How to set up and troubleshoot SPF, DKIM, and DMARC for email domain authentication?
Matthew Whittaker
Co-founder & CTO, Suped
Published 28 Apr 2025
Updated 19 Aug 2025
8 min read
Navigating email domain authentication with SPF, DKIM, and DMARC can seem daunting, especially if you haven't had to set them up or troubleshoot them before. However, these three protocols are fundamental to ensuring your emails reach their intended inboxes and protect your brand from impersonation and phishing attacks. Ignoring them can lead to significant deliverability issues and damage to your domain's reputation.
The good news is that setting up and managing SPF, DKIM, and DMARC is a structured process. With a clear understanding of each protocol's role and a systematic approach to implementation and monitoring, you can achieve robust email authentication and significantly improve your email deliverability. Let's break down how to get these essential security measures in place.
Before diving into the setup, it's crucial to grasp what each of these email authentication mechanisms does and why they are necessary. Each plays a distinct role in verifying the legitimacy of emails sent from your domain, working together to create a strong defense against spoofing and phishing.
Understanding how these standards work individually and in concert is the first step. SPF (Sender Policy Framework) publishes which mail servers are authorized to send email using your domain as the envelope sender (the Return-Path, also called the SMTP MAIL FROM). DKIM (DomainKeys Identified Mail) adds a digital signature to each message so that recipients can verify it was signed with a key published under the signing domain and that the signed headers and body were not altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on both: it requires the SPF or DKIM domain to line up with the From header the user actually sees, tells receiving servers what to do with mail that fails, and sends reports on authentication results back to the domain owner. For a deeper dive into the technicalities, you can explore how these standards work.
SPF
Identifies the servers authorized to send mail for your domain. SPF is checked against the envelope sender (the Return-Path or MAIL FROM domain), not the From header a user sees, so on its own it does not stop a forged From address; DMARC alignment (below) closes that gap. SPF records are published as TXT records in your DNS.
DKIM
Provides a cryptographic signature, computed over selected headers and the message body, that ties the message to the signing domain (the d= tag) and lets recipients detect alteration in transit. This adds a layer of trust beyond the sending server's IP address and, unlike SPF, usually survives forwarding as long as the forwarder does not modify the signed content. DKIM public keys are published under selector._domainkey.yourdomain.com as a TXT record, or as a CNAME that points to a key hosted by your provider.
DMARC Policy
Specifies how recipient email servers should handle mail that fails DMARC, that is, mail for which neither SPF nor DKIM passes in alignment with the From domain. It also provides reporting capabilities, giving domain owners insight into their email traffic and potential abuse. DMARC records are published as TXT records.
Alignment
For DMARC to pass, at least one of SPF or DKIM must both pass and align with the From header domain the end user sees. SPF aligns when the Return-Path (MAIL FROM) domain matches the From domain; DKIM aligns when the d= domain in the signature matches it. In the default relaxed mode (aspf=r, adkim=r) a subdomain such as bounce.example.com aligns with example.com; in strict mode (s) the domains must be identical. A message that passes SPF or DKIM only for your ESP's own domain while carrying your domain in From is authenticated but not aligned, and DMARC fails.
Together, these records form a robust framework that helps mailbox providers like Google and Microsoft determine whether an incoming email is legitimate or a potential threat. Without them, your emails are far more likely to land in the spam folder or be rejected outright.
Setting up SPF, DKIM, and DMARC
Setting up SPF, DKIM, and DMARC involves adding specific DNS TXT or CNAME records to your domain. This process typically occurs in your domain registrar's or DNS hosting provider's control panel. The exact steps can vary slightly depending on your provider, but the core principle remains the same. You'll need to locate your domain's DNS settings, then add the appropriate records.
SPF setup
For SPF, you'll create a TXT record at your domain that lists the authorized sending IP addresses (ip4: and ip6: mechanisms) and the include: records of the services that send on your behalf. Publish only one SPF record per domain; a second record starting with v=spf1 is a permanent error for verifiers. The whole record, counting every nested include:, may require no more than 10 DNS lookups. If you use multiple email sending services, all their legitimate sending IP addresses and include: domains must go into this single record. For example, if you send emails through Google Workspace and another ESP, both should be accounted for. The shape is always the same: v=spf1, then the mechanisms, then a terminating ~all (softfail) or -all (fail).
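The record and the checker below are an added example, not the article's own code or any real zone. The zone table is constructed with documentation IP ranges, and live DNS is replaced by table lookups so it runs offline. It shows the shape of an SPF record and checks the two constraints above: one v=spf1 record per name, and no more than 10 lookup-costing terms across every nested include:.

```python
"""Offline SPF sanity checks: the one-record rule, term syntax and the
10-DNS-lookup limit of RFC 7208.  Added example, not code from the article.
Live DNS is replaced by FAKE_TXT, a constructed zone table; the names and
IP ranges in it are sample data (documentation ranges), not anyone's real
SPF configuration."""
import re

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for DNS: name -> TXT records published at that name.
FAKE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:spf.esp.example ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.esp.example": ["v=spf1 a mx include:spf.protection.outlook.com -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # Too many third-party senders: 11 includes, one over the limit.
    "toomany.example": ["v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all"],
    # Two v=spf1 records at one name: verifiers return permerror.
    "dup.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 ip4:203.0.113.5 -all"],
}

# qualifier, mechanism/modifier name, optional ":arg", "=arg" or "/cidr".
SPF_TERM = re.compile(
    r"^(?P<qual>[+\-~?])?(?P<name>all|include|a|mx|ptr|ip4|ip6|exists|redirect|exp)"
    r"(?P<rest>[:=/]\S*)?$", re.IGNORECASE)


def spf_records(name):
    """Return the v=spf1 TXT records at *name* (from the constructed table)."""
    return [r for r in FAKE_TXT.get(name, []) if r.lower().startswith("v=spf1")]


def check_spf(domain, _path=()):
    """Walk the SPF record at *domain* and its include/redirect tree.

    Returns (lookups, issues): the total number of DNS-querying terms and a
    list of problems the domain owner should fix.  The 10-lookup verdict is
    reported only for the top-level domain, where the limit applies.
    """
    issues = []
    records = spf_records(domain)
    if len(records) != 1:
        issues.append(f"{domain}: expected exactly 1 SPF record, found {len(records)}")
        if not records:
            return 0, issues
    lookups = 0
    for term in records[0].split()[1:]:          # skip the v=spf1 version tag
        m = SPF_TERM.match(term)
        if not m:
            issues.append(f"{domain}: unrecognised term '{term}'")
            continue
        name = m["name"].lower()
        rest = m["rest"] or ""
        arg = rest[1:] if rest[:1] in (":", "=") else ""
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            if arg == domain or arg in _path:
                issues.append(f"{domain}: include loop via {arg}")
                continue
            sub_lookups, sub_issues = check_spf(arg, _path + (domain,))
            lookups += sub_lookups
            issues.extend(sub_issues)
    if not _path and lookups > 10:
        issues.append(f"{domain}: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return lookups, issues


if __name__ == "__main__":
    for name in ("example.com", "toomany.example", "dup.example"):
        lookups, issues = check_spf(name)
        print(f"{name}: {lookups} lookups, {len(issues)} issue(s)")
        for issue in issues:
            print("  -", issue)
```

Note that example.com costs 8 lookups even though its own record names only two includes; the count that matters is the one over the whole tree, which is why adding a third provider can silently push a domain over the limit.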
DKIM setup
Setting up DKIM typically involves generating a key pair through your email service provider (ESP) or mail server. The private key stays on the signing server; you publish the public key in DNS at selector._domainkey.yourdomain.com, either as a TXT record holding the key itself (v=DKIM1; k=rsa; p=...) or as a CNAME that delegates to a record your provider hosts, which lets the provider rotate keys without further DNS changes on your side. The selector is a label that identifies which key signed a message (the s= tag in the signature), so you can have multiple DKIM keys for different sending purposes or providers. Here's what a DKIM CNAME record might look like:
Example DKIM CNAME record (DNS):
s1._domainkey CNAME s1.domainkey.your-esp.com
For a more detailed guide on how to configure DKIM within Microsoft 365, you can refer to their official documentation. Remember that SPF and DKIM records are DNS records, meaning they need to be publicly accessible for recipient servers to verify.
DMARC setup
After SPF and DKIM are configured, you can set up your DMARC record. This is also a TXT record, placed at _dmarc.yourdomain.com. Start with a policy of p=none and a rua= reporting address: p=none changes nothing about delivery, but the aggregate reports show you every source sending as your domain and whether it aligns, which is what you need before moving to p=quarantine and then p=reject. The p= tag tells mailbox providers what to do with mail that fails DMARC; the optional sp= tag sets a separate policy for subdomains, and pct= lets you phase a stricter policy in gradually.
For assistance in creating your DMARC record, you can use a free DMARC record generator tool. This tool can help you formulate the correct syntax for your needs, including setting up reporting addresses.
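To make the alignment rule and policy discovery concrete, here is an added example (not from the article) that evaluates DMARC the way a receiver does: look up _dmarc at the From domain, fall back to the organizational domain, then combine the raw SPF and DKIM results with alignment to get a verdict and a disposition. The DMARC record and the domain names are constructed, and the organizational-domain rule is simplified as the docstring says.

```python
"""DMARC policy discovery and alignment evaluation following RFC 7489.
Added example, not the article's code.  DNS is replaced by a constructed
table, and the organizational domain is approximated as the last two
labels, which is wrong for public suffixes such as co.uk (real verifiers
consult the Public Suffix List)."""

# Constructed records keyed by the _dmarc.<domain> name they would live at.
FAKE_DMARC = {
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; sp=reject; pct=100; "
                           "rua=mailto:dmarc-reports@example.com; adkim=r; aspf=s"),
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs, applying defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Simplified organizational domain (see module docstring)."""
    return ".".join(domain.lower().split(".")[-2:])


def lookup_policy(from_domain):
    """Policy discovery: _dmarc at the From domain, else at its org domain.

    Returns (tags, inherited); inherited is True when the record came from
    the organizational domain, in which case sp= governs the subdomain.
    """
    record = FAKE_DMARC.get(f"_dmarc.{from_domain.lower()}")
    if record:
        return parse_dmarc(record), False
    record = FAKE_DMARC.get(f"_dmarc.{org_domain(from_domain)}")
    if record:
        return parse_dmarc(record), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, mail_from_domain, dkim_result, dkim_d):
    """Combine raw SPF/DKIM results with alignment into a DMARC verdict.

    spf_result / dkim_result are the raw verifier outcomes ('pass', 'fail', ...),
    mail_from_domain is the Return-Path domain SPF was checked against, and
    dkim_d is the d= tag of the valid signature.  Returns the aligned results,
    the DMARC verdict and the disposition the published policy asks for.
    """
    policy, inherited = lookup_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "spf_aligned": False, "dkim_aligned": False}
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_d, from_domain, policy["adkim"])
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    if verdict == "pass":
        disposition = "none"
    elif inherited:
        disposition = policy.get("sp", policy["p"])   # subdomain policy when published
    else:
        disposition = policy["p"]
    return {"dmarc": verdict, "disposition": disposition,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


if __name__ == "__main__":
    # ESP signs with your domain: DKIM aligns even though SPF on the bounce
    # subdomain fails strict alignment.
    print(evaluate("example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Same ESP, but signing and bouncing with its own domain: authenticated,
    # not aligned, quarantined.
    print(evaluate("example.com", "pass", "mail.esp.example", "pass", "esp.example"))
    # Subdomain with no record of its own inherits the parent's sp=reject.
    print(evaluate("news.example.com", "fail", "news.example.com", "fail", ""))
```

The second case is the one the DMARC generator cannot protect you from: a provider that passes SPF and DKIM for its own domain looks fine in its dashboard and still fails DMARC for yours.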
Common troubleshooting scenarios
Even with careful setup, issues can arise. Troubleshooting SPF, DKIM, and DMARC failures often involves checking DNS records, verifying alignment, and analyzing DMARC reports. One of the initial steps is to use online tools to verify your DMARC, DKIM, and SPF setup.
Common issues
Common problems include syntax errors in DNS records, exceeding the 10-lookup limit for SPF, a DKIM selector that is missing from DNS or differs from the s= tag in the signature, and DMARC alignment failures. A specific issue to watch out for is a DKIM body hash mismatch, which occurs when the message body is altered after signing, for example by a gateway or mailing list that appends a footer or rewrites links. Also make sure your DMARC record is published for your organizational domain and not only for a subdomain: receivers look for a policy at the From domain and then at the organizational domain, so a record that exists only on a subdomain protects nothing above it.
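A body hash mismatch is easiest to understand by recomputing bh= yourself. The following added example (not the article's code) implements the simple and relaxed body canonicalizations from RFC 6376 and checks a constructed message against a constructed DKIM-Signature header; it verifies only the body hash, not the b= signature over the headers, and the ExampleGateway footer is a made-up mutation of the kind a scanning gateway adds.

```python
"""Recomputing the DKIM body hash (bh=) to diagnose body-hash mismatches.
Added example, not the article's code.  Implements the simple and relaxed
body canonicalizations of RFC 6376 section 3.4 and compares the result
with the bh= tag; the b= signature over the headers is not verified.
The message body and the signature header below are constructed."""
import base64
import hashlib
import re


def simple_body(body: bytes) -> bytes:
    """'simple' canonicalization: drop empty lines at the end of the body,
    keep everything else byte-for-byte, end with exactly one CRLF."""
    normalized = body.replace(b"\r\n", b"\n").rstrip(b"\n")
    if not normalized:
        return b"\r\n"
    return normalized.replace(b"\n", b"\r\n") + b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' canonicalization: collapse runs of whitespace within a line
    to one space, strip trailing whitespace, drop trailing empty lines."""
    lines = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t"))
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def dkim_tags(signature_header: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature value.  Folding whitespace
    inside values (common in bh= and b=) is insignificant and removed."""
    tags = {}
    for part in signature_header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(signature_header: str, body: bytes) -> bool:
    """True when the body as received still hashes to the signed bh= value."""
    tags = dkim_tags(signature_header)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # 'relaxed' alone = relaxed/simple
    return body_hash(body, body_canon) == tags.get("bh")


# Constructed body as the signer saw it, and the header the signer would emit.
ORIGINAL_BODY = b"Hello Jane,\r\n\r\nYour invoice is attached.\r\n\r\nRegards,\r\nBilling\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
             " h=from:to:subject:date;\r\n"
             f" bh={body_hash(ORIGINAL_BODY)};\r\n"
             " b=not-checked-in-this-example")

# Typical mutations downstream of the signer (constructed).
GATEWAY_FOOTER = ORIGINAL_BODY + b"--\r\nScanned by ExampleGateway\r\n"
WHITESPACE_ONLY = ORIGINAL_BODY.replace(b"Hello Jane,", b"Hello  Jane,  ") + b"\r\n\r\n"

if __name__ == "__main__":
    print("original     :", check_body_hash(SIGNATURE, ORIGINAL_BODY))    # True
    print("footer added :", check_body_hash(SIGNATURE, GATEWAY_FOOTER))   # False: body hash mismatch
    print("whitespace   :", check_body_hash(SIGNATURE, WHITESPACE_ONLY))  # True under relaxed
```

Relaxed canonicalization is what makes the third case survive: extra spaces and trailing blank lines are normalized away before hashing. Anything that changes actual content, a footer, a rewritten link, a re-encoded attachment, breaks the hash, and the fix is to sign after the mutating hop or stop the hop from mutating, not to loosen the verifier.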
When troubleshooting, begin by using a diagnostic tool like About My Email to get an immediate overview of your domain's authentication status. This can quickly highlight alignment issues for SPF and DKIM. From there, you can consult specific guides, such as how to troubleshoot DMARC failures and their impact on deliverability.
Resolving DMARC failures
If you're seeing DMARC failures, the issue usually comes down to SPF or DKIM not being correctly configured or not aligning with your From domain. This could be due to sending from a server that is not in your SPF record, a provider that authenticates with its own domain rather than yours, or a message body altered after signing (DKIM). A comprehensive guide on DMARC, DKIM, and SPF can provide further insights. Review your aggregate (rua) reports to pinpoint the exact sources of unauthenticated mail; failure (ruf) reports give per-message detail, but few mailbox providers send them.
Best practices for ongoing maintenance
Setting up SPF, DKIM, and DMARC isn't a one-time task; it's an ongoing commitment to maintaining your email deliverability and security. Regular monitoring and periodic adjustments are essential, especially as your email sending practices evolve. This includes keeping an eye on your DMARC reports and making sure your SPF record stays updated with all authorized sending sources.
Monitoring your DMARC reports is critical. These reports provide valuable insights into who is sending email on behalf of your domain, whether legitimate emails are passing authentication, and if any malicious activity (spoofing or phishing) is occurring. Analyzing these reports helps you refine your DMARC policy from a monitoring-only state (p=none) to quarantine or reject.
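Aggregate reports are XML, and the useful first pass is to classify each sending source by whether it passed in alignment, passed only for some other domain, or failed outright. The added example below (not Suped's tooling or the article's code) does that over a constructed report in the RFC 7489 Appendix C format; the org_name, IP addresses and counts are sample data, and real reports arrive as compressed attachments that you decompress first.

```python
"""Reading a DMARC aggregate (rua) report.  Added example, not the article's
code.  REPORT is a constructed report in the RFC 7489 Appendix C XML format;
real ones arrive gzip- or zip-compressed, one per reporting provider per day."""
import xml.etree.ElementTree as ET

REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <email>noreply-dmarc@mailbox-provider.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1745798400</begin><end>1745884800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>mail.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

ALIGNED = "aligned pass"
UNALIGNED = "authenticated but not aligned"
UNAUTH = "unauthenticated (possible spoofing)"


def summarize(report_xml: str) -> list:
    """One dict per <record>, classifying the source by what the report says.

    policy_evaluated holds the aligned results; auth_results holds the raw
    SPF/DKIM results with the domain each was evaluated for, which is how
    you spot a provider authenticating with its own domain instead of yours.
    """
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        aligned_results = (rec.findtext("row/policy_evaluated/dkim"),
                           rec.findtext("row/policy_evaluated/spf"))
        raw_passes = [f"{e.tag}={e.findtext('domain')}"
                      for e in rec.findall("auth_results/*")
                      if e.findtext("result") == "pass"]
        if "pass" in aligned_results:
            verdict = ALIGNED
        elif raw_passes:
            verdict = UNALIGNED
        else:
            verdict = UNAUTH
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "raw_passes": raw_passes,
            "verdict": verdict,
        })
    return rows


def totals(rows: list) -> dict:
    """Message counts per verdict: the numbers to watch while moving p=none to reject."""
    out = {}
    for row in rows:
        out[row["verdict"]] = out.get(row["verdict"], 0) + row["count"]
    return out


if __name__ == "__main__":
    rows = summarize(REPORT)
    for row in rows:
        print(f"{row['source_ip']:>15} {row['count']:>6}  {row['verdict']:<36} {' '.join(row['raw_passes'])}")
    print(totals(rows))
```

In this constructed report the 300 messages from 198.51.100.25 are the actionable finding: a legitimate provider that would start being quarantined the moment the policy tightens, fixable by having it sign with your domain or use a Return-Path under it. The 45 from 203.0.113.7 are what p=reject exists for.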
Furthermore, it's important to be proactive. Regularly check your domain's standing against various email blocklists (or blacklists). Being listed on a blocklist can severely impact your email deliverability. Tools that offer blocklist monitoring can alert you quickly if your domain or IP address ends up on one, allowing for swift action to resolve the issue. For a deeper understanding of these lists, consult an in-depth guide to email blocklists. Maintaining a healthy domain reputation is an ongoing effort that pays dividends in deliverability.
For more information on best practices, including moving to stricter DMARC policies and considering BIMI (Brand Indicators for Message Identification), refer to sender compliance guides from authoritative sources.
Views from the trenches
Best practices
Always start with DMARC p=none to monitor your email streams without affecting delivery, then gradually move to stricter policies as confidence grows.
Ensure all legitimate sending services and IP addresses are correctly included in your SPF record to avoid authentication failures.
Regularly check your DMARC reports to identify unauthorized sending sources and troubleshoot any authentication issues promptly.
Generate DKIM keys through your email service provider to ensure proper signing and align the DKIM signature with your 'From' domain.
Common pitfalls
Having multiple SPF records for a single domain, which can cause validation errors and lead to emails being rejected.
Not accounting for all third-party senders in your SPF record, resulting in legitimate emails failing authentication.
Ignoring DMARC reports, thus missing crucial insights into email authentication failures and potential spoofing attempts.
Placing DMARC records only on subdomains and neglecting the parent domain, which leaves the primary domain vulnerable.
Expert tips
When troubleshooting, prioritize fixing alignment failures for SPF and DKIM as these are often the root cause of DMARC issues.
Consolidate DMARC reporting to a single vendor for easier monitoring and analysis, rather than distributing reports across multiple services.
Understand that different ESPs (Email Service Providers) might handle test emails differently than bulk campaigns, impacting how authentication is tested.
Always conduct basic DNS cleanups before diving into complex authentication configurations, ensuring a solid foundation.
Marketer view
Marketer from Email Geeks says they should begin by performing basic DNS cleanups.
2025-05-20 - Email Geeks
Expert view
Expert from Email Geeks says they should test their authentication with aboutmy.email and specifically look for SPF and DKIM alignment failures.
2025-05-20 - Email Geeks
Ensuring robust email authentication
Setting up and troubleshooting SPF, DKIM, and DMARC is an indispensable part of email deliverability and security. By carefully configuring these authentication protocols, you not only protect your domain from malicious activities like spoofing and phishing but also significantly increase the likelihood of your legitimate emails reaching the inbox.
Embrace a proactive approach to email authentication. Regularly monitor your DMARC reports, stay informed about your domain's blocklist status (or blacklist status), and make necessary adjustments to your DNS records. This diligence will help you build and maintain a strong sender reputation, ensuring your email communications are both secure and effective.