Getting SPF, DKIM, and DMARC right stops most spoofing and gives you clear visibility into who’s sending mail as your domain.
You’ll need DNS access (Cloudflare/registrar) and a mailbox or alias for DMARC aggregate reports (e.g., dmarc-reports@yourdomain.com).
Why these records matter
- SPF: declares which hosts/services may send mail for your domain.
- DKIM: cryptographic signature on each message; receivers detect tampering.
- DMARC: policy + reporting based on SPF/DKIM alignment with your visible From: domain.
Set up
1) SPF — one record, kept lean
Create one TXT at the root (no duplicates). Start from the line for your mail provider, then add only the vendors that really send as your domain:
# Google Workspace
v=spf1 include:_spf.google.com -all
# Microsoft 365
v=spf1 include:spf.protection.outlook.com -all
# Add official includes from vendors you actually use
v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.salesforce.com -all
SPF has a 10 DNS-lookup limit (RFC 7208): each include:, a, mx, exists and redirect= term counts one, and the lookups inside an included record count too, so nested vendor includes add up fast. Avoid ptr (deprecated, and it also counts). Above 10 the receiver returns permerror and SPF fails for all your mail. If you’re near the limit, consolidate vendors or flatten responsibly (flattened IP lists go stale when vendors change netblocks, so automate the refresh).
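To see how quickly includes eat the budget, here is an added example (not from the original article) that walks an SPF record the way a receiver does and counts every lookup-incurring term, recursing into include: and redirect= targets. It resolves against a constructed in-memory zone, so every domain and address in it is made up; for a live audit, swap lookup_txt() for real TXT queries and keep the counting logic.

```python
"""Count the DNS lookups an SPF record incurs and flag records over the limit.

Added example (not from the article). The resolver is a constructed
in-memory zone so this runs offline; every domain and address below is
made up. To audit a live domain, replace lookup_txt() with real TXT
queries (for example via dnspython) and keep the counting logic.
"""

LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror
COUNTED_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone: domain -> published TXT records.
ZONE = {
    # Lean record: one provider include, two netblock includes underneath.
    "lean.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": [
        "v=spf1 include:_netblocks1.mailhost.example include:_netblocks2.mailhost.example ~all"
    ],
    "_netblocks1.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.mailhost.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    # Vendor-heavy record: nested includes push it past the limit.
    "vendor-heavy.example": [
        "v=spf1 include:_spf.mailhost.example include:spf.crm.example "
        "include:spf.newsletter.example mx a:relay.vendor-heavy.example -all"
    ],
    "spf.crm.example": [
        "v=spf1 include:c1.crm.example include:c2.crm.example include:c3.crm.example ~all"
    ],
    "c1.crm.example": ["v=spf1 ip4:198.51.100.0/26 ~all"],
    "c2.crm.example": ["v=spf1 ip4:198.51.100.64/26 ~all"],
    "c3.crm.example": ["v=spf1 ip4:198.51.100.128/26 ~all"],
    "spf.newsletter.example": ["v=spf1 ip4:203.0.113.0/24 include:n1.newsletter.example ~all"],
    "n1.newsletter.example": ["v=spf1 a mx ~all"],
    # redirect= also costs a lookup and pulls in the target's lookups.
    "legacy.example": ["v=spf1 redirect=lean.example"],
    # Two SPF records: receivers treat this as permerror, not as a merge.
    "dupe.example": ["v=spf1 include:_spf.mailhost.example -all", "v=spf1 mx -all"],
}


class SpfError(Exception):
    """The record cannot be evaluated (missing, duplicated, or looping)."""


def lookup_txt(domain, zone):
    return zone.get(domain.lower().rstrip("."), [])


def get_spf_record(domain, zone):
    records = [t for t in lookup_txt(domain, zone) if t.lower().startswith("v=spf1")]
    if not records:
        raise SpfError(f"{domain}: no SPF record")
    if len(records) > 1:
        raise SpfError(f"{domain}: {len(records)} SPF records published (permerror); merge into one")
    return records[0]


def count_lookups(domain, zone, path=()):
    """Total lookup-incurring terms reachable from domain's SPF record.

    Every include:, a, mx, ptr, exists and redirect= counts one, and an
    include or redirect also adds everything its target record needs.
    """
    if domain in path:
        raise SpfError(f"{domain}: include/redirect loop via {' -> '.join(path)}")
    path = path + (domain,)
    total = 0
    for term in get_spf_record(domain, zone).split()[1:]:
        term = term.lstrip("+-~?")  # strip the qualifier, e.g. -all, ~all
        if "=" in term and ":" not in term:  # modifier: redirect=, exp=
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                total += 1 + count_lookups(target, zone, path)
            continue
        mech, _, target = term.partition(":")
        mech = mech.split("/")[0].lower()  # "a/24" and "mx/24" are still a and mx
        if mech == "include":
            total += 1 + count_lookups(target, zone, path)
        elif mech in COUNTED_MECHANISMS:
            total += 1
    return total


def audit(domain, zone=ZONE, limit=LIMIT):
    """Return a verdict dict: ok, lookups used, and the issue to fix if any."""
    try:
        used = count_lookups(domain, zone)
    except SpfError as exc:
        return {"domain": domain, "ok": False, "lookups": None, "issue": str(exc)}
    issue = None if used <= limit else f"{used} lookups exceed the limit of {limit}; consolidate vendors"
    return {"domain": domain, "ok": used <= limit, "lookups": used, "issue": issue}


if __name__ == "__main__":
    for name in ("lean.example", "legacy.example", "vendor-heavy.example", "dupe.example"):
        print(audit(name))
```

Note that dupe.example comes back as an error rather than a merged count: two v=spf1 records are a permerror at the receiver, which is why the step says one record and no duplicates. The vendor-heavy record reaches 13 with only three vendors because each vendor's own nested includes are charged to you.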
2) DKIM — turn on signing
Google Workspace:
- Admin Console → Apps → Google Workspace → Gmail → Authenticate email.
- Choose/confirm the selector (defaults to google), then Generate.
- Publish the TXT:
Name: google._domainkey
Type: TXT
Value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...<trimmed>..."
- Back in Admin Console, click Start authentication once the record resolves.
Microsoft 365:
- Defender/Exchange admin → DKIM for your domain.
- Publish two CNAMEs:
Name: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com._domainkey.<tenant>.onmicrosoft.com
Name: selector2._domainkey
Type: CNAME
Value: selector2-yourdomain-com._domainkey.<tenant>.onmicrosoft.com
Return to the portal and Enable DKIM.
Keep DKIM enabled before enforcing DMARC. A DKIM signature survives forwarding and mailing lists, where SPF breaks because the forwarder's IP is not in your record, so it’s the most reliable path to alignment across vendors.
3) DMARC — monitor first, then enforce
Start in monitor mode so you can see who’s sending on your behalf.
Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1; adkim=s; aspf=s; pct=100
- rua: aggregate reports (daily XML, usually gzipped or zipped). Use a dedicated alias.
- fo=1: ask for a failure report whenever either SPF or DKIM fails alignment. This only takes effect if you also publish a ruf=mailto: address; without ruf the tag is inert.
- adkim/aspf=s: strict alignment (recommended). Strict means the DKIM d= and envelope-from domains must equal the From: domain exactly, so a vendor that sends from a subdomain (for example a bounce domain) will fail until you fix it or relax to r.
- Leave for 1–2 weeks, then fix legitimate senders that show up unaligned.
# Step 2 — quarantine half
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s; fo=1
# Step 3 — full reject (include subdomains)
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s; fo=1
pct=50 applies the policy to half of the failing mail; the rest is treated as p=none, so raise it in steps rather than jumping straight to reject. Subdomains inherit p when sp is absent; stating sp=reject makes that explicit so a later p change cannot quietly loosen subdomain handling.
Failure (forensic) reports, governed by fo= and delivered to ruf=: some receivers don’t send them, and those that do may include message samples that could contain personal data. Use cautiously.
Verify and maintain
4) Verify your records
# SPF
dig +short TXT yourdomain.com
# DKIM (replace selector)
dig +short TXT google._domainkey.yourdomain.com
# DMARC
dig +short TXT _dmarc.yourdomain.com
- SPF aligned: SPF passes and the envelope-from (Return-Path) domain matches the visible From: domain (relaxed: same organizational domain; strict: exact match, set by aspf).
- DKIM aligned: the signature verifies and its d= domain matches the visible From: domain (same relaxed/strict rule, set by adkim).
- DMARC passes if either SPF is aligned or DKIM is aligned. A raw SPF or DKIM pass for some other domain does not count, which is how spoofed mail with a valid signature on the attacker's own domain still fails.
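The alignment rules above, worked as an added example (not from the original article): parse a DMARC record, apply adkim/aspf, and evaluate four constructed messages. The domains, the tiny public-suffix set standing in for the real Public Suffix List, and the SPF/DKIM verdicts are all assumptions made for the demo. The vendor case shows the practical cost of strict alignment (signed as em.yourdomain.example, bounced through bounce.em.yourdomain.example: passes relaxed, rejected strict), and the forwarded case shows why DKIM is the reliable path when SPF breaks.

```python
"""Evaluate DMARC alignment for a message the way a receiver does.

Added example (not from the article). Identifier alignment follows RFC 7489
section 3.1; the organizational-domain lookup uses a tiny constructed stand-in
for the Public Suffix List, and all domains and verdicts below are constructed.
"""

# Constructed stand-in for the Public Suffix List (real code uses the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(auth_domain, from_domain, mode):
    """mode 's' needs an exact match; 'r' needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return org_domain(a) == org_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


def dmarc_evaluate(from_domain, spf_result, envelope_from, dkim_results, policy):
    """Apply a parsed DMARC record to one message's authentication results.

    spf_result: the raw SPF verdict ('pass', 'fail', ...) for envelope_from.
    dkim_results: list of (verdict, d= domain) pairs, one per signature.
    Returns which identifiers aligned, whether DMARC passed, and the
    disposition the policy asks for when it did not.
    """
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")
    spf_aligned = spf_result == "pass" and aligned(envelope_from, from_domain, aspf)
    dkim_aligned = any(
        verdict == "pass" and aligned(d, from_domain, adkim) for verdict, d in dkim_results
    )
    passed = spf_aligned or dkim_aligned
    # sp= governs From: subdomains of the policy domain; it defaults to p.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    p = policy.get("p", "none")
    requested = policy.get("sp", p) if is_subdomain else p
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": passed,
        "disposition": "none" if passed else requested,
    }


# The article's step-3 record (strict) and a relaxed variant, parsed. The
# reporting mailbox is a placeholder.
STRICT = parse_dmarc(
    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain.example; adkim=s; aspf=s; fo=1"
)
RELAXED = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.example; adkim=r; aspf=r")

# Constructed messages, all with From: yourdomain.example.
FROM = "yourdomain.example"
PRIMARY = dict(spf_result="pass", envelope_from=FROM, dkim_results=[("pass", FROM)])
VENDOR = dict(spf_result="pass", envelope_from="bounce.em.yourdomain.example",
              dkim_results=[("pass", "em.yourdomain.example")])
FORWARDED = dict(spf_result="fail", envelope_from=FROM, dkim_results=[("pass", FROM)])
SPOOF = dict(spf_result="pass", envelope_from="attacker.example",
             dkim_results=[("pass", "attacker.example")])

if __name__ == "__main__":
    for label, msg in (("primary", PRIMARY), ("vendor", VENDOR),
                       ("forwarded", FORWARDED), ("spoof", SPOOF)):
        print(label, "strict:", dmarc_evaluate(FROM, policy=STRICT, **msg)["dmarc_pass"],
              "relaxed:", dmarc_evaluate(FROM, policy=RELAXED, **msg)["dmarc_pass"])
```

The spoof case passes raw SPF and carries a valid DKIM signature, yet fails under both modes because neither identifier is your domain; that is the whole point of alignment, and why the pitfalls list says to stay at p=none only until your own senders align, not until attackers stop.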
5) Common pitfalls (and fixes)
- Multiple SPF records → merge into one.
- Too many SPF lookups → remove unused vendors or use consolidated include.
- DKIM selector mismatch → DNS name must match the enabled selector.
- Forgot the marketing tool → add its SPF/DKIM or route via your domain.
- DMARC reject too soon → stay at p=none until legit senders align.
- No reporting mailbox → auto-archive dmarc-reports@ and review weekly.
6) What “good” looks like
- >98% of traffic passes SPF or DKIM alignment.
- DMARC at p=reject (and sp=reject for subdomains).
- Strict alignment (adkim=s, aspf=s).
- Weekly review of DMARC aggregate reports; tickets for any new source.
- (Optional) BIMI once DMARC is at reject and brand assets are ready.
Next steps: tighten mail security with Cybersecurity and ensure SaaS mail is backed up via Cloud Productivity.
