SPF, DKIM, and DMARC: What They Are and How to Set Them Up
Learn what SPF, DKIM, and DMARC are, why they matter for email deliverability, and how to set them up step by step.
What Are SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are three email authentication protocols that prove your emails are legitimate and not forged by spammers. SPF verifies the sending server is authorized, DKIM attaches a cryptographic signature to each message, and DMARC ties them together with a policy that tells receiving servers what to do when checks fail. If you send cold email or any business email, getting your SPF DKIM DMARC setup right is non-negotiable for landing in the inbox.
This guide walks you through each protocol, shows you exactly what DNS records to create, and explains common mistakes that tank deliverability.
Why Email Authentication Matters
Deliverability Depends on Authentication
Gmail, Outlook, and Yahoo all check SPF, DKIM, and DMARC before deciding whether your email reaches the inbox or the spam folder. As of 2024, Google and Yahoo require bulk senders to have all three configured. Without proper email authentication, your messages are essentially unsigned letters—easy to ignore, easy to distrust.
Spoofing and Phishing Protection
Email authentication stops bad actors from sending emails that look like they come from your domain. Without DMARC enforcement, anyone can forge your From address. This isn’t just a security problem—it damages your domain reputation when spoofed emails get flagged as spam.
The Cold Email Connection
If you run outbound campaigns, email authentication setup is the foundation of your entire operation. Warming up inboxes, rotating domains, crafting great copy—none of it matters if your DNS records aren’t right. For a deeper look at how authentication fits into the bigger picture, read our email deliverability guide.
SPF Deep Dive: Sender Policy Framework
What SPF Does
SPF (Sender Policy Framework) is a DNS TXT record that lists every server authorized to send email on behalf of your domain. When a receiving mail server gets a message from your domain, it checks your SPF record to see if the sending IP is on the approved list. If it’s not, the message fails SPF.
How to Set Up an SPF Record
Your SPF record setup goes in your domain’s DNS as a TXT record on the root domain (no subdomain). Here’s the process:
- Log in to your DNS provider (Cloudflare, Namecheap, GoDaddy, etc.)
- Navigate to DNS management for your domain
- Add a new TXT record with the host/name set to
@ - Paste your SPF value
SPF Record Examples
Google Workspace only:
v=spf1 include:_spf.google.com ~all
Google Workspace + a third-party email service:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
Microsoft 365 only:
v=spf1 include:spf.protection.outlook.com ~all
SPF Syntax Breakdown
v=spf1— declares the SPF version (always spf1)include:— authorizes the servers listed in another domain’s SPF recordip4:203.0.113.0/24— authorizes a specific IP range~all— soft fail for unauthorized senders (recommended starting point)-all— hard fail for unauthorized senders (stricter)
Important: You can only have one SPF TXT record per domain. If you need multiple services, combine them into a single record using multiple include: statements. Having two SPF records will break authentication entirely.
DKIM Deep Dive: DomainKeys Identified Mail
What DKIM Does
DKIM adds a cryptographic signature to every outgoing email. The sending server signs the message with a private key, and the receiving server verifies it using a public key published in your DNS. This proves the email wasn’t tampered with in transit and genuinely came from your domain.
How to Set Up DKIM
Unlike SPF, you don’t write DKIM records manually. Your email provider generates the key pair and gives you the DNS record to publish. Here’s the general flow:
- In your email provider’s admin panel, find the DKIM/authentication settings
- Generate or view your DKIM key
- Copy the provided TXT (or CNAME) record
- Add it to your domain’s DNS
- Return to your provider and verify
DKIM Record Example
Google Workspace DKIM (CNAME method):
Host: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2K4PavXoNY8eGK2u...
Microsoft 365 DKIM (CNAME method):
Host: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
DKIM Key Details
- The selector (e.g.,
google,selector1) identifies which key to use—domains can have multiple DKIM keys - The
p=value is the public key (the long string of characters) - Most providers use 2048-bit keys for stronger security
- DKIM records are often long—some DNS providers require you to split them into multiple strings
DMARC Deep Dive: Domain-Based Message Authentication
What DMARC Does
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It tells receiving servers what to do when an email fails authentication and gives you reports on who’s sending email from your domain. Think of it as the policy layer on top of SPF and DKIM.
