SPF, DKIM & DMARC Explained: How to Set Them Up

Learn how SPF, DKIM, and DMARC work together to protect your domain from spoofing and improve deliverability. Step-by-step setup instructions and common mistakes to avoid.

Email authentication is no longer optional. Gmail, Yahoo, and Microsoft all enforce strict sender verification, and domains without proper SPF, DKIM, and DMARC records face inbox placement failures, rejected messages, and reputational damage. This guide covers what each protocol does, how they interlock, and exactly how to configure them.

What Each Protocol Does

SPF, DKIM, and DMARC address different aspects of email authentication. None of them alone is sufficient. Together, they form a layered defense against domain spoofing and phishing.

SPF: Authorized Sending IPs

The Sender Policy Framework (SPF), defined in RFC 7208, allows a domain owner to publish a DNS TXT record listing the IP addresses and third-party services authorized to send mail on behalf of that domain. When a receiving mail server gets a message, it checks the envelope sender (MAIL FROM) against the SPF record of the sending domain. If the originating IP is not listed, SPF fails.

SPF does not verify the visible "From" header that end users see. It only validates the envelope sender, which is why SPF alone cannot prevent display-name spoofing.

You can validate your SPF record instantly with our free SPF checker.

DKIM: Cryptographic Message Signing

DomainKeys Identified Mail (DKIM), specified in RFC 6376, adds a digital signature to outgoing email headers. The sending server signs designated header fields and the message body using a private key. The corresponding public key is published in DNS under a selector-specific subdomain (e.g., selector1._domainkey.example.com).

Receiving servers retrieve the public key and verify the signature. If the message was altered in transit or the signature does not match, DKIM verification fails.

DKIM proves that the message content has not been tampered with and that it was signed by a key associated with the claimed domain. Use our DKIM verification tool to confirm your signatures are valid.

DMARC: Policy and Reporting

Domain-based Message Authentication, Reporting, and Conformance (DMARC), defined in RFC 7489, ties SPF and DKIM together by introducing two critical concepts: alignment and policy.

DMARC requires that the domain in the visible "From" header aligns with the domain validated by SPF or DKIM (or both). It then tells receiving servers what to do when alignment fails: nothing (none), quarantine the message, or reject it outright.

DMARC also provides a reporting mechanism. Aggregate reports (rua) give you visibility into who is sending mail using your domain. Forensic reports (ruf) provide details on individual authentication failures.

Check your DMARC configuration with the DMARC analyzer.

How SPF, DKIM, and DMARC Work Together

A common misconception is that passing SPF or DKIM alone satisfies DMARC. It does not. DMARC requires alignment: the domain validated by SPF or DKIM must match the domain in the "From" header.

Here is the authentication flow:

  1. The receiving server checks SPF by comparing the sending IP to the SPF record of the envelope sender domain.
  2. The receiving server checks DKIM by verifying the cryptographic signature against the public key in DNS.
  3. The receiving server evaluates DMARC. If either SPF or DKIM passes and the passing domain aligns with the "From" header domain, DMARC passes.
  4. If DMARC fails, the receiving server applies the published DMARC policy (none, quarantine, or reject).

This layered approach means that even if a third-party service breaks SPF alignment (common with forwarding), a valid DKIM signature can still satisfy DMARC.

Step-by-Step Setup

Step 1: Configure SPF

Create a DNS TXT record for your domain. A typical SPF record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all

Key rules:

  • Start with v=spf1.
  • Use include: for third-party senders (Google Workspace, Mailchimp, SendGrid, etc.).
  • Use ip4: or ip6: for your own mail servers.
  • End with -all (hard fail) or ~all (soft fail). Hard fail is recommended for production.
  • Stay under the 10 DNS lookup limit mandated by RFC 7208. Each include, a, mx, and redirect counts as a lookup.

Validate the result with the SPF checker.

Step 2: Configure DKIM

DKIM setup varies by email provider, but the general process is:

  1. Generate a public/private key pair. Most providers (Google Workspace, Microsoft 365, Amazon SES) do this for you.
  2. Publish the public key as a DNS TXT record under selector._domainkey.yourdomain.com.
  3. Enable DKIM signing in your email platform.

A DKIM DNS record looks like this:

selector1._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

If you use multiple sending services, each one needs its own DKIM selector. Verify all selectors using the DKIM verification tool.
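DKIM verification has two halves: the receiver canonicalizes the body, hashes it and compares the result with the bh= tag, then verifies the b= signature over the selected headers against the public key at selector._domainkey. The Python below is an added example, not the article's DKIM verification tool and not code from any provider; it implements only the body-hash half, with "relaxed" body canonicalization from RFC 6376, using the standard library. The message body and the DKIM-Signature value are constructed here, and the bh= in that constructed header is computed from the constructed body. The d= and s= values name selector1._domainkey.example.com, the DNS name from the record shown above.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the article). Note the trailing spaces and
# the extra blank lines: relaxed canonicalization removes both.
BODY = b"Hello,\r\n\r\nYour invoice is attached.   \r\n\r\n\r\n"


def relaxed_body_canonicalize(body: bytes) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4):
    collapse runs of SP/TAB inside a line to one SP, strip trailing SP/TAB,
    drop empty lines at the end of the body, end a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return (b"\r\n".join(lines) + b"\r\n") if lines else b""


def body_hash(body: bytes, algorithm: str = "sha256") -> str:
    """Base64 digest of the canonicalized body: the value a signer writes into bh=."""
    digest = hashlib.new(algorithm, relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2), ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Check only the bh= tag of a DKIM-Signature header value.
    A complete verifier would also fetch <s>._domainkey.<d> from DNS and verify
    the b= signature over the canonicalized headers; that part is not done here."""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    algorithm = tags.get("a", "rsa-sha256").partition("-")[2] or "sha256"
    # c=header/body; when only one algorithm is given the body defaults to "simple"
    if tags.get("c", "simple/simple").partition("/")[2] != "relaxed":
        return False  # only relaxed body canonicalization is implemented here
    return body_hash(body, algorithm) == tags["bh"]


# Constructed DKIM-Signature value; d= and s= point at selector1._domainkey.example.com.
# Its bh= is computed from BODY so the check below is a genuine comparison.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=SIGNATURE-OMITTED"
)


def tampering_demo():
    """Return (original_body_verifies, altered_body_verifies)."""
    altered = BODY.replace(b"attached", b"overdue")
    return verify_body_hash(SAMPLE_SIGNATURE, BODY), verify_body_hash(SAMPLE_SIGNATURE, altered)


if __name__ == "__main__":
    print(tampering_demo())
```

Changing one word of the body makes the bh= comparison fail, which is the "altered in transit" case described above. Trailing whitespace and extra blank lines, the kind of change mailing lists and relays commonly make, do not break it under relaxed canonicalization. The b= check over the headers is what actually binds the message to the domain's key; it needs the public key from DNS and an RSA (or Ed25519) library, and is deliberately left out of this example.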

Step 3: Configure DMARC

Publish a DNS TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100

Start with p=none to monitor without affecting delivery. Review aggregate reports to identify legitimate senders that may not yet be authenticated. Once all legitimate sources pass SPF or DKIM with alignment, escalate to p=quarantine and eventually p=reject.

The DMARC analyzer validates your record syntax and policy.
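The following Python is an added example, not the article's DMARC analyzer and not code from any mail provider. It puts the four-step flow from "How SPF, DKIM, and DMARC Work Together" and the record from Step 3 into one evaluation function: parse the record with its defaults, discover the policy at _dmarc.<From domain> and then at the organizational domain, test relaxed or strict alignment for the SPF and DKIM results, and apply p= or sp= on failure. The DNS zone, the rua= address and the message scenarios are all constructed; organizational-domain derivation is simplified to the last two labels (real receivers use the Public Suffix List), and pct= sampling is not modelled.

```python
# Constructed DMARC zone (not the article's DNS). The rua= address is a placeholder
# under the reserved example.com domain.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-reports@example.com; pct=100",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC tag=value list (RFC 7489 section 6.3) and apply the defaults."""
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: v=DMARC1 and p=none|quarantine|reject are required")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def organizational_domain(domain: str) -> str:
    # Simplification for the example: the last two labels. Real receivers consult
    # the Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def find_dmarc_record(zone: dict, from_domain: str):
    """Policy discovery (RFC 7489 section 6.6.3): _dmarc.<From domain>, then
    _dmarc.<organizational domain>. Returns (record_domain, parsed) or None."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        txt = zone.get(f"_dmarc.{candidate.lower()}")
        if txt:
            return candidate, parse_dmarc(txt)
    return None


def evaluate_dmarc(zone, from_domain, spf_result, spf_domain, dkim_results):
    """spf_result/spf_domain: SPF outcome for the MAIL FROM domain.
    dkim_results: list of (d= domain, result), one per DKIM-Signature."""
    found = find_dmarc_record(zone, from_domain)
    if found is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record published"}
    record_domain, policy = found
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"]) for d, r in dkim_results)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "SPF aligned" if spf_ok else "DKIM aligned"}
    # Failure: sp= applies when the record came from the organizational domain
    # and the From domain is a subdomain of it; otherwise p= applies.
    is_subdomain = from_domain.lower() != record_domain.lower()
    disposition = policy["sp"] if is_subdomain else policy["p"]
    tag = "sp" if is_subdomain else "p"
    return {"dmarc": "fail", "disposition": disposition,
            "reason": f"neither SPF nor DKIM aligned; applying {tag}={disposition}"}


def scenarios() -> dict:
    """Constructed message scenarios evaluated against ZONE."""
    return {
        # forwarded mail: SPF breaks at the forwarder, the DKIM signature survives
        "forwarded": evaluate_dmarc(ZONE, "example.com", "fail", "example.com", [("example.com", "pass")]),
        # third-party sender signing with its own domain and its own MAIL FROM
        "vendor_no_dkim": evaluate_dmarc(ZONE, "example.com", "pass", "bounces.vendor.example",
                                         [("vendor.example", "pass")]),
        # bounce subdomain as MAIL FROM: relaxed SPF alignment still passes
        "bounce_subdomain": evaluate_dmarc(ZONE, "example.com", "pass", "bounce.example.com", []),
        # unauthenticated mail claiming a subdomain with no record of its own: sp= applies
        "unauthorized_subdomain": evaluate_dmarc(ZONE, "billing.example.com", "fail", "unrelated.example", []),
        "no_policy": evaluate_dmarc(ZONE, "other.example", "fail", "other.example", []),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The "vendor_no_dkim" scenario is the third-party case from the text: SPF and DKIM both pass for the vendor's own domain, but neither aligns with the From header, so the message fails DMARC and p=quarantine applies. The "unauthorized_subdomain" scenario shows why sp= matters: billing.example.com has no record of its own, so the organizational record is used and its sp=reject, not p=quarantine, decides the outcome.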

Step 4: Run a Full Diagnostic

After configuring all three records, run a full domain analysis to verify everything works together. Check that:

  • SPF resolves correctly and stays under lookup limits.
  • DKIM signatures verify for all sending sources.
  • DMARC alignment passes for both SPF and DKIM.
  • No conflicting or duplicate records exist.

Common Mistakes

Multiple SPF records. DNS allows only one SPF TXT record per domain. Publishing two causes a PermError, and all SPF checks fail. Merge them into one record.

Exceeding the 10 DNS lookup limit. Every include adds lookups recursively. Flattening SPF records (replacing includes with IP addresses) can help, but requires maintenance when providers change their IPs.
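The checker below is an added example, not the article's SPF Check tool or any provider's code. It applies the Step 1 rules and catches the two mistakes just described: it walks a record and its includes, counts every include, a, mx, ptr, exists and redirect term against the RFC 7208 limit of 10, raises PermError for a missing or duplicate record and for include loops, and warns about a missing or permissive all mechanism. A constructed dictionary of TXT records stands in for live DNS; the include names come from the article's sample record, but their contents and all IP ranges are invented here (RFC 5737 documentation prefixes), not the providers' real records.

```python
import re

LOOKUP_LIMIT = 10                                    # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT zone used instead of live DNS (contents are invented).
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    # mistake 1: two SPF records on one name
    "twice.example": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 include:sendgrid.net -all"],
    # mistake 2: eleven includes, one over the limit
    "bloated.example": ["v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all"],
    "open.example": ["v=spf1 +all"],
}
ZONE.update({f"vendor{i}.example": [f"v=spf1 ip4:203.0.113.{100 + i} -all"] for i in range(11)})


class SpfPermError(Exception):
    """A condition that makes receivers return PermError (RFC 7208 section 2.6.7)."""


def spf_records(zone: dict, domain: str) -> list:
    """All TXT records at `domain` that are SPF records (the version tag is case-insensitive)."""
    return [txt for txt in zone.get(domain.lower(), []) if re.match(r"v=spf1(\s|$)", txt, re.I)]


def analyze_spf(zone: dict, domain: str) -> dict:
    """Evaluate `domain`'s SPF record against `zone` and return a report dict."""
    report = {"domain": domain, "lookups": 0, "all": None, "warnings": [], "error": None}
    try:
        _walk(zone, domain, report, path=())
    except SpfPermError as exc:
        report["error"] = f"PermError: {exc}"
        return report
    if report["all"] is None:
        report["warnings"].append("no terminal 'all' mechanism; unlisted senders get Neutral")
    elif report["all"] in ("+all", "?all"):
        report["warnings"].append(f"{report['all']} authorizes any sender; use -all or ~all")
    return report


def _count(report: dict) -> None:
    report["lookups"] += 1
    if report["lookups"] > LOOKUP_LIMIT:
        raise SpfPermError(f"more than {LOOKUP_LIMIT} DNS lookups")


def _walk(zone: dict, domain: str, report: dict, path: tuple) -> None:
    records = spf_records(zone, domain)
    if not records:
        raise SpfPermError(f"no SPF record at {domain}")
    if len(records) > 1:
        raise SpfPermError(f"{len(records)} SPF records at {domain}; DNS must hold exactly one")
    if domain.lower() in path:
        raise SpfPermError(f"include/redirect loop through {domain}")
    path = path + (domain.lower(),)
    for term in records[0].split()[1:]:            # skip the v=spf1 version tag
        if term.lower().startswith("redirect="):
            _count(report)
            _walk(zone, term.partition("=")[2], report, path)
            continue
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name = re.split(r"[:/=]", mech, maxsplit=1)[0].lower()
        if name == "all":
            if not path[1:]:                        # only the top-level record's all matters
                report["all"] = qualifier + "all"
        elif name in LOOKUP_MECHANISMS:
            _count(report)
            if name == "ptr":
                report["warnings"].append("ptr is deprecated by RFC 7208; replace it")
            if name == "include":
                _walk(zone, mech.partition(":")[2], report, path)


if __name__ == "__main__":
    for name in ("example.com", "twice.example", "bloated.example", "open.example"):
        print(analyze_spf(ZONE, name))
```

Against this zone, example.com costs four lookups (two includes at the top level, two more inside _spf.google.com), twice.example fails before any mechanism is evaluated because two records exist, and bloated.example fails on its eleventh include. Note that an `all` inside an included record does not terminate the outer record; only the top-level `-all` or `~all` decides what happens to unlisted senders, which is why the report records it separately.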

Forgetting DKIM for third-party senders. If you add a new email service (marketing platform, transactional sender, CRM) and do not configure DKIM for it, those messages will fail DMARC alignment once you move to an enforcing policy.

Jumping straight to p=reject. Without monitoring, you risk blocking legitimate email. Always start with p=none, analyze reports, fix authentication gaps, then escalate.

Ignoring subdomains. DMARC policies do not automatically apply to subdomains unless you set sp=reject (or the desired subdomain policy) in your organizational domain's DMARC record. Attackers can spoof sub.yourdomain.com if you overlook this.

Provider-Specific Notes

Gmail and Yahoo (as of February 2024) require bulk senders to have valid SPF, DKIM, and a DMARC policy of at least p=none. Senders who fail these requirements see messages rejected or sent to spam.

Microsoft Outlook/365 uses its own composite authentication result in addition to DMARC, but still respects published DMARC policies. Configuring all three protocols correctly ensures consistent treatment across all major providers.

Testing with InboxTooling

Use the following tools to validate each layer of your authentication stack:

  • SPF Check -- Parses your SPF record, counts DNS lookups, and flags syntax errors.
  • DKIM Verify -- Retrieves and validates DKIM public keys for any selector.
  • DMARC Analyze -- Checks your DMARC record for correct syntax, policy, and reporting configuration.
  • Full Report -- Runs all checks in one pass and produces a unified authentication report.

All tools are free to use with no account required.

FAQ

Do I need all three — SPF, DKIM, and DMARC?

Yes. SPF validates the sending server, DKIM validates the message integrity, and DMARC ties them together with a policy that tells receiving servers what to do when checks fail. Without all three, you leave gaps that attackers can exploit for spoofing and phishing. Major providers like Gmail and Yahoo now require all three for bulk senders.

Which should I set up first — SPF, DKIM, or DMARC?

Start with SPF because it is the simplest to publish — a single DNS TXT record listing your authorized senders. Next, configure DKIM for each sending service, which requires coordination with your email provider. Finally, add DMARC with p=none to begin monitoring alignment results before enforcing a policy. Use the Full Report tool after each step to verify your configuration.

What are the minimum email authentication requirements for Gmail and Yahoo in 2024?

Since February 2024, Gmail and Yahoo require all bulk senders (5,000+ messages per day) to have a valid SPF record, DKIM signing for all messages, and a published DMARC record with at least p=none. Senders must also include a one-click unsubscribe header and keep spam complaint rates below 0.3%. Failing these requirements results in messages being rejected or routed to spam.

What happens if SPF or DKIM fails but I have DMARC?

DMARC requires that at least one of SPF or DKIM passes with domain alignment. If SPF fails but DKIM passes and aligns with the From domain, the message still passes DMARC — and vice versa. However, if both fail, DMARC applies the policy you have set: p=none takes no action, p=quarantine sends the message to spam, and p=reject blocks it entirely. Check your current setup with the DMARC Analyze tool.

How do SPF, DKIM, and DMARC work together?

SPF checks that the sending server's IP is authorized by the domain's DNS record. DKIM checks that the message has a valid cryptographic signature matching a public key in DNS. DMARC then verifies that at least one of these checks passes with alignment — meaning the domain checked by SPF or DKIM matches the domain in the visible From header. This layered approach ensures that only authenticated, properly aligned messages pass, while spoofed messages are caught and handled according to the domain owner's policy.

Can I use DMARC without SPF or DKIM?

Technically you can publish a DMARC record without SPF or DKIM, but it will have no practical effect. DMARC evaluates SPF and DKIM alignment results, so if neither protocol is configured, every message will fail DMARC. At minimum, you need one of SPF or DKIM in place with proper alignment before DMARC adds value. For full protection, configure both SPF and DKIM before deploying DMARC, and validate everything with the SPF Check and DKIM Verify tools.


Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.
