
How to Set Up SPF, DKIM & DMARC — Complete DNS Setup Guide

Set up all three email authentication protocols step by step. Required by Google and Yahoo for bulk senders. Verify with our SPF checker and email verifier.

Step-by-Step Instructions

  1. Identify all sending sources — List every service sending email for your domain: mail server, ESP, CRM, transactional email service, and any other tools.
  2. Create your SPF record — Add a TXT record at the domain apex: v=spf1 include:_spf.google.com include:sendgrid.net ~all. Replace the includes with your own services. The record and everything it pulls in may trigger at most 10 DNS lookups: include, a, mx, ptr, exists and redirect each count as one, while ip4 and ip6 cost nothing.
  3. Generate and add DKIM keys — In your ESP admin, generate 2048-bit RSA DKIM keys. Publish the public key as a TXT record at selector._domainkey.yourdomain.com. A 2048-bit key is longer than a single 255-character TXT string, so the value has to be split into several quoted strings; most DNS consoles do this for you, some silently truncate instead.
  4. Create your DMARC record — Add TXT at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100. Start with p=none.
  5. Test your configuration — Use our SPF, DKIM, and DMARC checkers to verify all records.
  6. Monitor DMARC reports for 2-4 weeks — Review the aggregate reports. Fix every legitimate source that fails DMARC before tightening the policy; the usual culprit is a vendor that DKIM-signs with its own domain rather than yours, or uses a bounce (return-path) domain that does not align with your From: domain.
  7. Tighten the DMARC policy — Move to p=quarantine, ramp pct up from a small percentage, and after further monitoring move to p=reject for full protection against exact-domain spoofing.

Tips

Make DNS changes during low-traffic periods. Lower the TTL on the records a day ahead so you can roll back quickly, then allow up to 48 hours (depending on TTL) for cached copies to expire. Keep SPF at or under 10 lookups. Each ESP needs its own DKIM key and selector.

Why This Matters

SPF, DKIM, and DMARC are the three pillars of email authentication, and without all three properly configured your mail is significantly more likely to land in spam folders or be rejected outright. As of 2024, Google and Yahoo require bulk senders (those sending 5,000 or more messages a day to their users) to pass both SPF and DKIM and to publish a DMARC policy of at least p=none, and other major inbox providers are following suit. These are no longer optional best practices; they are mandatory requirements. Failing to implement them means your marketing campaigns, transactional emails, and even password reset messages may never reach your recipients, regardless of how clean your email list is.

Beyond deliverability, these protocols protect your brand from being impersonated in phishing attacks. Without DMARC enforcement, anyone can send mail with your domain in the From: header, potentially scamming your customers, partners, and employees, and that kind of domain spoofing damages trust in ways that can take years to repair. A DMARC policy at enforcement (p=quarantine or p=reject) asks receiving servers to quarantine or reject any message that fails DMARC, that is, one for which neither SPF nor DKIM passes for a domain aligned with the From: domain. Two caveats: receivers apply the policy at their own discretion, and it covers only your exact domain, so lookalike domains and display-name tricks still need other controls. Within that scope it stops unauthorized senders from abusing your domain name, protecting both your reputation and the people who trust your brand.

Pro Tips

  • Start DMARC with p=none and monitor — Never jump straight to p=reject on your first DMARC deployment. Start with p=none to collect reports without affecting delivery. This monitoring phase reveals all legitimate services sending email on behalf of your domain, including ones you may have forgotten about. Spend 2-4 weeks reviewing aggregate reports before tightening the policy.
  • Use SPF flattening to stay under the 10-lookup limit — SPF evaluation is capped at 10 DNS lookups across the whole record, nested includes counted. If you use multiple email services (Google Workspace, SendGrid, Mailchimp, HubSpot, etc.), you can easily exceed this limit, and the receiver then returns permerror, which DMARC treats as an SPF failure. Flattening replaces include: terms with the ip4/ip6 ranges they resolve to, which cost no lookups. The catch is that providers change their ranges without notice, so a flattened record must be regenerated automatically (by your own job or a flattening service) or it will silently omit new addresses and mail will start failing SPF.
  • Rotate DKIM keys annually — Like passwords, DKIM keys should be rotated periodically. Generate a new 2048-bit key pair at least once per year, publish the new public key under a different selector, switch your sending service to the new private key, and only then retire the old selector. Signatures are verified when mail is received, so keep the old public key published until mail signed with it has cleared, then delete the record or republish it with an empty p= value, which marks the key revoked. This limits the impact if a key is ever compromised.
  • Set up a dedicated email address for DMARC reports — DMARC aggregate reports can be voluminous, especially for high-volume senders. Create a dedicated mailbox like dmarc-reports@yourdomain.com and consider using a DMARC report analysis service to parse the XML reports into readable dashboards. This makes it practical to monitor authentication results continuously without drowning in raw data. If the mailbox lives on a different domain than the one being monitored, that domain must publish a DMARC report authorization record (a TXT record at yourdomain.com._report._dmarc.<report-domain> containing v=DMARC1) or receivers will refuse to send reports there.
  • Test with multiple verification tools — After making DNS changes, verify your records using multiple checkers, not just one. Different tools catch different issues. Use our SPF, DKIM, and DMARC checkers, then also send test emails to mail-tester.com and check headers in Gmail (Show Original) to confirm authentication passes end-to-end in real-world conditions.
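The monitoring step in the list above (and step 6 of the procedure) is easier to see on a real report. The following is an added example, not code from this page or its checkers: it parses one RFC 7489 aggregate report and separates sources that pass DMARC from sources that authenticated under some other domain (unaligned, usually a vendor you still need to configure) and sources nothing vouched for (spoofing suspects), then totals what p=reject would have dropped. The XML, the IP addresses (documentation ranges), the domains and the counts are constructed placeholders.

```python
"""Summarise a DMARC aggregate (RUA) report by sending source.

Added example; the report below is a constructed sample in the RFC 7489
format (documentation IP ranges, placeholder domains and counts).
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- your own mail server: both identifiers aligned -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a real ESP you forgot about: signs and bounces under its own domain, so nothing aligns -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown host: no DKIM signature at all, SPF hard fail -->
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published policy, one row per source) from an RFC 7489 aggregate report."""
    root = ET.fromstring(xml_text)
    policy = {el.tag: el.text for el in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        # policy_evaluated holds the *aligned* results; auth_results the raw ones.
        aligned = {k: evaluated.findtext(k) == "pass" for k in ("dkim", "spf")}
        raw_pass = sorted({
            f"{el.tag}:{el.findtext('domain')}"
            for el in (auth if auth is not None else [])
            if el.findtext("result") == "pass"
        })
        if aligned["dkim"] or aligned["spf"]:
            verdict = "pass"             # DMARC needs only one aligned identifier
        elif raw_pass:
            verdict = "unaligned"        # authenticated, just not as your domain: fix the vendor
        else:
            verdict = "unauthenticated"  # nothing vouched for it: spoofing suspect
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dmarc": verdict,
            "authenticated_as": raw_pass,
        })
    return policy, rows


def rollout_summary(rows):
    """Message counts per verdict, plus the share that p=reject would have dropped."""
    totals = {"pass": 0, "unaligned": 0, "unauthenticated": 0}
    for r in rows:
        totals[r["dmarc"]] += r["count"]
    total = sum(totals.values())
    rejected = totals["unaligned"] + totals["unauthenticated"]
    totals["would_be_rejected_pct"] = round(100 * rejected / total, 1) if total else 0.0
    return totals


if __name__ == "__main__":
    policy, rows = parse_report(SAMPLE_REPORT)
    print(f"policy for {policy['domain']}: p={policy['p']} pct={policy['pct']}")
    for r in rows:
        print(f"{r['source_ip']:>15} {r['count']:>6} {r['dmarc']:<16} {r['authenticated_as']}")
    print(rollout_summary(rows))
```

The "unaligned" bucket is the one worth chasing before enforcement: it is real mail that would be rejected at p=reject, and the `authenticated_as` domains tell you which vendor to reconfigure. The "unauthenticated" bucket is what DMARC is there to block.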

Common Mistakes to Avoid

  • Publishing multiple SPF records — Your domain must have exactly one TXT record beginning with v=spf1. If you add a second SPF record instead of editing the existing one, RFC 7208 tells receivers to return permerror, so SPF fails for every message from the domain. This is one of the most common DNS configuration errors and instantly breaks email authentication for your entire domain. Always edit the existing SPF record to add new includes rather than creating a new record.
  • Using 1024-bit DKIM keys — 1024-bit DKIM keys still verify, and RFC 8301 keeps them as the floor verifiers must accept, but the same RFC and Google both recommend 2048-bit keys, and anything shorter than 1024 bits is rejected outright. Always generate 2048-bit RSA keys. Note that the base64 public key of a 2048-bit key does not fit in a single 255-character TXT string; the record has to be published as several quoted strings, and a key that a DNS console silently truncated fails verification just like a wrong key.
  • Forgetting to authenticate third-party senders — Every service that sends email on behalf of your domain must be covered by your SPF record and must DKIM-sign with a selector under your domain. A signature under the vendor's own domain passes DKIM but does not align, so it does nothing for DMARC. If you add a new marketing tool, transactional email service, or CRM integration and forget to update SPF and DKIM, mail from that service will fail authentication and may be blocked. Maintain a living document that lists every authorized sending service and update your DNS records whenever you add or remove one.
  • Jumping to DMARC p=reject too quickly — Enabling DMARC enforcement before you have identified and authenticated all legitimate sending sources will cause legitimate email to be rejected. This can block critical transactional emails like order confirmations, password resets, and invoices. Follow the graduated path: p=none for monitoring, then p=quarantine with pct=10, pct=50 and finally pct=100, and only then p=reject. Do not expect the reports to ever show zero failures: forwarded mail and mailing lists routinely break SPF (and sometimes DKIM), which is why aligned DKIM matters more than SPF for safe enforcement. The bar is no failures from sources you control. Also note that pct applies only to quarantine and reject; messages not selected by pct get the next less severe action (quarantine instead of reject, none instead of quarantine).
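To see what key size a selector actually publishes, and why a 2048-bit key needs more than one TXT string, here is an added example that is not the page's checker. It uses only the Python standard library: it reads the RSA modulus out of the DER-encoded SubjectPublicKeyInfo that the p= tag carries, so no crypto package is needed, and it treats an empty p= as a revoked key (the rotation end state from the tip above). The moduli are constructed placeholders with the right bit lengths, not real key material, and `make_spki` exists only to build those placeholders; both are assumptions of the example.

```python
"""DKIM selector record checks: key size, TXT splitting, revocation, truncation.

Added example; standard library only. The two keys at the bottom are
constructed placeholder moduli, NOT real key material.
"""
import base64
import binascii

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
TXT_STRING_MAX = 255                             # longest single quoted string in a TXT record


# --- just enough DER to build and read an RSA SubjectPublicKeyInfo ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive


def _der_read(buf, pos=0):
    """(tag, content, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")        # catches a cut-off p= instead of misreading it
    return tag, buf[pos:pos + length], pos + length


def make_spki(n, e=65537):
    """Encode an RSA public key as SubjectPublicKeyInfo, the blob DKIM's p= tag carries."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))


def modulus_bits(spki):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    _, body, _ = _der_read(spki)                 # outer SEQUENCE
    _, alg, pos = _der_read(body)                # AlgorithmIdentifier
    _, oid, _ = _der_read(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = _der_read(body, pos)          # BIT STRING; first byte = unused-bit count
    _, rsa_pub, _ = _der_read(bitstr[1:])        # RSAPublicKey SEQUENCE
    _, n_bytes, _ = _der_read(rsa_pub)           # INTEGER n
    return int.from_bytes(n_bytes, "big").bit_length()


def dkim_txt_record(spki, string_max=TXT_STRING_MAX):
    """Selector TXT value, split into quoted strings of at most 255 characters."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return " ".join(f'"{value[i:i + string_max]}"' for i in range(0, len(value), string_max))


def parse_dkim_txt(record):
    """Concatenate the quoted strings (as a verifier does) and parse the tag=value list."""
    joined = "".join(part for part in record.split('"') if part.strip())
    return dict(item.strip().split("=", 1) for item in joined.split(";") if item.strip())


def assess_selector(record):
    """Key size and verdict for a published selector record."""
    tags = parse_dkim_txt(record)
    if not tags.get("p"):                        # RFC 6376: an empty p= means the key is revoked
        return {"bits": 0, "verdict": "revoked"}
    try:
        spki = base64.b64decode("".join(tags["p"].split()), validate=True)
        bits = modulus_bits(spki)
    except (ValueError, IndexError, binascii.Error):
        return {"bits": 0, "verdict": "unparseable p= (truncated or corrupted record?)"}
    if bits < 1024:
        verdict = "invalid: verifiers reject keys under 1024 bits (RFC 8301)"
    elif bits < 2048:
        verdict = "weak: still accepted, but below the recommended 2048 bits"
    else:
        verdict = "ok"
    return {"bits": bits, "verdict": verdict}


# Constructed placeholder moduli of the right sizes; NOT real keys.
WEAK_KEY = make_spki((1 << 1023) | 0x10001)
STRONG_KEY = make_spki((1 << 2047) | 0x10001)

if __name__ == "__main__":
    for label, key in (("1024-bit", WEAK_KEY), ("2048-bit", STRONG_KEY)):
        record = dkim_txt_record(key)
        print(label, "->", record.count('"') // 2, "TXT string(s):", assess_selector(record))
    print("empty p= ->", assess_selector('"v=DKIM1; k=rsa; p="'))
```

Point `parse_dkim_txt` at the strings a `dig TXT selector._domainkey.yourdomain.com` query returns and `assess_selector` tells you whether the console split the key correctly and how big it is; the 1024-bit placeholder fits in one string, the 2048-bit one needs two.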

Frequently Asked Questions

Do I really need all three, or is one enough?

Yes, for maximum email security and deliverability you need all three. SPF lets receivers check that the sending server is authorized for the envelope (return-path) domain; DKIM ties the signed headers and body to the signing domain with a signature that survives relaying; DMARC requires one of those domains to align with the visible From: domain, tells receivers what to do when neither does, and gets you the reports. Google and Yahoo now require all three for bulk senders. Use our SPF checker and related tools to verify your setup.

How long until the new records take effect?

DNS changes typically propagate within 1-4 hours, though full global propagation can take up to 48 hours depending on the TTL of the records (and of any cached records they replace). Start with a DMARC policy of p=none during setup so that legitimate email is not rejected while DNS propagates, then monitor reports before changing to p=quarantine or p=reject.

How do I authenticate several email services at once?

Add each service to your SPF record using include: directives (e.g., include:_spf.google.com include:sendgrid.net). Each include costs one lookup plus whatever the included record itself pulls in, so keep the whole tree at or under 10 DNS lookups. Each service also needs its own DKIM key, published under a selector on your domain. If you exceed the lookup limit, consider flattening your SPF record or using a dedicated SPF management service.
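The lookup count is the part of this that people get wrong, so here is an added example (not the page's checker) that walks an SPF record's include tree the way a receiver does, counting the terms that need DNS, reports the permerror cases from the mistakes list (two records on one name, include loops, more than 10 lookups), and then flattens the includes into the ip4/ip6 terms they actually grant. It uses a constructed in-memory TXT table with fictional domains and documentation IP ranges instead of live DNS so it runs offline; those names, ranges and the two-record broken.example are assumptions of the example.

```python
"""SPF lookup counter and flattener.

Added example; DNS_TXT is a constructed stand-in for real DNS with
placeholder names and documentation address ranges.
"""

MAX_LOOKUPS = 10                                        # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

DNS_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.workspace.example include:esp-one.example "
                       "include:crm.example include:helpdesk.example ~all"],
    # a big provider that spreads its netblocks over nested includes
    "_spf.workspace.example": ["v=spf1 include:_net1.workspace.example "
                               "include:_net2.workspace.example include:_net3.workspace.example ~all"],
    "_net1.workspace.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_net2.workspace.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_net3.workspace.example": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "esp-one.example": ["v=spf1 ip4:192.0.2.0/26 -all"],
    "crm.example": ["v=spf1 include:eu.crm.example include:us.crm.example -all"],
    "eu.crm.example": ["v=spf1 ip4:192.0.2.64/26 -all"],
    "us.crm.example": ["v=spf1 ip4:192.0.2.128/26 -all"],
    # a small vendor whose record depends on its own MX and A lookups
    "helpdesk.example": ["v=spf1 mx a -all"],
    # the classic mistake: two SPF records on one name
    "broken.example": ["v=spf1 ip4:192.0.2.192/26 -all", "v=spf1 include:esp-one.example -all"],
}


class SpfPermError(Exception):
    """A condition RFC 7208 tells receivers to report as permerror (SPF effectively fails)."""


def get_spf(domain):
    records = [t for t in DNS_TXT.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise SpfPermError(f"{domain}: {len(records)} SPF records published, must be exactly one")
    if not records:
        raise SpfPermError(f"{domain}: no SPF record (an include: of such a name is a permerror)")
    return records[0]


def parse_term(raw):
    """'-include:x' -> ('-', 'include', 'x', 'include:x'); modifiers use '=' instead of ':'."""
    qualifier, term = ("+", raw) if raw[0] not in "+-~?" else (raw[0], raw[1:])
    if "=" in term:
        name, arg = term.split("=", 1)
    else:
        name, _, arg = term.partition(":")
        name = name.split("/", 1)[0]                    # 'a/24' -> 'a'
    return qualifier, name.lower(), arg, term


def count_lookups(domain, record=None, path=()):
    """DNS-querying terms in `domain`'s SPF tree, counted the way a receiver counts them."""
    if domain in path:
        raise SpfPermError(f"include/redirect loop through {domain}")
    total = 0
    for raw in (record or get_spf(domain)).split()[1:]:
        _, name, arg, _ = parse_term(raw)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):             # everything nested counts as well
            total += count_lookups(arg, path=path + (domain,))
    return total


def _pass_terms(domain, path):
    """Terms of `domain`'s record that can yield 'pass' when reached through include:."""
    if domain in path:
        raise SpfPermError(f"include/redirect loop through {domain}")
    out = []
    for raw in get_spf(domain).split()[1:]:
        qualifier, name, arg, term = parse_term(raw)
        if name in ("include", "redirect"):
            out += _pass_terms(arg, path + (domain,))
        elif name == "all" or qualifier != "+":
            continue                                    # '-', '~', '?' terms never yield pass
        elif name in ("a", "mx", "ptr") and not arg:
            out.append(f"{name}:{domain}{term[len(name):]}")   # bare mx/a meant *this* domain
        else:
            out.append(term)                            # ip4/ip6/exists and explicit a:/mx: as written
    return out


def flatten(domain):
    """Replace each include: with the terms it grants; a/mx/ptr/exists stay (they still need DNS)."""
    out = ["v=spf1"]
    for raw in get_spf(domain).split()[1:]:
        _, name, arg, _ = parse_term(raw)
        out += _pass_terms(arg, (domain,)) if name == "include" else [raw]
    return " ".join(out)


def check(domain, record=None):
    """(lookup count or None, verdict) for the 10-lookup rule."""
    try:
        n = count_lookups(domain, record)
    except SpfPermError as err:
        return None, f"permerror: {err}"
    if n > MAX_LOOKUPS:
        return n, f"too many lookups ({n} > {MAX_LOOKUPS}); receivers return permerror"
    return n, "ok"


if __name__ == "__main__":
    for name in ("yourdomain.com", "broken.example"):
        print(name, check(name))
    flat = flatten("yourdomain.com")
    print(flat)
    print("after flattening:", check("yourdomain.com", flat))
```

In the constructed table yourdomain.com costs 11 lookups (4 includes at the top, 3 nested under the provider, 2 under the CRM, plus the helpdesk vendor's mx and a), so it fails; the flattened record drops to 2. Note what flattening keeps: the vendor's bare `mx` and `a` are rewritten as `mx:helpdesk.example` and `a:helpdesk.example`, because inlined into your record a bare `mx` would suddenly mean your own MX hosts. Re-run the flattening whenever a provider's ranges change, or the record goes stale.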
