
Email Authentication: SPF, DKIM & DMARC Setup Guide

Mike Torres
December 28, 2024

Why Email Authentication Matters

Email authentication protocols prove to receiving mail servers that your emails are legitimately from you and have not been tampered with in transit. Without authentication, anyone can send email claiming to be from your domain — and mailbox providers will treat your real emails with suspicion.

In 2024, Google and Yahoo made authentication mandatory for bulk senders. If you send more than 5,000 emails per day to Gmail users, you must have valid SPF, DKIM, and DMARC records or your emails will be rejected.

Setting Up SPF

SPF (Sender Policy Framework) tells receiving servers which IP addresses and services are authorized to send email from your domain.

To set up SPF, add a TXT record to your domain's DNS:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Replace the include statements with your actual sending services. Common includes:

  • Google Workspace: include:_spf.google.com
  • Brew: include:_spf.brew.new
  • SendGrid: include:sendgrid.net
  • Mailchimp: include:servers.mcsv.net

Remember the 10 DNS lookup limit. Each include: counts as one lookup (as do the a, mx, ptr, exists and redirect mechanisms), and nested includes within those records count too. Use SPF flattening tools if you approach the limit.

Setting Up DKIM

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails. Setup varies by ESP but generally involves:

  1. Generate a DKIM key pair in your ESP dashboard
  2. Add the public key as a TXT record in your DNS (usually at a selector subdomain like s1._domainkey.yourdomain.com)
  3. Verify the record in your ESP

The DNS record looks something like:

s1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

Always use 2048-bit keys. Most ESPs generate these by default, but verify your key length. Plan to rotate keys annually.

Setting Up DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and defines what happens when authentication fails.

Start with a monitoring-only policy:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com"

After monitoring for 2-4 weeks and confirming all legitimate sources pass authentication:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25

Gradually increase the pct value, then move to p=reject for full enforcement.

Testing Your Records

After configuring your records, verify them using these methods:

  • MXToolbox — check SPF, DKIM, and DMARC records for syntax errors
  • Mail Tester — send a test email and get a deliverability score
  • Google Postmaster Tools — monitor authentication rates for Gmail specifically
  • DMARC Analyzer — parse aggregate reports into readable dashboards

Send test emails to Gmail, Outlook, and Yahoo accounts and inspect the headers. Look for spf=pass, dkim=pass, and dmarc=pass in the Authentication-Results header.

Common Mistakes

  • Multiple SPF records — you can only have one SPF TXT record per domain. Multiple records cause a permanent error, so neither record is honored.
  • Exceeding DNS lookup limits — more than 10 lookups in your SPF record chain causes a permanent error
  • Using +all in SPF — this authorizes everyone and defeats the purpose entirely
  • Jumping to p=reject — always start with p=none to monitor first, or you will block legitimate email
  • Forgetting subdomains — DMARC applies to the exact domain. Add records for subdomains that send email too
  • Not monitoring DMARC reports — set up the rua tag and actually read the reports to catch issues early
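To make the SPF rules above concrete, here is an added example (not part of this guide or any tool it mentions) that walks an SPF include chain over a constructed in-memory DNS table, counts the mechanisms that trigger DNS lookups against the 10-lookup limit, and flags the multiple-record and +all mistakes. All domains and records in the DNS table are hypothetical; nothing is resolved over the network.

```python
# Offline SPF checker: counts DNS-lookup mechanisms (include, a, mx, ptr,
# exists, redirect) through the include chain and flags common mistakes.
# The DNS table below is constructed sample data, not real records.

MAX_LOOKUPS = 10

DNS = {  # hypothetical domain -> list of TXT strings
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "two-records.example": ["v=spf1 -all", "v=spf1 include:sendgrid.net -all"],
    "open.example": ["v=spf1 +all"],
    "deep.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}

def spf_records(domain):
    """All TXT strings at domain that start with 'v=spf1'."""
    return [t for t in DNS.get(domain, []) if t.lower().startswith("v=spf1")]

def count_lookups(domain, seen=None):
    """Number of DNS lookups the SPF chain at domain triggers (RFC 7208 counting).
    include:/redirect= targets are followed recursively; loops are counted once."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    records = spf_records(domain)
    if len(records) != 1:          # missing or duplicate record: nothing to walk
        return 0
    total = 0
    for term in records[0].split()[1:]:
        t = term.lstrip("+-~?").lower()          # drop the qualifier
        name = t.split(":", 1)[0].split("/", 1)[0]
        if t.startswith("include:") or t.startswith("redirect="):
            total += 1 + count_lookups(t.split(":", 1)[-1].split("=", 1)[-1], seen)
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def check_spf(domain):
    """List of problems with the domain's SPF setup; empty list means OK."""
    records = spf_records(domain)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records (permerror)"]
    problems = []
    terms = [t.lower() for t in records[0].split()[1:]]
    if "+all" in terms or "all" in terms:    # bare 'all' defaults to '+'
        problems.append("+all authorizes every sender")
    n = count_lookups(domain)
    if n > MAX_LOOKUPS:
        problems.append(f"{n} DNS lookups exceeds limit of {MAX_LOOKUPS}")
    return problems
```

Swap the DNS dictionary for a real TXT lookup (for example via dnspython) to run it against your own domain.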