What are wildcard, DKIM, and DMARC best practices?
Matthew Whittaker
Co-founder & CTO, Suped
Published 2 Aug 2025
Updated 17 Aug 2025
9 min read
Email authentication standards like SPF, DKIM, and DMARC are no longer just optional recommendations, they are fundamental requirements for maintaining strong email deliverability. With major email providers like Gmail and Yahoo implementing stricter authentication policies, understanding and correctly configuring these protocols is crucial for any sender, whether you send bulk emails or transactional messages.
These protocols work together to verify the legitimacy of your emails, helping to prevent spoofing, phishing, and other forms of abuse. Without them, your emails are far more likely to land in the spam folder or be blocked entirely, severely impacting your communication efforts and sender reputation.
Navigating the complexities of DNS records and email headers can be daunting, but the investment in proper setup pays dividends in improved inbox placement and trust with recipients. Let's explore the best practices for implementing SPF, DKIM, and DMARC, including how wildcard DNS records can fit into your authentication strategy.
Before diving into DMARC, it's essential to have a solid understanding of its foundational components: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). These two protocols serve as the primary methods for authenticating your sending domain.
SPF allows a domain owner to publish a DNS TXT record that specifies which IP addresses are authorized to send email on behalf of that domain. When a receiving server gets an email, it checks the SPF record to confirm that the sending IP is listed as legitimate. If the IP isn't authorized, the email may be flagged as suspicious or rejected. It's crucial to include all legitimate sending sources in your SPF record, but also to ensure you don't exceed the 10 DNS lookup limit, which can lead to SPF TempError failures.
DKIM, on the other hand, provides a cryptographic signature for emails. When an email is sent, the sending server signs it with a private key. The corresponding public key is published in the domain's DNS as a TXT record, typically under a selector (e.g., s1._domainkey.yourdomain.com). Receiving servers use this public key to verify the email's signature, confirming that the email hasn't been tampered with in transit and truly originated from the claimed sender. For detailed insights on DKIM, you can refer to this article on DKIM enforcement.
Example DKIM recorddns
s1._domainkey IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDyXhU4YxW4oQ7o3G..."
DMARC and its powerful role
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM by allowing domain owners to specify how receiving mail servers should handle emails that fail SPF or DKIM authentication. More importantly, it introduces the concept of alignment, meaning the domain in the From: header (what your users see) must align with the domain that passes either SPF or DKIM. Without this alignment, even if SPF or DKIM passes, DMARC will fail.
The DMARC policy is defined in a DNS TXT record and includes a p tag that specifies the action to take for non-compliant emails: p=none (monitor), p=quarantine (send to spam), or p=reject (block). A crucial part of DMARC implementation is setting up DMARC reports, which provide valuable insights into your email authentication status and help identify potential issues or unauthorized senders. You can learn more about DMARC reports and best practices here.
The transition to a p=reject policy should be done gradually. Start with p=none to gather data and ensure all legitimate mail passes. Then, move to p=quarantine with a low percentage before finally enforcing p=reject across 100% of your mail. This phased approach helps prevent accidental blocking of legitimate emails. For more in-depth guidance, explore the best practices for setting DMARC policy.
A key DMARC best practice also involves ensuring proper DMARC setup for domains that do not send email. This helps protect your brand from being impersonated even on unused domains.
Wildcard DNS records and email authentication
Wildcard DNS records can play a role in managing authentication for subdomains. A wildcard record matches requests for non-existent subdomains within a domain, redirecting them to a specified IP address or hostname. For example, *.yourdomain.com would cover anything.yourdomain.com. While useful for web hosting, their application in email authentication requires careful consideration.
For DKIM, a wildcard DKIM record (e.g., *._domainkey.yourdomain.com) can be used to explicitly fail DKIM for all subdomains that don't have their own specific DKIM records. This can be a strategy for domains that are not intended to send email, providing an added layer of protection against spoofing on those subdomains. However, it's generally best practice for legitimate sending subdomains to have their own explicit DKIM records rather than relying on a wildcard that might be configured to explicitly fail.
DMARC, by design, applies to subdomains by default unless a specific policy for a subdomain is published using the sp tag or a separate DMARC record. This means that if you have a DMARC record for yourdomain.com, its policy will extend to sub.yourdomain.com unless explicitly overridden. While a wildcard DMARC record (e.g., *._dmarc.yourdomain.com) can exist, it's generally redundant if your organizational DMARC record correctly applies to subdomains or if you manage subdomain policies individually. A good resource for understanding this is this article on wildcards and DMARC.
