Master Email Security: Set Up SPF, DKIM & DMARC for Your Domain

Setting Up SPF, DKIM, and DMARC Records for Your Domain

Email authentication is essential to ensure that your outgoing messages are trusted by receiving mail servers. Configuring SPF, DKIM, and DMARC records in your domain’s DNS improves deliverability, prevents spoofing, and protects your brand reputation. This guide walks you through the process of setting up each record type for common email providers like Google Workspace and Microsoft 365.

Why SPF, DKIM, and DMARC Matter

These three protocols work together to verify that emails sent from your domain are legitimate:

  • SPF (Sender Policy Framework) – Lists the servers allowed to send email on behalf of your domain.
  • DKIM (DomainKeys Identified Mail) – Uses a cryptographic signature to confirm message integrity and authenticity.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) – Instructs receiving servers how to handle messages that fail SPF and/or DKIM checks.

Correctly implementing all three reduces the chance of your emails being marked as spam or rejected.

Step 1: Configuring SPF Records

SPF records are added to your DNS as TXT records. They specify which mail servers are authorized to send email for your domain.

SPF for Google Workspace

  1. Log in to your DNS management console.
  2. Add a new TXT record with the following details:
    • Type: TXT
    • Host: @
    • Value: v=spf1 include:_spf.google.com ~all
    • TTL: Automatic or 3600

SPF for Microsoft 365

  1. Log in to your DNS management console.
  2. Add a new TXT record:
    • Type: TXT
    • Host: @
    • Value: v=spf1 include:spf.protection.outlook.com -all
    • TTL: Automatic or 3600

Tip: If you use multiple email providers, your SPF record must include all authorized sending hosts.
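The tip above is easy to get wrong in practice: two providers are often published as two separate SPF TXT records, which receivers treat as a permanent error. The script below, added here as an example (it is not code from this guide, from Google or from Microsoft), builds one combined record from a list of include hosts and checks the TXT strings published at the apex for the usual mistakes. The two include hosts are the ones used in the records above; every other value is a constructed sample, and `check_spf` takes the TXT strings as a list so it runs offline.

```python
"""SPF record builder and checker.

Added example for this guide, not code from the guide, Google or Microsoft.
The two include hosts are the ones the guide's records use; all other
values are constructed sample input.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup while a receiver evaluates
# the record. RFC 7208 caps these at 10 per evaluation (nested includes
# count too, which this top-level count cannot see).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_QUALIFIERS = ("-all", "~all", "?all")


def build_spf(includes, policy="~all"):
    """Join several providers' include hosts into ONE record: duplicates
    dropped, order kept, a single 'all' term at the end.

    policy is the trailing qualifier: '~all' (softfail, as in the Google
    record above) or '-all' (fail, as in the Microsoft record above).
    """
    if policy not in ALL_QUALIFIERS:
        raise ValueError(f"unsupported all qualifier: {policy!r}")
    hosts = []
    for host in includes:
        if host not in hosts:
            hosts.append(host)
    return " ".join(["v=spf1", *(f"include:{h}" for h in hosts), policy])


def check_spf(txt_records):
    """Check every TXT string published at the domain apex.

    txt_records is the list a DNS lookup would return; here it is passed in
    directly so the check runs offline. Returns a list of problems (an
    empty list means the record passed these checks).
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record found"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records found; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    lookups = 0
    has_all = has_redirect = False
    for i, term in enumerate(terms):
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            has_all = True
            if qualifier == "+":
                problems.append("'+all' authorizes every host on the internet")
            if i != len(terms) - 1:
                problems.append("'all' is not the last term; terms after it are never reached")
        elif name in LOOKUP_TERMS:
            lookups += 1
            has_redirect = has_redirect or name == "redirect"
    if not has_all and not has_redirect:
        problems.append("no 'all' term: unlisted hosts get a neutral result instead of a fail")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms at the top level; the limit is 10")
    return problems


if __name__ == "__main__":
    # One record covering both providers from this guide.
    print(build_spf(["_spf.google.com", "spf.protection.outlook.com"], "-all"))
    # Constructed apex TXT set with two separate SPF records: the mistake
    # the tip above warns about.
    print(check_spf(["v=spf1 include:_spf.google.com ~all",
                     "v=spf1 include:spf.protection.outlook.com -all"]))
```

The lookup count only sees the top level of your own record; `_spf.google.com` itself includes further records, so a record that combines several providers can exceed the limit even when this count stays under 10.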

Step 2: Setting Up DKIM

DKIM adds a digital signature to outgoing emails, allowing recipients to verify that messages were not altered and came from your domain.

DKIM for Google Workspace

For the official documentation, please refer to the Google Help Section.

  1. Sign in to the Google Admin Console as an administrator.
  2. Navigate to Apps > Google Workspace > Gmail > Authenticate Email.
  3. Generate a DKIM key. Google will provide a DNS TXT record with a selector (e.g., google._domainkey).
  4. Add the provided TXT record to your domain’s DNS.
  5. Return to the Admin Console and click Start Authentication.

Navigate to this link and sign in to your admin account. You will be greeted by the dashboard. Select Apps.

Then select Google Workspace.

Then select Gmail.

Then select Authenticate Email.

This will bring you to a page where you can generate a record to enter into your DNS settings to activate DKIM.

Once you have entered this information into your domain’s DNS settings, click on Start Authentication. DNS changes may take time to propagate before DKIM becomes active.

DKIM for Microsoft 365

For the official documentation, please refer to Microsoft’s Documentation.

To enable DKIM under your Microsoft account, you will need to sign in to the Microsoft 365 admin center with your Admin account. Please note that you will also need access to your domain’s DNS settings in order to perform this. To get started:

  1. Before enabling DKIM, publish two CNAME records in your DNS:
    • Record 1:
      • Type: CNAME
      • Host: selector1._domainkey
      • Points to: selector1-<domainGUID>._domainkey.<initialDomain>
      • TTL: 3600
    • Record 2:
      • Type: CNAME
      • Host: selector2._domainkey
      • Points to: selector2-<domainGUID>._domainkey.<initialDomain>
      • TTL: 3600
  2. Sign in to the Microsoft 365 Admin Center.

Once you have navigated to the Microsoft admin center, click on the three-dash icon to open up the side navigation bar. From here, click on the Show All button.

From here, click on “Exchange”.

This will bring up the Exchange Admin Center in a new tab. From here, click on the Protection setting.

Then select the DKIM section of this page.

Select your domain and click Enable.
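Step 2 says DKIM lets recipients verify that a message was not altered. The part of that check which needs no key material is the body hash: the receiver canonicalizes the body it received, hashes it, and compares the result with the bh= tag in the DKIM-Signature header. The script below is an added example (not code from this guide, from Google or from Microsoft) that implements the body canonicalization and bh= computation from RFC 6376; the RSA signature over the headers, which is what ties the message to the public key you published in DNS, needs the selector's key and is not shown. The message bodies and the DKIM-Signature header are constructed samples; `d=example.com` is an assumed domain and `s=google` reuses the selector name mentioned above.

```python
"""DKIM body-hash check: what a receiver recomputes to confirm the body
was not altered in transit.

Added example for Step 2 of this guide, not code from the guide, Google or
Microsoft. Implements body canonicalization and bh= from RFC 6376; the RSA
signature over the headers is out of scope. All bodies and the sample
header below are constructed.
"""
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """Return the canonical body bytes for DKIM's 'simple' or 'relaxed' mode.

    relaxed: trailing whitespace on each line removed, runs of spaces/tabs
             collapsed to one space, trailing empty lines dropped.
    simple:  only trailing empty lines dropped.
    A non-empty body always ends with exactly one CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization: {mode!r}")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="relaxed"):
    """The bh= tag value: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict,
    dropping the folding whitespace that long b=/bh= values carry."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value, body):
    """True when the bh= in the signature header matches the body as received.

    The c= tag names header/body canonicalization, e.g. 'relaxed/relaxed';
    the body half defaults to 'simple' when absent.
    """
    tags = dkim_tags(header_value)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags["bh"] == body_hash(body, body_mode)


if __name__ == "__main__":
    original = "Hi,\r\n\r\nThe invoice is attached.\r\n\r\n"
    # Constructed header with only the tags this check needs; bh= is
    # computed here the way the signing server would compute it.
    header = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
              f"s=google; bh={body_hash(original)}; b=")
    print("original :", body_hash_matches(header, original))
    print("reflowed :", body_hash_matches(header, "Hi,\r\n\r\nThe invoice  is attached. \r\n"))
    print("tampered :", body_hash_matches(header, "Hi,\r\n\r\nThe invoice is attached to the new account.\r\n"))
```

Relaxed canonicalization is why whitespace reflowing by an intermediate server does not break the signature while any change to the words does; if a provider reports DKIM failures on mail that was not tampered with, a mismatch between the c= mode and how the body was modified in transit is the first thing to look at.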

Step 3: Implementing DMARC

DMARC builds on SPF and DKIM to provide policy enforcement and reporting. It tells receiving mail servers what to do with messages that fail authentication checks.

Important: Ensure SPF and DKIM are fully functional for at least 48 hours before adding a DMARC record.

DMARC for Google Workspace

For the official documentation on DMARC, please refer to Google’s Help Center Page on the subject.

  1. Log in to your DNS management console.
  2. Add a TXT record:
    • Type: TXT
    • Host: _dmarc
    • Value: v=DMARC1; p=none
    • TTL: 3600

DMARC for Microsoft 365

For the official documentation on DMARC, please refer to Microsoft’s Help Center Page on the subject.

  1. Log in to your DNS management console.
  2. Add a TXT record:
    • Type: TXT
    • Host: _dmarc
    • Value: v=DMARC1; p=none
    • TTL: 3600

Start with p=none to monitor without affecting delivery. Later, you can change to p=quarantine or p=reject to enforce stricter policies.
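To see what p=none, p=quarantine and p=reject actually change, the script below, added here as an example (not code from this guide, from Google or from Microsoft), parses a DMARC record and applies the RFC 7489 logic to a message: DMARC passes when either an SPF or a DKIM result passed for a domain aligned with the From: domain, and only on failure does the p= policy decide the disposition. The record strings start from the guide's `v=DMARC1; p=none`; the rua= address, `example.com` and every message are constructed. One point the record above leaves implicit: receivers only send aggregate reports to an address listed in rua=, so a bare `v=DMARC1; p=none` gives you nothing to review.

```python
"""DMARC record parser and disposition logic.

Added example for Step 3 of this guide, not code from the guide, Google or
Microsoft. Records start from the guide's p=none record; the rua= address,
example.com and every message are constructed.
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict of tags with the
    RFC 7489 defaults filled in (relaxed alignment, sp=p, pct=100)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def report_addresses(record):
    """Where aggregate reports go. An empty list means no reports at all,
    so p=none without rua= monitors nothing you can read."""
    return [u.strip() for u in record.get("rua", "").split(",") if u.strip()]


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Assumption for the example: real receivers use the Public Suffix List,
    which this shortcut gets wrong for names like example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain, so bounce.example.com aligns with
    example.com."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply a parsed DMARC record to one message.

    spf_domain is the domain SPF checked (MAIL FROM); dkim_domain is the d=
    of a verified signature (None if none verified). Returns
    (dmarc_pass, disposition); disposition is what the receiver should do:
    'none' (deliver), 'quarantine' or 'reject'. pct= sampling is treated
    as 100 here.
    """
    spf_ok = spf_result == "pass" and spf_domain is not None \
        and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and dkim_domain is not None \
        and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # sp= applies to mail From: a subdomain of the organizational domain.
    policy = record["p"] if org_domain(from_domain) == from_domain.lower() else record["sp"]
    return False, policy


if __name__ == "__main__":
    monitor = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com")
    enforce = parse_dmarc("v=DMARC1; p=reject; aspf=s; adkim=s")
    print("reports to:", report_addresses(monitor))
    # Constructed message: From example.com, SPF passed for the bounce
    # subdomain, DKIM verified with d=example.com.
    print(evaluate(monitor, "example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Constructed message: From example.com, but SPF passed only for an
    # unrelated domain and no DKIM signature verified. DMARC fails and the
    # policy decides what happens: delivered under p=none, rejected under p=reject.
    print(evaluate(monitor, "example.com", "pass", "other-sender.net", "none", None))
    print(evaluate(enforce, "example.com", "pass", "other-sender.net", "none", None))
```

The second and third constructed messages are the same failing message under the two policies, which is the whole point of the staged rollout: under p=none it is still delivered and only shows up in the reports, so the reports are where you find legitimate senders you forgot to authorize before switching to p=quarantine or p=reject.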

Best Practices for DNS Record Management

  • Document all DNS changes and keep backups of original records.
  • Use a consistent TTL (e.g., 3600 seconds) for easier management.
  • Test your SPF, DKIM, and DMARC settings using email testing tools.
  • Review DMARC reports regularly to detect unauthorized sending sources.
  • Avoid multiple SPF records; combine all mechanisms into one.

FAQ

1. Can I set up DMARC without SPF or DKIM?

No. DMARC relies on SPF and/or DKIM to authenticate messages. You must configure at least one of these before implementing DMARC.

2. How long does it take for DNS changes to take effect?

Most DNS changes propagate within a few minutes to a few hours, but it can take up to 48 hours depending on TTL settings and network caching.

3. What does “p=none” mean in a DMARC record?

It tells receiving servers to take no action on failed messages but to send reports. This is useful for monitoring before enforcing stricter rules.

4. Can I use multiple SPF records for one domain?

No. Multiple SPF records can cause