Email authentication helps protect your domain from spoofing and phishing attacks while improving email deliverability. This guide covers setting up three essential DNS records: SPF, DKIM, and DMARC.
SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. It's a DNS TXT record that lists approved IP addresses and mail servers.
How it works: When a mail server receives a message, it looks up the SPF record of the domain in the envelope sender (the SMTP MAIL FROM / Return-Path address, which is not necessarily the From header the user sees) and checks whether the connecting IP address is authorized by that record. Because the check is tied to the connecting IP, SPF breaks on plain forwarding, which is one reason it is paired with DKIM.
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails using a public/private key pair. The signature is verified against a public key published in your DNS.
How it works: Your mail server signs selected headers and the message body with the private key and adds a DKIM-Signature header that names the signing domain (d=) and a selector (s=). Recipients fetch selector._domainkey.<domain> from DNS and verify the signature with the public key found there. Because the signature travels with the message, it normally survives forwarding, unlike SPF.
DMARC builds on SPF and DKIM in two ways: it requires that the domain which passed SPF or DKIM is aligned with the domain in the visible From header (which is what actually stops From-header spoofing), and it tells receiving servers what to do with messages that fail, while providing reporting on authentication results.
How it works: A message passes DMARC if either SPF or DKIM passes and the passing domain aligns with the From header domain. For messages that fail, the published policy instructs recipients to reject, quarantine, or take no action (p=none), and receivers send aggregate reports (and optionally failure reports) back to the addresses you publish in the record.
First, identify all services that send email for your domain: your hosting provider, Google Workspace or Microsoft 365, and any marketing or transactional platforms such as Mailchimp, SendGrid or Salesforce. Every legitimate sender must be covered by SPF and, ideally, sign with DKIM; anything you miss will start failing once you move DMARC to an enforcing policy.
SPF records are TXT records whose value starts with v=spf1. A domain must publish only one SPF record; if you use several sending services, combine them into a single record (publishing two v=spf1 records makes receivers return a permanent error).
Basic SPF record structure:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
Common SPF mechanisms:
include:domain.com - Include another domain's SPF record (matches only if that record evaluates to "pass")
ip4:192.168.1.1 - Authorize a specific IPv4 address (or a CIDR range such as ip4:192.0.2.0/24)
ip6:2001:db8::1 - Authorize a specific IPv6 address (or range)
a - Authorize the IP(s) in the domain's A record
mx - Authorize the IPs of the domain's MX hosts
-all - Fail all other sources (recommended)
~all - Soft fail other sources (less strict)
Keep the 10-DNS-lookup limit in mind: every include, a, mx, ptr, exists and redirect term costs one lookup (ip4 and ip6 terms cost nothing), and a record that exceeds the limit returns permerror, which many receivers treat as a failure. Nested includes from several providers add up quickly.
Example SPF records:
# Basic hosting provider only
v=spf1 include:mail.yourhost.com -all
# Google Workspace + Mailchimp
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
# Multiple services
v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.salesforce.com -all
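The following is an added example (not code from the original guide) of how a receiving server walks an SPF record: it evaluates the mechanisms in order, recurses into include: terms, and counts the DNS-querying terms against the 10-lookup limit. The zone data (TXT, MX and A entries under example.com, _spf.mailhost.example and loop.example) is constructed inline so the script runs offline; the names and address blocks are invented and are not any provider's real SPF data.

```python
import ipaddress

# Constructed zone data standing in for live DNS so the example runs offline. Names and
# address blocks are invented (documentation ranges), not any provider's real SPF data.
TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 mx -all",
    "_spf.mailhost.example": "v=spf1 include:_netblocks.mailhost.example ~all",
    "_netblocks.mailhost.example": "v=spf1 ip4:198.51.100.128/25 ip6:2001:db8:1::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-reference: burns the lookup budget
}
MX = {"example.com": ["mail.example.com"]}
A = {"mail.example.com": ["192.0.2.25"], "example.com": ["192.0.2.10"]}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


class LookupLimitExceeded(Exception):
    pass


def _spend(budget):
    budget[0] -= 1
    if budget[0] < 0:
        raise LookupLimitExceeded


def _evaluate(addr, domain, budget):
    record = TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # membership is False across address families, so ip6 terms never match an IPv4 sender
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            _spend(budget)
            # include matches only if the referenced record itself evaluates to "pass"
            matched = _evaluate(addr, arg, budget) == "pass"
        elif name == "a":
            _spend(budget)
            matched = any(addr == ipaddress.ip_address(x) for x in A.get(arg or domain, []))
        elif name == "mx":
            _spend(budget)
            hosts = MX.get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(x) for h in hosts for x in A.get(h, []))
        else:
            raise ValueError(f"unsupported SPF term: {term}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term: the default result


def check_spf(sender_ip, domain):
    """Return (result, dns_lookups_used); result is pass/fail/softfail/neutral/none/permerror."""
    addr = ipaddress.ip_address(sender_ip)
    budget = [LOOKUP_LIMIT]
    try:
        result = _evaluate(addr, domain, budget)
    except LookupLimitExceeded:
        result = "permerror"
    return result, LOOKUP_LIMIT - budget[0]


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.200", "192.0.2.25", "2001:db8:1::5", "192.0.2.99"):
        print(ip, check_spf(ip, "example.com"))
    print("loop.example", check_spf("192.0.2.1", "loop.example"))
```

Two things worth noticing when you run it: an include only counts as a match when the included record returns "pass" (a ~all inside a provider's record does not soft-fail your mail, it just falls through to your own terms), and the self-referencing loop.example record ends in permerror after the eleventh lookup, which is how an over-long chain of includes looks to a receiver.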
Record name: @ (or your bare domain name, depending on your DNS provider)
You'll need to generate a DKIM key pair. Most email services provide this automatically, but you can also generate one manually.
Free DKIM key generators (each generates the key pair for you and shows the DNS record to publish in its admin console):
Google Workspace
Microsoft 365
Mailchimp
If generating manually, the key pair gives you two parts:
Private key: keep this secure on your mail server; it must never be published
Public key: publish this in DNS as a TXT record
DKIM DNS record format:
Name: selector._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
The key above is truncated and shown only for the format. Use an RSA key of at least 2048 bits; the MIGf... prefix is what a 1024-bit key looks like, which is no longer considered strong. A 2048-bit key exceeds the 255-character limit of a single TXT string, so the value has to be split into several quoted strings; many DNS providers do this automatically, but check yours. To rotate keys, publish the new key under a new selector, switch signing to it, and only then remove the old record.
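As an added example (not code from the original guide), the script below shows the DKIM machinery a receiver applies before it ever touches the public key: parsing the tag=value syntax shared by the DNS record and the DKIM-Signature header, sanity-checking a selector._domainkey record (an empty p= means the key is revoked), and recomputing the body hash (bh=) under relaxed canonicalization so that a tampered body is caught. The RSA check of the b= signature over the canonicalized headers needs a crypto library and is deliberately left out. The message body, selector name mail2024 and signing domain example.com are constructed for the example.

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse an RFC 6376 tag=value list; the same syntax is used by the DNS key record
    and by the DKIM-Signature header. Folding whitespace inside a value is not significant."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_key_record(txt):
    """Sanity-check a selector._domainkey TXT value. Returns 'ok' or a reason string."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional and defaults to DKIM1
        return "unknown version"
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return "unsupported key type"
    if "p" not in tags:
        return "missing p= tag"
    if tags["p"] == "":
        return "revoked"                            # an empty p= means the key was revoked
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "p= is not valid base64"
    return "ok"


def canonicalize_body(body, mode):
    """RFC 6376 body canonicalization: 'simple' (section 3.4.3) or 'relaxed' (section 3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # collapse runs of SP/TAB to one space and drop trailing whitespace on each line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":                # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, algo="sha256", mode="relaxed"):
    digest = hashlib.new(algo, canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_signature, body):
    """Check the bh= tag of a DKIM-Signature header against the actual body.
    This is the first half of verification; the b= signature over the canonicalized
    headers (which needs the RSA public key from DNS) is not checked here."""
    sig = parse_tags(dkim_signature)
    algo = sig.get("a", "rsa-sha256").split("-", 1)[1]      # rsa-sha256 -> sha256
    c = sig.get("c", "simple/simple").split("/")
    body_mode = c[1] if len(c) == 2 else "simple"            # "c=relaxed" alone means relaxed/simple
    return body_hash(body, algo, body_mode) == sig.get("bh")


def make_demo_signature(body):
    """Build the DKIM-Signature a signer would emit for body (b= left blank: no key here)."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


# Constructed sample message body (not from a real mailbox).
BODY = "Hi,\r\n\r\nPlease pay invoice 4471 ($100) to the usual account.\r\n\r\n"
SIGNATURE = make_demo_signature(BODY)
TAMPERED = BODY.replace("$100", "$10,000")

if __name__ == "__main__":
    print("key record:", check_key_record("v=DKIM1; k=rsa; p=ZGVtbw=="))
    print("original body verifies:", verify_body_hash(SIGNATURE, BODY))
    print("tampered body verifies:", verify_body_hash(SIGNATURE, TAMPERED))
```

Relaxed canonicalization is why a signature usually survives mailing lists and gateways that reflow whitespace: "Hi  there " and "Hi there" hash identically, while any change to the actual words does not.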
Record name: selector._domainkey (replace "selector" with your chosen selector name; the same name goes in the s= tag of the DKIM-Signature header so receivers know which key to fetch)
DMARC records are TXT records added to _dmarc.yourdomain.com.
Basic DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
DMARC policy options:
p=none - Monitor only (recommended to start)
p=quarantine - Send failing emails to the spam folder
p=reject - Reject failing emails entirely
Common DMARC tags:
v=DMARC1 - Version (required)
p=policy - Policy for messages that fail alignment (required)
sp=policy - Policy for subdomains (defaults to the value of p)
rua=mailto:email - Send aggregate reports to this address
ruf=mailto:email - Send failure (forensic) reports to this address; many large receivers do not send these
pct=percentage - Percentage of failing messages to apply the policy to; the rest get the next weaker action (quarantine instead of reject, none instead of quarantine)
fo=0|1|d|s - When to generate failure reports (1 = if either SPF or DKIM fails to produce an aligned pass); only has an effect together with ruf
adkim=r|s - DKIM alignment mode (relaxed/strict)
aspf=r|s - SPF alignment mode (relaxed/strict)
Example DMARC records:
# Monitoring phase
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100
# Gradual enforcement
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25
# Full enforcement
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; fo=1
(fo=1 only does something if a ruf= address is also published; without one it can be dropped.)
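The following added example (not code from the original guide) evaluates DMARC the way a receiver does for one message: parse the record, test SPF and DKIM results for alignment with the From header domain under the aspf/adkim modes, pick p or sp depending on whether the From domain is a subdomain of the domain that published the record, and apply pct sampling. The three records mirror the rollout stages above and are constructed for example.com; the organizational-domain helper is a two-label simplification (real receivers consult the Public Suffix List), and the sample argument exists only to make pct sampling deterministic.

```python
import random

# Constructed _dmarc.example.com records for the rollout stages (monitor, gradual, enforce).
RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "gradual": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=25",
    "enforce": "v=DMARC1; p=reject; sp=quarantine; aspf=s; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record):
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']}")
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: last two labels. Real receivers use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed (r) alignment: same organizational domain. Strict (s): exact match."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_evaluate(record, record_domain, from_domain, spf_domain, spf_result,
                   dkim_domain, dkim_result, sample=None):
    """Return (dmarc_result, disposition) for one message.

    record_domain: domain at which the _dmarc record was found (the From domain or its org domain)
    spf_domain:    the envelope-from (Return-Path) domain SPF was evaluated against
    dkim_domain:   the d= tag of a DKIM signature that verified, or None
    sample:        0-99; injected here so pct= sampling can be tested deterministically
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"

    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]                 # sp= applies to subdomains of the record's domain

    pct = int(tags.get("pct", "100"))
    if sample is None:
        sample = random.randrange(100)
    if sample >= pct:                       # not selected: apply the next weaker action (RFC 7489 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    # Legitimate bulk mail: bounces go to bounce.example.com, DKIM signed by example.com.
    print(dmarc_evaluate(RECORDS["enforce"], "example.com", "example.com",
                         "bounce.example.com", "pass", "example.com", "pass", sample=0))
    # Spoofed From: the attacker's own domain passes SPF, but it is not aligned.
    print(dmarc_evaluate(RECORDS["enforce"], "example.com", "example.com",
                         "attacker.example", "pass", None, "none", sample=0))
```

The second scenario is the whole point of alignment: an attacker can always pass SPF for a domain they control, so a receiver that only checked "did SPF pass" would accept the forged From header. Note also how aspf=s in the enforce record makes the bounce.example.com Return-Path fail SPF alignment, leaving DKIM as the only thing keeping that mail out of the reject bucket.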
Record name: _dmarc
Recommended rollout:
p=none policy (monitoring only; review the aggregate reports until every legitimate sender passes)
p=quarantine with pct=25
p=reject once confident in setup
Most hosting providers follow this pattern:
By following this guide and using the recommended free tools, you'll have robust email authentication that protects your domain reputation and improves email deliverability.