The complete SPF, DKIM, and DMARC setup guide (2025 edition)

deliverability_danDeliverability Expert

1y ago

With Google and Yahoo enforcing stricter sender requirements in 2024-2025, proper email authentication is no longer optional. Here is the definitive setup guide.

SPF (Sender Policy Framework)

SPF tells receiving servers which IP addresses are authorized to send email from your domain. Add a TXT record to your DNS:

v=spf1 include:_spf.google.com include:spf.brew.new -all

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your emails. Your ESP will provide a CNAME or TXT record to add. This proves the email was not tampered with in transit.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receivers what to do when checks fail. Start with monitoring mode:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

After collecting reports for 2-4 weeks, move to p=quarantine and eventually p=reject.

Common mistakes

Having multiple SPF records (you can only have one)
Using +all instead of -all in SPF
Jumping straight to DMARC p=reject without monitoring
Forgetting to authenticate subdomains

#spf#dkim#dmarc#authentication

195

6 Comments

devops_dave1y ago

One thing to add: when using multiple ESPs, make sure your SPF record includes all of them. We had deliverability issues because our new ESP wasn't in the SPF record.

smtp_steve1y ago

This is the clearest explanation of DMARC progression I have seen. Bookmarked.

gdpr_guruCompliance Specialist1y ago

Great guide. I would also recommend using a DMARC reporting tool like dmarcian or Valimail to parse the XML reports. Reading raw DMARC reports is painful.

api_andreaDeveloper1y ago

Most modern ESPs handle this automatically during setup. Brew walked us through the DNS records and verified everything was correct before we started sending.

platform_pete1y ago

The SPF 10-lookup limit catches so many people. If you use multiple SaaS tools that send email on your behalf, you can hit it quickly. SPF flattening services like dmarcian help.

inbox_irisEmail Consultant1y ago

DKIM key rotation is overlooked. We set calendar reminders to rotate keys every 6 months. It is a 10-minute task that prevents potential issues down the road.