SPF, DKIM, and DMARC: Email Security Setup Guide
A complete guide to configuring SPF, DKIM, and DMARC for your domain. Prevent email spoofing, improve deliverability, and protect your brand.
Overview
SPF, DKIM, and DMARC are three DNS-based email authentication protocols that work together to prevent attackers from sending emails that appear to come from your domain. Without them, anyone can send an email that looks like it came from [email protected] — and most recipients will not be able to tell the difference.
These protocols are:
- SPF (Sender Policy Framework) — specifies which mail servers are allowed to send email for your domain
- DKIM (DomainKeys Identified Mail) — adds a cryptographic signature to outgoing emails proving they have not been tampered with
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — tells receiving servers what to do when SPF or DKIM fails, and sends you reports
Why This Matters
- 89% of email-based attacks use spoofed sender addresses
- Google and Yahoo require DMARC for bulk senders (enforced since February 2024)
- Emails without proper authentication are more likely to land in spam folders
- Compliance frameworks (CMMC, NIST, Cyber Essentials) require email authentication
Step 1: Set Up SPF
SPF is a DNS TXT record that lists the IP addresses and services authorised to send email for your domain.
For Microsoft 365
v=spf1 include:spf.protection.outlook.com -all
For Google Workspace
v=spf1 include:_spf.google.com -all
With additional services
If you also send email through a marketing platform (Mailchimp, HubSpot, etc.), include their SPF record:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
Key rules
| Mechanism | Meaning |
|---|---|
include: | Authorise another domain's SPF record |
ip4: | Authorise a specific IPv4 address or range |
-all | Hard fail — reject anything not listed (recommended) |
~all | Soft fail — mark as suspicious but deliver (use during testing) |
SPF records have a 10 DNS lookup limit. Each include: counts as one lookup. If you exceed 10, SPF will permanently fail. Use an SPF flattening tool if you have many senders.
Verify your SPF record
Resolve-DnsName -Name "yourdomain.com" -Type TXT | Where-Object { $_.Strings -match "v=spf1" }
Step 2: Set Up DKIM
DKIM signs outgoing emails with a private key. The receiving server checks the signature against a public key published in your DNS.
For Microsoft 365
- Go to Microsoft Defender XDR (security.microsoft.com) > Email & collaboration > Policies & rules > Threat policies > DKIM. Alternatively, you can configure DKIM in the Exchange admin center > Mail flow > DKIM.
- Select your domain
- Toggle Sign messages for this domain with DKIM signatures to Enabled
- Microsoft will provide two CNAME records to add to your DNS:
Host: selector1._domainkey
Points to: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Host: selector2._domainkey
Points to: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
- Add both CNAME records, then click Enable in the portal
For Google Workspace
- Go to Google Admin Console > Apps > Google Workspace > Gmail > Authenticate email
- Click Generate new record
- Add the TXT record to your DNS:
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGS... (your public key)
- Click Start authentication after the DNS record propagates
Verify DKIM
Resolve-DnsName -Name "selector1._domainkey.yourdomain.com" -Type CNAME
Step 3: Set Up DMARC
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails.
Start with monitoring (recommended)
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
This record:
p=none— do not block anything yet, just monitorrua=— send aggregate reports to this address (daily XML summaries)ruf=— send forensic reports for individual failuresfo=1— send a forensic report if either SPF or DKIM fails
Add as a DNS TXT record
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]
Progress to enforcement
After 2-4 weeks of monitoring with no unexpected failures:
Quarantine (move suspicious emails to spam):
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
Increase pct gradually from 25 to 50 to 100.
Reject (block spoofed emails entirely):
v=DMARC1; p=reject; rua=mailto:[email protected]
Do not jump straight to p=reject without monitoring first. Legitimate email sources you forgot about (marketing platforms, CRM systems, printers that send scan-to-email) will be blocked, causing business disruption.
DMARC policy options
| Policy | Action | When to Use |
|---|---|---|
p=none | Monitor only, no blocking | Initial setup, collecting data |
p=quarantine | Send to spam/junk folder | Transition phase |
p=reject | Block the email entirely | Full enforcement (goal) |
Reading DMARC Reports
Aggregate reports are XML files sent daily by receiving servers. They show:
- How many emails were sent from your domain
- Which passed/failed SPF and DKIM
- Which IP addresses sent those emails
Raw XML reports are hard to read. Use a free report analyser:
- DMARC Analyzer (dmarcanalyzer.com)
- Postmark DMARC (dmarc.postmarkapp.com)
- EasyDMARC (easydmarc.com)
These tools ingest the reports and show you a dashboard of passing vs. failing sources.
Verification Checklist
Run these checks after configuring all three records:
# Check SPF
Resolve-DnsName -Name "yourdomain.com" -Type TXT | Where-Object { $_.Strings -match "v=spf1" }
# Check DKIM (Microsoft 365)
Resolve-DnsName -Name "selector1._domainkey.yourdomain.com" -Type CNAME
# Check DMARC
Resolve-DnsName -Name "_dmarc.yourdomain.com" -Type TXT
All three should return valid records. You can also use online tools like MXToolbox to verify the full chain.
Common Mistakes
| Mistake | Impact | Fix |
|---|---|---|
| Multiple SPF records | Both records invalidated | Merge into one record |
Using ~all instead of -all | Spoofed emails still delivered | Change to -all after confirming all senders are listed |
| DKIM not enabled after adding DNS | Emails not signed | Enable DKIM signing in your email provider's admin console |
Jumping to p=reject | Legitimate emails blocked | Start with p=none, monitor, then gradually enforce |
| Not including all senders in SPF | Marketing emails fail SPF | Audit all services that send email on your behalf |
DMARC with no rua= address | No visibility into failures | Always include a report address |
A Note on ARC (Authenticated Received Chain)
Many email providers now also check for ARC (Authenticated Received Chain) headers. ARC preserves email authentication results across intermediate mail servers that modify messages (such as mailing lists, forwarding services, and security gateways). Without ARC, forwarded emails often fail DKIM and SPF checks even though they are legitimate.
You do not need to configure ARC in DNS. It is handled automatically by mail servers that support it (Microsoft 365 and Google Workspace both support ARC). However, it is worth knowing about because:
- If you use mailing lists or email forwarding, ARC helps receiving servers trust your messages even when SPF/DKIM break due to forwarding
- When investigating DMARC failures, ARC headers in the email source can help you determine whether a failure was caused by legitimate forwarding
Summary
| Protocol | What It Does | Record Type | Where to Add |
|---|---|---|---|
| SPF | Lists authorised senders | TXT on root domain | DNS |
| DKIM | Signs emails cryptographically | CNAME or TXT on selector subdomain | DNS |
| DMARC | Enforcement policy + reporting | TXT on _dmarc subdomain | DNS |
The goal is to reach p=reject with both SPF and DKIM passing for all legitimate email. This blocks virtually all email spoofing attacks against your domain.
Related Articles
Was this article helpful?