
    SPF, DKIM, DMARC Setup: The 2026 Email Authentication Walkthrough

    SPF, DKIM, and DMARC are the three DNS records that tell mailbox providers your email is legitimately yours. Skip any one of them in 2026 and your mail goes to spam, full stop — Google and Yahoo's bulk-sender update made all three mandatory in February 2024. This guide walks through configuring all three for both Google Workspace and Microsoft 365, with the alignment trap that breaks most setups.

    Sebastien Night
    Author, EmailSneak
    Updated April 18, 2026
    Part of
    Cold email guide

    What each record actually does

    SPF (Sender Policy Framework) publishes a list of IP addresses authorized to send mail from your domain. Receivers check the sending IP against this list and reject mail from unauthorized IPs.

    DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing message with a private key. The matching public key lives in your DNS so receivers can verify the signature and confirm the message wasn't tampered with in transit.

    DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. It tells receivers what to do when a message fails (reject, quarantine, or just monitor) and where to send aggregate reports.

    The full specs: RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC).

    Setup for Google Workspace

    Step 1 — SPF record.

    In your DNS provider, add a TXT record at the root (`@`) of your domain:

    `v=spf1 include:_spf.google.com ~all`

    The `~all` (soft fail) is correct during initial setup. Move to `-all` (hard fail) only after DMARC monitoring confirms no legitimate mail is failing.

    Step 2 — DKIM record.

    In the Workspace Admin Console: Apps → Google Workspace → Gmail → Authenticate email → Generate new record. Choose 2048-bit key length (the higher option). Copy the resulting TXT record and the host (typically `google._domainkey`) and add them to your DNS.

    Wait for DNS propagation (5–60 min), then click Start Authentication in the Workspace console.

    Step 3 — DMARC record.

    Add a TXT record at `_dmarc.{yourdomain.com}`:

    `v=DMARC1; p=quarantine; rua=mailto:dmarc@{yourdomain.com}; ruf=mailto:dmarc@{yourdomain.com}; pct=100; aspf=r; adkim=r`

    Start with `p=quarantine`. After 30 days of clean DMARC reports, move to `p=reject`.

    Setup for Microsoft 365

    Step 1 — SPF record.

    In your DNS provider, add a TXT record at the root (`@`):

    `v=spf1 include:spf.protection.outlook.com -all`

    Microsoft 365 SPF is hardened enough to use `-all` from the start.

    Step 2 — DKIM record.

    In the Microsoft 365 Defender portal: Email & Collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM. Select your domain → Enable.

    Microsoft will give you two CNAME records to add to your DNS (`selector1._domainkey` and `selector2._domainkey`). Add both, wait for propagation, then return to the portal and toggle DKIM signing on.

    Step 3 — DMARC record.

    Same as the Workspace step 3. Add a TXT record at `_dmarc.{yourdomain.com}`:

    `v=DMARC1; p=quarantine; rua=mailto:dmarc@{yourdomain.com}; pct=100; aspf=r; adkim=r`

    Start with `p=quarantine`, move to `p=reject` after 30 clean days.

    The DMARC alignment trap

    This is where most setups silently fail.

    DMARC requires that the From: domain visible to recipients matches (aligns with) either the SPF `MAIL FROM` domain or the DKIM `d=` domain.

    If you send a campaign through a third-party platform (Mailchimp, SendGrid, etc.) that uses its own SPF/DKIM domains under the hood, your From: address might look correct but DMARC alignment fails — and the message goes to spam despite SPF and DKIM technically passing.

    The fix: when sending through a third-party platform, configure CNAME-based DKIM signing using your own domain (every reputable platform supports this). Then DKIM passes and aligns.

    For self-hosted sending or direct Workspace/M365 sending, alignment is automatic. The trap only catches third-party-platform setups.
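    The alignment rule above, worked through as a small evaluator. This is an added example, not code from the article or from any platform it names; "bulkmail-platform.example" is a hypothetical third-party sender, and the organizational-domain shortcut (last two labels) is an assumption that real verifiers replace with the Public Suffix List.

```python
# Added example (not from the original article): evaluates DMARC identifier
# alignment for the scenarios in the alignment-trap section above.
# Assumption: the organizational domain is the last two labels. Real DMARC
# verifiers use the Public Suffix List; this shortcut is fine for the .com and
# .example names used here but wrong for names like example.co.uk.

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf_pass, mail_from_domain, dkim_pass, dkim_d,
                 aspf="r", adkim="r"):
    """DMARC passes when at least one identifier both authenticates AND aligns."""
    spf_ok = spf_pass and aligned(from_domain, mail_from_domain, aspf)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed scenarios. "bulkmail-platform.example" is a hypothetical third-party
# sending platform; its bounce domain is the SPF MAIL FROM identity.
# 1. Platform defaults: SPF and DKIM both pass raw, but neither identifier
#    is your domain, so DMARC fails (the trap).
THIRD_PARTY_DEFAULT = dmarc_result("example.com", True, "bounce.bulkmail-platform.example",
                                   True, "bulkmail-platform.example")
# 2. Same platform after CNAME-based DKIM signing with a d= under your own
#    domain (a delegated subdomain here): DKIM aligns under adkim=r.
THIRD_PARTY_CUSTOM_DKIM = dmarc_result("example.com", True, "bounce.bulkmail-platform.example",
                                       True, "mail.example.com")
# 3. Scenario 2 under adkim=s: mail.example.com != example.com, so it fails again,
#    which is why the records in this guide keep adkim=r.
STRICT_DKIM = dmarc_result("example.com", True, "bounce.bulkmail-platform.example",
                           True, "mail.example.com", adkim="s")
# 4. Direct Workspace/M365 sending: MAIL FROM and d= are your own domain.
DIRECT = dmarc_result("example.com", True, "example.com", True, "example.com")
```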

    Verifying it actually works

    Three checks:

    1. Send a test message to `check-auth@verifier.port25.com`. You'll get an automated reply showing SPF, DKIM, and DMARC pass/fail status.

    2. Use MXToolbox to inspect each record. Search for `txt:{yourdomain.com}` and `txt:_dmarc.{yourdomain.com}`.

    3. Send a test to a Gmail address and view the original message (in Gmail: ⋮ → Show original). The header will show:

    `SPF: PASS, DKIM: PASS, DMARC: PASS`

    If any line shows FAIL or NEUTRAL, you have a configuration issue to fix before sending any cold email.

    Common mistakes

    • Multiple SPF records on the same domain. The SPF spec allows only one TXT record starting with `v=spf1`. If you have two (e.g. one from a previous provider), merge them into a single record with multiple `include:` directives.
    • Using `p=none` long-term. `p=none` is monitor-only — it does not satisfy Google's bulk-sender requirements. Move to `p=quarantine` within 30 days of setup.
    • Skipping DKIM rotation. DKIM keys should be rotated annually. Most providers automate this; verify yours does.
    • Forgetting to add subdomain DMARC. A DMARC record at `example.com` does not cover `subdomain.example.com`. Add a separate DMARC record per subdomain that sends mail.
    • Hard-failing SPF (`-all`) before DMARC monitoring confirms safety. You'll silently block legitimate mail (often from internal forwarding). Always start with `~all`, monitor DMARC reports for 7+ days, then harden to `-all`.
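    A lint for the first two mistakes in that list (duplicate SPF records, and a DMARC record stuck at `p=none`), including the merge the article recommends. This is an added example, not code from the article; the record lists are constructed stand-ins for DNS TXT lookups, and picking the most restrictive `all` qualifier when merging is a choice made here.

```python
# Added example (not from the original article): lints the TXT records at the
# domain root and at _dmarc for the mistakes listed above and merges duplicate
# SPF records. The record lists are constructed stand-ins for DNS TXT lookups.
import re

ALL_RANK = {"-": 0, "~": 1, "?": 2, "+": 3}  # lower rank = more restrictive 'all'

def find_spf(txt_records):
    return [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]

def merge_spf(spf_records):
    """Fold several v=spf1 records into one: mechanisms keep first-seen order,
    duplicates are dropped, the most restrictive 'all' wins (a choice made here)."""
    terms, seen, quals = [], set(), []
    for rec in spf_records:
        for term in rec.split()[1:]:  # skip the v=spf1 version tag
            m = re.fullmatch(r"([-~+?]?)all", term, re.I)
            if m:
                quals.append(m.group(1) or "+")  # a bare 'all' means +all
            elif term.lower() not in seen:
                seen.add(term.lower())
                terms.append(term)
    qual = min(quals, key=ALL_RANK.get, default="~")  # no 'all' given: soft fail
    return "v=spf1 " + " ".join(terms + [qual + "all"])

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercased tag."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint(root_txt, dmarc_txt):
    """Return findings for the root TXT set and the _dmarc TXT set."""
    findings, spf = [], find_spf(root_txt)
    if not spf:
        findings.append("no SPF record at root")
    elif len(spf) > 1:
        findings.append("multiple SPF records; merged form: " + merge_spf(spf))
    dmarc = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record at _dmarc")
    elif parse_dmarc(dmarc[0]).get("p", "none").lower() == "none":
        findings.append("DMARC p=none is monitor-only")
    return findings

# Constructed records: a leftover SPF from a previous provider next to the current one, plus p=none.
ROOT_TXT = ["v=spf1 include:_spf.google.com ~all",
            "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all",
            "site-verification=constructed-token"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
FINDINGS = lint(ROOT_TXT, DMARC_TXT)
```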

    Frequently asked questions

    Do I need DMARC if I have SPF and DKIM?
    Yes. Since Google and Yahoo's February 2024 bulk-sender update, DMARC is required for any sender pushing 5,000+ emails/day to Gmail or Yahoo addresses, and the filtering bar tightened for all senders. Without DMARC, your mail is treated as suspect.
    What's the difference between p=none, p=quarantine, and p=reject?
    `p=none` tells receivers to take no action when DMARC fails — purely monitoring. `p=quarantine` tells receivers to deliver failing mail to spam. `p=reject` tells receivers to bounce failing mail entirely. Start at quarantine; move to reject after 30 days of clean DMARC reports.
    How long does DNS propagation take?
    5–60 minutes for most modern DNS providers (Cloudflare, Route53, GoDaddy). Some providers cache aggressively for up to 24 hours. Use DNS Checker to confirm global propagation before testing.
    Can I use SPF only and skip DKIM?
    No. SPF breaks on email forwarding (the forwarder's IP isn't in your SPF record), so whatever share of your audience uses auto-forwarding rules will see SPF fail. DKIM survives forwarding intact and is mandatory for modern deliverability.
    What does the DMARC report look like?
    Aggregate reports (`rua`) arrive daily as XML attachments showing how much mail was sent from your domain, what passed/failed authentication, and from which IPs. Forensic reports (`ruf`) are per-message failure samples. Most teams use a tool like Postmark DMARC or Dmarcian to parse the XML into a readable dashboard.

    Sources & references

    1. RFC 7208 — Sender Policy Framework — IETF
    2. RFC 6376 — DomainKeys Identified Mail — IETF
    3. RFC 7489 — DMARC — IETF
    4. Google bulk sender requirements — Google
    5. Microsoft 365 DKIM setup — Microsoft
    6. MXToolbox DNS lookup — MXToolbox
