SPF, DKIM, DMARC: The Three Records Every Email Sender Must Set Up
Email authentication is no longer optional. In February 2024, Google and Yahoo made SPF, DKIM, and DMARC mandatory for bulk senders - accounts sending more than 5,000 messages per day face automatic rejection without all three properly configured. For cold email senders, the threshold that triggers enforcement is even lower. Here is everything you need to set up all three records correctly, with example DNS values and verification steps.
SPF (Sender Policy Framework)
What SPF does
SPF is a DNS TXT record that declares which mail servers are authorized to send email on behalf of your domain. When a receiving mail server gets an email from your domain, it checks your SPF record to confirm the sending server is on your approved list. If it is not, the email fails SPF and is more likely to land in spam or be rejected.
How to set up SPF
Add a TXT record to your domain's DNS with the following format:
- Type: TXT
- Host: @ (your root domain)
- Value: v=spf1 include:_spf.google.com ~all (for Google Workspace; replace with your ESP's include)
Use -all (hard fail) rather than ~all (soft fail) if you control all sending sources. Hard fail tells receiving servers to reject mail from unauthorized senders outright; soft fail marks it as suspicious but still delivers it. Hard fail is the more secure and more respected choice.
Common SPF mistakes: publishing multiple SPF records (only one is allowed per domain), exceeding the limit of 10 DNS lookups (use SPF flattening tools if needed), and forgetting to include your ESP's servers.
DKIM (DomainKeys Identified Mail)
What DKIM does
DKIM adds a cryptographic signature to every email you send. The receiving server uses a public key published in your DNS to verify the signature - confirming the email came from your domain and that its content was not modified in transit. DKIM is the strongest authentication signal for inbox placement because it proves content integrity, not just sender identity.
How to set up DKIM
DKIM is generated by your email service provider (Google Workspace, Microsoft 365, SendGrid, etc.), not written manually. The setup process:
- In Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Generate DKIM record
- Copy the TXT record provided (it will look like google._domainkey.yourdomain.com)
- Add it to your domain's DNS as a TXT record
- Return to Admin Console and click "Start authentication"
For Microsoft 365: Microsoft 365 Admin Center → Security → Email authentication → DKIM → enable and follow the CNAME record instructions.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
What DMARC does
DMARC ties SPF and DKIM together. It tells receiving mail servers what to do when an email fails both authentication checks - nothing (p=none), quarantine it (p=quarantine), or reject it (p=reject). It also sends you aggregate reports of who is sending email using your domain, which is critical for catching spoofing and misconfigured senders.
How to set up DMARC
- Type: TXT
- Host: _dmarc
- Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1
Start with p=none (monitor mode) so you can review reports without risking legitimate email delivery. After 2–4 weeks of clean reports, move to p=quarantine, then eventually p=reject for maximum protection and highest inbox trust signals.
How to Verify All Three Are Working
- MXToolbox: Free SPF, DKIM, and DMARC lookup tool - paste your domain and see the parsed records with any errors highlighted
- Mail-tester.com: Send a test email to their disposable address and get a spam score report that includes authentication analysis
- Google Postmaster Tools: Register your domain to see Gmail-specific delivery metrics and authentication pass rates over time
- MailPilot DNS health check: Automatically audits SPF, DKIM, and DMARC on every connected mailbox and alerts you when records expire or drift out of configuration
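The SPF mistakes listed earlier (multiple records, more than 10 DNS lookups, soft fail) and the DMARC policy stage can also be checked mechanically. The following is an added example, not code from the original article or from any tool it names; the ZONE data is constructed, every *.example name is hypothetical, and an include whose record is absent from ZONE counts as one lookup with nothing followed.

```python
# Added example. ZONE is constructed sample data (*.example names are hypothetical); no DNS is queried.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com ~all"],   # record from the article
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.10 -all"],
    "heavy.example": ["v=spf1 a mx include:_spf.esp.example include:crm.example -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 include:b.esp.example -all"],
    "b.esp.example": ["v=spf1 a mx ptr exists:%{i}.rbl.esp.example -all"],
    "crm.example": ["v=spf1 a mx include:c1.crm.example include:c2.crm.example -all"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1"],
}

def spf_records(domain, zone):
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count terms that cost a DNS query (RFC 7208 limit: 10), following includes."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:      # include loop, or nothing usable to follow
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        name, _, arg = term.lstrip("+-~?").lower().replace("=", ":", 1).partition(":")
        if name in ("include", "redirect"):
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif name.split("/")[0] in ("a", "mx", "ptr", "exists"):   # "a/24" still counts
            total += 1
    return total

def lint_spf(domain, zone):
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return ["no SPF record" if not recs else "multiple SPF records (permerror)"]
    n, last = count_lookups(domain, zone), recs[0].split()[-1].lower()
    checks = [(n > 10, f"{n} DNS lookups, limit is 10"),
              (last != "-all" and not last.startswith("redirect="), f"ends with '{last}', not -all")]
    return [msg for bad, msg in checks if bad]

def lint_dmarc(domain, zone):
    recs = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(recs) != 1:
        return ["missing or duplicate DMARC record"]
    tags = dict(p.strip().split("=", 1) for p in recs[0].split(";") if "=" in p)
    checks = [(tags.get("p") == "none", "p=none: monitor mode, nothing is quarantined or rejected"),
              ("rua" not in tags, "no rua tag: no aggregate reports")]
    return [msg for bad, msg in checks if bad]

if __name__ == "__main__":
    for d in ("yourdomain.com", "dup.example", "heavy.example"):
        print(d, lint_spf(d, ZONE) + lint_dmarc(d, ZONE))
```

To lint live records, fill ZONE with the TXT strings your resolver returns for the domain, its include targets, and its _dmarc host.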
What Happens If You Skip Any of These?
- Missing SPF: ~15% of your email fails delivery at mail servers that enforce strict SPF checking.
- Missing DKIM: Gmail and Outlook lower your sender reputation score - you get lower inbox placement even on emails that technically pass other checks.
- Missing DMARC: Google and Yahoo bulk sender requirements treat your domain as non-compliant, which triggers spam placement at scale.
All three together are the baseline cost of entry for reliable email deliverability in 2025.