Suped

Where should SPF, DKIM, and DMARC records be placed for email authentication?

Summary

To effectively authenticate your email, SPF, DKIM, and DMARC records are essential components, all published as TXT records within your domain's DNS. The SPF record typically resides at your root domain, authorizing which mail servers are permitted to send emails for your domain. DKIM records are placed at a specific subdomain, such as selector._domainkey.yourdomain.com, with the 'selector' being a unique identifier provided by your email service. Finally, the DMARC record is consistently found at the _dmarc.yourdomain.com subdomain, dictating how email receivers should manage messages that fail authentication checks. While most setups require direct configuration, some email vendors may handle these records for you as part of their service.

Key findings

  • All TXT Records: SPF, DKIM, and DMARC records are universally implemented as TXT records within your domain's DNS settings, a standard approach for email authentication.
  • SPF Placement: The SPF record is consistently placed at the root or main domain level of your DNS (e.g., yourdomain.com), authorizing specific mail servers to send email on your behalf.
  • DKIM Subdomain: DKIM records are published at a specific subdomain that follows a predictable pattern, typically selector._domainkey.yourdomain.com, where 'selector' is a unique string provided by your email service.
  • DMARC Standardized: DMARC records are always placed at a standardized subdomain: _dmarc.yourdomain.com. This consistent location helps email receivers easily locate your DMARC policy for handling unauthenticated messages.
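The lookup locations listed above, shown as an added example that is not part of the original page: a small Python audit that derives the three owner names for a domain and flags records that are missing, duplicated, or published at a name where they will not be found. The zone contents, `example.com`, the selector `s1`, and the truncated key value are constructed placeholders.

```python
# Added example, not from the original page. Zone data is constructed;
# "example.com" and the selector "s1" are placeholders.

def expected_names(domain, selector):
    """Owner names where receivers look up each record."""
    return {"SPF": domain,
            "DKIM": f"{selector}._domainkey.{domain}",
            "DMARC": f"_dmarc.{domain}"}

def classify(txt):
    """Identify a TXT string as SPF, DMARC, DKIM or None."""
    t = txt.strip()
    if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 "):
        return "SPF"
    if t.startswith("v=DMARC1"):
        return "DMARC"
    tags = {p.split("=", 1)[0].strip() for p in t.split(";") if "=" in p}
    # v=DKIM1 is optional in a DKIM key record, so also accept a bare p= tag.
    if t.startswith("v=DKIM1") or ("p" in tags and "v" not in tags):
        return "DKIM"
    return None

def audit(zone, domain, selector):
    """zone: owner name -> list of TXT strings. Returns sorted findings."""
    zone = {n.lower().rstrip("."): v for n, v in zone.items()}
    findings = []
    for kind, name in expected_names(domain.lower(), selector.lower()).items():
        count = sum(classify(t) == kind for t in zone.get(name, []))
        if count == 0:
            findings.append(f"{kind}: missing at {name}")
        elif count > 1 and kind != "DKIM":
            findings.append(f"{kind}: {count} records at {name}, expected one")
    for name, txts in zone.items():
        labels = name.split(".")
        for kind in filter(None, map(classify, txts)):
            ok = {"SPF": not {"_dmarc", "_domainkey"} & set(labels),
                  "DMARC": labels[0] == "_dmarc",
                  "DKIM": len(labels) > 1 and labels[1] == "_domainkey"}[kind]
            if not ok:
                findings.append(f"{kind}: misplaced at {name}")
    return sorted(findings)

ZONE = {  # constructed sample: the DMARC policy was pasted at the apex
    "example.com": ["v=spf1 include:_spf.example.net -all",
                    "v=DMARC1; p=reject"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
}

if __name__ == "__main__":
    for line in audit(ZONE, "example.com", "s1"):
        print(line)
```

In the sample zone the DMARC policy sits at the apex, so the audit reports it both as misplaced and as missing from `_dmarc.example.com`.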

Key considerations

  • Vendor Handling: Be aware that some email service providers may handle the setup of these authentication records for you, especially if they manage the From (sender) and Return-Path domains. This means you might not need to configure them directly.
  • DKIM Selector: The 'selector' part of the DKIM record is crucial and will be a unique string provided by your email sending service or vendor. It's not a generic value and must match their specifications.
  • DNS Access: To set up SPF, DKIM, and DMARC records, you will need access to your domain's Domain Name System (DNS) settings, usually through your domain registrar or hosting provider.

What email marketers say

10 marketer opinions

Email authentication relies heavily on SPF, DKIM, and DMARC records, all of which are published as TXT entries within your domain's DNS. The SPF record, verifying authorized sending servers, is always placed at your main domain's root. For DKIM, which ensures message integrity, a specific subdomain like selector._domainkey.yourdomain.com is used, where the 'selector' is a unique string provided by your email service. DMARC, governing policy for unauthenticated mail, consistently resides at the _dmarc.yourdomain.com subdomain. Proper placement of these records is fundamental for reliable email delivery.

Key opinions

  • Common TXT Format: SPF, DKIM, and DMARC records are consistently implemented as TXT entries within your domain's DNS settings, a universal standard for email authentication.
  • SPF Root Placement: The SPF record is invariably placed at the root or apex of your domain (e.g., yourdomain.com), serving as the primary authorization for sending servers.
  • DKIM Selector Subdomain: DKIM records are published on a distinct subdomain following the pattern selector._domainkey.yourdomain.com, with the 'selector' being a unique identifier supplied by your email service.
  • DMARC's Standard Location: DMARC records are uniformly located at the _dmarc.yourdomain.com subdomain, providing a consistent point for email receivers to check your domain's authentication policy.

Key considerations

  • Access DNS Settings: To properly configure SPF, DKIM, and DMARC, you must have access to your domain's Domain Name System (DNS) settings, usually managed through your domain registrar or hosting provider.
  • Obtain DKIM Selector: Always obtain the specific 'selector' for your DKIM record directly from your email service provider, as this unique string is critical for its correct functioning.
  • Service Provider Role: Some email service providers may automate or manage the setup of these authentication records on your behalf, so it's wise to check their specific guidance.

Marketer view

Marketer from Mailchimp Support explains that SPF, DKIM, and DMARC records are all published as TXT records within your domain's DNS settings. SPF goes on the main domain (e.g., yourdomain.com), DKIM uses a selector prefix like k1._domainkey.yourdomain.com, and DMARC is placed at _dmarc.yourdomain.com.

5 Dec 2022 - Mailchimp

Marketer view

Marketer from MXToolbox answers that SPF, DKIM, and DMARC records are all DNS TXT records. SPF is added to the root of your domain, DKIM requires a specific selector subdomain (e.g., selector._domainkey), and DMARC is placed at _dmarc.yourdomain.com.

8 Jul 2021 - MXToolbox

What the experts say

3 expert opinions

For robust email authentication, SPF, DKIM, and DMARC records are fundamentally implemented as TXT records within your domain's DNS. While these are typically configured by domain owners, it's worth noting that certain email service providers may manage these records on your behalf, especially when they control the sending and return-path domains, simplifying the setup process for their users.

Key opinions

  • Universal DNS TXT: Email authentication protocols, including SPF, DKIM, and DMARC, are universally implemented as TXT records within a domain's Domain Name System, a standard practice for authorizing email sending.

Key considerations

  • Vendor Management: Certain email service providers (ESPs) handle the configuration of SPF, DKIM, and DMARC records internally, particularly when they manage the From (sender) and Return-Path domains, meaning clients may not need to set these up directly.

Expert view

Expert from Email Geeks explains that some vendors do not require clients to set up SPF, DKIM, and DMARC records. This is because these vendors are responsible for setting the sender from and return-path domains, and they will have their own policy setup for those.

22 Oct 2021 - Email Geeks

Expert view

Expert from Spam Resource explains that SPF, DKIM, and DMARC records are all implemented as DNS records, specifically TXT records, which are added to your domain's DNS to authorize email sending.

21 Apr 2025 - Spam Resource

What the documentation says

5 technical articles

To establish sender authenticity and protect against spoofing, SPF, DKIM, and DMARC records are crucial, each published as a DNS TXT record. Their precise placement within your domain's DNS is standardized, ensuring email receivers can readily verify your messages. SPF records are situated at your domain's root, while DKIM records are found at a specific subdomain incorporating a unique 'selector' provided by your email service. DMARC records are consistently placed at the _dmarc subdomain, instructing mail servers on how to handle emails that fail authentication checks.

Key findings

  • DNS TXT Standard: All three primary email authentication records (SPF, DKIM, and DMARC) are consistently implemented as TXT records within a domain's DNS configuration.
  • SPF at Domain Root: The Sender Policy Framework (SPF) record is always placed at the main domain's root, clearly identifying authorized mail servers.
  • DKIM Subdomain Structure: DomainKeys Identified Mail (DKIM) records utilize a specific subdomain format, selector._domainkey.yourdomain.com, with the 'selector' unique to your email service.
  • DMARC's Dedicated Spot: DMARC (Domain-based Message Authentication, Reporting, and Conformance) records are published at the standardized _dmarc.yourdomain.com subdomain, defining policy for unauthenticated email.

Key considerations

  • DNS Access Required: Configuring these essential authentication records necessitates direct access to your domain's DNS settings, usually managed via your domain registrar or hosting provider.
  • Unique DKIM Selector: The 'selector' component for DKIM records is not arbitrary; it's a specific string provided by your email sending service and must be accurately copied into your DNS.
  • Provider Specifics: While direct DNS configuration is common, some email service providers may offer automated setup or manage these records on your behalf, so always consult their specific documentation.

Technical article

Documentation from Google Workspace Admin Help explains that SPF records are added as TXT records to your domain's DNS settings, specifically at the root domain or main domain name, to authorize mail servers allowed to send email for your domain.

19 Jun 2024 - Google Workspace Admin Help

Technical article

Documentation from SendGrid Documentation specifies that DKIM records are placed as TXT records in your domain's DNS, specifically at a subdomain that follows the pattern selector._domainkey.yourdomain.com, where 'selector' is a unique string provided by SendGrid.

25 Jun 2024 - SendGrid
