How to Set Up SPF, DKIM, and DMARC in Under 60 Seconds

Email authentication is the single most important thing you can do to improve your email deliverability. Yet most small business owners skip it because it sounds too technical. SPF, DKIM, DMARC — these acronyms feel like they belong in an IT department, not on your to-do list.

But here's the truth: without these three records, your emails are essentially unsigned letters. Any spam filter worth its salt will treat them with suspicion. Let's break down what each one does and how to set them up.

What Is SPF?

Sender Policy Framework (SPF) is a DNS record that tells receiving mail servers which IP addresses are authorized to send emails on behalf of your domain.

Think of it as a guest list for your email. When Gmail receives an email from @yourdomain.com, it checks your SPF record to see if the sending server is on the approved list.

How to Set Up SPF

1. Log into your DNS provider (Cloudflare, Namecheap, GoDaddy, etc.)
2. Add a TXT record for your domain
3. Set the value to: v=spf1 include:amazonses.com ~all
4. Replace amazonses.com with your email provider's domain

Common providers: include:amazonses.com (Amazon SES), include:_spf.google.com (Google Workspace), include:spf.protection.outlook.com (Microsoft 365)

What Is DKIM?

DomainKeys Identified Mail (DKIM) adds a digital signature to every email you send. The receiving server can verify that the email wasn't tampered with during transit.

It's like a wax seal on a letter — it proves the email is authentic and unmodified.

How to Set Up DKIM

1. Your email provider generates a public/private key pair
2. Add the public key as a TXT record in your DNS
3. The record name is usually something like selector._domainkey.yourdomain.com
4. Your provider automatically signs outgoing emails with the private key

What Is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM. It tells receiving servers what to do when authentication fails and provides reporting.

How to Set Up DMARC

1. Add a TXT record for _dmarc.yourdomain.com
2. Start with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:[email protected]
3. After 2-4 weeks of monitoring, upgrade to p=quarantine
4. Eventually move to p=reject for maximum protection

Common Mistakes to Avoid

• Multiple SPF records — you can only have ONE SPF TXT record per domain. Combine all includes into one record.
• Starting DMARC with p=reject — always start with p=none to monitor first, or you'll block legitimate emails.
• Forgetting subdomains — if you send from mail.yourdomain.com, you need records for that subdomain too.
• Not monitoring DMARC reports — the reports tell you if someone is spoofing your domain.
• SPF lookup limit — SPF allows max 10 DNS lookups. Too many include: statements will break it.

Why All Three Matter

Since February 2024, Gmail and Yahoo require all three protocols for bulk senders (5,000+ emails/day). Even if you send fewer emails, having all three dramatically improves your inbox placement rate.

Here's what happens without them:

• No SPF — emails may be rejected or marked as spam
• No DKIM — emails can't be verified as authentic
• No DMARC — anyone can spoof your domain

Verification: How to Check Your Setup

After adding your records, verify them:

• Use dig TXT yourdomain.com in terminal to check SPF
• Use dig TXT selector._domainkey.yourdomain.com for DKIM
• Use dig TXT _dmarc.yourdomain.com for DMARC
• Or use free online tools like MXToolbox or Mail-Tester

DNS changes can take up to 48 hours to propagate, though most providers update within minutes.

Next Steps

Once your authentication is set up, you'll want to:

• Warm up your email domain to build sender reputation
• Check your spam score before sending campaigns
• Read our complete email deliverability guide