stand for?

Yea, we didn’t think so … but you aren’t alone.

With Google cracking down on email warming, understanding how to set up SPF, DKIM, and DMARC is crucial for marketers looking to improve email deliverability and protect domain reputation. These three email authentication protocols work together to ensure that your emails are legitimate and authorized by the appropriate servers.

To ensure a smooth transition and better email deliverability, consider utilizing an IP warm up service.

In today’s blog post, we will delve into the specifics of the following protocols:

  • Sender Policy Framework (SPF), 
  • DomainKeys Identified Mail (DKIM), and
  • Domain-based Message Authentication Reporting & Conformance (DMARC).

We’ll explore how they function individually as well as in conjunction with one another.

You will learn how to (i) correctly set up SPF records, (ii) configure DKIM keys for proper domain alignment, (iii) implement effective DMARC policies across all owned domains/subdomains, (iv) verify your technical setup using appropriate tools, and (v) analyze comprehensive email authentication status reports.

By mastering these steps on how to set up SPF, DKIM and DMARC you can enhance your overall email marketing strategy while safeguarding your brand’s online presence.

Ready to get started? Let’s go!

Understanding SPF, DKIM, and DMARC

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are essential email authentication protocols that help:

  1. Identify fake email addresses
  2. Fight against spam
  3. Prevent spoofing and identity theft while increasing sender reputation and deliverability rate.

These authentication protocols help to guarantee that emails don’t bounce back or get relegated to the junk folder – which is absolutely essential for any email marketer.

If you prefer to just authenticate if your SPF, DKIM, and DMARC protocols are properly configured, use Inboxy’s awesome configuration tool to help you out.

Simply use our free inbox placement test and you will get an email back showing you the test results of these 3 important technical configurations that impact your email deliverability.

What is SPF Email Security?

No, SPF is not a measure on how well sunscreen will protect your delicate skin. 😎

Sender Policy Framework (SPF) is an email validation system designed to detect forged sender addresses during the delivery of an email. It allows domain owners to specify which mail servers are authorized to send emails on their behalf by publishing a list of IP addresses in their DNS records.

SPF records were originally created because the standard protocol used for email — the Simple Mail Transfer Protocol (SMTP) — does not automatically authenticate the “from” address in an email.

This means that without SPF or other authentication records, an attacker can easily impersonate a sender and trick the recipient into taking action or sharing information they otherwise would not.

This helps protect recipients from receiving malicious emails sent using a forged “From” address.

What is DKIM Authorization?

DomainKeys Identified Mail (DKIM) is another authentication method that adds a digital signature to each outgoing message’s header. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.

This signature can be verified by the recipient’s mail server using public keys published in the sender’s DNS records. If the signatures match, it proves that the message was not altered during transit and confirms its authenticity.

What is DMARC In Networking?

Domain-based Message Authentication, Reporting & Conformance (DMARC), as its name suggests, combines both SPF and DKIM mechanisms with additional reporting capabilities for better security control over incoming messages.

By implementing DMARC policies on your domain(s), you can instruct receiving servers how they should handle unauthenticated messages – either monitor, quarantine, or reject them – and receive reports on authentication results.

Now that you have a basic understanding of these email authentication protocols, let’s dive into how to set up SPF, DKIM, and DMARC for your domain.

Understanding SPF, DKIM, and DMARC is an essential step for any email marketer when it comes to setting up their domain. Now, let’s find out how to cract a basic SPF record for your domain.

Setting Up SPF Records for Your Domain

To set up an accurate SPF record for your domain that includes all authorized sending domains, follow these simple steps.

Step 1: Gather IP addresses from mail servers used to send email

Organizations send mail from a variety of places, and this is reflected in the setup of your SPF, DKIM and DMARC protocols.

The first step to implement SPF is to identify which mail servers you will use to send email from your domain. You’ll start by making a list of all your mail servers and their IP addresses, and assess  whether any of the following are used to send email on behalf of your organization:

  • Your email service provider’s (ESP) mail server 
  • In-office mail server (e.g., Microsoft Exchange) 
  • Any other third-party mail server used to send email on behalf of your brand 
  • The mail server of your end users’ mailbox provider

If you’re unsure of what your IP addresses are, reach out to your IT System Administrator to compile a list of IP addresses your business uses.

Step 2: Create your SPF record

SPF is a protocol designed to restrict who can use an organization’s domain as the source of an email message. SPF blocks spammers and other attackers from sending email that appears to be from a legitimate organization.

SMTP (Simple Mail Transfer Protocol) does not place any restrictions on the source address for emails, so SPF defines a process for the domain owners to identify which IP addresses are authorized to forward email for their domains.

