By some widely cited estimates, 91% of cyberattacks begin with a phishing email. Without SPF, DKIM, and DMARC records, anyone can send email that claims to come from your domain, and receiving servers have no reliable way to tell it apart from your real mail. This is called email spoofing, and it is the foundation of Business Email Compromise (BEC), a category the FBI's IC3 put at roughly $2.7 billion in reported losses in a single year.
Even if you don't send marketing emails, your domain needs email authentication. Attackers specifically target domains without DMARC enforcement because spoofed emails from those domains are more likely to reach inboxes.
This guide walks you through setting up all three records with copy-paste DNS configurations for Google Workspace, Microsoft 365, Amazon SES, and custom mail servers.
Also see: Email Spoofing Prevention Guide, What Is DMARC? Explained, DNS Security Best Practices, and Website Security Checklist 2026.
Why Email Authentication Matters
Email authentication serves three critical purposes:
- Prevents spoofing: lets receiving servers detect and reject messages that forge your domain
- Improves deliverability: Authenticated emails are less likely to land in spam
- Provides visibility: DMARC reports show who is sending email as your domain
Without DMARC enforcement, an attacker can put ceo@yourdomain.com in the From header of a message to your finance team requesting a wire transfer, and it will look completely legitimate in the recipient's inbox.
SPF Records: Setup & Best Practices
What SPF Does
SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorized to send email for your domain. When a receiving server gets a message, it looks up the SPF record of the domain in the SMTP envelope sender (MAIL FROM, visible as Return-Path in the delivered message), not the From header, and checks whether the connecting IP address is listed. That distinction matters for DMARC later: SPF can pass for a vendor's bounce domain while the visible From address is still yours.
SPF Record Syntax
# Basic SPF record structure: the version tag, then mechanisms evaluated left to
# right, each with an optional qualifier prefix, ending with an "all" mechanism
v=spf1 [qualifier]mechanism [qualifier]mechanism ... [qualifier]all
# Example: Allow Google Workspace and your web server
v=spf1 include:_spf.google.com ip4:203.0.113.50 -all
# Mechanisms:
# include: — Evaluate another domain's SPF record; matches if that record passes
# ip4: — Authorize a specific IPv4 address or CIDR range
# ip6: — Authorize a specific IPv6 address or CIDR range
# a / a:domain — Authorize the A/AAAA addresses of this domain (or of the named domain)
# mx / mx:domain — Authorize the hosts in this domain's (or the named domain's) MX records
# redirect=domain (modifier): evaluate another domain's record in place of this one
# Qualifiers (prefix a mechanism; "+" is the default when none is given):
# -all — Fail: reject unauthorized senders (recommended)
# ~all — Soft fail: accept but mark as suspicious
# ?all — Neutral: no assertion (useless)
# +all — Pass: allows anyone to send as your domain (DANGEROUS)
SPF Best Practices
- Always end with -all (hard fail), not ~all; with -all a receiver can refuse forged mail at SMTP time, while ~all only adds a hint that spam filters may or may not act on
- Stay under 10 DNS lookups; each include:, a:, mx:, ptr:, exists: and redirect= counts as one, and the terms inside nested includes count too
- Don't use +all; this authorizes the entire internet to send as your domain
- Use ip4:/ip6: addresses instead of a: or mx: mechanisms when possible to reduce lookups
- Only one SPF record per domain; if a name has two TXT records that start with v=spf1, receivers return permerror and the check fails for everyone
SPF evaluation is limited to 10 DNS lookups (RFC 7208). Exceeding this causes a permerror, which receivers treat as a failed SPF check for every message from your domain, legitimate mail included. Common offender: include:_spf.google.com alone consumes 4 lookups (itself plus the three _netblocks includes it pulls in). Use AI QA Monkey's DNS Checker to count your current lookups.
DKIM: Setup for Major Providers
What DKIM Does
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email, computed over selected headers and a hash of the body. The receiving server fetches your public key from DNS (selector._domainkey.yourdomain.com), verifies the signature, and learns two things: the signed content was not modified in transit, and the domain in the signature's d= tag took responsibility for the message. Unlike SPF, a DKIM signature survives forwarding as long as the forwarder leaves the signed headers and body alone.
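As an added illustration (not code from this article or from any mail software), here is the body-hash half of DKIM in Python: the relaxed and simple body canonicalizations from RFC 6376, the bh= value a signer places in DKIM-Signature, and the check a verifier runs before it even looks at the RSA signature. The domain, selector and message bodies are constructed for the example, and the b= tag is left empty because producing it needs the private key.

```python
import base64
import hashlib
import re


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """Canonicalize a message body as RFC 6376 section 3.4 describes.

    simple:  only trailing empty lines are removed; an empty body becomes one CRLF.
    relaxed: trailing whitespace on each line is stripped, runs of spaces/tabs are
             collapsed to one space, trailing empty lines are removed, and an
             empty body stays empty.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "relaxed") -> str:
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value: str) -> dict:
    """Split a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_signature_header(domain: str, selector: str, body: str, mode: str = "relaxed") -> str:
    """Build a DKIM-Signature value with a real bh=. The b= tag (the RSA signature
    over the h= headers plus this header) is left empty: producing it needs the
    private key, the one thing a verifier never sees."""
    return (f"v=1; a=rsa-sha256; c={mode}/{mode}; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body, mode)}; b=")


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """First thing a verifier checks: recompute bh= over the received body using
    the body canonicalization named in c= (header/body; body defaults to simple)."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    return body_hash(body, body_mode) == tags.get("bh")


# Constructed sample: the wire-transfer lure from the article as the sending
# server saw it (trailing blank lines are typical of real mail).
ORIGINAL_BODY = "Hi,\r\n\r\nPlease approve the wire transfer today.\r\n\r\nThanks,\r\nCEO\r\n\r\n\r\n"
# Same text after a forwarder re-wrapped whitespace: must still verify in relaxed mode.
REWRAPPED_BODY = "Hi,  \r\n\r\nPlease   approve the wire\ttransfer today.\r\n\r\nThanks,\r\nCEO\r\n"
# A content change made in transit: must fail in every mode.
TAMPERED_BODY = ORIGINAL_BODY.replace("approve", "approve (account 0042 updated)")

SIGNATURE = dkim_signature_header("yourdomain.com", "mail", ORIGINAL_BODY)

if __name__ == "__main__":
    print("DKIM-Signature:", SIGNATURE)
    print("original :", body_hash_matches(SIGNATURE, ORIGINAL_BODY))
    print("rewrapped:", body_hash_matches(SIGNATURE, REWRAPPED_BODY))
    print("tampered :", body_hash_matches(SIGNATURE, TAMPERED_BODY))
```

Relaxed canonicalization is why most providers sign with c=relaxed/relaxed: a forwarder or mailing list that only re-wraps whitespace does not break the signature, while any change to the words does.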
DKIM Record Format
# DKIM DNS record (TXT type)
# Name: selector._domainkey.yourdomain.com
# Value:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...
# Components:
# v=DKIM1 — Version (required)
# k=rsa — Key type (rsa is standard; ed25519 is also defined, RFC 8463)
# p= — Public key (base64 DER SubjectPublicKeyInfo); an empty p= revokes the key
# t=s — Optional flag: the signing identity (i=) must be the d= domain itself, not a subdomain of it
# t=y — Optional flag: testing mode; verifiers must not treat failures differently from unsigned mail
DKIM Key Size
Use 2048-bit RSA keys at minimum. 1024-bit RSA has been deprecated for signing by NIST since 2013 and is within reach of a well-resourced attacker; a factored DKIM key lets an attacker sign mail as your domain, which passes DMARC. Most providers now default to 2048-bit. Rotate keys periodically: publish the new key under a new selector, switch signing to it, and remove the old record only after mail signed with the old key has stopped arriving.
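An added example, not the article's or any provider's code, that does what "DKIM key strength" checkers do: join the quoted TXT strings DNS returns, decode p=, and read the RSA modulus size out of the DER without a cryptography library. The two sample keys are constructed (arbitrary odd numbers of the right size, not real RSA keys), and the 255-character split mimics how DNS providers store long records.

```python
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # DER INTEGER is signed: pad so the value stays positive
    return der_tlv(0x02, raw)


def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo, the DER structure inside p=."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for one DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    tag, spki_body, _ = read_tlv(spki, 0)
    _, algorithm, pos = read_tlv(spki_body, 0)
    if tag != 0x30 or not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bit_string, _ = read_tlv(spki_body, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = read_tlv(bit_string, 1)  # skip the unused-bits byte
    tag, modulus, _ = read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt_strings) -> dict:
    """Join the quoted strings DNS returned (a 2048-bit key needs more than one
    255-byte string), then split the tag=value list; whitespace in values is ignored."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_dkim_record(txt_strings, minimum_bits: int = 2048) -> dict:
    tags = parse_dkim_record(txt_strings)
    result = {"key_type": tags.get("k", "rsa"), "bits": None, "revoked": False,
              "testing": "y" in tags.get("t", ""), "problems": []}
    if tags.get("v", "DKIM1") != "DKIM1":
        result["problems"].append("v= is present but is not DKIM1")
    public_key = tags.get("p")
    if public_key is None:
        result["problems"].append("no p= tag")
    elif public_key == "":
        result["revoked"] = True  # an empty p= is how a key is revoked
    elif result["key_type"] == "rsa":
        try:
            result["bits"] = rsa_modulus_bits(base64.b64decode(public_key))
        except (ValueError, IndexError) as exc:
            result["problems"].append(f"p= is not an RSA public key: {exc}")
        else:
            if result["bits"] < minimum_bits:
                result["problems"].append(f"{result['bits']}-bit RSA key is below {minimum_bits} bits")
    elif result["key_type"] == "ed25519":
        result["bits"] = 256  # RFC 8463: p= is the raw 32-byte key, no DER wrapper
    else:
        result["problems"].append(f"unknown key type {result['key_type']}")
    result["ok"] = not result["problems"] and not result["revoked"]
    return result


def as_txt_strings(record: str) -> list:
    """Split a record into 255-character strings, the way a DNS provider stores it."""
    return [record[i:i + 255] for i in range(0, len(record), 255)]


# Constructed sample keys: the moduli are arbitrary odd numbers of the right size,
# not real RSA keys. Only the encoding and the size are exercised here.
STRONG_RECORD = as_txt_strings("v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 2047) | 0x10001)).decode())
WEAK_RECORD = as_txt_strings("v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 1023) | 0x10001)).decode())
REVOKED_RECORD = ["v=DKIM1; k=rsa; p="]
```

Feed it the list of strings `dig TXT selector._domainkey.yourdomain.com +short` prints (one list element per quoted string) and it tells you the key size, whether the key is revoked or in testing mode, and whether the record is malformed.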
DMARC: Policy Configuration
What DMARC Does
DMARC ties SPF and DKIM to the visible From header. A message passes DMARC if SPF or DKIM passes and the domain that passed aligns with the From domain; otherwise the published policy (p=) tells the receiving server whether to deliver, quarantine, or reject it. DMARC also provides reporting so you can see who is sending email as your domain.
DMARC Record Syntax
# DMARC DNS record (TXT type)
# Name: _dmarc.yourdomain.com
# Stage 1: Monitor only (start here)
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
# Stage 2: Quarantine (after 2-4 weeks of monitoring)
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100
# Stage 3: Reject (full enforcement — the goal)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100; adkim=s; aspf=s
# Parameters:
# v=DMARC1 — Version; must be the first tag
# p= — Policy for messages that fail: none, quarantine, or reject
# sp= — Policy for subdomains; defaults to the value of p=, so set it explicitly only if subdomains need a different policy
# rua= — Aggregate report address (XML summaries, typically daily)
# ruf= — Failure report address (per-message reports; many large receivers no longer send these)
# pct= — Percentage of failing messages the policy applies to (default and goal: 100; unsampled messages get the next weaker action)
# adkim= — DKIM alignment: s=strict (d= must equal the From domain), r=relaxed (same organizational domain; the default)
# aspf= — SPF alignment: s=strict (envelope domain must equal the From domain), r=relaxed (the default); strict is only needed if subdomains must not be allowed to authenticate for the parent
Never start with p=reject. Begin with p=none for 2-4 weeks to collect reports and identify all legitimate email sources. Then move to p=quarantine for 2 weeks. Only set p=reject when you're confident all legitimate senders are properly authenticated.
Provider-Specific Configurations
Google Workspace
# SPF Record (TXT)
# Name: @
v=spf1 include:_spf.google.com -all
# DKIM: Generate in Google Admin Console
# Admin Console → Apps → Google Workspace → Gmail → Authenticate email
# Google provides the DKIM record to add to DNS
# DMARC Record (TXT)
# Name: _dmarc
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
Microsoft 365
# SPF Record (TXT)
# Name: @
v=spf1 include:spf.protection.outlook.com -all
# DKIM: Enable in Microsoft 365 Defender
# Security portal → Email & collaboration → Policies → DKIM
# Add two CNAME records:
# selector1._domainkey → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
# selector2._domainkey → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
# DMARC Record (TXT)
# Name: _dmarc
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
Amazon SES
# SPF Record (TXT)
# Name: @
v=spf1 include:amazonses.com -all
# Caveat: by default SES uses its own amazonses.com MAIL FROM domain, so SPF passes
# but does not align with your From domain for DMARC. Either configure a custom
# MAIL FROM domain (for example bounce.yourdomain.com) in the SES console and publish
# the MX and SPF records it asks for, or rely on DKIM for alignment.
# DKIM: Amazon SES (Easy DKIM) provides 3 CNAME records
# Add all three to your DNS as instructed in SES console; they publish keys under
# your own domain, so DKIM aligns with your From address
# DMARC Record (TXT)
# Name: _dmarc
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
Custom Mail Server (Postfix)
# SPF Record — replace with your server IP
# Name: @
v=spf1 ip4:203.0.113.50 ip6:2001:db8::1 -all
# Generate DKIM keys with OpenDKIM
sudo apt install opendkim opendkim-tools
sudo mkdir -p /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -D /etc/opendkim/keys/yourdomain.com -s mail -d yourdomain.com -b 2048
sudo chown -R opendkim:opendkim /etc/opendkim/keys
sudo chmod 600 /etc/opendkim/keys/yourdomain.com/mail.private
# This creates mail.private (private key: never publish it or copy it into DNS) and mail.txt (DNS record)
# Add the contents of mail.txt as a TXT record:
# Name: mail._domainkey
# Value: v=DKIM1; k=rsa; p=MIGfMA0GCSq...
# Configure OpenDKIM to sign with the key
# /etc/opendkim.conf
Domain yourdomain.com
KeyFile /etc/opendkim/keys/yourdomain.com/mail.private
Selector mail
Socket inet:8891@localhost
# Tell Postfix to pass outgoing mail through the OpenDKIM milter
# /etc/postfix/main.cf
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
# Restart both services, send a test message, and confirm it carries a DKIM-Signature header with s=mail
sudo systemctl restart opendkim postfix
Testing Your Configuration
Command-Line Testing
# Check SPF record
dig TXT yourdomain.com +short | grep -i 'v=spf1'
# Check DKIM record (replace 'google' with your selector: Google Workspace uses 'google',
# Microsoft 365 uses 'selector1' and 'selector2', the Postfix example above uses 'mail')
dig TXT google._domainkey.yourdomain.com +short
# A 2048-bit key comes back as several quoted strings; receivers join them
# Check DMARC record
dig TXT _dmarc.yourdomain.com +short
# Send a test email to a mailbox you control and view the raw message source
# Look for the Authentication-Results header added by the receiving server:
# spf=pass, dkim=pass, dmarc=pass
# dkim=pass together with dmarc=fail means the signing domain did not align with the From domain
Automated Testing
Use AI QA Monkey's free DNS, SPF & DMARC Checker for a comprehensive validation that checks:
- SPF syntax and DNS lookup count (10 limit)
- DKIM key presence and strength (1024 vs 2048-bit)
- DMARC policy enforcement level
- Subdomain takeover risks
- Dangling CNAME records
- MX record configuration
Common Issues & Troubleshooting
SPF: "Too many DNS lookups"
You've exceeded the 10-lookup limit. Solutions:
- Replace include: with ip4:/ip6: for services whose sending addresses are static
- Use SPF flattening tools to resolve includes into IP addresses; a flattened record goes stale when a provider changes its netblocks, so regenerate it on a schedule rather than pasting it once
- Remove unused include: statements from services you no longer use
- Use a subdomain for transactional or marketing email (e.g., mail.yourdomain.com); each domain's SPF record gets its own 10-lookup budget
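An added example (not code from this article or from any SPF library) that does the two things this section and the lookup-limit note in the SPF section ask for: count DNS lookups the way a receiver does, including nested includes and the multiple-record permerror, then flatten a record to literal addresses. DNS is replaced by a constructed table; the names mirror the article's examples and the addresses are documentation ranges, not any provider's real netblocks.

```python
import re

# Constructed offline stand-in for DNS. Names mirror the article's examples; the
# addresses are TEST-NET/documentation ranges, not the providers' real netblocks.
DNS = {
    "yourdomain.com": {
        "TXT": ["v=spf1 include:_spf.google.com include:_spf.crm-vendor.example a mx ip4:203.0.113.50 -all"],
        "A": ["203.0.113.10"],
        "MX": ["mail1.yourdomain.com", "mail2.yourdomain.com"],
    },
    "mail1.yourdomain.com": {"A": ["203.0.113.11"]},
    "mail2.yourdomain.com": {"A": ["203.0.113.12"]},
    "_spf.google.com": {"TXT": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"]},
    "_netblocks.google.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "_netblocks2.google.com": {"TXT": ["v=spf1 ip6:2001:db8:1::/48 ~all"]},
    "_netblocks3.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "_spf.crm-vendor.example": {"TXT": ["v=spf1 include:a.crm-vendor.example include:b.crm-vendor.example ~all"]},
    "a.crm-vendor.example": {"TXT": ["v=spf1 ip4:198.51.100.200 ~all"]},
    "b.crm-vendor.example": {"TXT": ["v=spf1 ip4:198.51.100.201 ~all"]},
    # Two v=spf1 records on one name: a permerror by itself
    "broken.example": {"TXT": ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 ip4:203.0.113.2 -all"]},
    # The same include pasted repeatedly: each evaluation costs lookups again
    "toomany.example": {"TXT": ["v=spf1 include:_spf.google.com include:_spf.google.com include:_spf.google.com -all"]},
}

MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4


class PermError(Exception):
    """Receivers treat any of these as an SPF permerror, i.e. a failed check."""


def records(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    found = [r for r in records(domain, "TXT") if re.match(r"v=spf1(\s|$)", r, re.I)]
    if len(found) > 1:
        raise PermError(f"{domain}: {len(found)} SPF records published, only one is allowed")
    if not found:
        raise PermError(f"{domain}: no SPF record")
    return found[0]


def parse_terms(record):
    """Yield (qualifier, name, argument) for every term after v=spf1.
    Mechanisms look like [qualifier]name[:arg]; modifiers look like name=arg."""
    for token in record.split()[1:]:
        modifier = re.match(r"^(redirect|exp)=(.*)$", token, re.I)
        if modifier:
            yield "+", modifier.group(1).lower(), modifier.group(2)
            continue
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        name, _, arg = token.partition(":")
        yield qualifier, name.lower(), arg


def count_lookups(domain, counter=None):
    """Count every lookup-causing term a receiver might evaluate. Real evaluation
    stops at the first match, so this is the worst case, which is what the limit
    is about; the same include listed twice costs its lookups twice."""
    counter = {"n": 0} if counter is None else counter
    for _, name, arg in parse_terms(spf_record(domain)):
        if name in LOOKUP_TERMS:
            counter["n"] += 1
            if counter["n"] > MAX_LOOKUPS:
                raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
        if name in ("include", "redirect"):
            count_lookups(arg, counter)
    return counter["n"]


def flattened_terms(domain):
    """Replace include/redirect/a/mx with literal addresses. ptr and exists depend
    on the connecting IP and cannot be flattened, so they are kept."""
    terms = []
    for qualifier, name, arg in parse_terms(spf_record(domain)):
        prefix = "" if qualifier == "+" else qualifier
        target = (arg or domain).partition("/")[0]  # bare "a" or "mx" means this domain
        if name in ("ip4", "ip6"):
            terms.append(f"{prefix}{name}:{arg}")
        elif name == "a":
            terms += [f"{prefix}ip4:{ip}" for ip in records(target, "A")]
        elif name == "mx":
            for host in records(target, "MX"):
                terms += [f"{prefix}ip4:{ip}" for ip in records(host, "A")]
        elif name in ("include", "redirect"):
            terms += flattened_terms(arg)
        elif name in ("ptr", "exists"):
            terms.append(f"{prefix}{name}:{arg}" if arg else f"{prefix}{name}")
    return terms


def flatten(domain):
    """Produce a zero-lookup record. It is a snapshot: regenerate it whenever a
    provider changes addresses, or it silently starts failing legitimate mail."""
    final = next((q + "all" for q, name, _ in parse_terms(spf_record(domain)) if name == "all"), "-all")
    return " ".join(["v=spf1", *dict.fromkeys(flattened_terms(domain)), final])


if __name__ == "__main__":
    for name in ("yourdomain.com", "broken.example", "toomany.example"):
        try:
            print(name, "lookups:", count_lookups(name))
        except PermError as exc:
            print("permerror:", exc)
    print(flatten("yourdomain.com"))
```

To use it against live DNS, replace the `records` function with real TXT, A and MX queries; the counting and flattening logic does not change. Note that flattening `a` and `mx` terms that carry a CIDR suffix collapses them to single addresses, which is fine for single-host servers but loses range information.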
DKIM: "No DKIM record found"
- Verify the selector name matches what your mail server uses: it is the s= tag in the DKIM-Signature header of a message you sent
- Wait for DNS caches to expire (up to the record's TTL; if a receiver queried the name before you published it, the "no record" answer is cached too, so this can take hours)
- Ensure the TXT record value has no line breaks or extra spaces
- A single TXT string is limited to 255 characters, so a 2048-bit key must be published as several quoted strings inside one record, which receivers concatenate; use whatever split your DNS provider's interface requires rather than truncating the key
DMARC: "Alignment failure"
DMARC requires that the domain that passed SPF (the envelope sender) or DKIM (the d= tag) aligns with the From header domain. In relaxed mode the organizational domains must match, so mail.yourdomain.com aligns with yourdomain.com; in strict mode they must be identical. Common causes of failure:
- Third-party services sending with their own domain as the envelope sender, so SPF passes for their domain rather than yours
- Email forwarding, which changes the sending IP and breaks SPF; DKIM usually survives unless the forwarder rewrites the message
- DKIM signing with a d= domain different from the From domain, typically a vendor's default key instead of one published under your domain
Solution: keep the default relaxed alignment (adkim=r; aspf=r, which is what you get if the tags are absent) while you onboard sources, configure each third-party sender with a custom return-path domain and a DKIM key under your domain, and tighten to strict only if you have a reason to stop subdomains from authenticating for the parent.
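An added example, not from the article or any DMARC implementation, that runs the evaluation the DMARC section describes and reproduces each alignment failure listed above: relaxed versus strict alignment, a vendor's own envelope domain, forwarding, a subdomain key, sp= for subdomains, and pct= sampling. The public-suffix set, domain names and scenarios are constructed for the example, and hashing the message id for pct= sampling is this example's way of keeping the choice reproducible, not something the specification prescribes.

```python
import hashlib

# Toy stand-in for the Public Suffix List; enough for these examples
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 first and a p= tag")
    return tags


def evaluate(record: str, record_domain: str, from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str, message_id: str = "") -> dict:
    """Decide DMARC pass/fail and disposition for one message (RFC 7489 section 6.6).

    record_domain: where the record was found (the From domain itself, or its
    organizational domain, in which case sp= governs).
    spf_domain: the envelope sender (MAIL FROM) domain SPF was evaluated for.
    dkim_domain: the d= tag of a signature that verified.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned

    policy = tags["p"]
    if from_domain.lower() != record_domain.lower():
        policy = tags.get("sp", policy)  # subdomain policy defaults to p=

    disposition = "none"
    if not passed and policy != "none":
        # pct= sampling; hashing the message id makes the choice reproducible here
        bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
        if bucket < int(tags.get("pct", "100")):
            disposition = policy
        else:  # unsampled messages get the next weaker action (section 6.6.4)
            disposition = "quarantine" if policy == "reject" else "none"

    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "result": "pass" if passed else "fail", "disposition": disposition}


RECORD = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@yourdomain.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

# Constructed scenarios matching the alignment-failure list above
SCENARIOS = {
    "workspace mail": evaluate(RECORD, "yourdomain.com", "yourdomain.com", "pass", "yourdomain.com", "pass", "yourdomain.com"),
    "vendor, own envelope and key": evaluate(RECORD, "yourdomain.com", "yourdomain.com", "pass", "bounce.crm-vendor.example", "pass", "crm-vendor.example"),
    "forwarded": evaluate(RECORD, "yourdomain.com", "yourdomain.com", "fail", "yourdomain.com", "pass", "yourdomain.com"),
    "spoofed ceo": evaluate(RECORD, "yourdomain.com", "yourdomain.com", "fail", "attacker.example", "none", ""),
    "subdomain newsletter": evaluate(RECORD, "yourdomain.com", "news.yourdomain.com", "fail", "esp.example", "none", ""),
    "subdomain key, relaxed": evaluate(RECORD, "yourdomain.com", "yourdomain.com", "fail", "yourdomain.com", "pass", "mail.yourdomain.com"),
    "subdomain key, strict": evaluate(STRICT, "yourdomain.com", "yourdomain.com", "fail", "yourdomain.com", "pass", "mail.yourdomain.com"),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:30} {outcome}")
```

The "subdomain newsletter" case is the one people forget: with sp=none on the parent record, a spoofed news.yourdomain.com message is delivered even though p=reject is set, which is why sp= should be set deliberately rather than left to chance.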
Frequently Asked Questions
What is the difference between SPF, DKIM, and DMARC?
SPF specifies which mail servers can send email for your domain, checked against the envelope sender. DKIM adds a cryptographic signature proving the message was not altered and that the signing domain vouches for it. DMARC ties both to the visible From domain and tells receiving servers what to do when neither SPF nor DKIM passes with an aligned domain.
What should my DMARC policy be?
Start with p=none to monitor. After 2-4 weeks, move to p=quarantine. Once confident, set p=reject for full enforcement.
How many DNS lookups can an SPF record have?
10 maximum. Each include:, a:, mx:, ptr:, exists: and redirect= counts as one lookup, including those inside nested includes; ip4:, ip6: and all do not. Exceeding this causes a permerror, which receivers treat as a failed SPF check.
How do I test my SPF, DKIM, and DMARC records?
Use AI QA Monkey's free DNS, SPF & DMARC Checker for instant validation of all three records — it checks syntax, lookup count, DKIM key strength, and DMARC policy enforcement level.