StarDomain

Understanding SPF, DKIM, and DMARC Records

Email authentication records — SPF, DKIM, and DMARC — are essential DNS entries that protect your domain from spoofing, phishing, and spam. Without them, your legitimate emails may land in spam folders or be rejected entirely. This guide explains what each record does and how to set them up.

Why Email Authentication Matters

Anyone can forge the "From" address in an email. Without authentication, attackers can send emails pretending to be from your domain. Email authentication solves this by letting receiving mail servers verify that a message truly came from your domain's authorized servers.

Benefits of proper email authentication:

  • Improved deliverability — Emails are less likely to be flagged as spam
  • Brand protection — Prevents others from impersonating your domain
  • Compliance — Many email providers (Gmail, Outlook) now require SPF and DKIM
  • Visibility — DMARC reports show you who is sending email on your behalf

SPF (Sender Policy Framework)

What SPF Does

SPF lets you specify which mail servers are authorized to send email on behalf of your domain. It is published as a TXT record in your DNS.

How to Set Up SPF

  1. Log in to your DNS management panel
  2. Create a new TXT record for your root domain (@)
  3. Set the value to your SPF policy

Example SPF record:

v=spf1 include:_spf.yourmailprovider.com ~all

Breakdown:

Part                        Meaning
v=spf1                      Identifies this as an SPF record
include:_spf.provider.com   Authorizes your mail provider's servers
a                           Authorizes the server at your domain's A record
mx                          Authorizes servers listed in your MX records
~all                        Soft-fail for unauthorized senders (recommended starting point)
-all                        Hard-fail — reject unauthorized senders (stricter)

Tip: Start with ~all (soft-fail) and move to -all (hard-fail) after confirming everything works correctly.

Common SPF Mistakes

  • Multiple SPF records — You can only have ONE SPF TXT record per domain. Combine all sources into a single record.
  • Too many DNS lookups — SPF allows a maximum of 10 DNS lookups. Each include: counts as one lookup, and so do a, mx, ptr, exists and redirect; ip4 and ip6 entries cost nothing. Going over the limit produces a PermError, which receivers treat as a failed check.
  • Forgetting third-party senders — If you use services like Mailchimp or Google Workspace, include their SPF entries.
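The three mistakes above can be caught before the record goes live. The script below is an added example (not StarDomain's code): it takes the TXT strings you already fetched with dig, keeps only the SPF ones, and reports multiple records, the direct DNS-lookup count, and a missing or wide-open all term. The sample records at the bottom are constructed, and the lookup count is a floor, since a full evaluator also counts the lookups inside every included domain's own record.

```python
"""SPF record sanity checks for the mistakes listed above.

Added example, not StarDomain's code. It works on TXT strings you already
fetched (e.g. the output of `dig TXT yourdomain.com +short`), so it runs
offline; the sample records at the bottom are constructed, not real DNS data.
"""
import re

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-zA-Z][a-zA-Z0-9]*)(?:[:=/](.*))?$")


def find_spf_records(txt_records):
    """Keep only the TXT strings that are SPF records (start with v=spf1)."""
    return [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]


def parse_spf(record):
    """Split a record into (qualifier, name, argument) terms; qualifier defaults to '+'."""
    terms = []
    for token in record.split()[1:]:             # skip the v=spf1 version tag
        m = TERM_RE.match(token)
        if not m:
            raise ValueError(f"malformed SPF term: {token!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def check_spf(txt_records):
    """Report: record count, lookup count, the 'all' qualifier, and any problems found."""
    spf = find_spf_records(txt_records)
    findings = {"record_count": len(spf), "lookups": 0, "all": None, "problems": []}
    if not spf:
        findings["problems"].append("no SPF record published")
        return findings
    if len(spf) > 1:
        findings["problems"].append("multiple SPF records; receivers return PermError")
    terms = parse_spf(spf[0])
    # Counts only this record's own terms; a full evaluator also counts the
    # lookups inside every included domain's record, so treat this as a floor.
    findings["lookups"] = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if findings["lookups"] > MAX_LOOKUPS:
        findings["problems"].append(
            f"{findings['lookups']} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    for qualifier, name, _ in terms:
        if name == "all":
            findings["all"] = qualifier
    if findings["all"] is None:
        findings["problems"].append("no 'all' term; unlisted senders get a Neutral result")
    elif findings["all"] == "+":
        findings["problems"].append("'+all' authorizes every host on the internet to send as you")
    return findings


# Constructed sample answers for a hypothetical domain.
GOOD_TXT = ["v=spf1 include:_spf.yourmailprovider.com ~all", "site-verification=constructed"]
BAD_TXT = ["v=spf1 include:_spf.yourmailprovider.com -all",
           "v=spf1 include:spf.newsletter.example ~all"]       # second record: mistake #1
BLOATED_TXT = ["v=spf1 a mx " + " ".join(f"include:spf{i}.example" for i in range(9)) + " -all"]

if __name__ == "__main__":
    for label, txt in (("good", GOOD_TXT), ("bad", BAD_TXT), ("bloated", BLOATED_TXT)):
        print(label, check_spf(txt))
```

Paste the quoted strings from dig into a list and call check_spf on it; an empty problems list with all set to "~" or "-" is what you want before moving on to DKIM.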

DKIM (DomainKeys Identified Mail)

What DKIM Does

DKIM adds a digital signature to every outgoing email. The receiving server verifies this signature against a public key published in your DNS, confirming the email was not tampered with in transit.

How to Set Up DKIM

  1. Generate DKIM keys — Your email hosting provider typically does this. In your control panel, look for a DKIM or Email Authentication section.
  2. Publish the public key — Add a TXT record in your DNS:

     Field       Value
     Type        TXT
     Host/Name   default._domainkey (or the selector your provider specifies)
     Value       The DKIM public key string (starts with v=DKIM1; k=rsa; p=...)
     TTL         3600

  3. Enable DKIM signing — Ensure DKIM signing is enabled in your email hosting control panel.

Tip: The selector name (e.g., default, google, s1) is chosen by your mail provider. Check their documentation for the correct selector.

Verifying DKIM

Send a test email to a Gmail account, then open the email and click Show Original. Look for DKIM: PASS in the authentication results.
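Before relying on the Gmail test, it is worth checking the published record itself: a typo in the selector, an empty p= (a revoked key), a key still flagged t=y, or an undersized RSA key all show up as DKIM failures later. The script below is an added example, not StarDomain's code. It builds the selector._domainkey name, parses the tag list, and walks the DER of the base64 public key far enough to read the RSA modulus size. The sample records are constructed: the key material is a dummy modulus wrapped in valid DER structure, not a real key.

```python
"""DKIM public-key record checks: tag syntax, key state, RSA key size.

Added example, not StarDomain's code. It inspects the TXT record published
at <selector>._domainkey.<domain> (what `dig TXT` returns); the sample keys
below are constructed DER structures with dummy moduli, not real keys.
"""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def dkim_record_name(selector, domain):
    """DNS name that holds the public key, e.g. default._domainkey.yourdomain.com."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(record):
    """Parse DKIM 'tag=value; tag=value' syntax into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def _der_read(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample keys."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; size the modulus."""
    _, spki, _ = _der_read(spki_der)            # outer SEQUENCE
    _, alg, pos = _der_read(spki)               # AlgorithmIdentifier
    if _der_read(alg)[1] != RSA_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_read(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _der_read(bitstr[1:])       # skip the unused-bits byte
    tag, modulus, _ = _der_read(rsa_key)        # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def constructed_spki(bits):
    """Build a SubjectPublicKeyInfo with a dummy modulus (constructed sample, not a real key)."""
    modulus = (1 << (bits - 1)) | 1                       # top bit set, like a real modulus
    mod_int = _der(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big"))  # 0x00 pad keeps it positive
    rsa_key = _der(0x30, mod_int + _der(0x02, b"\x01\x00\x01"))        # e = 65537
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def check_dkim_record(record):
    """Report the problems a receiver would hit with this DKIM TXT record."""
    tags, problems, bits = parse_tags(record), [], None
    if tags.get("v", "DKIM1") != "DKIM1":                # v is optional, but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means the key is revoked; every signature will fail")
    elif tags.get("k", "rsa") != "rsa":
        problems.append(f"k={tags['k']} is not checked by this example (only rsa)")
    else:
        try:   # whitespace inside the base64 is allowed in DNS, so strip it first
            bits = rsa_modulus_bits(base64.b64decode("".join(p.split()), validate=True))
        except Exception as exc:                           # bad base64 or malformed DER
            problems.append(f"p= is not a valid RSA public key: {exc}")
        else:
            if bits < 1024:
                problems.append(f"{bits}-bit key is too weak; RFC 8301 requires at least 1024 bits")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y flags the key as testing; receivers may ignore failures")
    return {"tags": tags, "key_bits": bits, "problems": problems}


# Constructed sample records for a hypothetical domain.
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(constructed_spki(2048)).decode()
WEAK_RECORD = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(constructed_spki(512)).decode()
REVOKED_RECORD = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    print(dkim_record_name("default", "yourdomain.com"))
    for rec in (GOOD_RECORD, WEAK_RECORD, REVOKED_RECORD):
        print(check_dkim_record(rec))
```

Run check_dkim_record on the string dig returns for your selector (join the quoted pieces first if the answer is split); a real provider key should come back with key_bits of 1024 or, preferably, 2048 and no problems.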

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What DMARC Does

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can monitor who is sending email from your domain.

How to Set Up DMARC

Add a TXT record in your DNS:

Field       Value
Type        TXT
Host/Name   _dmarc
Value       v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
TTL         3600

DMARC Policy Options:

Policy         Action
p=none         Monitor only — no action on failures (start here)
p=quarantine   Send failing emails to spam folder
p=reject       Reject failing emails outright (strongest protection)

Recommended rollout:

  1. Week 1–4: Set p=none and monitor DMARC reports
  2. Week 5–8: Move to p=quarantine with pct=25 (apply to 25% of failures)
  3. Week 9–12: Increase to pct=100
  4. Week 13+: Move to p=reject for full protection
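The rollout above is easier to reason about when you can see what each stage does to a concrete message. The script below is an added example, not StarDomain's code: it parses the four rollout records, decides whether a message passes DMARC (only an SPF or DKIM pass whose domain aligns with the From domain counts), and applies p= and pct= to the failures. Two things are simplified and labelled as assumptions in the code: the organizational domain is taken as the last two labels (real receivers use the Public Suffix List), and the sp= subdomain policy is not modelled. The report address and the three sample messages are constructed.

```python
"""DMARC record parsing and a simplified disposition decision.

Added example, not StarDomain's code. It parses the rollout records from the
article and applies them to constructed authentication results. Assumptions:
organizational domain = last two labels (real receivers use the Public
Suffix List), and the sp= subdomain policy is not modelled.
"""
import random

POLICIES = ("none", "quarantine", "reject")
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Validate a DMARC TXT record and return its policy with defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return {"p": tags["p"], "pct": pct, "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r"), "rua": tags.get("rua")}


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    identifier, from_domain = identifier.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return identifier == from_domain
    return bool(identifier) and org_domain(identifier) == org_domain(from_domain)


def dmarc_result(policy, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain,
                 sampler=random.random):
    """Return ('pass'|'fail', disposition). Only an aligned SPF or DKIM pass counts."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct= applies the policy to that share of failures; the rest get the next-weaker policy
    sampled = sampler() * 100 < policy["pct"]
    return "fail", (policy["p"] if sampled else WEAKER[policy["p"]])


ROLLOUT = [   # the article's four stages; the rua address is a constructed placeholder
    ("week 1-4",  "v=DMARC1; p=none; rua=mailto:reports@yourdomain.example; pct=100"),
    ("week 5-8",  "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.example; pct=25"),
    ("week 9-12", "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.example; pct=100"),
    ("week 13+",  "v=DMARC1; p=reject; rua=mailto:reports@yourdomain.example; pct=100"),
]

# Constructed messages: (label, From domain, SPF pass?, SPF domain, DKIM pass?, DKIM d= domain)
MESSAGES = [
    ("sent via your provider", "yourdomain.example", True, "yourdomain.example", True, "yourdomain.example"),
    ("forwarded: SPF breaks, DKIM survives", "yourdomain.example", False, "fwd.example", True, "yourdomain.example"),
    ("forged From: SPF passes only for an unrelated domain", "yourdomain.example", True, "other.example", False, ""),
]


def rollout_dispositions(messages=MESSAGES, sampler=random.random):
    """Disposition of each message at each rollout stage: {stage: [disposition, ...]}."""
    return {stage: [dmarc_result(parse_dmarc(rec), *m[1:], sampler=sampler)[1] for m in messages]
            for stage, rec in ROLLOUT}


if __name__ == "__main__":
    for stage, dispositions in rollout_dispositions().items():
        print(stage, dict(zip((m[0] for m in MESSAGES), dispositions)))
```

The forwarded message is the case that makes the p=none monitoring weeks worthwhile: SPF fails after forwarding, but the DKIM signature still verifies and aligns, so the message passes at every stage. The forged message passes SPF for a domain that does not align, so it is quarantined or rejected once the policy tightens; with pct=25 only a quarter of such failures get the quarantine disposition and the rest fall back to none.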

Verifying All Three Records

Use these command-line checks:

# Check SPF
dig TXT yourdomain.com +short

# Check DKIM (replace "default" with the selector your provider uses)
dig TXT default._domainkey.yourdomain.com +short

# Check DMARC
dig TXT _dmarc.yourdomain.com +short

Or use online tools like MXToolbox, Google Admin Toolbox, or mail-tester.com.

Troubleshooting

Problem                       Solution
SPF: too many lookups         Reduce include: statements or use SPF flattening
DKIM: signature not found     Verify the selector name and ensure DKIM is enabled
DMARC: no reports received    Check the rua email address is valid and monitored
Emails still going to spam    Ensure all three records are set up and passing

Need help setting up email authentication? Contact our support team at {{SUPPORT_URL}} or email {{SUPPORT_EMAIL}}. We can configure SPF, DKIM, and DMARC for your domain.