How to Set Up SPF, DKIM, and DMARC Records

Why Email Authentication Matters#

Email authentication prevents spoofing and improves deliverability. Without it, ISPs are more likely to send your emails to spam.

SPF (Sender Policy Framework)#

SPF tells receiving servers which IPs are allowed to send email for your domain.

Setup#

Add a TXT record to your domain's DNS:

yourdomain.com  TXT  "v=spf1 include:amazonses.com include:sendgrid.net ~all"

Key Rules#

• Only ONE SPF record per domain
• Use include: for each sending service
• End with ~all (softfail) or -all (hardfail)
• Max 10 DNS lookups (keep includes minimal)

Verify#

dig TXT yourdomain.com | grep spf

DKIM (DomainKeys Identified Mail)#

DKIM adds a cryptographic signature to your emails proving they haven't been tampered with.

Setup#

Your sending service provides DKIM records. Add them as CNAME or TXT records:

selector1._domainkey.yourdomain.com  CNAME  selector1.dkim.amazonses.com

Verify#

dig CNAME selector1._domainkey.yourdomain.com

DMARC (Domain-based Message Authentication)#

DMARC ties SPF and DKIM together and tells ISPs what to do with unauthenticated messages.

Setup (Start with monitoring)#

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"

Enforcement Levels#

Gradual Enforcement#

1. Start with p=none for 2-4 weeks
2. Review DMARC reports (aggregate reports sent to rua address)
3. Fix any legitimate senders failing authentication
4. Move to p=quarantine with pct=25 (25% enforcement)
5. Gradually increase pct to 100
6. Finally move to p=reject

Warning: Never jump straight to p=reject — you might block legitimate email from services you forgot to authenticate.