Want to secure your email communications? – Set up your SPF, DKIM, and DMARC (authentication records)
Is your email delivery and deliverability low? – Check if you have set up your SPF, DKIM, and DMARC correctly.
You must have read and heard about authentication records and why it is important to set them up.
But how do you set them up correctly?
That’s what I am going to show in my blog – a step-by-step process on how to set up your SPF, DKIM, and DMARC records.
Moreover, I’ll also answer some questions I get asked frequently, like best practices, how to check if your records are set up correctly, and more.
Keep reading further!
What is SPF and How to Set It Up?
The first of the 3 email security protocols you’ll see is SPF.
Here’s what I’ll cover:
A Quick Intro to SPF
Sender Policy Framework (SPF) basically contains a list of mail servers you have allowed to send emails using your domain name.
You can also tell receiving mail servers what to do when they get an email from a server that is not listed in your SPF record.
Depending on your setup, the server can:
- Mark it as suspicious and possibly send it to spam (Soft Fail – ~all)
- Reject it completely (Hard Fail – -all)
- Stay neutral and allow email (Neutral – ?all)
SPF is a text-based record that is stored in your Domain Name System (DNS), and this is how it looks:
v=spf1 include:_spf.your-email-provider.com -all
- v=spf1 → Indicates that this is an SPF record.
- include:_spf.your-email-provider.com → Specifies the authorized mail servers.
- -all → Enforces a hard fail for unauthorized servers.
How does it work? – When you send an email, your recipients’ mail servers will check your SPF record and verify whether the server your email is from is authorized or not.
If the server is verified, the email passes through.
If not, appropriate action will be taken based on your SPF policy (-all, ~all, or ?all)
Pro Tip:
If you are still testing and not sure about your email server list, start with ~all (Soft Fail) to monitor and avoid accidentally blocking legitimate emails.
Once you’re confident, you can switch to -all (Hard Fail) for stronger protection against spoofing.
As you can see, SPF is quite important for protecting your reputation and even keeping other email users safe from malicious emails.
How To Set Up SPF?
SPF is quite easy to set up — you don’t need any technical knowledge to do it!
Let me show you how:
- Step 1: Log into your domain hosting platform (like GoDaddy, Namecheap, etc.). I have used Cloudflare to give you an idea.

- Step 2: Find the “DNS Management” or “Domain Settings” section. In this section, you can add or modify your DNS record.
- Step 3: Create a new TXT record. In the “Name” or “Host field”, enter @ or leave it blank (depending on your platform).
- Step 4: Add the text “v=spf1 include:_spf.your-email-provider.com ~all”. Replace _spf.your-email-provider.com with the correct SPF value based on your email service provider.
SPF Records for Popular Email Service Providers
Google Workspace: v=spf1 include:_spf.google.com ~all
Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
Zoho Mail: v=spf1 include:zoho.com ~all
- Step 5: Save it, and you’re done!
It’s that easy, but it does get quite hectic if you have to do this manually for a lot of domains.
Next, I’ll answer a common question I get asked a lot (even I had this question when I started out).
Do I Need to Set Up Different SPF Records for Different ESPs?
Short answer – Nope!
Detailed answer 👇
You can only set up one SPF record per domain.
But you can use the “include:” parameter to allow multiple email service providers.
For example – If you’re using both Google Workspace and Microsoft 365, this will be your SPF record:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
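The rules from this section (one SPF record per domain, providers merged with include:, and the policy set by the all term) can be checked offline before the record is published. The following is an added example, not part of the original post; `lint_spf` and the sample inputs are made up for illustration, and the 10-lookup limit it also checks comes from RFC 7208 rather than from this article.

```python
# Terms that cost the receiver one DNS lookup each (RFC 7208 allows 10 in total).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}

def lint_spf(txt_records):
    """Return (all_policy, lookup_count, problems) for a domain's TXT strings."""
    spf = [r for r in txt_records if r.strip().lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return None, 0, [f"expected exactly one v=spf1 record, found {len(spf)}"]
    policy, names, problems = None, [], []
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # "+" is the default
        name = term.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0].lower()
        names.append(name)
        if name == "all":
            policy = QUALIFIERS[qualifier]
    # Lookups inside included records count too; resolving those needs live DNS.
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if policy is None and "redirect" not in names:
        problems.append("no 'all' term: unlisted servers get a neutral result")
    elif policy == "pass":
        problems.append("'+all' authorizes any server to send as this domain")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return policy, lookups, problems

# Constructed inputs: the merged record from the text, and the two-record mistake.
MERGED = ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"]
SPLIT = ["v=spf1 include:_spf.google.com ~all",
         "v=spf1 include:spf.protection.outlook.com ~all"]

if __name__ == "__main__":
    for records in (MERGED, SPLIT):
        print(lint_spf(records))
```

Feed it the TXT strings your DNS panel shows for the root of the domain; unrelated TXT records (site verification and so on) are ignored.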
DKIM is next!
What is DKIM and How to Set It Up?
The second authentication record you need to set up is DKIM.
- A Quick Intro to DKIM
- How To Set Up DKIM?
- Do I Need to Set Up Different DKIM Records for Different ESPs?
A Quick Intro to DKIM
DomainKeys Identified Mail (DKIM) is an authentication record that is used to make sure your emails are authentic and haven’t been tampered with in transit.
The DKIM has two parts:
- A private key that is used to create a digital signature for all your outgoing emails.
- A public key that is stored in your DNS record that the recipient mail servers can use to verify the authenticity of your email.
This is how it looks:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9m5wUIBZHH1o2zJxgZm7hrK29FWyGzH8KqRBYE2QJQZx8F4zy/KHQcY54sAZLJQJx6EvNPOF9+fMjFqQWECQmYAQIDAQAB
- v=DKIM1 → This specifies the version of DKIM being used.
- k=rsa → Indicates the key type (RSA is the most common algorithm used for DKIM).
- p= → Contains the public key used to verify the email’s signature.
So, how does it work?
Quite simple – When you send an email, your ESP will use the private key to generate a digital signature and attach it to your email.
Your recipients’ mail server will use your public key to check the digital signature and verify two things:
- The email was not altered in transit.
- The email was genuinely sent by your domain.
If the signature is valid, the email is delivered to the inbox.
If the signature is invalid or no DKIM record is found, the email may be marked as spam or rejected.
How To Set Up DKIM?
Setting up DKIM will take a few more steps than SPF, but it’s still easy to follow.
I’ll guide you on how you can create, add, and authenticate your DKIM records:
- Step 1: Log in to your email service provider’s admin panel and find the “DKIM” or the “Email Authentication Settings” section.
- Step 2: Generate a New DKIM Record. You will get the “DNS Host Name” that you have to enter and the “TXT record” value.
- Step 3: Go back to “DNS Management” in your domain hosting platform, as I showed you in the SPF setup.

- Step 4: Click on “Add Record” and navigate to “Type.” Select “TXT,” as shown in the screenshot below.

- Step 5: Paste the “DNS Host Name” in the Name box and the “TXT record” value, which is your DKIM key, in the appropriate Content/Value section.
- Step 6: Save your DKIM record on the domain hosting platform admin panel.
- Step 7: Go back to your ESP admin panel and find the option to start the authentication process or enable DKIM Signing.
A few more extra steps compared to SPF, but it’s not that hard!
Your DKIM record will take 24 to 48 hrs to be set up and authenticated.
I’ll show you how you can verify if you have set up the record properly in the coming section.
Do I Need to Set Up Different DKIM Records for Different ESPs?
Yes, you’ll have to create different DKIM record entries for different ESPs, as each provider generates its own unique DKIM keys.
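Once a DKIM record is published, its p= value can be checked for two things: that it survived copy and paste intact, and that the key is at least the 2048 bits recommended in the FAQ at the end of this post. This is an added example, not the author's or any ESP's code; `check_dkim` and `sample_record` are hypothetical names, and the sample keys are constructed placeholders with the right structure rather than real RSA keys.

```python
import base64

def der_item(buf, pos=0):
    """Read one DER element at pos; return (content, next_pos)."""
    length, pos = buf[pos + 1], pos + 2          # IndexError if cut short
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past the end of the key")
    return buf[pos:pos + length], pos + length

def rsa_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo, the structure inside p=."""
    body, _ = der_item(spki)
    _, after_alg = der_item(body)                # skip the algorithm identifier
    bit_string, _ = der_item(body, after_alg)
    key, _ = der_item(bit_string[1:])            # drop the "unused bits" byte
    modulus, _ = der_item(key)
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim(record, minimum=2048):
    tags = {k.strip().lower(): "".join(v.split()) for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return "not an RSA DKIM1 record, size check skipped"
    if not tags.get("p"):
        return "empty p=: key is revoked or missing"
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return "p= is damaged or truncated"
    return f"{bits}-bit key" + ("" if bits >= minimum else f", below {minimum}")

def _tlv(tag, body):
    n = len(body)
    nbytes = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + size + body

def sample_record(bits):
    """Constructed sample: valid structure, but the modulus is not a real key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass `check_dkim` the TXT value exactly as it appears in DNS; whitespace inside p= is ignored, so a key that your DNS panel split into several strings still checks correctly once the strings are joined.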
Next is DMARC.
What is DMARC and How to Set It Up?
The third and last authentication record is DMARC.
- A Quick Intro to DMARC
- How To Set Up DMARC?
- Do I Need to Set Up Different DMARC Records for Different ESPs?
A Quick Intro to DMARC
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is built on top of your SPF and DKIM authentication.
You can use DMARC to instruct mail servers on the next steps if the emails they receive fail SPF and DKIM checks.
You can instruct the mail servers to:
- Reject: Your email will not be delivered.
- None: Your email will be delivered to the recipient.
- Quarantine: Your email will be sent to the spam folder.
In addition to this, you will also get email reports each time there is an authentication failure.
This is how your DMARC will look:
v=DMARC1; p=quarantine; rua=mailto:your-reporting-email@example.com
- v=DMARC1 → Specifies the DMARC version being used.
- p=quarantine → Instructs the receiving server to send failed emails to the spam folder.
- rua=mailto:your-reporting-email@example.com → Sends reports to a designated email address for monitoring.
Pro Tip:
I recommend setting “p=none” initially.
Once you’re confident that your authentication is working as expected, you can adjust the policy to “p=quarantine” or “p=reject” for stricter protection.
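How a receiving server arrives at one of those three outcomes, as an added example that is not from the original post: DMARC passes when SPF or DKIM passes for a domain that matches the visible From domain, and the p= policy applies only when neither does. The function names, the sample domains and the two-label shortcut for the organizational domain are assumptions; aspf and adkim are the standard DMARC tags for strict or relaxed matching.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use the
    # Public Suffix List, which matters for names such as example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_verdict(record, header_from, spf, dkim):
    """spf and dkim are (passed, domain) pairs: the envelope-sender domain for
    SPF, the d= signing domain for DKIM. Returns (dmarc_result, action)."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}
    actions = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}
    if tags.get("v") != "DMARC1" or tags.get("p") not in actions:
        return "no valid policy", "receiver decides"

    def aligned(domain, mode):
        if mode == "s":                                   # strict: exact match
            return domain.lower() == header_from.lower()
        return org_domain(domain) == org_domain(header_from)   # relaxed, the default

    spf_ok = spf[0] and aligned(spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                                 # one aligned pass is enough
        return "pass", "deliver"
    return "fail", actions[tags["p"]]

POLICY = "v=DMARC1; p=quarantine; rua=mailto:your-reporting-email@example.com"

# Constructed cases for mail whose From address is at yourdomain.com
CASES = {
    "sent through an ESP: SPF passes for the ESP's bounce domain, DKIM is yours":
        ((True, "bounces.esp.example"), (True, "yourdomain.com")),
    "SPF fails and there is no valid signature":
        ((False, "yourdomain.com"), (False, "")),
    "SPF and DKIM both pass, but for an unrelated domain":
        ((True, "other.example"), (True, "other.example")),
}

def run_cases(policy=POLICY):
    return {name: dmarc_verdict(policy, "yourdomain.com", s, d)
            for name, (s, d) in CASES.items()}
```

The first case is why DKIM signing with your own domain matters when you send through an ESP: SPF passes, but only for the ESP's domain, so DKIM is what carries the DMARC pass.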
How To Set Up DMARC?
You’ll actually find setting up DMARC very simple; it’s similar to SPF. Let me show you:
- Step 1: Follow Steps 1 to 3 from “How To Set Up SPF?”
- Step 2: Add a new record and select the type as “TXT”.
- Step 3: In the “Name/Host” field, enter _dmarc.yourdomain.com, and in the Value or Content field, enter your DMARC record: “v=DMARC1; p=reject; rua=mailto:your-reporting-email@example.com”.
- Step 4: Click on “Save Record.”
Replace “yourdomain.com” with your actual domain and “your-reporting-email@example.com” with the email address where you want to receive your DMARC email reports.
Note:
Different ESPs will have different DNS selectors (DNS Host Names).
And that’s all you have to do!
Do I Need to Set Up Different DMARC Records for Different ESPs?
No! Like SPF, DMARC is a domain-based authentication protocol.
This means you only need to set it up once through your DNS settings, and you’ll be good to go!
How to Check if Your Authentication Records Are Set Up?
You now know how to set up your authentication records, but how can you check and verify if you have set them up correctly?
You can use free record checkers like MXToolBox to check if your authentication records are correct and working as expected.
Here’s what I use:
These tools have helped me quickly verify if I have set up the records correctly and also troubleshoot any issues on the spot.
Next, I’ll answer why you should set up these records (if you’re still wondering why).
Why Should You Set Up Authentication Records?
Setting up your email authentication records is non-negotiable, especially if you’re using it for business purposes.
This matters even more if you’re sending mass emails like marketing emails, sales outreach emails, etc.
Starting in February 2024, Google and Yahoo have strictly mandated that all bulk email senders set up SPF and DKIM and have at least one of these configured to pass with DMARC.
Besides, without these records, you will be vulnerable to hackers and spammers, who can spoof your domain and misuse it for malicious purposes.
So, with the records set up, you gain the trust of ESPs, and you potentially eliminate one of the biggest reasons why your emails end up in spam.
Set Up Your Authentication Records And Start Emailing!
I’ve covered everything you need to know about authentication records — what they are, how to set them up, and how to validate them.
Even why you should set them up!
The Next Step?
Go set up your records and start doing what you do best — whether it’s sending marketing campaigns, running sales outreach, or simply making sure your emails reach inboxes.
How to Set Up SPF, DKIM, and DMARC: FAQs
1. What Are the Best Practices for SPF Set Up?
In my experience, the best practices for SPF setup include:
- Avoid the overly permissive “+all” setting, as it authorizes all IP addresses associated with a server to send emails on your behalf
- Regularly audit your SPF settings to remove servers you no longer use
- Only include dedicated IP addresses in the SPF TXT record
- Include “~all” to allow for DMARC authentication to work as intended
2. Can You Create Multiple DKIM Keys for Your Email?
Yes! You can generate as many DKIM keys as allowed by your DNS provider. In my opinion, generating multiple DKIM keys will help you rotate them for increased security.
3. What Is the Best Key Size for DKIM Records?
The best size for DKIM records is 2048-bit keys. In fact, from what I’ve seen, most ISPs and ESPs have switched to the practice of maintaining 2048-bit keys for enhanced email protection.
4. What Is the Best Setting for DMARC?
If you’re just starting and don’t have in-depth knowledge, I recommend policy “p=none”. This won’t block or spam your emails. Once you’re confident that everything is set up correctly and your emails are passing authentication, you can adjust the policy to a stricter setting like “p=quarantine” or “p=reject”.