SPF, DKIM, and DMARC: What They Are, Why You Need Them, and How to Set Them Up
Billions of spoofed emails are sent every day — phishing, spoofing, and fraud using someone else's domain. Three protocols — SPF, DKIM, and DMARC — form the modern standard for email authentication. Since 2024, Google and Yahoo require them for all bulk senders. Without them, your emails land in spam or get rejected entirely.
This guide covers each protocol: what it does, how it works, and how to configure it properly. At the end — a verification checklist and common mistakes.
What Is SPF and How It Works
SPF (Sender Policy Framework) is a DNS TXT record that specifies which servers are authorized to send email on behalf of your domain.
When a recipient (Gmail, Outlook, Yahoo) receives an email, it checks the sending server's IP address against the SPF record of the domain in the Return-Path header. If the IP isn't listed, the email is flagged as suspicious.
SPF Record Syntax
v=spf1 ip4:192.168.1.1 include:_spf.google.com include:sendgrid.net ~all
Key mechanisms:
- ip4: / ip6: — allow a specific IP address or subnet
- include: — include another domain's SPF record (for third-party services: Google Workspace, SendGrid, Mailchimp)
- a — allow the IP from the domain's A record
- mx — allow the IPs of the domain's MX servers
- ~all — soft fail for everything else (recommended initially)
- -all — hard fail (strict mode, recommended after full setup)
Common SPF Mistakes
- More than 10 DNS lookups — SPF allows a maximum of 10 include/a/mx/redirect lookups. Exceeding this causes a PermError and the record is ignored
- Multiple SPF records — a domain must have exactly one TXT record starting with v=spf1
- +all or missing all — allows sending from any IP, defeating the purpose
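The three mistakes above can be caught before the record is published. The following is an added example (not the article's or Enterno.io's code) that parses an SPF record and reports too many lookup-causing terms, duplicate v=spf1 records, and a missing or "+all" catch-all. It works on TXT record strings you pass in, so it makes no DNS queries and does not follow include: targets; the count it reports is for the top-level record only, and the sample records are constructed for the example.

```python
"""Static checks for SPF records (added example, not from the article)."""

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms."""
    terms = []
    for token in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"               # the implicit qualifier is "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if "=" in token:              # modifier, e.g. redirect=_spf.example.net
            name, value = token.split("=", 1)
        elif ":" in token:            # mechanism with argument, e.g. ip4:203.0.113.5
            name, value = token.split(":", 1)
        elif "/" in token:            # CIDR on the domain itself, e.g. a/24
            name, value = token.split("/", 1)
            value = "/" + value
        else:
            name, value = token, None
        terms.append((qualifier, name.lower(), value))
    return terms


def count_lookups(record):
    """Number of lookup-causing terms in this record (includes not followed)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def check_spf(txt_records):
    """Return a list of problems for the TXT records published at a domain."""
    problems = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records found; exactly one is allowed")
    record = spf[0]
    terms = parse_spf(record)
    lookups = count_lookups(record)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (PermError)")
    all_terms = [q for q, name, _ in terms if name == "all"]
    has_redirect = any(name == "redirect" for _, name, _ in terms)
    if not all_terms and not has_redirect:
        problems.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_terms and all_terms[-1] == "+":
        problems.append("'+all' authorizes every IP on the internet")
    return problems


# Constructed sample records (example.com / example.net are reserved documentation names)
SAMPLES = {
    "good": ["v=spf1 ip4:203.0.113.5 include:_spf.google.com include:sendgrid.net ~all"],
    "too_many": ["v=spf1 " + " ".join(f"include:svc{i}.example.net" for i in range(11)) + " -all"],
    "duplicate": ["v=spf1 include:_spf.google.com -all", "v=spf1 include:sendgrid.net -all"],
    "open": ["v=spf1 ip4:203.0.113.5 +all"],
    "no_all": ["v=spf1 mx a"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, check_spf(records) or "OK")
```

Because include: targets are not resolved, a record that passes this check can still exceed the limit once the included domains' own lookups are counted; run a resolving checker (such as the Email Deliverability tool mentioned below) before switching to -all.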
What Is DKIM and How It Works
DKIM (DomainKeys Identified Mail) is a digital signature mechanism that confirms an email was genuinely sent from your domain and wasn't altered in transit.
How it works:
- The sending server signs the email headers and body with a private key
- The signature is added to the DKIM-Signature header
- The recipient fetches the public key from the DNS record selector._domainkey.example.com
- If the signature verifies, the email is authentic
DKIM DNS Record
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."
Where selector is the key name (e.g., google, s1, default). A domain can have multiple DKIM keys with different selectors for different services.
Generating DKIM Keys
Use the Enterno.io DKIM Generator — it creates a key pair (2048-bit RSA) and a ready-to-use DNS record. Key length matters: 1024-bit is considered outdated; 2048-bit is the minimum.
Common DKIM Mistakes
- 1024-bit key — too short; Gmail and major providers may reduce trust
- Wrong selector — the selector in DNS must match the one in the DKIM-Signature header
- Truncated public key — TXT records longer than 255 characters need to be split into multiple strings in DNS
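The selector and key-length mistakes above show up on the DNS and hashing side of DKIM, which is where the following added example (not the article's or Enterno.io's code) works: it parses a DKIM-Signature header into tags, derives the selector._domainkey.domain name the verifier queries, recomputes the body hash (bh=) under relaxed body canonicalization, and splits a long public-key TXT value into 255-byte strings so it is not truncated. The RSA signature in b= is deliberately not verified here, since that needs a crypto library; the sample header and body are constructed for the example.

```python
"""DKIM header parsing, body-hash check and TXT splitting (added example)."""
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Turn 'v=1; a=rsa-sha256; d=example.com; s=s1; ...' into a dict of tags."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Folded headers carry whitespace inside base64 values; drop it
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags):
    """The TXT record a verifier queries: <selector>._domainkey.<d= domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4: collapse runs of whitespace to one space, drop
    trailing whitespace and trailing empty lines, end every line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """Base64 SHA-256 of the canonicalized body, the value that goes in bh=."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode()).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(tags, body):
    """First step of verification: a tampered body fails here before any RSA check."""
    return tags.get("bh") == body_hash(body)


def split_txt_record(value, limit=255):
    """DNS TXT data is a list of strings of at most 255 bytes each; a 2048-bit
    p= key must be published as several quoted strings or it is cut off."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)


# Constructed sample message: the bh= value is computed from the body so the
# header is consistent; b= is left empty because no key is involved here.
SAMPLE_BODY = "Hello  world \r\nThis is a test.\r\n\r\n\r\n"
SAMPLE_BH = body_hash(SAMPLE_BODY)
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
    f" h=from:to:subject; bh={SAMPLE_BH[:20]}\r\n {SAMPLE_BH[20:]}; b="
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)
    print("query:", dkim_dns_name(tags))
    print("body hash ok:", body_hash_matches(tags, SAMPLE_BODY))
    print(split_txt_record("v=DKIM1; k=rsa; p=" + "A" * 392))
```

Relaxed canonicalization is why a message that picks up extra spaces or trailing blank lines in transit still verifies, while a single changed character in the text does not.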
What Is DMARC and How It Works
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy that tells recipients what to do with emails that fail SPF and DKIM checks.
DMARC combines SPF and DKIM into a unified system: an email must pass at least one check (SPF or DKIM) with domain alignment.
DMARC DNS Record
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
Key tags:
- p=none — monitoring only (start here)
- p=quarantine — send to spam
- p=reject — reject entirely (maximum protection)
- rua= — email address for aggregate reports (XML)
- ruf= — email address for forensic reports on failures
- pct= — percentage of emails the policy applies to (100 = all)
Path to Full Protection
- Start with p=none — collect reports for 2-4 weeks
- Analyze reports — identify all legitimate email sources
- Configure SPF and DKIM for each sending service
- Move to p=quarantine with pct=10, gradually increasing
- Final step: p=reject; pct=100 — full protection
How It All Works Together
When receiving an email, the mail server performs three checks in sequence:
- SPF: Is the sender's IP in the allowed list? Does the Return-Path domain match From?
- DKIM: Is the signature valid? Does the DKIM-Signature domain match From?
- DMARC: Did at least one check pass with alignment? What's the policy: none/quarantine/reject?
The result determines the email's fate: inbox delivery, spam folder, or full rejection.
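The three-step decision above, and the pct= staging from the "Path to Full Protection" section, can be written out as a small evaluator. This is an added example, not the article's or Enterno.io's code: it takes the SPF and DKIM pass/fail results as inputs (those checks were covered earlier), tests identifier alignment of the Return-Path domain and the DKIM d= domain against the From domain, and returns the disposition the DMARC record asks for. The function name evaluate, the organizational-domain shortcut, and the sample domains are assumptions made for the example.

```python
"""DMARC alignment and policy evaluation (added example, not the article's code)."""
import random


def parse_dmarc(record):
    """'v=DMARC1; p=quarantine; pct=100' -> {'v': 'DMARC1', 'p': 'quarantine', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Real receivers
    consult the Public Suffix List (so co.uk is handled); this shortcut is an
    assumption that is good enough for .com/.net style names."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, roll=None):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the Return-Path domain the SPF check ran against; dkim_domain
    is the d= tag of a signature that verified. Either one passing *and*
    aligning is enough for DMARC to pass."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    # pct= samples failing mail; messages outside the sample get the next
    # weaker action (reject -> quarantine, quarantine -> none), RFC 7489 6.6.4
    if roll is None:
        roll = random.randint(1, 100)
    if roll > pct:
        return False, "quarantine" if policy == "reject" else "none"
    return False, policy


# Constructed scenarios against the record from the article
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
SCENARIOS = {
    # own server: SPF passes on a bounce subdomain, relaxed alignment accepts it
    "own_server": ("example.com", True, "bounce.example.com", False, ""),
    # forwarded mail: SPF breaks, but the DKIM signature survives forwarding
    "forwarded": ("example.com", False, "forwarder.example.org", True, "example.com"),
    # third-party sender whose Return-Path is its own domain and no DKIM for ours
    "unaligned_esp": ("example.com", True, "sendgrid.net", False, ""),
    # plain spoof: nothing passes
    "spoof": ("example.com", False, "attacker.example.net", False, ""),
}

if __name__ == "__main__":
    for label, args in SCENARIOS.items():
        print(label, evaluate(RECORD, *args))
```

The "unaligned_esp" case is the one that surprises most teams: SPF itself passes, but because the Return-Path belongs to the service rather than to the From domain, DMARC still fails unless that service also signs with a DKIM key under your domain.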
How to Verify Your Setup
Use Enterno.io tools to check your configuration:
- Email Deliverability — comprehensive SPF, DKIM, DMARC check for any domain
- DKIM Generator — create and validate DKIM keys
- MX Lookup — check MX records and mail DNS configuration
- DNS Lookup — view all DNS records including TXT
Checklist: Email Authentication Setup
- Single SPF record listing all legitimate senders
- SPF DNS lookup count does not exceed 10
- SPF ends with ~all or -all
- DKIM configured for each sending service (main server, Google Workspace, marketing tools)
- DKIM keys are at least 2048-bit
- DMARC record created (_dmarc.example.com)
- rua= specified for receiving reports
- Test email passes all three checks (verify with the Email Deliverability tool)
- After 2-4 weeks of monitoring: move from p=none to p=quarantine, then p=reject
Google and Yahoo Requirements (2024+)
Since February 2024, Google and Yahoo require senders of 5,000+ emails per day to have:
- Valid SPF and DKIM for the sending domain
- DMARC record (at minimum p=none)
- From domain alignment with SPF/DKIM domains
- One-click unsubscribe (List-Unsubscribe header)
- Spam complaint rate below 0.3%
Non-compliance results in bulk spam filtering or delivery blocking.
Summary
SPF, DKIM, and DMARC are not optional — they are the mandatory minimum for any domain sending email. Start with monitoring (p=none), gradually tighten the policy, and your emails will be reliably delivered while your domain stays protected from spoofing.