What are the best practices for setting up SPF, DKIM and DMARC for email authentication?
Michael Ko
Co-founder & CEO, Suped
Published 13 Aug 2025
Updated 16 Aug 2025
8 min read
Establishing robust email authentication with SPF, DKIM, and DMARC is no longer optional, especially with new sender requirements from major mailbox providers like Google and Yahoo. These protocols are fundamental to ensuring your emails reach their intended inboxes, protecting your brand reputation, and preventing spoofing and phishing attacks. Ignoring them can lead to your legitimate emails being marked as spam or even blocked entirely.
For email deliverability, proper authentication signals to receiving servers that your messages are legitimate and originate from an authorized source. Without these critical DNS records, your emails lack the necessary verifiable identity, making them highly susceptible to filtering. It is a foundational step in any effective email security strategy.
I've seen many businesses, particularly those using multiple email service providers (ESPs), struggle with the nuances of setting up and maintaining these records. The differing instructions from platforms like Mailchimp, Mailerlite, ConvertKit, or ActiveCampaign can make it confusing. This guide outlines the best practices for setting up SPF, DKIM, and DMARC to secure your email communications and boost your deliverability.
Before diving into specific best practices, it's essential to understand what SPF, DKIM, and DMARC are and how they interact. These three protocols form a powerful defense against email fraud and play a crucial role in establishing your sender reputation. They work together to verify that an email claiming to be from your domain is indeed authorized by you.
Sender Policy Framework (SPF) is a DNS TXT record that lists the IP addresses and domains authorized to send email on behalf of your domain. When a receiving server gets a message, it looks up the SPF record for the domain in the envelope sender (the RFC5321.MailFrom, or the HELO name for bounces with an empty envelope sender) and checks whether the connecting IP is covered by it. Note that this is not necessarily the domain shown in the visible From: header, which is why DMARC adds an alignment check on top. If the IP isn't listed, the message may be flagged, quarantined, or rejected depending on the qualifier on the record's all mechanism. Publish exactly one SPF record per domain: two or more produce a permanent error (permerror) and the check fails outright.
DomainKeys Identified Mail (DKIM) adds a digital signature to your outgoing emails, allowing the recipient's server to verify that the signed headers and body have not been tampered with in transit and that the message was signed by whoever holds the private key for the domain named in the signature's d= tag. The signature is created with a private key on the sending mail server and verified against a public key published in that domain's DNS. Because the signature is carried inside the message, it survives forwarding in a way SPF cannot, and it significantly reduces the risk of email spoofing.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds upon SPF and DKIM. It requires that at least one of them passes for a domain that aligns with the visible From: header, tells receiving mail servers what to do with messages that fail that test, and provides reporting so you can see who is sending email using your domain, whether authorized or not. DMARC policies are crucial for enforcing your email authentication strategy and gaining visibility into your email traffic, including potential abuse.
Together, these three protocols create a robust defense system. For a deeper dive into how they work, you can explore how SPF, DKIM, and DMARC function.
Setting up SPF and DKIM
The first step in setting up SPF and DKIM is to consult your email service provider. Many ESPs will provide specific instructions and records for you to publish in your DNS. While some ESPs might handle authentication on their shared domains, it's a best practice to configure custom records that align with your sending domain to maximize your deliverability and brand control.
Configuring SPF
Your SPF record should include all legitimate sending sources, such as your ESP, transactional email services, and any in-house mail servers. SPF evaluation is limited to 10 DNS-querying terms (include, a, mx, ptr, exists and the redirect modifier), counted across every nested include, and going over the limit is a permerror; audit the whole include chain rather than just the top-level record, because an ESP adding an include on their side can push you over without any change to your DNS. An SPF record is a TXT record in your DNS. Here's an example:
The -all (fail) qualifier is recommended, as it explicitly states that any source not listed in your SPF record is unauthorized and may be rejected. A ~all (softfail) qualifier only asks receivers to treat unlisted sources with suspicion, so unauthorized mail can still be accepted and merely marked. Under DMARC both softfail and fail count as an SPF failure, so the choice mainly affects receivers that evaluate SPF on its own; -all is still the right end state once you are confident every sending source is listed.
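The following is an added example, not code from the original article or from Suped, that performs the two SPF checks described above: it confirms a domain publishes exactly one SPF record and counts DNS-querying terms through the include chain against the 10-lookup limit, then reports the qualifier on all. The DNS data is a constructed in-memory dictionary standing in for real TXT lookups, and all domain names in it are assumptions.

```python
import re

# Constructed DNS fixture (not real records): name -> list of TXT strings.
FAKE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.esp.example include:mailer.example ip4:203.0.113.10 -all",
    ],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 include:relay.esp.example ~all"],
    "relay.esp.example": ["v=spf1 a mx -all"],
    "mailer.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "soft.example": ["v=spf1 include:_spf.esp.example ~all"],
    "broken.example": [  # two SPF records: receivers return permerror
        "v=spf1 include:_spf.esp.example -all",
        "v=spf1 ip4:203.0.113.20 -all",
    ],
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (limit 10 per check).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def spf_record(domain, txt=FAKE_TXT):
    """Return the single SPF record for domain, or None; more than one is a permerror."""
    recs = [r for r in txt.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) > 1:
        raise ValueError(f"{domain}: {len(recs)} SPF records published (permerror)")
    return recs[0] if recs else None


def count_lookups(domain, txt=FAKE_TXT, path=()):
    """Count DNS-querying terms reachable from domain's record, following include/redirect."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    rec = spf_record(domain, txt)
    if rec is None:
        return 0
    total = 0
    for term in rec.split()[1:]:
        term = term.lstrip("+-~?")                      # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0]
        if name not in LOOKUP_TERMS:
            continue                                     # ip4/ip6/all cost nothing
        total += 1
        if name in ("include", "redirect"):
            target = term[len(name) + 1:]                # text after ':' or '='
            total += count_lookups(target, txt, path + (domain,))
    return total


def all_qualifier(record):
    """Qualifier on the 'all' term: '-' fail, '~' softfail, '?' neutral, '+' pass, None if absent."""
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            return qualifier
    return None


def audit(domain, txt=FAKE_TXT):
    """Summarize what a receiver would see: record, lookup cost, all qualifier, verdict."""
    try:
        rec = spf_record(domain, txt)
        if rec is None:
            return {"record": None, "lookups": 0, "all": None, "ok": False, "error": "no SPF record"}
        lookups = count_lookups(domain, txt)
    except ValueError as err:
        return {"record": None, "lookups": None, "all": None, "ok": False, "error": str(err)}
    qualifier = all_qualifier(rec)
    return {"record": rec, "lookups": lookups, "all": qualifier, "error": None,
            "ok": lookups <= MAX_LOOKUPS and qualifier == "-"}


if __name__ == "__main__":
    for name in ("example.com", "soft.example", "broken.example"):
        print(name, audit(name))
```

In the fixture, example.com costs 5 lookups even though its own record only names two includes, because the ESP's include pulls in a further include plus a and mx; that nested cost is what usually breaks real records. Swapping FAKE_TXT for a resolver call is the only change needed to run this against live DNS.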
Implementing DKIM
For DKIM, you will typically generate a public and private key pair through your ESP. The public key is published as a TXT record at selector._domainkey.yourdomain.com, or you publish a CNAME at that name pointing to a record the ESP maintains, which lets them rotate keys without you touching DNS. Receiving servers read the selector (s=) and domain (d=) from the DKIM-Signature header, fetch the public key from that name, and verify the signature. It is crucial that the domain in the signature's d= tag aligns with the domain in your email's From: header, since that alignment is what DMARC checks.
Many ESPs now offer a simple way to set up DKIM for your sending domain, which is highly recommended over relying on their default authentication. This ensures that even if your emails are processed by various services, they maintain a consistent and verified identity linked directly to your brand.
It is important to ensure your DKIM keys are at least 1,024 bits long, with 2,048 bits being preferable for enhanced security. Signatures made with shorter keys may be ignored by receiving mail servers, negating the benefits of DKIM. Rotate selectors periodically, and revoke a retired selector by publishing its record with an empty p= value rather than deleting it, which tells verifiers the key is no longer valid. You can find more information on best practices from DMARC.org.
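The block below is an added example, not code from the original article or from Suped. It shows the check a practitioner runs on a published selector record: it parses the tag=value syntax shared by DKIM-Signature headers and selector records, derives the selector name to query from a signature's s= and d= tags, decodes the p= public key, and measures the RSA modulus size so that weak or revoked keys are caught. Since the standard library cannot generate RSA keys, the synthetic records used as input are built from a fixed-size modulus with a small DER encoder included in the block; they are not real keys and exist only so the parser has something to read.

```python
import base64

# ---- minimal DER helpers, used only to construct synthetic selector records ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                      # keep the INTEGER positive
    return _der(0x02, b)

def rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA public key (what a DKIM p= tag carries, base64-encoded)."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def constructed_record(bits):
    """Synthetic selector record whose modulus has the given size (not a real key)."""
    n = (1 << (bits - 1)) | 1
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n)).decode()

# ---- the checks a practitioner runs against a published record ----
def _tlv(buf, pos=0):
    """Read one DER tag-length-value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    _, seq, _ = _tlv(spki)               # SubjectPublicKeyInfo
    _, _alg, p = _tlv(seq)               # AlgorithmIdentifier
    tag, bitstr, _ = _tlv(seq, p)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa_pub, _ = _tlv(bitstr[1:])     # skip the unused-bits byte
    _, modulus, _ = _tlv(rsa_pub)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def parse_tags(value):
    """tag=value list used by both DKIM-Signature headers and selector records."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = "".join(v.split())   # drop folding whitespace
    return out

def selector_record_name(dkim_signature_header):
    """Name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def dkim_key_bits(record):
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if not tags.get("p"):
        return 0                               # empty p= means the key is revoked
    key = base64.b64decode(tags["p"])
    if tags.get("k", "rsa") == "ed25519":
        return len(key) * 8                    # raw 32-byte public key
    return rsa_modulus_bits(key)

def assess(record, minimum=1024, preferred=2048):
    bits = dkim_key_bits(record)
    if bits == 0:
        return "revoked"
    if bits < minimum:
        return "too weak"
    return "acceptable" if bits < preferred else "good"

if __name__ == "__main__":
    header = "v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to:subject; bh=abc=; b=xyz="
    print(selector_record_name(header))
    for size in (512, 1024, 2048):
        print(size, assess(constructed_record(size)))
```

On a live domain you would resolve the name returned by selector_record_name, join all TXT strings in the answer (long keys are split across strings), and pass the result to assess; the modulus check does not depend on the signature itself, so a weak key is detectable before any mail is sent.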
DMARC policies and reporting
Once SPF and DKIM are properly configured and your emails are consistently passing authentication checks, you're ready to implement DMARC. This is where you gain control over how unauthenticated emails claiming to be from your domain are handled, and you also receive valuable reports.
Gradual DMARC policy deployment
A common best practice for DMARC implementation is to adopt a phased approach, starting with a relaxed policy and gradually moving to a stricter one. This allows you to monitor your email ecosystem and identify any legitimate senders that might not be properly authenticated before enforcing a quarantine or reject policy.
Initial policy: p=none
Start with p=none. This policy instructs receiving servers to take no action on emails that fail DMARC, but it still sends you DMARC reports, provided the record includes a rua= address (for example rua=mailto:dmarc@yourdomain.com) to deliver them to. These reports are crucial for understanding your email traffic, identifying unauthorized sending sources, and ensuring all your legitimate mail is correctly authenticated. Think of it as a monitoring-only phase.
Intermediate policy: p=quarantine
Once you are confident that all legitimate email streams are passing DMARC authentication and alignment, you can move to p=quarantine. This policy tells receiving servers to place emails that fail DMARC into the recipient's spam or junk folder. It's a good intermediate step to test the waters before full enforcement, as it keeps suspicious emails out of the primary inbox without outright rejecting them. The pct= tag lets you ramp further still: pct=25 applies the quarantine policy to a quarter of failing messages and lets the rest through, so a missed source shows up in reports before it costs you much mail. You can read more about transitioning your policy here.
Enforcement policy: p=reject
The ultimate goal is to reach p=reject. With this policy, emails that fail DMARC (neither SPF nor DKIM passes for a domain aligned with the From: header) are rejected by the receiving server and reach neither the inbox nor the spam folder. This is the strongest protection against spoofing and phishing attacks using your domain. Achieving p=reject is critical for maximum security. Some mailbox providers, like Yahoo and Microsoft, may treat quarantine and reject policies similarly.
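As an added example (not code from the original article or from Suped), here is the DMARC decision a receiver makes for one message, with the three phased records above written out as constants. It parses the policy record, applies relaxed or strict alignment to the SPF and DKIM identities, falls back to sp= for subdomains, and steps the policy down when the message falls outside the pct= sample as RFC 7489 describes. The organizational-domain logic is simplified to the last two labels; real verifiers use the Public Suffix List. All domain names and the sample value are assumptions.

```python
# Phased DMARC records as they would be published at _dmarc.example.com (constructed examples).
PHASES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com",
    "ramp":    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-agg@example.com",
    "enforce": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-agg@example.com",
}

# What a receiver does when a message falls outside the pct= sample (RFC 7489 section 6.6.4).
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in STEP_DOWN:
        raise ValueError("invalid DMARC record")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p
    tags.setdefault("adkim", "r")         # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def org_domain(name):
    # Simplification: last two labels. Real verifiers use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    if mode == "s":                        # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, policy_domain, from_domain, spf=None, dkim=(), sample=0):
    """
    record:        DMARC TXT found at _dmarc.<policy_domain>
    from_domain:   domain of the visible From: header
    spf:           (result, RFC5321.MailFrom domain) or None
    dkim:          iterable of (result, d= tag), one per signature
    sample:        0..99; the policy applies when sample < pct
    """
    pol = parse_dmarc(record)
    reasons = []
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], pol["aspf"])
    if spf and spf[0] == "pass" and not spf_ok:
        reasons.append(f"SPF passed for {spf[1]} but is not aligned with {from_domain}")
    dkim_ok = False
    for result, d in dkim:
        if result != "pass":
            continue
        if aligned(from_domain, d, pol["adkim"]):
            dkim_ok = True
        else:
            reasons.append(f"DKIM passed for d={d} but is not aligned with {from_domain}")
    if spf_ok or dkim_ok:
        return {"pass": True, "disposition": "none", "reasons": reasons}
    is_subdomain = from_domain.lower() != policy_domain.lower()
    disposition = pol["sp"] if is_subdomain else pol["p"]
    if sample >= pol["pct"]:
        disposition = STEP_DOWN[disposition]
        reasons.append(f"pct={pol['pct']}: message outside sample, policy stepped down")
    return {"pass": False, "disposition": disposition, "reasons": reasons}


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; rua=mailto:dmarc-agg@example.com"
    # ESP signs with a subdomain (relaxed DKIM alignment passes) while SPF fails strict alignment.
    print(evaluate(rec, "example.com", "example.com",
                   spf=("pass", "bounce.example.com"), dkim=[("pass", "mail.example.com")]))
    # Subdomain sender using the ESP's default signing domain: nothing aligns, sp= applies.
    print(evaluate(rec, "example.com", "news.example.com", dkim=[("pass", "esp.example")]))
```

The second case in the usage block is the most common real-world finding: mail is authenticated, but for the ESP's own domain, so it fails DMARC exactly as a spoof would. The reasons list is there so the fix (custom DKIM on your domain, or a return-path on your domain) is obvious from the output.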
Advanced considerations and continuous improvement
Beyond the basic setup, several advanced considerations can further enhance your email authentication and deliverability. These often involve continuous monitoring and adjustments to your DNS records.
Subdomain authentication
Ensure that all subdomains used for sending email are also covered by your SPF, DKIM, and DMARC policies. Many organizations use separate subdomains for marketing emails (e.g., mail.yourdomain.com) or transactional emails (e.g., app.yourdomain.com). SPF does not inherit: a subdomain with no record of its own has no SPF at all, so each sending subdomain needs its own TXT record, and DKIM signatures for it should use that subdomain (or the parent, which still aligns under relaxed mode) in d=. DMARC does inherit, in that the organizational domain's p= applies to subdomains unless you set sp= explicitly; set sp= deliberately, and consider publishing v=spf1 -all on subdomains that never send so they cannot be used for spoofing either.
DMARC reports and ongoing monitoring
Even after setting a p=reject policy, continuous DMARC report monitoring is crucial. Aggregate (rua) reports arrive daily from each reporting receiver and summarize every source that used your domain, with its SPF and DKIM results and the disposition applied; failure or forensic (ruf) reports carry per-message detail but are sent by few large providers, so do not rely on them. Reviewing the aggregate data helps you detect any new unauthorized sending sources or configuration issues that might arise, such as a new SaaS tool someone connected, or an ESP that quietly changed its signing domain. This continuous vigilance helps maintain strong email security and deliverability.
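The following is an added example, not code from the original article or from Suped, showing the triage a practitioner does on an aggregate report: parse the XML layout from RFC 7489 Appendix C, skip sources that passed DMARC, and separate the remaining failures into sources that authenticated for some other domain (usually a legitimate ESP on its default identity, fixable with custom DKIM/SPF) from sources with no passing identity at all (unknown, possibly spoofing). The report below is constructed for the example; the reporter name, IPs, counts and domains are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1723420800</begin><end>1723507200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-shared.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>esp-shared.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def triage(report_xml):
    """Group the failing sources in one aggregate report and suggest the likely fix for each."""
    root = ET.fromstring(report_xml)
    total = failed = 0
    findings = []
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        total += count
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; a pass on either means DMARC passed.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        failed += count
        auth = rec.find("auth_results")
        # auth_results holds raw results, which can pass for a domain that does not align.
        raw_pass = [f"{e.tag}:{e.findtext('domain')}"
                    for e in (auth if auth is not None else [])
                    if e.findtext("result") == "pass"]
        if raw_pass:
            kind = "unaligned"
            action = "authenticates for another domain (typically an ESP default identity): set up custom DKIM/SPF"
        else:
            kind = "unauthenticated"
            action = "no passing identity: confirm the source is yours, otherwise treat it as spoofing"
        findings.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "raw_pass": raw_pass,
            "kind": kind,
            "action": action,
        })
    findings.sort(key=lambda f: f["count"], reverse=True)   # biggest problem first
    return {"domain": root.findtext("policy_published/domain"),
            "reporter": root.findtext("report_metadata/org_name"),
            "total": total, "failed": failed, "findings": findings}


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['reporter']}: {summary['failed']}/{summary['total']} messages failed DMARC")
    for f in summary["findings"]:
        print(f"  {f['source_ip']:<15} {f['count']:>5} {f['disposition']:<10} {f['kind']}: {f['action']}")
```

Real reports arrive as gzip or zip attachments to the rua= mailbox, so the only plumbing missing here is decompressing the attachment before handing the XML to triage. The distinction between the two failure kinds is what turns a report from a list of IPs into a work list: unaligned sources go to whoever owns the ESP account, unauthenticated ones go to the security team.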
Regularly checking Google's recommendations for setting up SPF can also help ensure you are aligned with current requirements. Similarly, reviewing best practices from Microsoft Defender for Office 365 will ensure your emails are well-received by these major providers.
Views from the trenches
Best practices
Always configure custom DKIM records with your email service provider to ensure domain alignment, rather than relying on their shared domains.
Start DMARC implementation with a p=none policy and actively monitor reports to identify legitimate traffic before moving to stronger policies.
Ensure SPF records accurately list all authorized sending IP addresses and domains, and never have more than one SPF record per domain.
Cover all subdomains used for sending emails with their own SPF, DKIM, and DMARC policies to prevent spoofing of sub-brands.
Regularly review DMARC reports to detect unauthorized email activity or misconfigurations that could impact deliverability.
Common pitfalls
Relying solely on your ESP's default authentication, which might not provide full domain alignment.
Having multiple SPF records for a single domain, which can cause SPF validation failures.
Skipping the p=none DMARC phase and directly implementing p=quarantine or p=reject without sufficient monitoring.
Neglecting to monitor DMARC reports, missing opportunities to identify and remediate authentication issues.
Not authenticating emails sent from subdomains, leaving them vulnerable to spoofing and phishing attacks.
Expert tips
Use DMARC reports not just for security, but also as a powerful tool for auditing your email authentication practices.
DKIM is often the easiest authentication method to set up across shared email services, and it survives forwarding, because the signature travels inside the message rather than depending on the IP of the last hop.
The process of setting up and moving towards an enforcing DMARC policy brings order and rationality to email authentication, making it easier to manage sending sources.
A verified mark certificate (VMC) for BIMI (Brand Indicators for Message Identification) provides additional verification for your brand logo, further deterring spoofing.
Be cautious about equating BIMI logos with a 'trust indicator' for end-users, as threat actors may try to exploit visual cues.
Expert view
Expert from Email Geeks says: Email traffic should always be authenticated. There is no argument about the necessity of this fundamental security measure.
2022-08-04 - Email Geeks
Expert view
Expert from Email Geeks says: It is strongly recommended to always take the extra step and implement DKIM on the same domain as the visible From: address, which provides DKIM domain alignment and makes traffic DMARC compliant.
2022-08-04 - Email Geeks
Securing your email's future
Implementing SPF, DKIM, and DMARC is fundamental for modern email deliverability and security. These authentication protocols protect your domain from impersonation, enhance your sender reputation, and ensure your legitimate messages reliably reach the inbox. It's a non-negotiable step in maintaining a healthy and trustworthy email program.
By following these best practices, from careful SPF and DKIM setup to gradual DMARC policy enforcement and continuous monitoring, you can significantly improve your email security posture and overall deliverability. Investing in this foundation will yield long-term benefits for your brand and your email communications.