Email Authentication Setup Guide
Protect your domain from email spoofing and phishing attacks. This guide walks you through setting up SPF, DKIM, and DMARC records to authenticate your emails and improve deliverability.
Why Email Authentication Matters
Benefits of Email Authentication
- Prevent Spoofing: Stop attackers from sending emails as your domain
- Improve Deliverability: Authenticated emails are less likely to be marked as spam
- Protect Brand: Prevent phishing attacks using your domain name
- Compliance: Required for many B2B communications
- Visibility: Get reports on who is sending email as your domain
SPF (Sender Policy Framework)
SPF specifies which mail servers are authorized to send email for your domain. It's a TXT record in your DNS that lists approved sending sources.
Basic SPF Record
DNS TXT Record for yourdomain.com
v=spf1 include:_spf.google.com include:sendgrid.net ~all
SPF Syntax Explained
| Mechanism | Meaning | Example |
|---|---|---|
| v=spf1 | SPF version (required) | Always start with this |
| include: | Include another domain's SPF | include:_spf.google.com |
| ip4: | Allow specific IP address | ip4:192.168.1.1 |
| a | Allow domain's A record IP | a |
| mx | Allow domain's MX servers | mx |
| ~all | Soft fail (recommended to start) | Mark as spam but accept |
| -all | Hard fail | Reject unauthorized senders |
Common SPF Records by Provider
Google Workspace
v=spf1 include:_spf.google.com ~all
Microsoft 365
v=spf1 include:spf.protection.outlook.com ~all
SendGrid + Google
v=spf1 include:_spf.google.com include:sendgrid.net ~all
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails. The receiving server verifies this signature against a public key in your DNS, proving the email wasn't modified in transit.
Setting Up DKIM
- Generate DKIM keys - Your email provider usually does this automatically
- Add the public key to DNS - Create a TXT record at selector._domainkey.yourdomain.com
- Enable DKIM signing - Configure your email server to sign outgoing emails
Example DKIM Record
DNS TXT Record: google._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
DMARC (Domain-based Message Authentication)
DMARC tells receiving servers what to do when SPF or DKIM checks fail. It also enables you to receive reports about email authentication.
DMARC Policies
| Policy | Action | Recommended For |
|---|---|---|
| p=none | Monitor only, no action | Initial setup, monitoring |
| p=quarantine | Send to spam folder | After monitoring period |
| p=reject | Reject the email | Full protection |
DMARC Record Examples
Step 1: Monitor Only (Start Here)
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Step 2: Quarantine (After 2-4 Weeks)
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com
Step 3: Reject (Full Protection)
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com
Implementation Order
Recommended Setup Sequence
- Week 1: Set up SPF record with all your sending sources
- Week 1: Enable DKIM signing on your email provider
- Week 2: Add DMARC with p=none to start monitoring
- Week 3-4: Review DMARC reports for unauthorized senders
- Week 5: Move to p=quarantine
- Week 8+: Move to p=reject for full protection
Troubleshooting
SPF "Too many DNS lookups" error
SPF has a 10 DNS lookup limit. Solutions:
- Remove unused include statements
- Use IP addresses instead of includes where possible
- Use SPF flattening services
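The lookup count behind this error can be checked before a record is published. The following is an added example, not part of the original guide: it counts worst-case lookups over constructed TXT data (the `.example` hosts, their records and the function names are hypothetical) and compares the count before and after trimming includes.

```python
# Worst-case SPF DNS-lookup counter (limit of 10 from RFC 7208 section 4.6.4).
# SAMPLE_TXT is constructed data standing in for live DNS; the .example
# hosts and their records are hypothetical.
LOOKUP_LIMIT = 10
SAMPLE_TXT = {
    "yourdomain.com": "v=spf1 mx a include:_spf.mailhost.example "
                      "include:_spf.crm.example include:_spf.newsletter.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example "
                             "include:_nb2.mailhost.example include:_nb3.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx:crm.example include:_spf.relay.example ~all",
    "_spf.relay.example": "v=spf1 exists:%{i}.relay.example ip4:203.0.113.0/24 ~all",
    "_spf.newsletter.example": "v=spf1 include:_spf.relay.example a ~all",
}
# The same zone after dropping an unused include and replacing another with its IP range.
FIXED_TXT = dict(SAMPLE_TXT)
FIXED_TXT["yourdomain.com"] = "v=spf1 mx include:_spf.mailhost.example ip4:203.0.113.0/24 ~all"


def count_lookups(domain, txt, path=()):
    """Count terms that trigger a DNS query, following include/redirect recursively."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        # Drop the qualifier (+ - ~ ?) and treat "redirect=" like "redirect:".
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, arg = term.partition(":")
        name = name.split("/")[0]  # "a/24" and "mx/24" carry a CIDR suffix
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            total += 1 + count_lookups(arg, txt, path + (domain,))
    return total  # ip4, ip6 and all never query DNS


def within_limit(domain, txt):
    return count_lookups(domain, txt) <= LOOKUP_LIMIT


if __name__ == "__main__":
    for label, zone in (("before", SAMPLE_TXT), ("after", FIXED_TXT)):
        n = count_lookups("yourdomain.com", zone)
        print(f"{label}: {n} lookups, {'ok' if n <= LOOKUP_LIMIT else 'permerror'}")
```

A live checker would replace the dictionary lookup with real TXT queries; the counting rules stay the same.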
DKIM signature not verifying
Common causes:
- Wrong selector name in DNS
- DNS propagation not complete (wait 24-48 hours)
- Key truncated when copying (check for line breaks)
- Email being modified by forwarding services
Legitimate emails failing DMARC
Check these common issues:
- Third-party services not in your SPF record
- Forwarded emails (consider ARC)
- Mailing lists modifying emails
- Use our DNS checker to verify records