Here’s how to create your SPF record:

  • Start with v=spf1 (version 1) tag and follow it with the IP addresses that are authorized to send mail. For example, v=spf1 ip4: ip4: 
  • Using a third party to send email on behalf of the domain? In this case,  you need to add an “include” statement in your SPF record (e.g., include:thirdparty.com) to designate that third party as a legitimate sender 
  • Once you have added all authorized IP addresses and include statements, end your record with an ~all or -all tag 
  • An ~all tag indicates a soft SPF fail while an -all tag indicates a hard SPF fail. In the eyes of the major mailbox providers ~all and -all will both result in SPF failure. 
  • SPF records cannot be over 255 characters in length and cannot include more than ten include statements, also known as “lookups.” Here’s an example of what your record might look like: v=spf1 ip4: ip4: include:thirdparty.com -all   
  • For your domains that do not send email, the SPF record will exclude any modifier with the exception of -all. Here’s an example record for a non-sending domain: v=spf1 –all 
  • You did it! You’ve created your SPF record. Let’s now get ready to publish it!

Step 3: Publish your SPF to DNS

Once you’ve crafted your SPF record, publish it as a TXT entry in your domain’s DNS settings. This will enable receiving mail servers to verify the authenticity of emails sent from your domain by checking against the published SPF record.

Step 4: Test!

Test your SPF configuration using our free inbox placement test.

Configuring DKIM Protocol Correctly

Proper configuration of the DomainKeys Identified Mail (DKIM) protocol is crucial for ensuring email authentication and preventing spoofing.

It involves generating two unique records, which are then published in your domain’s DNS settings. This article will provide instructions on how to correctly configure DKIM.

Generate Two Unique DKIM Records

Here’s how you can generate two unique DKIM records:

Step 1: Generate DKIM Key Pair

Use a DKIM key pair generator tool or software to generate a DKIM key pair. The key pair consists of a private key and a public key. The private key should be kept securely and not shared with anyone, while the public key will be added to the DNS as a DKIM record.

Step 2: Create DKIM Records

Using the DKIM key pair generated in Step 1, create two DKIM records in the DNS for your domain. The DKIM records are DNS TXT records with specific formatting. Here’s an example of how a DKIM record might look like:

Selector._domainkey.example.com IN TXT “v=DKIM1; k=rsa; p=DKIM_PUBLIC_KEY”

In this example, “Selector” is a string that you can choose, “_domainkey” is a standard DKIM subdomain, “example.com” is your domain name, “rsa” is the type of cryptographic algorithm used, and “DKIM_PUBLIC_KEY” is the public key generated in Step 1.

You need to create two unique DKIM records by choosing two different selectors. For example, you can use “selector1” and “selector2” as your selectors.

Step 3: Check Alignment Between Header Domain Tag & Return-Path Address

Prior to publishing generated records in DNS, it’s essential to ensure proper alignment between the “From” header domain tag used in emails sent from your domain and return-path address specified within SPF record.

This step helps avoid potential misalignments leading to failed authentication checks by recipient servers when processing incoming messages from your domain.

To verify alignment:

  • Analyze existing SPF record(s) associated with sending domains/subdomains identifying any authorized return-path addresses mentioned therein (v=spf1 include:example.com ~all).
  • Compare identified return-path addresses against “From” header domain tags used in outgoing emails ensuring they match.

Step 4: Publish DKIM Records

Publish the two DKIM records in the DNS of your domain by adding them as DNS TXT records. This is typically done using your domain registrar or DNS management tools provided by your web hosting service.

To do this:

  • Login to your domain registrar or hosting provider where you manage DNS records for the concerned domain.
  • Create a new TXT record with the following details:
  1. Name/Host: Enter the selector (usually ‘default’) followed by ._domainkey. For example: default._domainkey.yourdomain.com
  2. Type: Select TXT as record type.
  3. TTL (Time-to-Live): Set an appropriate value, such as 3600 seconds (1 hour) or longer depending on preference.

By correctly configuring the DKIM protocol, you can ensure that your emails are properly authenticated and secure. Moving on to implementing DMARC policies for email security will further increase the safety of your messages.

Step 4: Configure Email Server

Configure your email server to sign outgoing emails with the private key associated with one of the DKIM selectors. This ensures that the DKIM signature is added to the email headers, allowing the receiver to verify the authenticity of the email using the corresponding DKIM public key in the DNS.

Repeat Step 4 for the second selector as well, so that your email server can sign outgoing emails with both DKIM selectors.

By generating and publishing two unique DKIM records with different selectors, you can add an additional layer of security to your email authentication process, and enhance the integrity and authenticity of your outgoing emails.

