
Email Authentication Guide

SPF, DKIM, and DMARC are email authentication methods that help prevent spam and phishing. This guide explains what they do and how to set them up.


Why Email Authentication Matters

Without authentication, anyone can send email pretending to be from your domain. Authentication helps:

  • Prevent spoofing - Stop attackers from impersonating your domain
  • Improve deliverability - Authenticated emails are less likely to be marked as spam
  • Protect your reputation - Avoid being blacklisted due to spammers using your domain

SPF (Sender Policy Framework)

SPF tells the world which servers are allowed to send email for your domain.

How It Works

  1. You publish a list of authorised servers in a DNS TXT record
  2. Receiving servers check if the sending server is on that list
  3. If not authorised, the email may be rejected or marked as spam

SPF Record Format

v=spf1 [mechanisms] [qualifier]all

Common mechanisms:

| Mechanism | Meaning | Example |
|---|---|---|
| include: | Authorise every sender permitted by another domain's SPF record | include:_spf.google.com |
| a | Authorise the IP address in the domain's A record | a |
| mx | Authorise the hosts in the domain's MX records | mx |
| ip4: | Authorise a specific IPv4 address (or CIDR range) | ip4:203.0.113.50 |
| ip6: | Authorise a specific IPv6 address (or CIDR range) | ip6:2001:db8::1 |

Qualifiers:

| Qualifier | Meaning |
|---|---|
| ~all | Soft fail (mark but don't reject) |
| -all | Hard fail (reject unauthorised senders) |
| ?all | Neutral (no policy) |

Example SPF Records

Google Workspace:

v=spf1 include:_spf.google.com ~all

Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

Multiple services:

v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.50 ~all

SPF Tips

  • Only one SPF record per domain
  • Keep it to at most 10 DNS lookups (every include: counts towards this, as do a, mx and redirect; exceeding the limit gives a PermError)
  • Start with ~all (soft fail), move to -all once tested
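The record format, mechanisms, qualifiers and the 10-lookup limit above can be exercised with a small evaluator. This is an added example, not code from the original guide or from any mail provider: it resolves names against a constructed in-memory zone (FAKE_DNS, hypothetical data) instead of live DNS, handles the mechanisms in the table plus redirect=, counts DNS-querying terms the way a receiver would, and returns permerror on duplicate records, missing include targets or more than 10 lookups. CIDR suffixes on a/mx (a/24) and the exists/ptr mechanisms are left out for brevity.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical zone data, no live lookups).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.google.com ip4:203.0.113.50 ~all"],
    ("_spf.google.com", "TXT"): ["v=spf1 include:_netblocks.google.com ~all"],
    ("_netblocks.google.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    ("strict.example", "TXT"): ["v=spf1 mx -all"],
    ("strict.example", "MX"): ["mail.strict.example"],
    ("mail.strict.example", "A"): ["192.0.2.10"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],   # self-referencing include
    ("dup.example", "TXT"): ["v=spf1 -all", "v=spf1 mx -all"],        # two SPF records: invalid
}
MAX_LOOKUPS = 10   # RFC 7208 limit on DNS-querying mechanisms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """The record cannot be evaluated; receivers report this as 'permerror'."""


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's single SPF record, None if absent, PermError if duplicated."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise PermError(f"{domain}: more than one SPF record")
    return records[0] if records else None


def bump(counter):
    counter["lookups"] += 1
    if counter["lookups"] > MAX_LOOKUPS:
        raise PermError("too many DNS lookups")


def host_matches(ip, hostname):
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(a) == ip for a in lookup(hostname, rtype))


def check(ip, domain, counter):
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term:                      # modifier (redirect=, exp=), not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                      # mechanisms default to +
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):         # no DNS lookup needed for literal addresses
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            bump(counter)
            sub = check(ip, value, counter)
            if sub == "none":
                raise PermError(f"include:{value} has no SPF record")
            matched = sub == "pass"          # only a 'pass' from the included record matches
        elif name == "a":
            bump(counter)
            matched = host_matches(ip, value or domain)
        elif name == "mx":
            bump(counter)
            matched = any(host_matches(ip, mx) for mx in lookup(value or domain, "MX"))
        else:
            raise PermError(f"unknown mechanism {name!r}")
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                             # redirect= is only consulted when nothing matched
        bump(counter)
        return check(ip, redirect, counter)
    return "neutral"


def evaluate(ip, domain):
    """Evaluate SPF for a sending IP and the MAIL FROM domain; report the lookup count."""
    counter = {"lookups": 0}
    try:
        result = check(ipaddress.ip_address(ip), domain, counter)
    except PermError as exc:
        return {"result": "permerror", "lookups": counter["lookups"], "reason": str(exc)}
    return {"result": result, "lookups": counter["lookups"]}


if __name__ == "__main__":
    for ip, domain in [("203.0.113.50", "example.com"), ("192.0.2.99", "example.com"),
                       ("192.0.2.10", "strict.example"), ("192.0.2.1", "loop.example")]:
        print(ip, domain, evaluate(ip, domain))
```

The loop.example zone shows why the lookup cap matters: without it the include chain would never terminate, and a receiver returns permerror at the eleventh lookup rather than a pass or fail.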

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your emails that proves they were sent by a server holding your domain's signing key and that the signed headers and body haven't been altered in transit.

How It Works

  1. Your mail server signs outgoing emails with a private key
  2. You publish the matching public key in DNS
  3. Receiving servers verify the signature using the public key

DKIM Record Format

DKIM records are published at selector._domainkey.yourdomain.com:

selector._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."

Components:

| Part | Meaning |
|---|---|
| selector | Identifier for the key (set by your email provider) |
| v=DKIM1 | DKIM version |
| k=rsa | Key type |
| p= | The public key (base64 encoded) |

Setting Up DKIM

  1. Your email provider generates a key pair
  2. They give you a DNS record to publish (with the public key)
  3. You add the TXT record to your DNS
  4. They sign outgoing emails with the private key

DKIM Tips

  • The selector is unique to each provider (e.g., google, selector1, k1)
  • You can have multiple DKIM records (different selectors)
  • Don't share or publish your private key
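The DKIM steps above can be followed with standard-library Python only as far as the body hash: a verifier first recomputes the bh= tag from the canonicalised body and only then checks the RSA signature (b=) with the public key from DNS. This is an added example, not code from the original guide or from any provider. It builds the selector._domainkey DNS name, parses DKIM tag=value records, implements relaxed and simple body canonicalisation from RFC 6376, and shows that a tampered body no longer matches bh=. The b= value and the p= public key are placeholders because producing or checking the RSA signature needs the provider's key pair, which this example does not generate.

```python
import base64
import hashlib
import re

# Constructed sample data (not real messages or keys).
MESSAGE_BODY = "Hello  team,\r\n\r\nThe Q3 report is attached.  \r\n\r\n\r\n"
DKIM_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"   # placeholder, not a real key


def dkim_dns_name(selector, domain):
    """Where a verifier fetches the public key: selector._domainkey.domain."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(value):
    """Parse a DKIM tag list ('v=DKIM1; k=rsa; p=...') into a dict.
    Whitespace inside values (from header folding) is ignored, as the RFC allows."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        tags[key.strip()] = "".join(val.split())
    return tags


def canonicalize_body(body, method="relaxed"):
    """RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed) body canonicalisation."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # collapse runs of spaces/tabs to one space and drop trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":           # strip trailing empty lines
        lines.pop()
    if method == "simple" and not lines:       # an empty body canonicalises to CRLF
        return "\r\n"
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, method="relaxed", algorithm="sha256"):
    """The bh= value: base64 of the digest over the canonicalised body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def build_signature_header(domain, selector, body, headers=("from", "to", "subject", "date")):
    """Construct the DKIM-Signature tags a signer emits. b= is a placeholder here:
    the real value is an RSA signature over the listed headers made with the private key."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=PLACEHOLDER"
            % (domain, selector, ":".join(headers), body_hash(body)))


def body_hash_matches(signature_header, body):
    """Verifier step 1: recompute bh= from the received body using the c= and a= tags."""
    tags = parse_tags(signature_header)
    _, _, c_body = tags.get("c", "simple/simple").partition("/")
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]      # rsa-sha256 -> sha256
    return body_hash(body, c_body or "simple", algorithm) == tags.get("bh")


def key_record_usable(txt):
    """A key record must be v=DKIM1 (or omit v=) and carry a non-empty p=;
    an empty p= means the key has been revoked (RFC 6376 section 3.6.1)."""
    tags = parse_tags(txt)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))


if __name__ == "__main__":
    header = build_signature_header("example.com", "google", MESSAGE_BODY)
    print(dkim_dns_name("google", "example.com"))
    print("intact body matches bh:", body_hash_matches(header, MESSAGE_BODY))
    print("edited body matches bh:", body_hash_matches(header, MESSAGE_BODY.replace("Q3", "Q4")))
```

Relaxed canonicalisation is what lets a signature survive mail servers that re-wrap whitespace: two bodies differing only in runs of spaces hash to the same bh=, while any change to the words does not.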

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receiving servers what to do when SPF or DKIM fails, and requests reports about your domain's email.

How It Works

  1. You publish a DMARC policy in DNS
  2. Receiving servers check SPF and DKIM
  3. If neither SPF nor DKIM passes with a domain aligned to the From: header, they follow your DMARC policy (none, quarantine, reject)
  4. They can send you reports about authentication results

DMARC Record Format

DMARC records are published at _dmarc.yourdomain.com:

_dmarc.example.com.  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

Key tags:

| Tag | Meaning | Values |
|---|---|---|
| v | Version | DMARC1 (required) |
| p | Policy for the domain | none, quarantine, reject |
| rua | Aggregate report address | mailto:you@example.com |
| ruf | Failure (forensic) report address; many receivers don't send these | mailto:you@example.com |
| pct | Percentage of failing messages the policy is applied to | 1 to 100 (default 100) |
| sp | Policy for subdomains | none, quarantine, reject |

Policy levels:

| Policy | Action |
|---|---|
| none | Monitor only (no action) |
| quarantine | Treat as suspicious (typically delivered to the spam folder) |
| reject | Block the email entirely |

Example DMARC Records

Monitoring only (start here):

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Quarantine failures:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com

Reject failures (strictest):

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com

DMARC Tips

  • Start with p=none to collect data before enforcing
  • Use pct=10 to gradually roll out stricter policies
  • Review reports to identify legitimate senders you may have missed
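To make the policy, alignment and pct rules above concrete, here is an added example that is not part of the original guide: it parses a DMARC record and decides the outcome for one message from the SPF and DKIM results a receiver has already computed. It assumes the organisational domain can be approximated by the last two labels (real verifiers consult the Public Suffix List, so example.co.uk would be handled wrongly here) and takes the pct sampling draw as a parameter so the function is deterministic. The adkim and aspf tags it honours are standard DMARC tags not covered in the table above; they default to relaxed alignment.

```python
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}   # RFC 7489 defaults


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification: last two labels. Real implementations use the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r'): same organisational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, policy_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain, sample=100):
    """Return the DMARC result and the disposition a receiver should apply.

    policy_domain: the domain whose _dmarc record this is.
    from_domain:   the domain in the RFC5322 From: header.
    spf_domain:    the envelope MAIL FROM (Return-Path) domain that SPF checked.
    dkim_domain:   the d= of a DKIM signature that verified, or None.
    sample:        the 1-100 draw compared with pct (a real receiver picks it at random).
    """
    tags = {**DEFAULTS, **parse_dmarc(record)}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"dmarc": "none", "disposition": "none", "reason": "no valid DMARC record"}

    # DMARC passes if either SPF or DKIM passed AND that identifier aligns with From:.
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "spf aligned" if spf_aligned else "dkim aligned"}

    # Subdomains use sp= when present, otherwise the main p= policy.
    policy = tags["p"]
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    # pct: messages outside the sampled fraction get the next-weaker policy (RFC 7489 6.6.4).
    if sample > int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, policy)
    return {"dmarc": "fail", "disposition": policy, "reason": "neither SPF nor DKIM aligned"}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # forwarded mail: SPF now authenticates the forwarder, but the DKIM signature still aligns
    print(evaluate_dmarc(record, "example.com", "example.com",
                         "pass", "forwarder.net", "pass", "example.com"))
    # third-party service sending with its own domains: nothing aligns
    print(evaluate_dmarc(record, "example.com", "example.com",
                         "pass", "mailgun.org", "pass", "mailgun.org"))
```

The second call in the usage block is the "DMARC alignment failed" case from the troubleshooting section: SPF and DKIM both pass for the sending service, but neither domain aligns with the From: domain, so the message is handled under p=reject.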

Implementation Checklist

Step 1: Set Up SPF

  • Identify all services that send email for your domain
  • Create SPF record including all senders
  • Add TXT record to DNS
  • Test with an SPF checker tool

Step 2: Set Up DKIM

  • Enable DKIM in your email provider
  • Get the DNS record from your provider
  • Add TXT record to DNS
  • Test with a DKIM checker tool

Step 3: Set Up DMARC

  • Start with p=none policy
  • Add _dmarc TXT record to DNS
  • Monitor reports for 2-4 weeks
  • Gradually increase to quarantine then reject

Testing Your Setup

Online Tools

  • MXToolbox - Check SPF, DKIM, DMARC records
  • Mail-tester.com - Send a test email and get a score
  • Google Admin Toolbox - Check DNS records

Send a Test Email

  1. Send an email to a Gmail account
  2. Open the email and click "Show original"
  3. Look for spf=pass, dkim=pass, dmarc=pass
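The spf=pass, dkim=pass and dmarc=pass values in "Show original" come from the Authentication-Results header the receiving server adds. The following added example, not part of the original guide, parses that header (RFC 8601 syntax) into per-method results and properties, drops the parenthesised comments receivers add, and summarises whether all three methods passed. The header text is constructed sample data in the shape Gmail produces, not a real captured message.

```python
import re

# Constructed sample header value (folded over several lines, as in a raw message).
SAMPLE = (
    "mx.google.com;\n"
    "       dkim=pass header.i=@example.com header.s=google header.b=\"aBcD12/+\";\n"
    "       spf=pass (google.com: domain of bounce@example.com designates 203.0.113.50"
    " as permitted sender) smtp.mailfrom=bounce@example.com;\n"
    "       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"
)


def parse_authentication_results(value):
    """Split an Authentication-Results value into the authserv-id and a list of
    {method, result, props} entries, e.g. props['smtp.mailfrom'] for SPF."""
    text = re.sub(r"\([^()]*\)", "", value)     # remove (comments); they are free text
    text = " ".join(text.split())               # unfold header line continuations
    parts = [p.strip() for p in text.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]           # the receiver that did the checking
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:                # ptype.property=value pairs
            key, _, val = token.partition("=")
            props[key.lower()] = val.strip('"')
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return {"authserv_id": authserv_id, "results": results}


def summarize(value):
    """Map spf/dkim/dmarc to a result. A message may carry several DKIM
    signatures; one passing signature is enough, so 'pass' wins over others."""
    summary = {}
    for entry in parse_authentication_results(value)["results"]:
        method = entry["method"]
        if method in ("spf", "dkim", "dmarc") and summary.get(method) != "pass":
            summary[method] = entry["result"]
    return summary


def fully_authenticated(value):
    """True when the receiver reported spf=pass, dkim=pass and dmarc=pass."""
    summary = summarize(value)
    return all(summary.get(method) == "pass" for method in ("spf", "dkim", "dmarc"))


if __name__ == "__main__":
    parsed = parse_authentication_results(SAMPLE)
    print("checked by:", parsed["authserv_id"])
    for entry in parsed["results"]:
        print(f"  {entry['method']}={entry['result']} {entry['props']}")
    print("all pass:", fully_authenticated(SAMPLE))
```

Only trust an Authentication-Results header whose authserv-id is your own receiving server: a sender can add one of its own, which is why receivers strip or ignore copies they did not write.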

Common Issues

"SPF PermError: Too many DNS lookups"

SPF is limited to 10 DNS lookups. Solutions:

  • Remove unused include: entries
  • Use IP addresses instead of includes where possible
  • Use an SPF flattening service

"DKIM signature not found"

  • Verify the DNS record is published correctly
  • Check the selector matches what your provider uses
  • Ensure DKIM is enabled in your email provider

"DMARC alignment failed"

The domain in the From: header must align with the domain that passed SPF (the envelope MAIL FROM / Return-Path domain) or with the d= domain of a valid DKIM signature. Common causes:

  • Sending through a third-party service without proper setup, so SPF and DKIM pass for the service's own domain rather than yours
  • Forwarded emails (forwarding breaks SPF because the forwarder's server is not in your record; DKIM usually still passes unless the forwarder modifies the message)