Why Email Deliverability Matters More Than Ever
Every day, roughly 347 billion emails are sent worldwide. Nearly half of them are spam. To fight back, inbox providers like Gmail, Outlook, and Yahoo have dramatically tightened their filtering rules—and the bar keeps rising.
Since February 2024, Google and Yahoo have enforced strict email authentication requirements for any sender dispatching more than 5,000 emails per day. If your domain lacks properly configured SPF, DKIM, and DMARC records, your carefully crafted newsletters, transactional emails, and sales outreach may never reach the inbox.
The good news? Setting up these three protocols is a one-time DNS configuration that pays dividends forever. In this guide, we walk you through every step—no prior DNS expertise required.
Understanding the Three Pillars of Email Authentication
Before diving into configuration, let’s clarify what each protocol does and how they interrelate.
SPF (Sender Policy Framework)
SPF lets you declare which mail servers are authorized to send email on behalf of your domain. When a receiving server gets a message from you@yourdomain.com, it checks your domain’s SPF record in DNS. If the sending server’s IP address is listed, the SPF check passes.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to the header of every outgoing email. The receiving server retrieves your public key from DNS and uses it to verify that the message hasn’t been tampered with in transit. Think of it as a digital wax seal on a letter.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is the policy layer that ties SPF and DKIM together. It tells receiving servers what to do when an email fails authentication (none, quarantine, or reject) and provides a reporting mechanism so you can monitor abuse.
How They Work Together
| Layer | What It Validates | DNS Record Type | Key Benefit |
|---|---|---|---|
| SPF | Sending server IP | TXT | Prevents unauthorized servers from sending as you |
| DKIM | Message integrity | TXT (public key) | Proves the email wasn’t altered in transit |
| DMARC | Policy + alignment | TXT | Instructs receivers on failures; enables reporting |
A message is considered DMARC-compliant if it passes either SPF or DKIM and the domain in the check aligns with the From: header domain. This concept of alignment is crucial and often overlooked.
Step 1: Configure SPF
1.1 Inventory Your Sending Sources
Before writing a single DNS record, list every service that sends email from your domain:
- Your own mail server (e.g., Postfix, Exchange)
- Marketing platforms (Mailchimp, Sendinblue/Brevo, ActiveCampaign)
- Transactional email services (SendGrid, Amazon SES, Mailgun)
- CRM systems (HubSpot, Salesforce)
- Help desk tools (Zendesk, Freshdesk)
- Your web host (if your CMS sends emails directly)
Missing a single source is the number-one cause of SPF failures. At Lueur Externe, when we audit client domains, we find that over 60% have at least one legitimate sender missing from their SPF record.
1.2 Build Your SPF Record
An SPF record is a single TXT record added to the root of your domain. Here’s the syntax:
```
v=spf1 ip4:203.0.113.10 include:_spf.google.com include:amazonses.com include:spf.brevo.com -all
```
Let’s break it down:
- `v=spf1` — Declares this is an SPF record (mandatory prefix).
- `ip4:203.0.113.10` — Authorizes a specific IPv4 address (your own server).
- `include:_spf.google.com` — Authorizes Google Workspace servers.
- `include:amazonses.com` — Authorizes Amazon SES.
- `include:spf.brevo.com` — Authorizes Brevo (formerly Sendinblue).
- `-all` — Anything not listed is not authorized (hard fail).
1.3 SPF Best Practices
- Stick to one SPF record per domain. Multiple TXT records starting with `v=spf1` will cause a PermError.
- Stay under the 10-lookup limit. Each `include:`, `a`, `mx`, and `redirect` counts as a DNS lookup. Exceeding 10 lookups causes the entire SPF check to fail. Use an SPF flattening tool if needed.
- Use `-all` (hard fail) instead of `~all` (soft fail) once you’re confident in your record. Soft fail is fine during testing, but hard fail provides stronger protection.
- Avoid `+all` — this authorizes the entire internet to send as you.
1.4 Add the Record to Your DNS
- Log in to your DNS provider (Cloudflare, OVH, Route 53, GoDaddy, etc.).
- Navigate to the DNS zone for your domain.
- Add a new TXT record:
  - Host/Name: `@` (or leave blank, depending on your provider)
  - Value: your SPF string
  - TTL: 3600 (1 hour) or your provider’s default
- Save and wait for propagation.
1.5 Verify Your SPF Record
Use one of these free tools:
- MXToolbox SPF Lookup
- Google Admin Toolbox — Check MX
- `dig TXT yourdomain.com` from the command line
Step 2: Configure DKIM
2.1 Generate Your DKIM Key Pair
DKIM uses a private key (stored on your sending server) to sign outgoing messages and a public key (published in DNS) for verification.
How you generate keys depends on your sending service:
- Google Workspace: Admin Console → Apps → Gmail → Authenticate email → Generate new record.
- Amazon SES: SES Console → Verified identities → Select domain → DKIM tab → Generate DKIM keys (Easy DKIM).
- Brevo / Mailchimp / SendGrid: Each provides DKIM keys in their domain authentication settings.
- Self-hosted (Postfix/OpenDKIM): Use `opendkim-genkey` to create a 2048-bit key pair.
Example command for self-hosted servers:
```
opendkim-genkey -b 2048 -d yourdomain.com -s mail2024
```
This creates two files: mail2024.private (your signing key) and mail2024.txt (the DNS record to publish).
2.2 Publish the Public Key in DNS
Add a TXT record:
- Host/Name: `mail2024._domainkey` (the selector followed by `._domainkey`)
- Value: `v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...` (your full public key)
- TTL: 3600
2.3 DKIM Best Practices
- Use 2048-bit keys minimum. 1024-bit keys are still functional but increasingly considered weak.
- Rotate keys annually. Create a new selector (e.g., `mail2025`), publish it, switch your signing configuration, then remove the old record after a grace period.
- Each sending service needs its own DKIM setup. If you send via Google Workspace AND SendGrid, configure DKIM for both.
2.4 Verify Your DKIM Record
Send a test email to a Gmail address and inspect the headers. Look for:
```
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=mail2024
```
Alternatively, use MXToolbox’s DKIM Lookup with your selector and domain.
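Beyond confirming `dkim=pass`, it is worth checking that the key you actually published meets the 2048-bit minimum from section 2.3. The Python below is an added example, not code from this guide or from OpenDKIM: it builds the DNS name from selector and domain, parses the `v=DKIM1; k=rsa; p=...` tag-value record, and reads the modulus length straight out of the DER-encoded SubjectPublicKeyInfo that the `p=` tag carries, so it needs no third-party crypto library. `constructed_dkim_record` fabricates a syntactically valid record of a chosen key size for the demonstration; its modulus is a placeholder number, not a real RSA key.

```python
import base64

DKIM_MINIMUM_BITS = 2048
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)


def dkim_record_name(selector, domain):
    """DNS name a receiver queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_tag_value(record):
    """Split a DKIM tag=value record ('v=DKIM1; k=rsa; p=...') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def _der_read(buf, pos=0):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo (the content of p=)."""
    tag, spki, _ = _der_read(spki_der)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, algorithm, pos = _der_read(spki)            # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _der_read(algorithm)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _der_read(spki, pos)        # subjectPublicKey BIT STRING
    _, rsa_public_key, _ = _der_read(bit_string[1:])   # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, modulus, _ = _der_read(rsa_public_key)      # first INTEGER is n, the second is e
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_key(selector, domain, record, minimum_bits=DKIM_MINIMUM_BITS):
    """Assess a published DKIM key record; only RSA keys are sized here."""
    tags = parse_tag_value(record)
    result = {"name": dkim_record_name(selector, domain), "algorithm": tags.get("k", "rsa"),
              "bits": None, "revoked": False, "ok": False}
    if tags.get("v", "DKIM1") != "DKIM1":
        return result
    if not tags.get("p"):
        result["revoked"] = True                   # an empty p= tag means the key was revoked (RFC 6376)
        return result
    if result["algorithm"] == "rsa":
        result["bits"] = rsa_modulus_bits(base64.b64decode(tags["p"]))
        result["ok"] = result["bits"] >= minimum_bits
    return result


# --- constructed sample data (placeholder keys, not real RSA material) -----------------------

def _der(tag, body):
    """Minimal DER encoder used only to build the sample records below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body                      # keep the INTEGER positive
    return _der(0x02, body)


def constructed_dkim_record(bits):
    """A syntactically valid DKIM key record whose modulus is a placeholder of the given size."""
    modulus = (1 << (bits - 1)) | 1                # top bit set so bit_length() == bits; NOT a real key
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for selector, record in [("mail2024", constructed_dkim_record(2048)),
                             ("mail2019", constructed_dkim_record(1024)),
                             ("retired", "v=DKIM1; k=rsa; p=")]:
        print(check_dkim_key(selector, "yourdomain.com", record))
```

To run it against a live record, replace the constructed input with the `p=` value returned by `dig TXT mail2024._domainkey.yourdomain.com`; because `base64.b64decode` ignores whitespace by default, a key that DNS splits across several quoted strings can be pasted in as-is.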
Step 3: Configure DMARC
3.1 Understand DMARC Policies
DMARC offers three enforcement levels:
| Policy | Tag | Behavior |
|---|---|---|
| None | p=none | No action taken; reports only (monitoring mode) |
| Quarantine | p=quarantine | Failing messages are sent to spam/junk |
| Reject | p=reject | Failing messages are blocked entirely |
3.2 Start with Monitoring (p=none)
Begin with the least restrictive policy so you can collect data without risking lost emails:
```
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1;
```
- `rua` — Aggregate report destination (XML summaries, usually sent daily).
- `ruf` — Forensic report destination (individual failure details—not all providers send these).
- `fo=1` — Generate a forensic report if either SPF or DKIM fails (instead of both).
Add this as a TXT record:
- Host/Name: `_dmarc`
- Value: your DMARC string
- TTL: 3600
3.3 Analyze Your Reports
Raw DMARC aggregate reports are XML files that look intimidating. Use a parser to make them readable:
- Free: DMARC XML-to-Human Converter (dmarcian), MXToolbox DMARC Report Analyzer
- Paid: Postmark DMARC, Valimail, dmarcian Pro
Key things to look for in reports:
- Legitimate sources failing SPF or DKIM — You need to add them to your SPF record or configure DKIM for them.
- Unknown IPs sending as your domain — Potential spoofing or forgotten services.
- Alignment failures — The domain in the `From:` header doesn’t match the SPF or DKIM domain.
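The three findings above can be pulled out of an aggregate report with nothing but the standard library. The following Python is an added example, not part of the original guide: it parses a constructed report laid out per RFC 7489 Appendix C (sample data, not a real receiver's report), computes the compliance rate, lists source IPs that are not on an assumed allow-list, and separates raw SPF/DKIM failures from alignment failures, where the receiver saw a pass but the authenticated domain did not align with the `From:` domain.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 Appendix C layout); IPs are RFC 5737 documentation addresses.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1700000000.1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>mail2024</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>othersender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Flatten each <record> into a dict holding both the raw and the DMARC-evaluated results."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row, evaluated = rec.find("row"), rec.find("row/policy_evaluated")
        auth = rec.find("auth_results")
        raw = [(a.tag, a.findtext("domain"), a.findtext("result")) for a in (list(auth) if auth is not None else [])]
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",   # policy_evaluated = aligned result
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "raw_results": raw,                                      # auth_results = raw result
        })
    return records


def summarize(records, known_ips):
    """Compliance rate plus the two findings worth acting on: unknown senders and alignment failures."""
    total = sum(r["count"] for r in records)
    passing = sum(r["count"] for r in records if r["dkim_aligned"] or r["spf_aligned"])
    unknown = {r["source_ip"]: r["count"] for r in records if r["source_ip"] not in known_ips}
    alignment_failures = []
    for r in records:
        for method, domain, result in r["raw_results"]:
            # Raw pass but evaluated fail: the authenticating domain did not align with header_from
            if result == "pass" and not r[f"{method}_aligned"]:
                alignment_failures.append((r["source_ip"], method, domain))
    return {
        "total": total,
        "passing": passing,
        "compliance_pct": round(100 * passing / total, 1) if total else 0.0,
        "unknown_sources": unknown,
        "alignment_failures": alignment_failures,
    }


if __name__ == "__main__":
    # Assumed allow-list: the IPs you know send for the domain (here, the server from step 1.2)
    print(summarize(parse_aggregate_report(SAMPLE_REPORT), known_ips={"203.0.113.10"}))
```

In the sample, 198.51.100.7 fails both checks outright and is worth investigating as a forgotten service or spoofing, while 192.0.2.25 passed SPF for `othersender.example`; that is the third-party sender whose `Return-Path` domain is not yours, the case section 3.4 of the checklist fixes with DKIM signing under your domain or relaxed alignment on a subdomain.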
3.4 Tighten Your Policy Gradually
Once you’ve monitored for 2-4 weeks and confirmed all legitimate sources pass, move through the phases:
- Phase 1: `p=none` — Monitor and fix issues (2-4 weeks)
- Phase 2: `p=quarantine; pct=25` — Quarantine 25% of failures (1-2 weeks)
- Phase 3: `p=quarantine; pct=100` — Quarantine all failures (1-2 weeks)
- Phase 4: `p=reject; pct=25` — Reject 25% of failures (1-2 weeks)
- Phase 5: `p=reject` — Full enforcement
The pct tag is your safety net—it lets you apply the policy to only a percentage of messages while you build confidence.
3.5 Final DMARC Record Example
```
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; fo=1;
```
- `adkim=s` — Strict DKIM alignment (the `d=` domain must exactly match the `From:` domain).
- `aspf=s` — Strict SPF alignment (the `Return-Path` domain must exactly match the `From:` domain).
Strict alignment offers the strongest protection but requires careful configuration. Relaxed alignment (adkim=r; aspf=r) allows subdomains to align, which is more forgiving.
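The effect of `adkim`/`aspf` can be worked through on the kind of `Authentication-Results` header shown in section 2.4. The Python below is an added example, not code from the original guide: it parses a constructed header (modelled on the Gmail one above, with an assumed bounce address on a `mail.` subdomain), applies relaxed or strict alignment to each passing identifier, and returns the DMARC verdict. Its `organizational_domain` helper simply takes the last two labels, a simplification for the demo; real evaluators consult the Public Suffix List so that `example.co.uk` is handled correctly.

```python
import re

# Constructed header modelled on section 2.4: authserv-id first, then one stanza per method.
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@yourdomain.com header.s=mail2024 header.b=KzF4bQ; "
    "spf=pass (google.com: domain of bounce@mail.yourdomain.com designates 203.0.113.10 as permitted sender) "
    "smtp.mailfrom=bounce@mail.yourdomain.com"
)


def organizational_domain(domain):
    """Simplification for this example: the last two labels. Real evaluators use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_authentication_results(header):
    """Return [(method, result, {property: value})] from an Authentication-Results header value."""
    results = []
    for stanza in header.split(";")[1:]:           # element [0] is the authserv-id (mx.google.com)
        m = re.match(r"\s*(\w+)=(\w+)", stanza)
        if m:
            props = dict(re.findall(r"(\w+\.\w+)=(\S+)", stanza))   # header.i=..., smtp.mailfrom=...
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return results


def dmarc_verdict(header, from_domain, adkim="r", aspf="r"):
    """DMARC passes when at least one identifier both passes its check and aligns with From:."""
    dkim_ok = spf_ok = False
    for method, result, props in parse_authentication_results(header):
        if result != "pass":
            continue
        if method == "dkim":
            # Prefer header.d (the d= tag); fall back to the domain part of header.i
            d = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
            dkim_ok = dkim_ok or aligned(d, from_domain, adkim)
        elif method == "spf":
            d = props.get("smtp.mailfrom", "").rpartition("@")[2]   # the Return-Path domain
            spf_ok = spf_ok or aligned(d, from_domain, aspf)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}


if __name__ == "__main__":
    print("relaxed:", dmarc_verdict(AUTH_RESULTS, "yourdomain.com"))
    print("strict: ", dmarc_verdict(AUTH_RESULTS, "yourdomain.com", adkim="s", aspf="s"))
    # A forwarded copy typically loses SPF but keeps the DKIM signature
    print("forwarded:", dmarc_verdict(AUTH_RESULTS.replace("spf=pass", "spf=fail"), "yourdomain.com"))
```

With the sample header, strict `aspf=s` rejects the SPF identifier because the bounce address lives on `mail.yourdomain.com`, yet DMARC still passes on the aligned DKIM signature; flipping `spf=pass` to `spf=fail` shows the forwarding case from the pitfalls section, where DKIM alone carries the message.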
Common Pitfalls and How to Avoid Them
Exceeding the SPF 10-Lookup Limit
Every include mechanism triggers additional DNS lookups. Enterprise domains often chain includes that cascade into dozens of lookups. To check yours:
```shell
dig TXT yourdomain.com +short
# Then recursively check each include
```
Solution: Use SPF flattening (tools like Auto SPF or SPF Macro) to replace includes with direct IP addresses, or move some senders to a subdomain with its own SPF record.
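Recursing through the includes by hand is tedious, so here is a Python script that does it for both the 10-lookup rule in section 1.3 and the audit above. It is an added example, not part of the original guide, and it resolves against a constructed in-memory zone instead of live DNS: the include names mirror the example record from step 1.2, but their contents are made up for this demo (RFC 5737 addresses) and are not the providers' real records. It counts lookups the way a receiver would, reports the `all` qualifier, rejects a domain that publishes two `v=spf1` records, and evaluates a sending IP against the record.

```python
import ipaddress

SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: domain -> list of TXT strings. The provider records are invented for this example.
ZONE = {
    "yourdomain.com": ["v=spf1 ip4:203.0.113.10 include:_spf.google.com include:amazonses.com include:spf.brevo.com -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "amazonses.com": ["v=spf1 ip4:192.0.2.0/25 -all"],
    "spf.brevo.com": ["v=spf1 ip4:203.0.113.128/25 -all"],
    "twospf.example": ["v=spf1 a -all", "v=spf1 mx -all"],          # two records: PermError
    "bigcorp.example": ["v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all"],
}
ZONE.update({f"vendor{i}.example": [f"v=spf1 ip4:192.0.2.{128 + i} -all"] for i in range(11)})


class PermError(Exception):
    """Permanent error: the record cannot be evaluated (receivers treat this as a failed check)."""


def get_spf(zone, domain):
    """Return the single SPF record for a domain, or raise PermError (none, or more than one)."""
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise PermError(f"{domain}: expected exactly one v=spf1 record, found {len(records)}")
    return records[0]


def parse_terms(record):
    """Yield (qualifier, name, value) for every mechanism or modifier after the v=spf1 prefix."""
    for term in record.split()[1:]:
        if "=" in term and (":" not in term or term.index("=") < term.index(":")):
            name, value = term.split("=", 1)       # modifier, e.g. redirect=_spf.example
            yield "+", name.lower(), value
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        yield qualifier, name.lower(), value


def count_lookups(zone, domain):
    """Count DNS-querying terms, following include: and redirect= the way a receiver does."""
    total = 0
    for _, name, value in parse_terms(get_spf(zone, domain)):
        if name in LOOKUP_MECHANISMS or name == "redirect":
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(zone, value)
    return total


def check_ip(zone, domain, ip):
    """Evaluate a sending IP against the domain's SPF record: pass, fail, softfail or neutral."""
    addr = ipaddress.ip_address(ip)
    redirect = None
    for qualifier, name, value in parse_terms(get_spf(zone, domain)):
        matched = False
        if name == "redirect":
            redirect = value                       # only consulted if nothing else matches
            continue
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)   # False across IP versions
        elif name == "include":
            matched = check_ip(zone, value, ip) == "pass"   # include matches only on a pass
        # a / mx / exists / ptr need A, MX or PTR lookups; this offline example treats them as no-match
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if redirect:
        return check_ip(zone, redirect, ip)
    return "neutral"


def audit(zone, domain):
    """Summary of the things section 1.3 asks you to check: lookups, the all qualifier, +all."""
    record = get_spf(zone, domain)
    all_qualifiers = [q for q, name, _ in parse_terms(record) if name == "all"]
    lookups = count_lookups(zone, domain)
    return {"record": record, "lookups": lookups, "over_limit": lookups > SPF_LOOKUP_LIMIT,
            "all_qualifier": all_qualifiers[-1] if all_qualifiers else None,
            "plus_all": "+" in all_qualifiers}


if __name__ == "__main__":
    print(audit(ZONE, "yourdomain.com"))
    print(audit(ZONE, "bigcorp.example"))
    for ip in ("203.0.113.10", "198.51.100.42", "2001:db8::1", "10.0.0.1"):
        print(ip, check_ip(ZONE, "yourdomain.com", ip))
```

To point this at real DNS, replace `ZONE` with a function that fetches TXT records (for instance with the `dnspython` package) and keep the rest; the recursion is the same one a receiver performs, which is why `bigcorp.example`, with eleven one-level includes, already trips the limit even though each vendor record is tiny.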
Forgetting Subdomains
DMARC applies to the exact domain in the From: header. If you send marketing emails from news@marketing.yourdomain.com, you need SPF and DKIM configured for the marketing.yourdomain.com subdomain as well, or use relaxed alignment.
Pro tip: Add a DMARC record for subdomains you don’t use for email to prevent spoofing:
```
_dmarc.unused.yourdomain.com TXT "v=DMARC1; p=reject;"
```
Not Monitoring After Setup
Email infrastructure changes. You add a new CRM, switch ESP providers, or onboard a SaaS tool that sends email. Each change can break authentication. Review your DMARC reports monthly.
Ignoring the Impact on Email Forwarding
Email forwarding (e.g., university alumni addresses, mailing lists) can break SPF because the forwarding server’s IP isn’t in your SPF record. DKIM usually survives forwarding intact because the signature is part of the message header. This is one more reason why having both SPF and DKIM is essential—DKIM acts as a safety net when SPF fails due to forwarding.
Measuring the Impact on Deliverability
After implementing SPF, DKIM, and DMARC, track these metrics:
- Inbox placement rate — Use tools like GlockApps or Mail-Tester to see where your messages land.
- Bounce rate — Should decrease as receivers trust your authenticated messages.
- Open rate — Typically improves by 5-15% when emails move from spam to inbox.
- DMARC compliance percentage — Aim for 98%+ pass rates in your aggregate reports.
- Google Postmaster Tools — Monitor your domain reputation, spam rate, and authentication results directly from Google.
Companies that move from no authentication to full p=reject DMARC often report a 10-15% increase in email engagement within the first quarter, simply because more of their messages are actually being seen.
BIMI: The Bonus Fourth Step
Once your DMARC policy is at quarantine or reject, you unlock the ability to implement BIMI (Brand Indicators for Message Identification). BIMI displays your brand logo next to your emails in supported inboxes (Gmail, Yahoo Mail, Apple Mail), boosting recognition and trust.
A BIMI record looks like this:
```
default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem;"
```
BIMI requires a Verified Mark Certificate (VMC) from a certified authority, which typically costs around $1,000-$1,500/year. It’s not essential for everyone, but for brands sending high volumes of consumer-facing email, it’s worth the investment.
A Quick Checklist Before You Go
Use this checklist to make sure nothing slips through:
- All legitimate sending sources identified and documented
- Single SPF record with all sources, under 10 lookups, ending in `-all`
- DKIM configured and verified for every sending service
- DKIM keys are 2048-bit minimum
- DMARC record published at `_dmarc.yourdomain.com`
- DMARC starts at `p=none` with `rua` reporting
- Reports analyzed weekly during monitoring phase
- Policy gradually tightened to `p=reject`
- Subdomains protected or configured separately
- Google Postmaster Tools enrolled for ongoing monitoring
- Key rotation schedule documented (annual DKIM rotation)
When to Call in the Experts
For a single domain with one or two sending services, this guide should get you across the finish line. But email infrastructure can get complex quickly—multiple domains, dozens of third-party senders, legacy systems, and strict compliance requirements (GDPR, HIPAA) all add layers of difficulty.
At Lueur Externe, our infrastructure team routinely configures email authentication for e-commerce platforms, SaaS companies, and organizations running complex multi-domain setups. As certified AWS Solutions Architects, we also handle the server-side configuration for clients running their own mail infrastructure on Amazon SES or EC2 instances. DNS misconfigurations can silently destroy your email deliverability for weeks before anyone notices—expert setup eliminates that risk from day one.
Conclusion
SPF, DKIM, and DMARC are no longer optional extras—they’re the baseline of email deliverability in 2024 and beyond. Without them, you’re effectively sending your emails with a “please spam me” sign attached.
The setup process is methodical but straightforward: inventory your senders, publish your SPF record, configure DKIM for each service, deploy DMARC in monitoring mode, analyze reports, and gradually tighten enforcement. Follow the steps in this guide, and you’ll join the ranks of authenticated senders who actually land in the inbox.
If you’d prefer to skip the learning curve and get it done right the first time, Lueur Externe offers comprehensive email deliverability audits and DNS configuration services. From SPF flattening to DMARC enforcement and BIMI implementation, we handle the technical details so you can focus on what matters—writing emails people actually want to read.