Why three protocols?

The original SMTP specification (1982) is permissive: any server can claim to be sending mail on behalf of any domain, and nothing in the protocol checks that claim. SPF, DKIM, and DMARC are three layered patches that, together, let a receiving mail server verify that an inbound message is genuinely authorized by the domain shown in its From header.

  • SPF answers "which IPs are allowed to send mail with example.com as the envelope sender (the Return-Path), and how should a receiver treat everything else?"
  • DKIM answers "was this message signed with a private key whose public half example.com publishes in DNS, and has it arrived unmodified?"
  • DMARC answers "does the domain that passed SPF or DKIM match the From header the user actually sees, what should happen when neither does, and where should reports about failures go?"

Step 1 — Publish SPF

SPF is a TXT record published at the domain you use as the envelope sender; for most setups that is the apex of your domain. It lists the hosts allowed to send mail on your behalf, typically your transactional provider and Google Workspace. Each include: term (and every a, mx, ptr, exists and redirect term, including those nested inside the includes) costs a DNS lookup, and receivers stop evaluating after ten and return permerror, so keep the list short.

example.com IN TXT
"v=spf1 include:_spf.google.com include:mailgun.org ~all"

The ~all at the end is a soft fail: receivers will mark mail from non-listed senders as suspicious rather than reject it. Once you trust your config, escalate to -all. Bear in mind that SPF only checks the connecting IP, so legitimately forwarded mail (which arrives from the forwarder's IP) fails SPF whichever qualifier you choose; that is one reason DKIM is needed as well.

Step 2 — Set up DKIM

DKIM signs each outbound message (selected headers plus the body) with a private key held by your sending provider. The public half of that key lives in DNS under a per-provider selector: the DKIM-Signature header on the message names the selector (s=google) and the signing domain (d=example.com), and the receiver fetches <selector>._domainkey.<domain> to verify the signature. Use a 2048-bit RSA key where your provider offers one; RFC 8301 recommends at least 2048 bits.

google._domainkey.example.com IN TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Step 3 — Activate DMARC

DMARC ties SPF and DKIM together. A message passes DMARC only if SPF or DKIM passed and the domain that passed aligns with the From header domain; relaxed alignment, the default, accepts subdomains such as mg.example.com, while strict alignment (aspf=s, adkim=s) requires an exact match. The record also tells the world what to do when neither passes (p=none, quarantine or reject) and where to send aggregate reports (rua=). Start with p=none and collect reports for at least two weeks, so you find every legitimate sender before tightening.

_dmarc.example.com IN TXT
"v=DMARC1; p=none; rua=mailto:dmarc@example.com"

Once the reports show only senders you recognise, move to p=quarantine and finally p=reject. pct=100 is the default and can be omitted; a lower pct applies the policy to only that fraction of failing mail, which is useful for a gradual rollout.

Verify it all worked

Run a lookup on DNSfish — the result page will show inline badges next to each TXT confirming SPF parsed, DKIM published, and DMARC active. Then send yourself a test message and check the Authentication-Results header for spf=pass, dkim=pass and dmarc=pass. Also confirm that the smtp.mailfrom and header.d domains shown there match (or are subdomains of) the From domain: a pass on an unaligned domain does not count towards DMARC.
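To make the three records and the header check concrete, here is an added example (my own, not DNSfish's tooling or code from this page) that parses each record the way a receiver does, counts the SPF lookup-costing terms against the ten-lookup limit, pulls the results out of a constructed Authentication-Results header, and works out the DMARC verdict including identifier alignment. It runs offline: the records are embedded rather than fetched from DNS, the receiver host mx.receiver.example, the bounce domain mg.example.com and the DKIM p= placeholder are constructed, and org_domain is a two-label simplification of what real receivers do with the Public Suffix List.

```python
import re

# Constructed input: the three TXT records from the walkthrough as a receiver
# would read them. The DKIM p= value is a placeholder, not a real key; this
# check only inspects the record's tags, it does not verify a signature.
RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com include:mailgun.org ~all",
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Constructed header, as a receiver would add it. The envelope sender is on a
# Mailgun-style subdomain so that relaxed alignment has something to do.
AUTH_RESULTS = """Authentication-Results: mx.receiver.example;
 dkim=pass header.d=example.com header.s=google;
 spf=pass smtp.mailfrom=bounce@mg.example.com;
 dmarc=pass (p=NONE) header.from=example.com"""

# Terms that cost a DNS lookup under RFC 7208's limit of ten. Nested includes
# count too, but an offline check can only see the top-level record.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return the qualifier on 'all' and the number of lookup-costing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default is pass
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups, "within_limit": lookups <= 10}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record):
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        raise ValueError("DKIM record needs v=DKIM1 and a public key in p=")
    return tags


def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")   # policy applies to all failing mail by default
    return tags


def org_domain(domain):
    """Assumption: organizational domain = last two labels. Real receivers use
    the Public Suffix List so that names like example.co.uk work."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(authenticated, from_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    a, f = authenticated.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(policy, from_domain, spf, dkim):
    """spf/dkim are (result, domain) pairs: smtp.mailfrom and header.d.
    Returns (verdict, disposition); pct is left to the receiver to sample."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy["adkim"])
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", policy["p"])


AR_PATTERNS = {
    "spf": r"\bspf=(\w+).*?smtp\.mailfrom=([^\s;]+)",
    "dkim": r"\bdkim=(\w+).*?header\.d=([^\s;]+)",
}


def parse_auth_results(header):
    """Extract method result and authenticated domain from a (folded) header."""
    flat = " ".join(line.strip() for line in header.splitlines())
    out = {}
    for method, pattern in AR_PATTERNS.items():
        m = re.search(pattern, flat, re.IGNORECASE | re.DOTALL)
        # smtp.mailfrom may be a full address; keep only the domain part
        out[method] = (m.group(1).lower(), m.group(2).split("@")[-1]) if m else ("none", "")
    return out


def audit(records=RECORDS, auth_results=AUTH_RESULTS, from_domain="example.com"):
    """Run every check the walkthrough asks for and return one summary."""
    dmarc = check_dmarc(records["_dmarc." + from_domain])
    results = parse_auth_results(auth_results)
    verdict, disposition = dmarc_evaluate(dmarc, from_domain, results["spf"], results["dkim"])
    return {"spf": parse_spf(records[from_domain]),
            "dkim_key_type": check_dkim(records["google._domainkey." + from_domain]).get("k", "rsa"),
            "dmarc": dmarc, "verdict": verdict, "disposition": disposition}


if __name__ == "__main__":
    print(audit())
```

The interesting cases are the ones the page warns about: forwarded mail fails SPF but still passes DMARC through an aligned DKIM signature, a Mailgun envelope on mg.example.com aligns only under the relaxed default (switch aspf to s and it no longer counts), and a spoofed message with neither check passing inherits whatever p= says, which is why the record stays at p=none until the reports are clean.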

Ready to test your domain?
Run a full mail audit in 38ms.