DMARC Policies Explained
| Policy | Tag | What Happens | When to Use |
|---|---|---|---|
| None | p=none |
No action taken; you receive reports only | Starting out, monitoring phase |
| Quarantine | p=quarantine |
Failing emails go to spam/junk | After confirming legitimate mail passes |
| Reject | p=reject |
Failing emails are blocked entirely | Full enforcement, maximum protection |
DMARC Setup Guide: Step by Step
Add a TXT record to your DNS with the host set to _dmarc:
Basic monitoring policy (recommended start):
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Quarantine policy:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100
Full reject policy:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100
DMARC Tag Reference
v=DMARC1— protocol versionp=— policy for your domain (none, quarantine, reject)rua=— email address to receive aggregate reportsruf=— email address for forensic (failure) reportspct=— percentage of messages the policy applies to (default 100)sp=— policy for subdomains
For cold email domains, start with p=none to collect data, then move to p=quarantine after 2–4 weeks of clean sending.
Common Mistakes in Email Authentication Setup
Even experienced senders get tripped up. Here are the mistakes we see most often:
- Multiple SPF records: Adding a second SPF TXT record instead of merging
include:statements into one. Two SPF records = both invalid. - Forgetting DKIM: SPF alone isn’t enough. Without DKIM, you fail DMARC alignment and your emails look suspicious.
- Jumping straight to
p=reject: If your SPF or DKIM isn’t perfectly configured, a reject policy will block your own legitimate emails. - Using
+allin SPF: This authorizes every server on the internet to send as your domain. Never do this. - Not checking propagation: DNS changes can take 24–48 hours. Sending campaigns before records propagate means failing authentication.
- Too many DNS lookups in SPF: SPF has a 10-lookup limit. Exceeding it causes a permanent error (permerror), and all SPF checks fail.
- Ignoring DMARC reports: The
ruareports tell you exactly what’s passing and failing. Not reading them means flying blind.
How to Verify Your Email Authentication Setup
Free Tools to Check DNS Records for Email
After setting up your records, verify everything is working:
- MXToolbox SPF Checker — validates your SPF record syntax and lookup count
- MXToolbox DKIM Lookup — checks your DKIM selector and public key
- MXToolbox DMARC Checker — validates your DMARC record and policy
- Mail-Tester.com — send a test email and get a full deliverability score
- Google Admin Toolbox — dig tool for checking TXT record propagation
Quick Command-Line Check
If you’re comfortable with the terminal, you can verify records directly:
# Check SPF record
dig TXT yourdomain.com +short
# Check DKIM record
dig TXT google._domainkey.yourdomain.com +short
# Check DMARC record
dig TXT _dmarc.yourdomain.com +short
How Email Authentication Connects to Cold Email Deliverability
Proper SPF DKIM DMARC configuration is the baseline for cold email. Without it, inbox providers have no reason to trust your messages. Here’s how each protocol directly impacts your outbound results:
- SPF passing means the sending server is authorized—Gmail won’t flag it as a spoofed message
- DKIM passing means the content wasn’t altered—this builds sender reputation over time
- DMARC aligned means both SPF and DKIM match the From domain—this is what triggers the "verified" checkmark in some email clients
When you’re warming up new inboxes, authentication has to be perfect from day one. Every email sent during warmup is building (or destroying) your domain reputation. A misconfigured DKIM record during warmup can set you back weeks.
For cold email at scale, you also need to think about authentication across multiple domains and inboxes. Each domain needs its own SPF, DKIM, and DMARC records. Managing this manually for 10, 20, or 50+ domains gets complicated fast.
Skip the Manual Setup: Let Infinity Inboxes Handle It
Setting up email authentication correctly across dozens of domains is tedious and error-prone. One typo in a DKIM record or a missing SPF include can silently kill your deliverability for days before you notice.
Infinity Inboxes handles all of this automatically. Every Google Workspace and Outlook inbox we provision comes with SPF, DKIM, and DMARC fully configured and verified before you send a single email. We also run automated warmup so your new inboxes build reputation from day one.
No DNS headaches. No guessing whether your records propagated. Just inboxes that are ready to send.