Using wildcard DNS records for email authentication, especially for DKIM, can be complex. While they offer a broad sweep for policy application, explicit per-subdomain records are often preferred for clearer control and troubleshooting. For instance, if you're using services like SendGrid or Mailchimp, they will usually provide specific DKIM records for your sending domains or subdomains, which should be prioritized over wildcards for domains that actually send email.
Wildcard benefits
Simplified management: Can reduce the number of individual DNS records for non-sending subdomains.
Broad coverage: Automatically applies a policy to all subdomains, including those not explicitly defined.
Security for parked domains: Helps protect dormant or parked subdomains from being exploited for spoofing.
Wildcard risks
Overly broad application: Can unintentionally affect legitimate sending subdomains if not carefully managed.
Debugging complexity: Pinpointing authentication failures can be harder with generic records.
Conflicting policies: A specific subdomain record always takes precedence over a wildcard.
Best practices for implementation
Implementing SPF, DKIM, and DMARC effectively requires adherence to several key best practices to ensure optimal deliverability and protection.
Start with DMARC p=none: Always begin with a monitoring-only policy to collect data without impacting email delivery. This allows you to identify all legitimate sending sources.
Monitor DMARC reports: Regularly review your aggregate (RUA) and forensic (RUF) reports to gain visibility into your email ecosystem. This is critical for uncovering unauthorized sending and authentication failures.
Gradually enforce DMARC: Incrementally move your policy from p=none to p=quarantine (e.g., 5-10%, then 100%) and then to p=reject. This phased approach minimizes disruption. More on safely transitioning DMARC policy can be found here.
Ensure SPF and DKIM alignment: For DMARC to pass, either your SPF or DKIM domain must align with the From: header domain. This is a critical component for DMARC success.
Cover all subdomains: While DMARC policies cascade to subdomains, ensure all actively used and unused subdomains are covered. For non-sending subdomains, apply a p=reject policy with a null SPF and DKIM record for maximum protection against brand impersonation.
Keep DNS records clean: Regularly review and update your SPF, DKIM, and DMARC DNS records. Remove old or unused entries to prevent errors and improve efficiency.
Adhering to these best practices will significantly enhance your email security posture and improve your inbox placement rates. For a comprehensive overview, consider consulting resources like this guide on implementing DMARC, DKIM, and SPF for stopping email spoofing and phishing.
Views from the trenches
Best practices
Always begin with a DMARC policy of p=none and monitor reports extensively.
Ensure all legitimate sending IP addresses are included in your SPF record.
Regularly rotate your DKIM keys to maintain a robust security posture.
Protect non-sending or parked domains with p=reject DMARC policies to deter spoofing.
Implement DMARC reporting to gain full visibility into your email authentication.
Common pitfalls
Jumping directly to p=reject without sufficient monitoring can lead to legitimate email loss.
Exceeding the 10 DNS lookup limit in SPF records, causing SPF authentication failures.
Failing to align the 'From' domain with either SPF or DKIM domains, resulting in DMARC failures.
Not having a DMARC record for all active and unused subdomains, leaving them vulnerable.
Ignoring DMARC reports, missing critical insights into email authentication issues and abuse.
Expert tips
Use a DMARC analysis tool to visualize reports and identify authentication gaps.
Consider transactional and marketing emails separately, as they often have different sending setups.
Automate DNS record management where possible to reduce manual errors.
Educate your team on the importance of email authentication and its impact on deliverability.
Leverage the DMARC 'rua' tag to send aggregate reports to multiple recipients for collaborative monitoring.
Expert view
Expert from Email Geeks says that the article on wildcards and DKIM and DMARC is particularly relevant given recent Google and Yahoo requirements.
2023-10-18 - Email Geeks
Marketer view
Marketer from Email Geeks says that the article provides excellent examples for DNS.
2023-10-18 - Email Geeks
Securing your email ecosystem
Mastering SPF, DKIM, and DMARC is no longer optional in today's email landscape. These authentication protocols are your first line of defense against phishing and spoofing, and they are critical for ensuring your legitimate emails reach the inbox. By understanding how each works individually and how they complement each other through DMARC alignment, you can significantly boost your email deliverability and protect your brand's reputation.
Remember to implement these protocols systematically, starting with DMARC's monitoring policy, carefully validating your configurations, and gradually moving towards enforcement. Consistent monitoring and adherence to best practices will help you navigate the evolving email ecosystem and maintain strong communication channels with your audience.
SendGrid or 
Mailchimp, they will usually provide specific DKIM records for your sending domains or subdomains, which should be prioritized over wildcards for domains that actually send email.
