SPF, DKIM, and DMARC: Email Security Setup Guide
A complete guide to configuring SPF, DKIM, and DMARC for your domain. Prevent email spoofing, improve deliverability, and protect your brand.
Overviewsection
SPF, DKIM, and DMARC are three DNS-based email authentication protocols that work together to prevent attackers from sending emails that appear to come from your domain. Without them, anyone can send an email that looks like it came from ceo@yourdomain.com — and most recipients will not be able to tell the difference.
These protocols are:
- SPF (Sender Policy Framework) — specifies which mail servers are allowed to send email for your domain
- DKIM (DomainKeys Identified Mail) — adds a cryptographic signature to outgoing emails proving they have not been tampered with
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — tells receiving servers what to do when SPF or DKIM fails, and sends you reports
Why This Matterssection
- 89% of email-based attacks use spoofed sender addresses
- Google and Yahoo require DMARC for bulk senders (enforced since February 2024)
- Emails without proper authentication are more likely to land in spam folders
- Compliance frameworks (CMMC, NIST, Cyber Essentials) require email authentication
Step 1: Set Up SPFsection
SPF is a DNS TXT record that lists the IP addresses and services authorised to send email for your domain.
For Microsoft 365section
v=spf1 include:spf.protection.outlook.com -all
For Google Workspacesection
v=spf1 include:_spf.google.com -all
With additional servicessection
If you also send email through a marketing platform (Mailchimp, HubSpot, etc.), include their SPF record:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
Key rulessection
| Mechanism | Meaning |
|---|---|
include: | Authorise another domain's SPF record |
ip4: | Authorise a specific IPv4 address or range |
-all | Hard fail — reject anything not listed (recommended) |
~all | Soft fail — mark as suspicious but deliver (use during testing) |
SPF records have a 10 DNS lookup limit. Each include: counts as one lookup. If you exceed 10, SPF will permanently fail. Use an SPF flattening tool if you have many senders.
Verify your SPF recordsection
Resolve-DnsName -Name "yourdomain.com" -Type TXT | Where-Object { $_.Strings -match "v=spf1" }
Step 2: Set Up DKIMsection
DKIM signs outgoing emails with a private key. The receiving server checks the signature against a public key published in your DNS.
For Microsoft 365section
- Go to Microsoft Defender XDR (security.microsoft.com) > Email & collaboration > Policies & rules > Threat policies > DKIM. Alternatively, you can configure DKIM in the Exchange admin center > Mail flow > DKIM.
- Select your domain
- Toggle Sign messages for this domain with DKIM signatures to Enabled
- Microsoft will provide two CNAME records to add to your DNS:
Host: selector1._domainkey
Points to: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Host: selector2._domainkey
Points to: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
- Add both CNAME records, then click Enable in the portal
For Google Workspacesection
- Go to Google Admin Console > Apps > Google Workspace > Gmail > Authenticate email
- Click Generate new record
- Add the TXT record to your DNS:
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGS... (your public key)
- Click Start authentication after the DNS record propagates
Verify DKIMsection
Resolve-DnsName -Name "selector1._domainkey.yourdomain.com" -Type CNAME
Step 3: Set Up DMARCsection
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails.
Start with monitoring (recommended)section
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1
This record:
p=none— do not block anything yet, just monitorrua=— send aggregate reports to this address (daily XML summaries)ruf=— send forensic reports for individual failuresfo=1— send a forensic report if either SPF or DKIM fails
Add as a DNS TXT recordsection
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Progress to enforcementsection
After 2-4 weeks of monitoring with no unexpected failures:
Quarantine (move suspicious emails to spam):
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com
Increase pct gradually from 25 to 50 to 100.
Reject (block spoofed emails entirely):
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Do not jump straight to p=reject without monitoring first. Legitimate email sources you forgot about (marketing platforms, CRM systems, printers that send scan-to-email) will be blocked, causing business disruption.
DMARC policy optionssection
| Policy | Action | When to Use |
|---|---|---|
p=none | Monitor only, no blocking | Initial setup, collecting data |
p=quarantine | Send to spam/junk folder | Transition phase |
p=reject | Block the email entirely | Full enforcement (goal) |
Reading DMARC Reportssection
Aggregate reports are XML files sent daily by receiving servers. They show:
- How many emails were sent from your domain
- Which passed/failed SPF and DKIM
- Which IP addresses sent those emails
Raw XML reports are hard to read. Use a free report analyser:
- DMARC Analyzer (dmarcanalyzer.com)
- Postmark DMARC (dmarc.postmarkapp.com)
- EasyDMARC (easydmarc.com)
These tools ingest the reports and show you a dashboard of passing vs. failing sources.
Verification Checklistsection
Run these checks after configuring all three records:
# Check SPF
Resolve-DnsName -Name "yourdomain.com" -Type TXT | Where-Object { $_.Strings -match "v=spf1" }
# Check DKIM (Microsoft 365)
Resolve-DnsName -Name "selector1._domainkey.yourdomain.com" -Type CNAME
# Check DMARC
Resolve-DnsName -Name "_dmarc.yourdomain.com" -Type TXT
All three should return valid records. You can also use online tools like MXToolbox to verify the full chain.
Common Mistakessection
| Mistake | Impact | Fix |
|---|---|---|
| Multiple SPF records | Both records invalidated | Merge into one record |
Using ~all instead of -all | Spoofed emails still delivered | Change to -all after confirming all senders are listed |
| DKIM not enabled after adding DNS | Emails not signed | Enable DKIM signing in your email provider's admin console |
Jumping to p=reject | Legitimate emails blocked | Start with p=none, monitor, then gradually enforce |
| Not including all senders in SPF | Marketing emails fail SPF | Audit all services that send email on your behalf |
DMARC with no rua= address | No visibility into failures | Always include a report address |
A Note on ARC (Authenticated Received Chain)section
Many email providers now also check for ARC (Authenticated Received Chain) headers. ARC preserves email authentication results across intermediate mail servers that modify messages (such as mailing lists, forwarding services, and security gateways). Without ARC, forwarded emails often fail DKIM and SPF checks even though they are legitimate.
You do not need to configure ARC in DNS. It is handled automatically by mail servers that support it (Microsoft 365 and Google Workspace both support ARC). However, it is worth knowing about because:
- If you use mailing lists or email forwarding, ARC helps receiving servers trust your messages even when SPF/DKIM break due to forwarding
- When investigating DMARC failures, ARC headers in the email source can help you determine whether a failure was caused by legitimate forwarding
Summarysection
| Protocol | What It Does | Record Type | Where to Add |
|---|---|---|---|
| SPF | Lists authorised senders | TXT on root domain | DNS |
| DKIM | Signs emails cryptographically | CNAME or TXT on selector subdomain | DNS |
| DMARC | Enforcement policy + reporting | TXT on _dmarc subdomain | DNS |
The goal is to reach p=reject with both SPF and DKIM passing for all legitimate email. This blocks virtually all email spoofing attacks against your domain.
Related Articles
Was this article helpful?