
Setting Up SPF, DKIM and DMARC: The Complete Guide 2025

Step-by-step guide to setting up SPF, DKIM and DMARC for maximum email deliverability. Includes DNS record examples and common mistakes to avoid.

The anicampaign.io Team, 10 February 2025, 12 min read

SPF, DKIM and DMARC are the three DNS records that determine whether your emails land in the inbox or the spam folder. Since 2024, Google requires these authentication standards from all bulk senders; ignoring them means your emails will reliably end up in spam or be rejected outright. This guide walks you through the setup step by step.

What Is Email Authentication and Why Does It Matter?

Email authentication is a set of technical standards that allows email providers to verify whether an email actually comes from the claimed sender domain. The problem: the original email protocol (SMTP) has no built-in sender verification. Anyone can technically send an email with any sender address.

The three authentication standards solve this problem in different ways:

| Standard | Protection Mechanism | Against |
|---|---|---|
| SPF | Whitelist of authorized mail servers | Email spoofing from unauthorized servers |
| DKIM | Cryptographic signature of the message | Tampering during transmission |
| DMARC | Policy for authentication failures | Unauthorized use of your domain |

Why all three are necessary:

SPF alone can be bypassed by attackers who spoof the "From" address. DKIM alone gives no instruction on what to do with unsigned emails. Only DMARC combines both and defines a binding policy.

Since February 2024, Google requires that all senders sending more than 5,000 emails per day to Gmail must set up SPF, DKIM and DMARC. Microsoft is following suit in 2025. For cold email outreach, these standards are no longer optional; they are mandatory.

Setting Up SPF: Step by Step

What Is an SPF Record?

An SPF record is a TXT entry in your DNS settings that lists which servers are allowed to send emails on your behalf. Receiving mail servers check this entry when an email arrives from your domain.

The Basic Structure of an SPF Record

v=spf1 include:_spf.google.com ~all

This record says: "All servers from Google Workspace are authorized to send emails for this domain. All other servers should be marked as suspicious."

Each part has a specific meaning:

| Element | Meaning |
|---|---|
| v=spf1 | SPF protocol version (always identical) |
| include:domain.com | Authorizes all servers of the named provider |
| ip4:1.2.3.4 | Authorizes a single IPv4 address |
| ip4:1.2.3.0/24 | Authorizes an IP address range |
| ~all | Soft Fail: mark other servers as suspicious |
| -all | Hard Fail: reject other servers |
| ?all | Neutral: no statement about other servers |

SPF Records for the Most Common Email Providers

| Provider | SPF Record |
|---|---|
| Google Workspace | v=spf1 include:_spf.google.com ~all |
| Microsoft 365 | v=spf1 include:spf.protection.outlook.com ~all |
| Zoho Mail | v=spf1 include:zoho.eu ~all |
| IONOS | v=spf1 include:mxes.spf.ionos.de ~all |
| Strato | v=spf1 include:spf.strato.de ~all |
| Mailchimp (Transactional) | v=spf1 include:servers.mcsv.net ~all |

Adding an SPF Record in DNS

In Cloudflare:

  1. Dashboard → Your Domain → DNS → Records
  2. Add record: Type TXT, Name @, TTL Auto
  3. Content: paste your SPF record
  4. Save; proxy status must be set to "DNS only"

In IONOS:

  1. Control Center → Domains & SSL → DNS
  2. Add record โ†’ Type TXT
  3. Hostname: @, Value: SPF record

In Strato:

  1. Customer Center → Domain Management → DNS Settings
  2. Add TXT record, leave prefix empty

Most important rule: Only one single SPF record is allowed per domain. If you use multiple email providers, combine them in one record:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:123.45.67.89 ~all


Setting Up DKIM: The Digital Signature

How DKIM Works

DKIM (DomainKeys Identified Mail) uses a key pair: a private key on your mail server and a public key in your DNS settings. Each outgoing email is signed with the private key. The receiving server reads the public key from DNS and verifies the signature, proving that the email came from you and was not altered in transit.

DKIM Setup in Google Workspace

  1. Open Google Admin Console (admin.google.com)
  2. Navigate to Apps → Google Workspace → Gmail → Email Authentication
  3. Select your domain
  4. Click "Generate new record" (2048-bit recommended)
  5. Google shows you the TXT record to enter in DNS
  6. Add the record to your DNS provider (Name: google._domainkey, Type: TXT)
  7. Wait 15-30 minutes, then click "Start DKIM Authentication"

DKIM Setup in Microsoft 365

  1. Exchange Admin Center → Mail Flow → DKIM
  2. Select your domain
  3. Enable DKIM signatures
  4. Microsoft shows you two CNAME records
  5. Add both CNAME records to your DNS
  6. Wait for DNS propagation, then enable in M365

What a DKIM Record Looks Like

Name: google._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

The long string after p= is your public key โ€” generated by your email provider and unique to each domain.

Important: You never need to know or enter the private key. Your email provider manages it automatically.

Setting Up DMARC: The Policy

What DMARC Does

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the conductor: it connects SPF and DKIM and defines what happens to emails that fail one or both checks. It also provides you with reports so you can see who is sending emails on your behalf.

The DMARC Staged Rollout Model

Never start with a strict policy. The right approach:

| Phase | Record | Meaning | Duration |
|---|---|---|---|
| Phase 1 | p=none | Monitoring, no action | 2-4 weeks |
| Phase 2 | p=quarantine; pct=25 | 25% of suspicious emails to spam | 2 weeks |
| Phase 3 | p=quarantine; pct=100 | All suspicious emails to spam | 2-4 weeks |
| Phase 4 | p=reject | Reject suspicious emails | Permanent |

Setting Up the DMARC Record

Phase 1 (Start):

Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Phase 4 (Full protection):

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s

DMARC Parameters Explained

| Parameter | Value | Meaning |
|---|---|---|
| p= | none/quarantine/reject | The policy |
| rua= | mailto:... | Address for aggregate reports |
| ruf= | mailto:... | Address for failure reports |
| pct= | 0-100 | Percentage of affected emails |
| fo= | 0/1/d/s | When to send failure reports |
| adkim= | r/s | DKIM alignment (relaxed/strict) |
| aspf= | r/s | SPF alignment (relaxed/strict) |

Tip for the rua address: Create a dedicated mailbox like dmarc-reports@yourdomain.com since you will receive many automated reports. Alternatively, DMARC analysis services like dmarcian.com or Postmark can process and visualize these reports for you.

Common Mistakes and How to Avoid Them

Mistake 1: Multiple SPF Records

Problem: You have two TXT entries with v=spf1 in your DNS.

Symptom: SPF fails with "PermError - too many SPF records".

Solution: Combine everything into a single SPF record:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Mistake 2: Setting Up DMARC Before SPF and DKIM

Problem: DMARC set to p=reject before SPF and DKIM are working.

Symptom: All legitimate emails are rejected.

Solution: Always follow this order: 1. Set up SPF, 2. Set up and verify DKIM, 3. Start DMARC with p=none.

Mistake 3: Too Many DNS Lookups in SPF Record

Problem: SPF allows a maximum of 10 DNS lookups when resolving the record.

Symptom: SPF fails with recipients who have many providers.

Solution: Minimize include: directives. Replace chains with direct IP addresses where possible. Use SPF flattening tools like dmarcian SPF Surveyor.
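
A check for Mistake 1 and Mistake 3 that can run before a DNS change goes live, as an added example that is not part of the original guide. It works on a constructed in-memory zone instead of live DNS, follows include chains recursively, and uses hypothetical function names and made-up domains.

```python
SPF_LOOKUP_LIMIT = 10  # limit stated on the page: max 10 DNS lookups per evaluation

# Constructed sample zone (name -> TXT strings); all names and addresses are made up.
ZONE = {
    "good.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.10 ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "dup.example": ["v=spf1 include:_spf.mail.example ~all", "v=spf1 ip4:192.0.2.20 ~all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " ~all"],
    **{f"p{i}.example": [f"v=spf1 ip4:192.0.2.{i} ~all"] for i in range(11)},
}

def spf_records(domain, zone=ZONE):
    """Return the TXT strings published at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, path=()):
    """Count terms that trigger a DNS query, following include/redirect targets."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:   # loop or unusable target: stop here
        return 0
    total = 0
    for term in records[0].split()[1:]:
        body = term.lstrip("+-~?").lower().replace("=", ":", 1)  # redirect=x -> redirect:x
        name, _, target = body.partition(":")
        name = name.split("/")[0]                                # "a/24" -> "a"
        if name in ("include", "redirect"):
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "exists", "ptr"):
            total += 1
    return total

def lint_spf(domain, zone=ZONE):
    """Report the two failure modes above, or the lookup count when the record is fine."""
    records = spf_records(domain, zone)
    if not records:
        return "none: no SPF record published"
    if len(records) > 1:
        return f"permerror: {len(records)} SPF records, only one is allowed"
    lookups = count_lookups(domain, zone)
    if lookups > SPF_LOOKUP_LIMIT:
        return f"permerror: {lookups} DNS lookups, limit is {SPF_LOOKUP_LIMIT}"
    return f"ok: {lookups} DNS lookups"

if __name__ == "__main__":
    for name in ("good.example", "dup.example", "heavy.example"):
        print(name, "->", lint_spf(name))
```

Nested includes count too: the single include in good.example costs three lookups because the provider's record pulls in two more.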

Mistake 4: Wrong Proxy Status in Cloudflare

Problem: TXT records are set to "Proxied" (orange cloud status).

Symptom: DNS resolution for SPF/DKIM/DMARC fails.

Solution: All DNS records for email authentication must be set to "DNS only" (grey status).

Mistake 5: Wrong DKIM Selector

Problem: The selector entered in DNS does not match the configured selector.

Symptom: DKIM signature not found.

Solution: For Google Workspace, the default selector is google. Check with: dig TXT google._domainkey.yourdomain.com

Mistake 6: Starting with p=reject Immediately

Problem: DMARC set to reject without a prior monitoring phase.

Symptom: Legitimate emails that are not yet fully authenticated are rejected, including newsletter services, CRM systems, etc.

Solution: Always start with p=none and analyze reports for at least 2-4 weeks.

Verification with Tools

After setup, verify all three records. Wait at least 15-30 minutes after DNS changes.

MXToolbox (mxtoolbox.com)

The standard for email diagnostics. Separate checkers for each record:

  • SPF: mxtoolbox.com/spf.aspx (gives a green checkmark or exact error description)
  • DKIM: mxtoolbox.com/dkim.aspx (enter domain and selector, e.g. google)
  • DMARC: mxtoolbox.com/dmarc.aspx (shows the complete record and syntax errors)
  • Blacklist: mxtoolbox.com/blacklists.aspx (checks against 100+ blacklists simultaneously)

Google Admin Toolbox (toolbox.googleapps.com)

Particularly helpful for Google Workspace users. The "Check MX" tool verifies all email-relevant DNS records for your domain in one step.

mail-tester.com

The most practical test: send a real email to the generated test address and receive a spam score from 0-10 with a detailed report. Shows SPF, DKIM, DMARC, blacklist status and content issues all in one view.

Target score: 9/10 or higher.

Automatic Monitoring with anicampaign.io

anicampaign.io continuously checks SPF, DKIM and DMARC for your sending domains and notifies you immediately when issues arise, before your campaigns suffer.

Frequently Asked Questions

What is SPF and why do I need it?

SPF (Sender Policy Framework) is a DNS record that specifies which servers are allowed to send emails for your domain. Without SPF, email providers cannot verify your emails and will often route them to spam.

What is the difference between DKIM and SPF?

SPF checks whether the sending server is authorized, while DKIM cryptographically signs the email. They complement each other: SPF protects the sender, DKIM protects the message itself.

What happens if I configure DMARC incorrectly?

Incorrectly configured DMARC with a "reject" policy can cause all your emails to be rejected. Always start with p=none (monitoring mode) and only switch to "quarantine" or "reject" after 2-4 weeks.

How long does it take for DNS changes to take effect?

DNS propagation can take anywhere from 15 minutes to 48 hours, with 1-4 hours being typical. Tools like MXToolbox show you the current status.

Do I need SPF, DKIM and DMARC for cold email?

Yes, all three are essential for professional cold email outreach. Without proper authentication, your emails are very likely to end up in spam.