Note down both the private and public keys as they will be required later during configuration steps.

Implementing DMARC Policies for Email Security

Setting up DMARC involves creating a policy specifying actions when an email fails authentication checks due to misaligned or missing SPF/DKIM records.

Start with monitoring-only mode before blocking any emails then gradually increase enforcement level until reaching full rejection mode once confident about configurations correctness.

Begin with Monitoring-Only Mode

To implement DMARC policies, start by setting your domain’s policy to “none” or monitoring-only mode. This allows you to gather data on how well your SPF and DKIM configurations are working without affecting the delivery of legitimate emails.

During this phase, closely monitor reports sent by receiving mail servers to identify potential issues and make necessary adjustments.

Gradually Increase Enforcement Levels

Once you have gained confidence in the accuracy of your SPF and DKIM setups, it’s time to increase the enforcement level of your DMARC policy. The two higher levels are:

  • p=quarantine: Emails that fail authentication will be marked as suspicious and may end up in recipients’ spam folders.
  • p=reject: Emails failing authentication will be rejected outright, preventing them from being delivered at all.

Moving between these levels should be done cautiously while continuously monitoring reports for any unintended consequences on legitimate email traffic.

Apply Policies Across All Owned Domains/Subdomains

In order to ensure comprehensive protection against spoofing attacks, apply consistent DMARC policies across all domains and subdomains under your control. This includes any third-party services used for sending emails on behalf of your organization.

Remember to update DNS settings accordingly, including the addition of DMARC records for each domain/subdomain.

By implementing DMARC policies, you can ensure the security of your emails and protect against malicious actors. Now let’s move on to verifying the technical setup of SPD, DKIM & DIM protocols for maximum protection.

Verifying Technical Setup of DMARC, SPD & DIM Protocols

After setting up SPF, DKIM, and DMARC protocols successfully comes verification. It is crucial to ensure that your email authentication setup is functioning correctly to prevent any issues with email deliverability or security.

You can utilize an online tool such as the Inboxy configuration checker which allows you to check existing published DNS records for SPF, DKIM, and DMARC easily by entering your domain name into their search bar.

Test your technical configuration using Inboxy’s free inbox placement tool.

Ensure proper alignment between domains specified within each protocol’s records

  • Email protected: Your emails should have consistent alignment between domains specified within each protocol’s records (SPF/DKIM/DMARC) so that they pass authentication checks without issue.
  • DNS settings: In addition to checking the records themselves, ensure that your DNS settings are configured correctly to allow for proper authentication.
  • Sender Policy Framework: Verify that your SPF record includes all authorized sending domains and third-party services used to send emails on behalf of your domain. This helps prevent spoofing and ensures a higher deliverability rate.

Taking these steps will help you verify the technical setup of your protocols, ensuring optimal email security and deliverability for your business communications.

Receive Detailed Information on Setup

The automated response from Inboxy will provide you with a PASS/FAIL notification if your authentication protocols are set up correctly.

This information allows you to take proactive steps towards ensuring the highest level of email security and deliverability for your domain.

Monitor Policies Regularly for Potential Vulnerabilities

Email authentication protocols like SPF, DKIM, and DMARC are not a one-time setup. It is crucial to regularly monitor your published policies as part of ongoing security maintenance efforts.

New vulnerabilities might emerge over time, requiring adjustments or updates to maintain the effectiveness of these measures. Additionally, changes in DNS settings or third-party services used to send emails may necessitate modifications to your records.

To stay up-to-date on best practices and potential threats related to email authentication, consider subscribing to industry newsletters or following relevant blogs such as DMARCian’s blog. This will help you stay informed about any new developments that could impact the performance of your SPF record, DKIM keys, and DMARC policies.


Setting up SPF, DKIM and DMARC is an essential step for email marketers to ensure the security of their emails. It can help protect against spoofing attacks and phishing attempts while also improving deliverability rates.

By following best practices such as setting up records correctly and regularly checking your technical setup, you will be able to maximize the effectiveness of these protocols in protecting your business’s email communications.

If this all seems a bit tricky, Inboxy can help you set up SPF, DKIM and DMARC quickly and securely. Reach out to us today at info@inboxy.io to schedule a consultation!

Erik Paulson

Erik Paulson, CEO of Vendisys, has been an undeniable force in the lead generation landscape for over 15 years. As the visionary behind a conglomerate of successful ventures, Erik's expertise in curating meeting-ready leads has set new industry standards. His insights and perspective are widely sought after and revered in the industry. Through Vendisys and its array of associated entities like Inboxy, he continues to shape and elevate the future of lead generation.