How to Set Up SPF, DKIM, and DMARC: Step-by-Step Email Authentication Guide

Complete step-by-step guide to setting up SPF, DKIM, and DMARC for email authentication. Required by Gmail, Yahoo, and Microsoft Outlook for bulk senders. Practical examples with DNS records, troubleshooting, and validation tools.

Last updated: December 2025 (Microsoft Outlook enforcement added)

Part of: Gmail and Yahoo Bulk Sender Requirements Explained - For complete context on why these matter and enforcement timelines, see our comprehensive guide.

TL;DR:

  • SPF (Sender Policy Framework) tells receiving servers which IPs may send email using your domain as the envelope sender (MAIL FROM)
  • DKIM (DomainKeys Identified Mail) signs your emails with a private key so receivers can verify, using a public key in DNS, that the signed headers and body weren’t altered in transit
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do when neither SPF nor DKIM passes in alignment with the From: domain, and sends you reports on what they saw
  • Gmail and Yahoo require SPF or DKIM from every sender and SPF, DKIM, and DMARC from bulk senders (5,000+ emails/day); Microsoft Outlook requires all three from bulk senders
  • Setup time: 30-60 minutes per domain (DNS changes take from minutes to 24 hours to propagate, depending on the record’s TTL)
  • Validation is critical: use free tools to verify before you start sending

For Business Owners: Do You Need Help?

Can you access your domain’s DNS settings?

No → You have a bigger problem. If you don’t control your domain’s DNS, you don’t truly own your digital infrastructure. Read How to Take Back Control: Website Ownership Transfer to understand what you need to reclaim. Then forward this guide to whoever has DNS access (IT person, web developer, domain registrar).

Yes → This guide walks you through the setup (30-60 minutes). You’ll be adding TXT records to your DNS.

Not technical? Contact us for setup assistance—we can configure this for you or walk your team through it.


Why You Need All Three

Think of email authentication like a three-layer security system:

SPF is the guest list. It says, “These IP addresses are allowed to send email for my domain.”

DKIM is the wax seal. It proves the email wasn’t altered in transit.

DMARC is the policy. It says, “If SPF or DKIM fail, here’s what you should do with the email.”

You need all three because:

  1. SPF alone doesn’t stop spoofing: it checks the envelope sender (MAIL FROM), which recipients never see, so an attacker can pass SPF for a domain they control while forging your domain in the visible From: header. SPF also breaks when email is forwarded, because the forwarder’s IP isn’t in your record.
  2. DKIM alone doesn’t prevent domain spoofing: a signature only proves which domain signed the message (the d= tag), and attackers can sign with their own domain while still forging your From: address
  3. DMARC ties them together by requiring the SPF or DKIM domain to match the From: domain, and gives you visibility into authentication failures

Gmail, Yahoo, and Microsoft Outlook now require all three for bulk senders. Microsoft joined the enforcement in May 2025, rejecting non-compliant emails outright (not just sending to spam). Even if you’re not sending bulk email, these protect your domain from being used in phishing attacks.


Step 1: Set Up SPF

SPF is the easiest to set up. You’re creating a DNS TXT record that lists which servers can send email from your domain.

Understanding SPF Syntax

An SPF record looks like this:

v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all

Let’s break it down:

  • v=spf1 - Version identifier (always this)
  • ip4:203.0.113.10 - This specific IP can send email
  • include:_spf.google.com - Include Google’s SPF record (if you use Google Workspace)
  • ~all - “Soft fail” for everything else: receivers usually accept the message but treat it as suspicious, and DMARC counts a softfail as an SPF failure just like a hard fail

Step-by-Step SPF Setup

Step 1: Identify your email senders

List every service that sends email from your domain:

  • Your email hosting provider (Google Workspace, Microsoft 365, etc.)
  • Marketing platforms (Mailchimp, SendGrid, etc.)
  • Transactional email services (Postmark, AWS SES, etc.)
  • Your own mail servers (if you self-host)

Step 2: Get SPF includes for each service

Common providers:

  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • Mailchimp: include:servers.mcsv.net
  • SendGrid: include:sendgrid.net
  • Postmark: include:spf.mtasv.net
  • AWS SES: include:amazonses.com

Step 3: Build your SPF record

Combine all includes into one record:

v=spf1 include:_spf.google.com include:spf.mtasv.net include:sendgrid.net ~all

Critical rules:

  • Exactly one SPF record per domain: a second v=spf1 TXT record makes receivers return a permanent error for every message
  • 10 DNS lookup limit: include:, a, mx, ptr, exists, and redirect= each cost one lookup, and the lookups inside every included record count too; ip4: and ip6: cost nothing
  • Use ~all while testing, -all once every legitimate sender is listed

Step 4: Add to DNS

Create a TXT record:

  • Host: @ (or your root domain)
  • Type: TXT
  • Value: v=spf1 include:_spf.google.com ~all
  • TTL: 3600 (1 hour)

Example for common DNS providers:

Cloudflare:

  1. Log in to Cloudflare dashboard
  2. Select your domain → DNS
  3. Click “Add record”
  4. Type: TXT, Name: @, Content: v=spf1 include:_spf.google.com ~all

GoDaddy:

  1. DNS Management → Add → TXT
  2. Host: @, TXT Value: v=spf1 include:_spf.google.com ~all

AWS Route 53:

  1. Hosted zones → Select domain → Create record
  2. Record type: TXT, Value: "v=spf1 include:_spf.google.com ~all"

SPF Best Practices

Use ~all during testing: This soft-fails unauthorized senders. Most receivers still accept the mail but treat it as suspicious, and DMARC counts a softfail as an SPF failure exactly like a hard fail, so ~all does not weaken your DMARC result.

Switch to -all after validation: This hard-fails unauthorized senders. Receivers that enforce SPF on its own may reject the message outright; the large providers mostly act on the DMARC verdict instead, so -all is a signal, not a substitute for DMARC.

Don’t exceed 10 DNS lookups: If you have many includes, consolidate or use IP addresses directly:

v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:_spf.google.com -all

Monitor SPF alignment: DMARC requires the SPF-checked domain to align with your From: domain, and SPF is evaluated against the envelope sender (MAIL FROM, visible as the Return-Path: header), not the From: header. Many marketing and transactional platforms use their own bounce domain by default, so SPF passes but doesn’t align, and your DMARC result then rests entirely on DKIM. Configure a custom return-path (bounce) domain wherever the provider offers one.
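The three critical rules above (one record, ten lookups, no +all) are easy to break once several providers are chained through include:. The script below is an added example, not code from the page: it walks an SPF record the way a receiver does, counting every lookup-costing mechanism recursively, and flags duplicate records, +all, include loops, and budgets over 10. DNS answers come from a constructed in-memory table (FAKE_DNS, with documentation IP ranges and fictitious hop/broken/open domains), so it runs offline; swap lookup_txt() for a real TXT query to audit a live domain.

```python
"""Offline SPF audit: record count, 10-lookup budget and +all detection.

Added example (not code from the page). DNS answers come from the
constructed FAKE_DNS table below, so it runs without network; replace
lookup_txt() with a real resolver (for example dnspython) to audit a live
domain. Domain names in the table are fictitious or documentation ranges.
"""
import re

# Constructed TXT answers, domain -> list of strings. Not real records.
FAKE_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # Two SPF records on one name: receivers return permerror for every message.
    "broken.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:sendgrid.net ~all"],
    # +all: every host on the internet passes SPF for this domain.
    "open.example": ["v=spf1 include:_spf.google.com +all"],
    # Include chain whose nested a/mx mechanisms blow the 10-lookup budget.
    "deep.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(6)) + " -all"],
    **{f"hop{i}.example": ["v=spf1 a mx ~all"] for i in range(6)},
}

# Mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all cost none.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def lookup_txt(name: str) -> list:
    """Stand-in resolver. Replace with a real TXT query to audit a live domain."""
    return FAKE_DNS.get(name.lower(), [])


def spf_records(domain: str) -> list:
    """TXT strings at `domain` that begin with v=spf1 (case-insensitive)."""
    return [t for t in lookup_txt(domain) if t.lower().startswith("v=spf1")]


def parse_terms(record: str) -> list:
    """Split a record into (qualifier, name, separator, argument) tuples, e.g.
    'include:_spf.google.com' -> ('+', 'include', ':', '_spf.google.com')."""
    terms = []
    for tok in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:([:=/])(.*))?", tok)
        if m:
            qual, name, sep, arg = m.groups()
            terms.append((qual or "+", name.lower(), sep, arg))
    return terms


def audit(domain: str, budget: int = 10, _path: tuple = None) -> dict:
    """Count lookups the way an evaluator would (following include: and
    redirect=) and collect the misconfigurations this guide warns about."""
    top = _path is None
    path = (domain.lower(),) if top else _path
    issues, lookups = [], 0
    records = spf_records(domain)
    if len(records) != 1:
        issues.append(f"{domain}: {len(records)} SPF records (exactly 1 required)")
        if not records:
            return {"record": None, "lookups": 0, "issues": issues}
    record = records[0]
    for qual, name, _sep, arg in parse_terms(record):
        if name == "all" and qual == "+":
            issues.append(f"{domain}: +all lets anyone send as this domain")
        if name in LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
        if name in ("include", "redirect") and arg:
            target = arg.lower()
            if target in path:
                issues.append(f"{domain}: include/redirect loop via {target}")
                continue
            sub = audit(target, budget, path + (target,))
            lookups += sub["lookups"]
            issues.extend(sub["issues"])
    if top and lookups > budget:
        issues.append(f"{domain}: {lookups} DNS lookups exceed the limit of {budget} (permerror)")
    return {"record": record, "lookups": lookups, "issues": issues}


if __name__ == "__main__":
    for d in ("example.com", "broken.example", "open.example", "deep.example"):
        r = audit(d)
        print(f"{d}: {r['lookups']} lookups; issues: {r['issues'] or 'none'}")
```

Note that the count for deep.example reaches 18 even though the top-level record has only six mechanisms: the a and mx inside each included record are charged to you, which is why “consolidate includes or use IP addresses directly” is the fix.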


Step 2: Configure DKIM

DKIM is more complex because it involves cryptographic keys. Your email server signs outgoing emails with a private key, and you publish the public key in DNS.

How DKIM Works

  1. Your email server generates a public/private key pair
  2. You publish the public key in DNS (as a TXT record)
  3. Your server signs outgoing emails with the private key
  4. Receiving servers verify the signature using your public key
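Step 4 is where most DKIM failures surface, and the first thing a verifier checks is the body hash (bh=), which is computed over the body after the canonicalization named in the c= tag. The script below is an added example, not code from the page or from any mail library: it parses the DKIM-Signature tags, canonicalizes the body in simple or relaxed mode, recomputes bh=, and builds the DNS name where the public key lives. The sample message, the domain example.com and the selector mail are constructed; b= is left as a placeholder because checking the RSA signature itself needs the public key and is out of scope here.

```python
"""DKIM body-hash (bh=) check with simple/relaxed canonicalization (RFC 6376 section 3.4).

Added example, not code from the page. It parses the DKIM-Signature tags,
canonicalizes the body the way the signer declared in c=, recomputes the body
hash and compares it with bh=. A bh= mismatch (body altered in transit or a
canonicalization mismatch) is the first thing to rule out when a receiver
reports a DKIM verification failure. Checking b= itself additionally needs the
RSA public key from <selector>._domainkey.<d=>, which this example only names.
The sample message, domain example.com and selector 'mail' are constructed.
The l= (body length) tag is not handled; signers in this guide don't use it.
"""
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """'simple' drops trailing empty lines; 'relaxed' also collapses runs of
    spaces/tabs to one space and strips whitespace at line ends. Lines end CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:  # empty body canonicalizes to CRLF (simple) or nothing (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the bh= value a signer emits."""
    return base64.b64encode(hashlib.new(algo, canonicalize_body(body, mode)).digest()).decode()


def dkim_signature_tags(raw: bytes) -> dict:
    """Find the first DKIM-Signature header (unfolding continuation lines) and parse it."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    m = re.search(rb"(?im)^DKIM-Signature:[ \t]*(.*)$", unfolded)
    if not m:
        raise ValueError("no DKIM-Signature header")
    return parse_tags(m.group(1).decode().strip())


def dkim_dns_name(tags: dict) -> str:
    """DNS name holding the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_body_hash(raw: bytes) -> dict:
    """Recompute bh= from the message body and report whether it matches the header."""
    tags = dkim_signature_tags(raw)
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    c = tags.get("c", "simple/simple")  # c=header/body; body part defaults to simple
    body_mode = c.split("/")[1] if "/" in c else "simple"
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    computed = body_hash(body, body_mode, algo)
    return {"ok": computed == tags.get("bh"), "dns_name": dkim_dns_name(tags),
            "expected": tags.get("bh"), "computed": computed}


def build_sample(body: bytes, c: str = "relaxed/relaxed") -> bytes:
    """Constructed message whose bh= is correct; b= is a placeholder (no key involved)."""
    bh = body_hash(body, c.split("/")[1])
    headers = (b"DKIM-Signature: v=1; a=rsa-sha256; c=" + c.encode()
               + b"; d=example.com; s=mail;\r\n\th=from:to:subject; bh=" + bh.encode()
               + b";\r\n\tb=PLACEHOLDER\r\n"
               b"From: billing@example.com\r\nTo: customer@example.net\r\nSubject: Invoice\r\n")
    return headers + b"\r\n" + body


if __name__ == "__main__":
    msg = build_sample(b"Your invoice is due in 30 days.\r\n")
    print(check_body_hash(msg))                                  # 'ok': True
    print(check_body_hash(msg.replace(b"30 days", b"3 days")))  # 'ok': False
```

Relaxed body canonicalization is why a signature survives a downstream server re-wrapping trailing whitespace or adding blank lines at the end, while any change to the words themselves (the 3-day edit above) flips the result; if bh= matches and the receiver still reports a failure, the problem is in the signed headers or in the key fetched from the dns_name printed.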

Step-by-Step DKIM Setup

The process varies by email provider. Here are the most common:

DKIM for Google Workspace

Step 1: Generate DKIM key in Google Admin

  1. Log in to admin.google.com
  2. Apps → Google Workspace → Gmail → Authenticate email
  3. Click “Generate new record”
  4. Prefix: google (or custom selector like google2025)
  5. Key length: 2048 bits (Google accepts 1024-bit keys as a minimum but recommends 2048; if your DNS host rejects the longer record, the usual cause is a 255-character limit per TXT string, so split the value into two quoted strings rather than fall back to 1024)
  6. Click “Generate”

Step 2: Copy the DKIM record

Google gives you a TXT record like:

  • Host: google._domainkey.yourdomain.com
  • Value: v=DKIM1; k=rsa; p=MIIBIjANBgkq...

Step 3: Add to DNS

Create a TXT record:

  • Host: google._domainkey (remove your domain if your DNS provider auto-appends it)
  • Type: TXT
  • Value: v=DKIM1; k=rsa; p=MIIBIjANBgkq... (paste the full value from Google)

Step 4: Start authentication in Google Admin

After DNS propagates (1-24 hours):

  1. Return to Google Admin → Authenticate email
  2. Click “Start authentication”
  3. Google validates the DNS record and enables DKIM signing

DKIM for Microsoft 365

Step 1: Enable DKIM in Microsoft 365 Admin Center

  1. Open the Microsoft Defender portal (security.microsoft.com); DKIM for custom domains is managed there rather than in the admin center
  2. Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM → select your domain
  3. Microsoft shows two CNAME records (it generates and holds the keys for you; you never handle the private key)

Step 2: Add CNAME records to DNS

Microsoft gives you two records:

  • Host: selector1._domainkey.yourdomain.com
    Points to: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
  • Host: selector2._domainkey.yourdomain.com
    Points to: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Add both as CNAME records in your DNS.

Step 3: Enable DKIM signing

After DNS propagates:

  1. Return to the DKIM page in the Defender portal and select your domain
  2. Toggle “Sign messages with DKIM signatures” to ON

DKIM for Postmark (Transactional Email)

Step 1: Add your domain in Postmark

  1. Log in to postmarkapp.com
  2. Servers → Select server → Sender Signatures → Add Domain

Step 2: Postmark generates DKIM records

Postmark shows a DKIM TXT record under a Postmark-chosen selector, plus a Return-Path CNAME (pm-bounces.yourdomain.com pointing at pm.mtasv.net) that makes the bounce domain align with your From: domain for SPF.

Step 3: Add to DNS and verify

Add both records, then click “Verify” in Postmark.

DKIM for Self-Hosted Mail Servers

If you run your own mail server (Postfix, Exim, etc.):

Step 1: Generate DKIM keys

Use OpenDKIM or similar:

opendkim-genkey -b 2048 -d yourdomain.com -s mail

This creates:

  • mail.private (keep this secret: put it on the mail server, owned by the OpenDKIM user, mode 0600)
  • mail.txt (public key, publish in DNS)

Step 2: Publish public key in DNS

The mail.txt file contains your DNS record in zone-file form. For a 2048-bit key the p= value is wrapped in parentheses and split into two or more quoted strings:

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

Most DNS web interfaces want a single value: remove the parentheses and the quotes and join the pieces with nothing in between. A key that is pasted with the quotes or whitespace left in is the most common cause of “DKIM record not found” or “signature verification failed” on self-hosted setups.

Add as TXT record:

  • Host: mail._domainkey
  • Value: v=DKIM1; k=rsa; p=MIIBIjANBgkq...

Step 3: Configure your mail server to sign emails

This varies by mail server software. For Postfix with OpenDKIM, the minimum OpenDKIM configuration names the domain, selector, and key, runs in sign-and-verify mode, and opens a socket Postfix can reach:

# /etc/opendkim.conf
Domain                  yourdomain.com
Selector                mail
KeyFile                 /etc/opendkim/keys/mail.private
Mode                    sv
Canonicalization        relaxed/simple
Socket                  inet:8891@localhost

Restart OpenDKIM and Postfix, then send a test message and confirm a DKIM-Signature header with s=mail and d=yourdomain.com appears on the received copy.
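Postfix only signs if it is told to pass outgoing mail through the OpenDKIM milter. The fragment below is an added example, not from the page, and assumes OpenDKIM is listening on inet:8891@localhost (a common choice; match whatever Socket your opendkim.conf uses):

```conf
# /etc/postfix/main.cf (milter settings only)
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
# accept: if OpenDKIM is down, mail leaves unsigned instead of queueing.
# Change to tempfail if you'd rather hold mail than send it unsigned.
milter_default_action = accept
```

non_smtpd_milters covers mail submitted locally (cron, web applications via sendmail), which is otherwise easy to forget and shows up in DMARC reports as unsigned mail from your own server.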

DKIM Best Practices

Use 2048-bit keys: Gmail and Yahoo accept 1024-bit keys as a minimum but recommend 2048, and 1024-bit RSA no longer offers a comfortable margin against factoring.

Use descriptive selectors: Instead of default, use google2025 or mail (makes key rotation easier).

Rotate keys annually: Generate new keys once a year to limit exposure if compromised.

Test before deploying: Use mail-tester.com to verify DKIM signatures.


Step 3: Implement DMARC

DMARC ties SPF and DKIM together and gives you visibility into who’s sending email from your domain.

Understanding DMARC Policies

A DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100

Let’s break it down:

  • v=DMARC1 - Version identifier
  • p=none - Policy (none = monitor only, quarantine = spam folder, reject = block)
  • rua=mailto:dmarc@yourdomain.com - Aggregate reports (daily summaries)
  • ruf=mailto:dmarc@yourdomain.com - Failure (forensic) reports: per-message samples of failures. Most large receivers, Gmail included, don’t send them, so don’t plan around ruf.
  • pct=100 - Apply policy to 100% of emails

Step-by-Step DMARC Setup

Step 1: Start with monitoring

Create a TXT record:

  • Host: _dmarc
  • Type: TXT
  • Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

This monitors authentication without blocking anything.

Step 2: Set up a mailbox for reports

Create dmarc@yourdomain.com, or use a free DMARC monitoring service and point rua= at the address it gives you. If the rua= address is on a different domain than the one publishing the record (a monitoring vendor, or a shared reporting domain), that domain must publish an authorization record, otherwise receivers silently skip sending reports there:

yourdomain.com._report._dmarc.vendor.example TXT "v=DMARC1"

Step 3: Monitor for 1-2 weeks

Review DMARC reports to identify:

  • Legitimate senders passing authentication
  • Legitimate senders failing authentication (fix SPF/DKIM for these)
  • Unauthorized senders (spoofing/phishing attempts)

Step 4: Gradually enforce

After validating legitimate senders pass:

Week 3-4: Quarantine policy (sends failures to spam)

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

Start with 10% of failing messages (pct=10): pct only applies to messages that fail DMARC, and the remaining 90% of failures are still handled as if the policy were p=none, so a mistake affects few messages. Monitor reports.

Week 5-6: Increase to 100%

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

Week 7+: Reject policy (blocks failures entirely)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

DMARC Alignment Requirements

DMARC checks alignment between:

  • SPF alignment: the envelope sender domain (MAIL FROM, visible as the Return-Path: header) must match the From: header domain, and SPF must pass for that domain
  • DKIM alignment: the d= domain of a DKIM signature that verifies must match the From: header domain

Strict alignment (adkim=s; aspf=s): exact match required (example.com = example.com)
Relaxed alignment (adkim=r; aspf=r): organizational domain match (mail.example.com aligns with example.com)

Default is relaxed. Most senders use relaxed alignment. A message passes DMARC if either SPF or DKIM passes and aligns; it doesn’t need both, which is why mail from a third-party platform with an unaligned bounce domain still passes as long as its DKIM signature uses your domain.
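Steps 3 and 4 of the DMARC setup (monitor, then enforce) depend on reading aggregate reports and telling a forgotten legitimate sender apart from a spoofer, and the alignment rules above are what decide each verdict. The script below is an added example, not code from the page or from any DMARC vendor. It parses a constructed aggregate report in the RFC 7489 Appendix C XML format (real reports arrive as gzip or zip attachments; decompress them first), re-derives each source’s verdict from the raw SPF/DKIM results using relaxed or strict alignment, and labels failures. The organizational domain is approximated as the last two labels, an assumption; a production tool should use the Public Suffix List. IPs and vendor domains are documentation or fictitious values.

```python
"""DMARC aggregate (rua) report triage with relaxed/strict alignment.

Added example, not code from the page. SAMPLE_REPORT is a constructed report
in the RFC 7489 Appendix C XML format (real reports arrive as gzip or zip
attachments: decompress, then pass the XML text to summarize()). The
organizational domain is approximated as the last two labels, an assumption;
a production tool should use the Public Suffix List.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record><!-- Google Workspace: SPF and DKIM both pass and align -->
    <row><source_ip>203.0.113.10</source_ip><count>120</count></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- ESP: SPF passes on the ESP bounce domain (no alignment), DKIM aligns -->
    <row><source_ip>198.51.100.7</source_ip><count>45</count></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>em123.esp-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- Forgotten helpdesk tool: authenticates only as the vendor, never aligns -->
    <row><source_ip>192.0.2.33</source_ip><count>30</count></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>helpdesk-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>mailer.helpdesk-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- Spoofing attempt: no DKIM signature, SPF fail -->
    <row><source_ip>198.51.100.200</source_ip><count>500</count></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(name: str) -> str:
    """Organizational domain, approximated as the last two labels (no Public Suffix List)."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate_record(rec, adkim: str = "r", aspf: str = "r") -> dict:
    """Re-derive the DMARC verdict for one <record> from its raw auth_results."""
    header_from = rec.findtext("identifiers/header_from")
    dkims = rec.findall("auth_results/dkim")
    spfs = rec.findall("auth_results/spf")
    dkim_raw = any(d.findtext("result") == "pass" for d in dkims)
    spf_raw = any(s.findtext("result") == "pass" for s in spfs)
    dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from, adkim)
                  for d in dkims)
    spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), header_from, aspf)
                 for s in spfs)
    return {"source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
            "dkim_raw_pass": dkim_raw, "spf_raw_pass": spf_raw,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}


def summarize(xml_text: str) -> dict:
    """Per-source verdicts plus pass/fail message totals for one aggregate report."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    rows = [evaluate_record(r, adkim, aspf) for r in root.findall("record")]
    return {"domain": pol.findtext("domain"), "policy": pol.findtext("p"), "rows": rows,
            "pass_count": sum(r["count"] for r in rows if r["dmarc_pass"]),
            "fail_count": sum(r["count"] for r in rows if not r["dmarc_pass"])}


def triage(row: dict) -> str:
    """Tell a forgotten legitimate sender (fix alignment) apart from a spoofer (enforce)."""
    if row["dmarc_pass"]:
        return "ok"
    if row["dkim_raw_pass"] or row["spf_raw_pass"]:
        return "authenticates under another domain: add aligned DKIM (or a custom return-path) before p=quarantine"
    return "no aligned or unaligned pass: likely spoofing, safe to block under p=reject"


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['pass_count']} pass, {s['fail_count']} fail")
    for row in s["rows"]:
        print(row["source_ip"], row["count"], triage(row))
```

The second record is the case the alignment section describes: SPF passes, but for the platform’s bounce domain, so only the DKIM signature with d=yourdomain.com carries the DMARC pass. The third record is what you are looking for during the monitoring weeks: a real tool that would start losing mail the moment you move to p=quarantine. The fourth is why you are doing this at all.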


Validation and Testing

Before sending production email, validate everything.

Free Validation Tools

1. MXToolbox SPF/DKIM/DMARC Lookup

2. Google Admin Toolbox

3. Mail-Tester

  • URL: mail-tester.com
  • Send test email, get deliverability score (checks SPF, DKIM, DMARC, spam content)

4. DMARC Analyzer

Validation Checklist

Before going live:

  • SPF record published and passes lookup
  • SPF includes all legitimate senders
  • DKIM keys published in DNS
  • Test email shows DKIM signature in headers
  • DMARC record published
  • DMARC reports arriving at monitoring mailbox
  • Test email to Gmail shows “PASS” for SPF, DKIM, DMARC
  • Send test to mail-tester.com, score >8/10

Common Mistakes to Avoid

1. Multiple SPF Records

Problem: Adding a second SPF record breaks authentication.

Wrong:

yourdomain.com TXT "v=spf1 include:_spf.google.com ~all"
yourdomain.com TXT "v=spf1 include:sendgrid.net ~all"

Right:

yourdomain.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"

2. Exceeding 10 DNS Lookups

Problem: Each include: (and each a, mx, ptr, exists, or redirect=, including those nested inside included records) costs a DNS lookup. Past 10, the receiver returns a permanent error instead of a result, which DMARC treats as an SPF failure.

Solution: Consolidate includes or use IP addresses directly.

3. Using +all in SPF

Problem: +all allows anyone to send from your domain.

Never do this:

v=spf1 include:_spf.google.com +all

Always use ~all or -all:

v=spf1 include:_spf.google.com -all

4. Forgetting DKIM Key Rotation

Problem: Keys never expire, increasing risk if compromised.

Solution: Rotate DKIM keys annually. Generate new keys, add to DNS with new selector, switch signing, then remove old keys.

5. DMARC p=reject Too Soon

Problem: Blocking legitimate email because you didn’t monitor first.

Solution: Start with p=none, monitor for 2-4 weeks, then gradually enforce.

6. Not Monitoring DMARC Reports

Problem: You won’t know when authentication breaks.

Solution: Use a DMARC monitoring service or set up automated parsing of reports.


Troubleshooting Guide

SPF Issues

“SPF PermError: Too many DNS lookups”

  • Cause: More than 10 DNS lookups in your SPF record
  • Fix: Consolidate include: statements or use IP addresses directly

“SPF Fail: Not authorized”

  • Cause: Email sent from IP not listed in SPF record
  • Fix: Add the sending IP or include the provider’s SPF record

DKIM Issues

“DKIM signature verification failed”

  • Cause: Public key in DNS doesn’t match the private key on the server; the message body or signed headers were changed after signing (mailing lists, footers added by a gateway); or the DNS record was pasted with the quoted-string pieces of a long key not joined together
  • Fix: Check the key record with dig, regenerate keys or fix typos in the DNS record, and compare the bh= in the signature against a hash of the received body to tell a key problem from an in-transit modification

“DKIM record not found”

  • Cause: DNS record not published or incorrect selector
  • Fix: Verify DNS record exists: dig google._domainkey.yourdomain.com TXT

DMARC Issues

“DMARC alignment failure”

  • Cause: SPF/DKIM domains don’t align with From: header
  • Fix: Check SPF Return-Path and DKIM d= parameter match your From: domain

“Not receiving DMARC reports”

  • Cause: rua= mailbox doesn’t exist, reports go to spam, or rua= points at a domain that hasn’t published the authorization record (yourdomain.com._report._dmarc.otherdomain TXT "v=DMARC1")
  • Fix: Check the spam folder, verify the mailbox accepts external email, and add the authorization record on the receiving domain; note that receivers send at most one aggregate report per day and only for domains they saw mail from

Next Steps

You’ve set up SPF, DKIM, and DMARC. Now:

  1. Monitor DMARC reports for 2-4 weeks before enforcing
  2. Gradually move from p=none to p=quarantine to p=reject
  3. Set up one-click unsubscribe if you’re a bulk sender - Read our RFC 8058 implementation guide
  4. Monitor spam complaint rates: Gmail asks you to stay below 0.10% in Postmaster Tools and never reach 0.30%; Yahoo applies the same 0.3% ceiling

Read the full context: Gmail and Yahoo Bulk Sender Requirements - comprehensive guide to all requirements and enforcement timelines.


FAQs

Q: Do I need SPF, DKIM, AND DMARC? A: Yes, if you send to Gmail, Yahoo, or Microsoft Outlook (especially bulk email). All three providers now enforce these requirements—Microsoft joined in May 2025 with hard rejections for non-compliant bulk senders.

Q: How long does DNS propagation take? A: Typically 1-4 hours, but up to 24 hours; what actually governs it is the TTL of the record being replaced, since resolvers cache the old answer until it expires. Use a low TTL (3600 = 1 hour) during setup.

Q: Can I use the same DKIM key for multiple domains? A: You can publish the same public key under each domain’s selector, but don’t: give each domain its own key pair so that rotating or revoking one domain’s key never affects the others, and so a compromised key can’t be used to sign as every domain you own.

Q: What’s the difference between ~all and -all in SPF? A: ~all = soft fail (accepted but flagged), -all = hard fail (may be rejected). DMARC treats both as an SPF failure. Use ~all for testing, -all for production.

Q: Do subdomains need their own SPF/DKIM/DMARC? A: SPF is not inherited, so each subdomain you send from needs its own SPF record (and subdomains you never send from should get v=spf1 -all). DKIM keys are published per signing domain. DMARC is inherited: a subdomain without its own _dmarc record falls under the organizational domain’s policy, and the sp= tag in that record sets a separate policy for subdomains if you want one.

Q: What if I use multiple email providers? A: Include all providers in your SPF record: v=spf1 include:_spf.google.com include:sendgrid.net -all

Q: How do I check if my SPF/DKIM/DMARC are working? A: Send a test email to mail-tester.com or check headers in Gmail (Show original → look for SPF/DKIM/DMARC PASS).

Q: Can I skip DMARC if I have SPF and DKIM? A: Technically yes, but DMARC gives you visibility into authentication failures and is required by Gmail, Yahoo, and Microsoft for bulk senders.

Q: What happens if I don’t set up authentication? A: Your emails will be rejected or go to spam. Gmail, Yahoo, and Microsoft Outlook all enforce authentication for bulk senders (5,000+ emails/day). Microsoft rejects non-compliant emails outright since May 2025.

Q: How do I rotate DKIM keys? A: Generate new keys with a new selector (e.g., google2025), add to DNS, switch signing in your email provider, wait 48 hours, then remove old keys.


Want the full picture? Read our comprehensive Gmail and Yahoo bulk sender requirements guide for complete context and timelines.