
SPF, DKIM, and DMARC Setup: Email Auth That Actually Works

A practical SPF DKIM DMARC setup guide with real DNS records, common mistakes, and how to roll out enforcement without breaking legitimate email.

WebSentry Team · May 18, 2026 · 5 min read

If your domain doesn't have SPF, DKIM, and DMARC configured correctly, you're handing attackers a free spoofing tool — and watching legitimate email land in spam. Gmail and Yahoo now require all three for bulk senders, and most enterprise mail filters quietly downgrade unauthenticated mail regardless of volume.

This guide walks through real records, the order to deploy them, and the mistakes that break delivery. Examples assume you control DNS for the domain at your DNS provider (Cloudflare, Route 53, etc.) and use a sending provider like Google Workspace, Microsoft 365, Postmark, or SendGrid.

Why all three records matter

Each protocol solves a different problem, and DMARC passes only when SPF or DKIM passes and the domain it authenticated aligns with the domain in the visible From: header.

  • SPF — lists which IPs/servers are allowed to send mail for your domain, checked against the envelope sender (MAIL FROM / Return-Path) domain.
  • DKIM — cryptographically signs outbound mail so receivers can verify it wasn't altered in transit and that the signing domain (the d= tag) vouches for it.
  • DMARC — tells receivers what to do when neither SPF nor DKIM passes in alignment with the From: domain, and where to send reports.

Skip DMARC and you have no enforcement: a spoofed message that fails SPF is just a data point nobody acts on. Skip DKIM and forwarded mail fails, because the forwarder's IP is not in your SPF record and the DKIM signature is the only check that survives the extra hop. Skip SPF and you're missing the simplest baseline check, and any service that doesn't sign for you has nothing left to pass on.

Step 1: Inventory every service that sends mail as you

Before touching DNS, list every sender. Missing one is the #1 cause of broken rollouts.

  1. Your primary mailbox (Google Workspace, Microsoft 365).
  2. Transactional providers (Postmark, SendGrid, Mailgun, AWS SES, Resend).
  3. Marketing tools (Mailchimp, HubSpot, Klaviyo, Customer.io).
  4. App platforms that send on your behalf (Stripe receipts, Intercom, Zendesk, GitHub, Shopify).
  5. Anything on your own servers (cron jobs, contact forms, WordPress plugins).

Each one needs its include (or IP range) in SPF and usually its own DKIM selector, and it must send with your domain as the envelope sender or as the DKIM d= domain, otherwise the result won't align and DMARC treats it as a failure.

Step 2: Build a single, correct SPF record

You can only have one SPF record per domain. Two or more TXT records starting with v=spf1 on the same name cause a permerror, which fails every check against that domain.

Example for a domain using Google Workspace, Postmark, and Mailchimp:

v=spf1 include:_spf.google.com include:spf.mtasv.net include:servers.mcsv.net -all

SPF rules that bite people

  • 10 DNS lookup limit. Each include:, a, mx, ptr, exists and redirect= counts; ip4: and ip6: don't. Chained includes inside your providers' own records count too. Exceed it and SPF returns permerror.
  • Use -all (hard fail), not ~all (soft fail), once you've confirmed all senders are listed. Soft fail is a temporary measure, not a destination. One caveat: some MTAs reject an SPF hard fail at SMTP time, before DKIM or DMARC are evaluated, which hits forwarded mail; once DMARC is at p=reject the -all/~all choice matters far less than having DKIM right.
  • Don't add +all. Ever. It authorises the entire internet.
  • Subdomains need their own SPF record if they send mail. SPF doesn't inherit: a subdomain with no record gets a result of none, not your apex policy.
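Putting the lookup rules above into code, as an added example that is not WebSentry's or any provider's code: the script walks a record the way a receiver does, counting include:/redirect= chains against the 10-lookup budget and flagging duplicate records and +all/~all in the top-level record. DNS is replaced by a constructed in-memory zone (names under the reserved .test and .example TLDs, invented records), so it runs offline; swap lookup_txt() for dnspython's dns.resolver.resolve(name, "TXT") to run it against a live domain.

```python
"""Audit an SPF record the way a receiver evaluates it: count DNS lookups
across chained include:/redirect= terms and flag the mistakes above.

Added example, not WebSentry's own code. DNS is stubbed with the
constructed ZONE table (reserved .test/.example names, invented records)
so it runs offline; replace lookup_txt() with a real resolver, e.g.
dnspython's dns.resolver.resolve(name, "TXT"), to audit a live domain.
"""
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}  # ip4/ip6/all are free

# Constructed zone: name -> list of TXT records. provider.test fans out into
# two sub-records the way large providers' SPF includes do.
ZONE = {
    "good.example": ["v=spf1 include:_spf.provider.test include:spf.tx.test ip4:203.0.113.10 -all"],
    "_spf.provider.test": ["v=spf1 include:_nb1.provider.test include:_nb2.provider.test ~all"],
    "_nb1.provider.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_nb2.provider.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "spf.tx.test": ["v=spf1 a mx ~all"],
    # leftover from a migration: two v=spf1 records on one name
    "dup.example": ["v=spf1 include:_spf.provider.test -all", "v=spf1 ip4:192.0.2.1 -all"],
    "open.example": ["v=spf1 +all"],
    # six includes that each pull in the provider chain: far over budget
    "deep.example": ["v=spf1 " + " ".join(f"include:hop{i}.test" for i in range(6)) + " -all"],
}
for _i in range(6):
    ZONE[f"hop{_i}.test"] = ["v=spf1 include:_spf.provider.test -all"]

TERM_RE = re.compile(
    r"^([+\-~?]?)(include|a|mx|ptr|exists|ip4|ip6|all|redirect)(?:[:=/](\S+))?$", re.I)


def lookup_txt(name):
    """Stub resolver. Returns the TXT records for name, or [] if none."""
    return ZONE.get(name.lower().rstrip("."), [])


def get_spf_record(name):
    """Return (record, error). RFC 7208: more than one v=spf1 record is a permerror."""
    recs = [r for r in lookup_txt(name) if re.match(r"v=spf1(\s|$)", r, re.I)]
    if not recs:
        return None, f"{name}: no SPF record (result 'none')"
    if len(recs) > 1:
        return None, f"{name}: {len(recs)} SPF records on one name -> permerror"
    return recs[0], None


def audit_spf(domain, _state=None, _top=True):
    """Walk domain's SPF record recursively. Returns {'lookups': n, 'findings': [...]}."""
    state = _state if _state is not None else {"lookups": 0, "findings": []}
    record, err = get_spf_record(domain)
    if err:
        state["findings"].append(err)
        return state
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            state["findings"].append(f"{domain}: unparsable term '{term}'")
            continue
        qual, mech, arg = m.group(1), m.group(2).lower(), m.group(3)
        if mech in COUNTED:
            state["lookups"] += 1
            if state["lookups"] > LOOKUP_LIMIT:
                state["findings"].append(
                    f"{domain}: more than {LOOKUP_LIMIT} DNS lookups -> permerror")
                return state
        # 'all' only matters in the record the receiver started from (or one
        # reached via redirect=): inside an include it can never match, so a
        # provider's ~all there is harmless and not worth a finding.
        if mech == "all" and _top:
            if qual == "+":
                state["findings"].append(f"{domain}: +all authorises every host on the internet")
            elif qual in ("~", "?"):
                state["findings"].append(
                    f"{domain}: {qual}all is soft/neutral; use -all once every sender is listed")
        if mech in ("include", "redirect") and arg:
            audit_spf(arg, state, _top=(_top and mech == "redirect"))
            if state["lookups"] > LOOKUP_LIMIT:
                return state
    return state


if __name__ == "__main__":
    for name in ("good.example", "dup.example", "open.example", "deep.example"):
        result = audit_spf(name)
        print(f"{name}: {result['lookups']} lookups, findings={result['findings']}")
```

On the constructed zone, good.example costs 6 lookups (the provider chain alone is 3), while deep.example blows the budget on its third include even though the record itself is short: the cost hides in what the includes pull in.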

Step 3: Add DKIM for every sender

DKIM is published per selector, so each service gets its own record. Your provider gives you the exact host and value.

Example DKIM record from Google Workspace:

Host: google._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

DKIM tips

  • Use 2048-bit keys where supported. A single TXT string is capped at 255 bytes, so a 2048-bit public key has to be published as several quoted strings that receivers concatenate; most DNS providers split the value for you, a few make you do it by hand.
  • Rotate keys at least annually. Most providers handle this if you enable automatic rotation. With a manual key, publish the new selector first, switch signing to it, then retire the old selector once mail signed with it has been delivered.
  • Verify with a DKIM lookup tool after publishing, and compare the p= value character by character. A missing trailing character silently breaks signatures.

Step 4: Deploy DMARC in monitor mode first

Never start with p=reject. You'll bounce real mail you didn't know about. Start with p=none and a reporting address you actually read.

Host: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s; pct=100

Breakdown:

  • p=none — monitor only, no action taken.
  • rua — aggregate XML reports (daily summaries from receivers). If the mailbox lives on a different domain than the one being reported on, that domain must publish an authorization record (yourdomain.com._report._dmarc.<mailbox-domain> TXT "v=DMARC1") or receivers will not send the reports.
  • ruf — forensic reports on individual failures. Not all providers send these, and those that do may include message headers or content, so point ruf at a mailbox you control.
  • fo=1 — request a forensic report when either SPF or DKIM fails alignment, rather than only when both fail (the default, fo=0).
  • adkim=s / aspf=s — strict alignment: the DKIM d= domain and the SPF envelope domain must equal the From: domain exactly. The default is r (relaxed), which accepts any subdomain of the same organizational domain; use it if subdomains send on your behalf.
  • pct=100 — apply the policy to 100% of failing mail.

Reading the reports

Raw DMARC XML is brutal. Use a parser — Postmark's free DMARC monitoring, Valimail, or dmarcian. After 2–4 weeks you'll see:

  • Every IP sending as your domain.
  • Which are passing SPF, DKIM, both, or neither.
  • Volume from unexpected sources (shadow IT, forgotten apps, spoofers).
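To see what a parser actually extracts, here is an added example (not WebSentry's code, nor code from any of the tools named above) that reads an aggregate report and recomputes alignment itself, so it can answer the question the reports raise most often: would relaxed alignment rescue this source? The report, the IPs and the domain names are constructed for the example.

```python
"""Summarise a DMARC aggregate (rua) report per sending IP and recompute
DKIM/SPF alignment, so failing sources stand out without reading raw XML.

Added example, not WebSentry's own code. SAMPLE_REPORT is constructed in the
RFC 7489 Appendix C layout with documentation IPs and .test/.example names.
Real reports arrive as .zip or .gz attachments: unpack with zipfile/gzip and
pass the bytes to summarize().
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name><report_id>constructed-1</report_id>
    <date_range><begin>1716000000</begin><end>1716086400</end></date_range></report_metadata>
  <policy_published><domain>yourdomain.example</domain><adkim>s</adkim><aspf>s</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <!-- primary mailbox provider: DKIM and SPF both aligned -->
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.example</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.example</domain><result>pass</result></spf></auth_results></record>
  <!-- a forwarder: SPF passes for the forwarder's own domain (unaligned), DKIM survives -->
  <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.example</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>forwarder.test</domain><result>pass</result></spf></auth_results></record>
  <!-- marketing tool on mail.yourdomain.example: aligned only under relaxed mode -->
  <record><row><source_ip>192.0.2.55</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><dkim><domain>mail.yourdomain.example</domain><selector>mk1</selector><result>pass</result></dkim>
      <spf><domain>mail.yourdomain.example</domain><result>pass</result></spf></auth_results></record>
  <!-- spoofer: no signature, SPF passes only for the attacker's own envelope domain -->
  <record><row><source_ip>192.0.2.200</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><spf><domain>attacker.test</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def org_domain(name):
    """Organizational domain, approximated here as the last two labels. Production
    code must use the Public Suffix List so that example.co.uk is handled."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    accepts any subdomain of the same organizational domain."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)


def parse_report(xml_bytes):
    """Return (published policy, one dict per <record>)."""
    root = ET.fromstring(xml_bytes)
    pub = root.find("policy_published")
    policy = {k: pub.findtext(k, default) for k, default in
              (("domain", ""), ("adkim", "r"), ("aspf", "r"), ("p", "none"), ("pct", "100"))}
    rows = []
    for rec in root.iter("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # domains for which the receiver saw a passing DKIM signature / SPF check
            "dkim_pass": [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                          if d.findtext("result") == "pass"],
            "spf_pass": [s.findtext("domain") for s in rec.findall("auth_results/spf")
                         if s.findtext("result") == "pass"],
            "receiver_disposition": rec.findtext("row/policy_evaluated/disposition"),
        })
    return policy, rows


def dmarc_pass(row, adkim, aspf):
    """A message passes DMARC when any passing DKIM signature or the passing SPF
    identifier aligns with the From: domain."""
    dkim_ok = any(aligned(row["header_from"], d, adkim) for d in row["dkim_pass"])
    spf_ok = any(aligned(row["header_from"], d, aspf) for d in row["spf_pass"])
    return dkim_ok or spf_ok


def summarize(xml_bytes, adkim=None, aspf=None):
    """Totals under the published alignment modes, or under overrides for a
    what-if ('would relaxed alignment fix this source?')."""
    policy, rows = parse_report(xml_bytes)
    adkim, aspf = adkim or policy["adkim"], aspf or policy["aspf"]
    passed = failed = 0
    failing = []
    for r in rows:
        r["dmarc_pass"] = dmarc_pass(r, adkim, aspf)
        if r["dmarc_pass"]:
            passed += r["count"]
        else:
            failed += r["count"]
            failing.append((r["source_ip"], r["count"]))
    return {"policy": policy, "rows": rows, "passed": passed, "failed": failed,
            "failing_sources": failing}


if __name__ == "__main__":
    for modes in ((None, None), ("r", "r")):
        s = summarize(SAMPLE_REPORT, *modes)
        print(f"adkim/aspf={modes}: {s['passed']} pass, {s['failed']} fail, "
              f"failing={s['failing_sources']}")
```

Under the published strict alignment the marketing tool's 40 messages fail alongside the spoofer's 300; rerun with relaxed modes and only the spoofer remains, which is exactly the signal that tells you whether to switch to adkim=r/aspf=r or to fix the tool's envelope and signing domain.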

Step 5: Move to quarantine, then reject

Once reports show 95%+ of legitimate mail passing aligned DKIM or SPF, tighten the policy.

  1. p=quarantine; pct=10 — quarantine 10% of failing mail. The other 90% falls back to the next-lower policy, none, so nothing is lost yet.
  2. Watch reports for a week. No surprises? Increase pct to 25, 50, 100.
  3. p=quarantine; pct=100 for another 1–2 weeks.
  4. p=reject; pct=100 — full enforcement. If you ramp reject with pct as well, the unsampled share is quarantined rather than delivered.

For a small domain with few senders, this can take 4–6 weeks. For a large org with marketing tools and acquired brands, plan on 3–6 months.

Step 6: Don't forget the parked and subdomain cases

Attackers love domains you forgot about.

  • Non-sending domains: Publish a null SPF and a rejecting DMARC: v=spf1 -all and v=DMARC1; p=reject;. If the domain receives no mail either, add a null MX (a single MX of "." with preference 0, RFC 7505) so nothing tries to deliver to it.
  • Subdomains: A subdomain without its own _dmarc record inherits the organizational domain's record, and receivers apply sp= to it if present, p= otherwise. Set sp=reject explicitly so unused subdomains are locked down while the apex is still at p=none or p=quarantine; a subdomain that does send mail only needs its own DMARC record if it needs a different policy.
  • BIMI: Once you're at p=reject, or p=quarantine with pct=100, you can publish a BIMI record to show your logo in Gmail and Apple Mail; both also require a Verified Mark Certificate (VMC) for the logo.
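As an added example covering steps 5 and 6 (not WebSentry's code), this parses a DMARC record and works out the disposition a receiver applies to a failing message: p= for the apex, sp= for a subdomain without its own record, and pct sampling, where mail outside the sampled share gets the next-lower policy rather than being delivered unconditionally. Domain names are placeholders.

```python
"""Parse a DMARC record and work out what a receiver does with a failing
message at each rollout step: p= vs sp=, and pct sampling with its fallback
to the next-lower policy (RFC 7489 section 6.6.4).

Added example, not WebSentry's own code. Domain names are placeholders.
"""
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; ...' into a tag dict and validate the tags
    RFC 7489 makes mandatory or bounds (v first, p, sp, pct)."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if tags.get("sp", tags["p"]) not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags["pct"] = pct
    return tags


def is_valid_dmarc(txt):
    """True if parse_dmarc() accepts the record."""
    try:
        parse_dmarc(txt)
        return True
    except (ValueError, KeyError):
        return False


def policy_for(tags, header_from, org_domain):
    """sp= governs subdomains that have no _dmarc record of their own;
    otherwise p= applies. org_domain is the domain the record was found at."""
    hf = header_from.lower().rstrip(".")
    is_subdomain = hf != org_domain and hf.endswith("." + org_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


def disposition(policy, pct, roll):
    """roll is the receiver's random sample in [0, 1). Messages outside the
    pct share get the next-lower policy, not 'none'."""
    if roll * 100 < pct:
        return policy
    return POLICIES[max(POLICIES.index(policy) - 1, 0)]


def simulate(record, header_from, org_domain, roll):
    """Disposition a receiver applies to a failing message from header_from."""
    tags = parse_dmarc(record)
    return disposition(policy_for(tags, header_from, org_domain), tags["pct"], roll)


if __name__ == "__main__":
    ORG = "yourdomain.example"
    steps = [
        "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@yourdomain.example",
        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.example",
        "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@yourdomain.example",
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.example",
    ]
    for rec in steps:
        for hf in (ORG, "old.yourdomain.example"):
            # two sample rolls: one inside the pct share, one outside it
            print(f"{rec.split(';')[1].strip():<14} From {hf:<24}",
                  [simulate(rec, hf, ORG, r) for r in (0.05, 0.9)])
```

Two things the simulation makes visible that the rollout table does not: with p=none and sp=reject, a forgotten subdomain is already rejected while the apex is only monitored, and p=reject; pct=25 quarantines the other 75% rather than delivering it.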

Common failure patterns to check

  • Two SPF records on the same host (often left behind from a migration).
  • SPF over 10 lookups — remove unused includes first, then flatten the rest with a service like EasyDMARC. A hand-flattened record goes stale the next time a provider changes its IP ranges, so only flatten with something that re-flattens automatically.
  • DKIM published in DNS but not enabled in the sending provider's dashboard, so mail still goes out unsigned.
  • DMARC pointing to an rua mailbox no one monitors.
  • Alignment failures because marketing tools send from mail.yourdomain.com while From is yourdomain.com — SPF aligns on the envelope (Return-Path) domain and DKIM on the d= tag, so either use relaxed alignment or configure the tool to use your domain as the envelope sender and to sign with a selector under yourdomain.com.

Verify your setup end-to-end

After publishing, send a test message from each sending service (not just your primary mailbox) to a Gmail account and open Show original. You want to see SPF: PASS, DKIM: PASS, and DMARC: PASS — all three, with the SPF and DKIM results shown against your own domain rather than the provider's. Anything less means something is misaligned.

For ongoing monitoring beyond DMARC reports, WebSentry scans your domain's DNS and email auth records as part of its overall security grade, flagging missing DMARC, weak SPF policies (~all or +all), and orphaned records that drift over time. It's easy to ship clean records on day one and forget that a new marketing tool quietly broke alignment six months later.

Run a free scan at websentry.dev to see how your SPF, DKIM, and DMARC stack up alongside your SSL, headers, and CSP — and catch the misconfigurations before a phisher does.
