How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?

Michael Ko
Co-founder & CEO, Suped
Published 16 May 2025
Updated 15 Aug 2025
Setting up SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records is fundamental for successful email marketing. These authentication protocols help verify that your emails are legitimate, reducing the chances of them being marked as spam or rejected by recipient servers. Without them, your sender reputation suffers, and your marketing campaigns will struggle to reach the inbox.
Proper configuration, especially when dealing with multiple email sending services, IP ranges, and tracking bounce responses, is crucial. It's also vital to integrate your setup with tools like Google Postmaster Tools to monitor performance and ensure your emails are consistently landing in the inbox. Let's explore how to navigate these complexities effectively.

Understanding SPF records

SPF is a DNS TXT record that lists all authorized servers that can send email on behalf of your domain. When an email server receives a message, it checks the sender's SPF record to verify if the sending IP address is on the approved list. This helps prevent email spoofing, where malicious actors try to send emails appearing to be from your domain.
The core of an SPF record is the v=spf1 tag, indicating the SPF version. You then specify permitted IP addresses or hostnames using mechanisms like ip4, a (for A records), mx (for MX records), and include for third-party sending services. It's critical to include every service that sends email on your behalf.
Remember, you should only have one SPF TXT record per domain. Multiple SPF records can cause validation issues, leading to emails being rejected or sent to spam. If you find multiple, you'll need to merge them into a single comprehensive record. For instance, if you have separate records for Google and another ESP, combine their include statements into one record.

Example SPF record

Merged SPF record (TXT)
v=spf1 include:_spf.google.com include:spf.mailjet.com ip4:192.0.2.1/24 ~all
This example combines Google Workspace, Mailjet, and a specific IP range into a single record. The ~all mechanism at the end indicates a softfail, meaning emails from unauthorized servers might be accepted but marked as suspicious. For stricter enforcement, -all will cause unauthorized emails to be rejected.

Configuring DKIM for authentication

DKIM adds another layer of security by digitally signing your outgoing emails. This signature is attached to the email header and includes a cryptographic hash of the message content. Recipient servers use your domain's public DKIM key (published as a DNS TXT record) to verify the signature, ensuring the email hasn't been tampered with in transit and truly originates from your domain.
To set up DKIM, your email service provider will give you a unique DKIM record, typically a TXT record that you add to your domain's DNS. This record usually consists of a selector (e.g., s1 or mail) followed by ._domainkey, and then the long public key.
Unlike SPF, you can have multiple DKIM records for a single domain, especially if you use different email service providers for various types of emails (e.g., one for marketing, another for transactional). Each service will provide its own DKIM record, identified by a unique selector, allowing receivers to find the correct public key for verification. For example, Google Workspace provides specific instructions for setting up DKIM.
Verifying your DKIM setup is as important as the setup itself. After publishing your DNS records, allow some time for propagation, typically a few hours. Then, use an online tool to check that your DKIM record is correctly recognized and that emails sent from your domain are being signed properly. Misconfigurations can lead to emails failing authentication, impacting your deliverability.
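The selector lookup described above can be checked offline before you rely on an online tool. The following is an added example, not code from Suped or any provider: it derives the DNS name a receiver would query from a DKIM-Signature header and validates the key record found there. The zone contents, selectors and key values are constructed placeholders, and `find_key` is a hypothetical helper name.

```python
import base64
import binascii

# Constructed DNS data: the p= values are placeholder base64, not real keys.
SAMPLE_ZONE = {
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=QUJDREVGR0g=",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=SUpLTE1OT1A=",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",
    "crm._domainkey.example.com": 'v=DKIM1; k=rsa; p=UVJTVFVW"V1g=',
}
# Constructed DKIM-Signature header value (hash and signature are placeholders).
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER"


def parse_tags(value):
    """Parse a DKIM tag=value list (same syntax in the header and DNS record)."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def find_key(dkim_signature, zone):
    """Return (dns_name, status) for the key a DKIM-Signature header points to."""
    sig = parse_tags(dkim_signature)
    if not sig.get("s") or not sig.get("d"):
        return None, "signature lacks s= or d="
    # Receivers query <selector>._domainkey.<signing domain>.
    name = f"{sig['s']}._domainkey.{sig['d']}".lower()
    if name not in zone:
        return name, "no key record"
    key = parse_tags(zone[name])
    if key.get("v", "DKIM1") != "DKIM1" or "p" not in key:
        return name, "invalid key record"
    if key["p"] == "":
        return name, "key revoked"  # RFC 6376: an empty p= means revoked
    try:
        base64.b64decode(key["p"], validate=True)
    except binascii.Error:
        return name, "p= is not valid base64"  # e.g. a stray quote from copy-paste
    return name, "key found"
```

Each sending service keeps its own selector, so one broken record (here the constructed `crm` selector) fails only that service's mail while the others keep verifying.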

Handling multiple SPF records and IP ranges

The single SPF record rule can be tricky when you use multiple email sending services. Many marketers use an ESP (Email Service Provider) for campaigns, a CRM for sales outreach, and perhaps Google Workspace or Microsoft 365 for internal communications. Each of these requires an entry in your SPF record.
To merge SPF records, you combine all the include statements and ip4 (or ip6) ranges into a single TXT record, ensuring you don't exceed the 10 DNS lookup limit. Exceeding this limit will cause SPF validation to fail, which is a common cause of SPF TempErrors. If you need to include a large IP range, it's generally better to use a specific IP or CIDR block provided by your sender rather than a broad network.
For IP ranges, only include the specific IP addresses or subnets that actually send email from your domain. Adding overly broad IP ranges, like a full /18 CIDR block, can inadvertently authorize many other servers that are not yours. This creates a security risk, allowing spammers to forge emails from your domain and potentially landing you on an email blacklist or blocklist. It's about precision to protect your domain reputation and improve deliverability.
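The merge and the two checks described above (the lookup limit and over-broad ranges) can be automated. This is an added example, not code from Suped: it takes the TXT strings published on one name, merges every SPF record into one, counts the lookup-consuming terms and flags wide ip4 ranges. The sample records are constructed, and the /24 threshold and the `merge_spf` name are assumptions.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MIN_V4_PREFIX = 24  # assumed local policy: flag ip4 ranges wider than /24

# Constructed sample: three SPF records on one name plus a verification record.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.mailjet.com ip4:192.0.2.1/24 ~all",
    "v=spf1 ip4:198.51.100.0/18 mx -all",
    "google-site-verification=EXAMPLE-TOKEN",
]


def merge_spf(txt_records):
    """Merge all v=spf1 strings into one record and audit the result."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    terms, all_term, lookups, broad = [], None, 0, []
    for record in spf:
        for term in record.split()[1:]:
            bare = term.lstrip("+-~?")
            name = re.split(r"[:/=]", bare, maxsplit=1)[0].lower()
            if name == "all":
                # Keep the strictest qualifier seen: - over ~ over ? over +.
                qual = term[0] if term[0] in "+?~-" else "+"
                if all_term is None or "+?~-".index(qual) > "+?~-".index(all_term[0]):
                    all_term = qual + "all"
                continue
            if term in terms:
                continue  # drop exact duplicates
            terms.append(term)
            if name in LOOKUP_TERMS:
                lookups += 1  # nested includes add more; resolving them needs DNS
            if name == "ip4":
                net = ipaddress.ip_network(bare.partition(":")[2], strict=False)
                if net.prefixlen < MIN_V4_PREFIX:
                    broad.append(term)
    merged = " ".join(["v=spf1", *terms] + ([all_term] if all_term else []))
    return {"spf_records_found": len(spf), "merged": merged,
            "lookups": lookups, "over_limit": lookups > MAX_LOOKUPS,
            "broad_ranges": broad}
```

The lookup count covers only the terms in the merged record itself; each `include` target can add further lookups, so treat the number as a lower bound.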

Integrating with Google Postmaster Tools and bounce management

Google Postmaster Tools (GPT) is an invaluable resource for understanding your sending reputation with Gmail (and by extension, other mailbox providers). Once you verify your domain, GPT provides dashboards showing your spam rate, IP and domain reputation, feedback loops, and authentication errors (SPF, DKIM, DMARC). Regularly checking these reports helps you identify and address issues before they significantly impact your deliverability.
To verify your domain with Google Postmaster Tools, you'll add a specific TXT record to your DNS, similar to SPF or DKIM. This record usually starts with google-site-verification. It's important that this verification record is a separate DNS entry and not merged into your SPF record, as this can cause verification failures.
Bounce capturing is another critical aspect of email marketing. When an email fails to deliver, the recipient server sends a bounce message. Proper bounce handling means you receive and process these messages, allowing you to remove invalid or problematic email addresses from your mailing lists. This not only keeps your lists clean but also signals to mailbox providers that you are a responsible sender, which positively impacts your email deliverability and sender reputation.
Most email marketing platforms handle bounce capturing automatically. However, if you send emails directly from a web server or a custom setup, you need to ensure your server is configured to receive and process bounce messages, usually through a designated return-path address. This helps maintain a healthy email list and avoids deliverability issues.
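For a custom setup, processing a bounce means parsing the delivery status notification that arrives at the return-path mailbox. The following is an added example, not code from Suped: it reads an RFC 3464 bounce with Python's standard `email` package and separates permanent failures from temporary ones. The sample message, addresses and function names are constructed.

```python
import email

# Constructed bounce (RFC 3464 delivery status notification) for two recipients.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: bounces@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to some recipients failed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; gone@example.org
Action: failed
Status: 5.1.1

Final-Recipient: rfc822; full@example.org
Action: delayed
Status: 4.2.2

--b1--
"""


def classify_bounce(raw):
    """Return {recipient: 'hard' | 'soft' | 'other'} from a DSN bounce."""
    results = {}
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status" or not part.is_multipart():
            continue
        for block in part.get_payload():  # one header block per recipient
            recipient = block.get("Final-Recipient")
            if recipient is None:
                continue  # the per-message block (Reporting-MTA) has none
            address = recipient.split(";", 1)[-1].strip().lower()
            status = (block.get("Status") or "").strip()
            results[address] = {"5": "hard", "4": "soft"}.get(status[:1], "other")
    return results


def addresses_to_suppress(raw):
    """Hard bounces (5.x.x) are permanent failures: remove them from the list."""
    return sorted(a for a, kind in classify_bounce(raw).items() if kind == "hard")
```

Soft bounces (4.x.x) are temporary, so they are reported but left on the list here; how many repeats to tolerate before suppressing is a policy choice.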

Maximising your email deliverability

Maximising your email deliverability involves more than just setting up SPF and DKIM. It requires ongoing monitoring, adherence to best practices, and a proactive approach to managing your sender reputation. A high sender reputation is your ticket to the inbox, ensuring your marketing messages reach their intended audience.
Beyond technical setup, content quality, recipient engagement, and list hygiene play significant roles. Avoid spammy content, encourage interaction, and regularly clean your email lists to remove inactive or invalid addresses. These practices, combined with robust authentication, form a comprehensive strategy for consistent inbox placement. For more advice, explore technical solutions from top performing senders.

Views from the trenches

Best practices
Always consolidate multiple SPF entries into a single TXT record for your domain to avoid validation issues.
Utilize precise IP addresses or small CIDR blocks instead of large ranges in your SPF record to minimize security vulnerabilities and maintain strict control.
Regularly monitor your domain's performance in Google Postmaster Tools to proactively address any authentication errors or reputation declines.
Ensure your email marketing platform automatically handles bounce capturing and processes invalid addresses to maintain a clean subscriber list.
Implement DMARC in addition to SPF and DKIM to gain visibility into your email authentication results and protect against spoofing.
Common pitfalls
Having multiple SPF records on the same domain, which leads to SPF failing and emails being rejected or sent to spam folders.
Including overly broad IP ranges (e.g., /18) in your SPF record, which can inadvertently authorize many unauthorized senders and weaken your domain's security.
Forgetting to verify your domain in Google Postmaster Tools, missing out on crucial insights into your email deliverability and sender reputation.
Not capturing or processing bounce messages, resulting in a high bounce rate that can negatively impact your sender reputation and lead to blocklisting.
Ignoring SPF or DKIM alignment requirements, causing DMARC authentication to fail even if the records are technically present.
Expert tips
If your SPF record exceeds the 10 DNS lookup limit, consider flattening it or using a dedicated subdomain for specific sending services to manage lookups effectively.
For optimal deliverability, ensure that the domain used in your email's From header aligns with both your SPF and DKIM authentication domains.
Leverage DMARC reports to identify all legitimate sending sources for your domain, helping you build a truly comprehensive SPF record.
Implement a DMARC policy with reporting to receive insights into how your SPF and DKIM records are performing in the wild.
Regularly audit your DNS records, including SPF and DKIM, to ensure they remain accurate and up-to-date with your current email sending infrastructure.
Expert view
Expert from Email Geeks says you should merge multiple SPF TXT entries into a single record to ensure syntactical correctness for email authentication.
July 2, 2020 - Email Geeks
Expert view
Expert from Email Geeks says it is bad practice to list an entire colo IP space in SPF, as anyone in that space could forge your domain and pass SPF, which can lead to poor delivery at Gmail.
July 2, 2020 - Email Geeks

Ensuring your emails reach the inbox

Properly setting up SPF and DKIM is not a one-time task; it's an ongoing commitment to email security and deliverability. By ensuring your DNS records are correctly configured, merging multiple SPF entries into a single record, being precise with IP ranges, and diligently monitoring your performance through Google Postmaster Tools, you can significantly enhance your email marketing effectiveness.
Remember, a strong authentication foundation is the bedrock of good sender reputation. This means your emails are more likely to reach the inbox, engage your audience, and drive the results you aim for in your campaigns. Stay vigilant with your DNS settings and monitoring, and you'll be well on your way to achieving optimal email deliverability.
