How to Set Up SPF, DKIM and DMARC: Complete Email Authentication Guide (2026)

You send an important email and it never arrives. The recipient sees nothing. It slipped directly into spam. Nine times out of ten, the cause is missing or broken email authentication. Setting up SPF, DKIM, and DMARC correctly is not optional in 2026. Google, Yahoo, and Microsoft have all made these records mandatory. Without them, even your best campaigns will land in the spam folder.

This guide walks you through every step of the setup process in plain language. By the end you will have all three records live on your domain and you will know exactly how to verify they are working.

What SPF, DKIM and DMARC Do and Why All Three Matter

These three protocols work as a team. Think of them as layers of identification that prove to receiving mail servers that your email is genuinely from you and has not been tampered with.

SPF, or Sender Policy Framework, is a list you publish in your DNS that tells receiving servers which IP addresses and services are authorised to send email from your domain. When a mail server receives a message claiming to be from you, it checks that list. If the sending server is on it, the check passes. If not, the server grows suspicious.

DKIM, or DomainKeys Identified Mail, works differently. It adds a cryptographic signature to every email you send. The receiving server looks up a public key you have published in your DNS and uses it to verify the signature is genuine and that nobody altered the message in transit. Think of it as a tamper-evident seal on a letter.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, ties SPF and DKIM together. It tells receiving servers what to do when an email fails one or both checks, and it sends you reports so you can see who is sending email from your domain, including any bad actors trying to impersonate you.

Important: 2026 Sender Requirements

Google and Yahoo have required SPF and DKIM for all senders since February 2024. Microsoft extended similar enforcement from May 2025. Without these records, your emails may bounce or land in spam even if your content is perfect.

Step 1: Setting Up Your SPF Record

Before creating anything, log into your DNS provider. This is usually the same place where you registered your domain, such as GoDaddy, Namecheap, Cloudflare, or Google Domains. You need access to add and edit TXT records.

First, check whether an SPF record already exists because your domain can only have one. Go to MXToolbox, enter your domain, and check. If one exists, you will modify it. If not, you will create one from scratch.

Writing Your SPF Record

Every SPF record starts with v=spf1, followed by the services authorised to send from your domain, and ends with a qualifier. For most businesses using Google Workspace the record looks like this:

v=spf1 include:_spf.google.com ~all

If you also use a service like Mailchimp alongside Google Workspace, chain them together like this:

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

The ~all at the end is a soft fail. It tells servers to treat unrecognised senders with suspicion but not reject them outright. This is the right setting when you are first getting started. Avoid +all completely as it authorises every server on the internet, which defeats the entire purpose.

Common Mistake to Avoid

Keep your SPF record within the limit of 10 DNS lookups. Each include statement counts as one lookup, and so does every include inside the records it points to. Exceeding this limit causes a PermError that breaks SPF completely. If you use many sending tools, consider an SPF flattening service.
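To see how quickly the lookup budget is spent, here is an added example (not part of the original guide) that audits an SPF policy for the mistakes named above: more than one SPF record, +all, and more than 10 lookups. It assumes a constructed table of TXT records in place of live DNS; the function name audit_spf and every domain in SAMPLE_TXT are hypothetical. It counts the terms that RFC 7208 charges against the limit (include, a, mx, ptr, exists, redirect) and follows nested includes.

```python
import re

# Constructed TXT data standing in for live DNS answers (not real published records).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mail.example include:bulk.example ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bulk.example": ["v=spf1 a mx ip4:203.0.113.0/24 -all"],
}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(domain, txt=SAMPLE_TXT, path=()):
    """Return (dns_lookups, problems) for the SPF policy published at `domain`."""
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: expected exactly one SPF record, found {len(records)}"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        # A term without a qualifier is treated as "+", so a bare "all" is +all.
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = re.match(r"([a-z0-9]+)(?:[:=](\S+))?", term.lstrip("+-~?").lower())
        if not m:
            problems.append(f"{domain}: unparseable term {term!r}")
            continue
        name, target = m.groups()
        if name == "all" and qualifier == "+":
            problems.append(f"{domain}: +all authorises every server on the internet")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and target:
            if target == domain or target in path:
                problems.append(f"{domain}: include loop through {target}")
                continue
            # Lookups made inside an included record count against the same budget.
            nested, nested_problems = audit_spf(target, txt, path + (domain,))
            lookups += nested
            problems += nested_problems
    if not path and lookups > LOOKUP_LIMIT:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return lookups, problems


if __name__ == "__main__":
    print(audit_spf("example.com"))
```

The sample policy has only two include statements at the top level but already costs six lookups once the nested records are followed.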

Adding the SPF Record to Your DNS

  1. Log into your DNS provider dashboard
  2. Navigate to DNS management
  3. Add a new TXT record
  4. Set the host or name field to @ (representing your root domain)
  5. Paste your SPF value into the content field
  6. Save the record and wait up to 48 hours for propagation

Step 2: Setting Up Your DKIM Record

DKIM requires a private and public key pair. Your email sending service generates these for you. The private key stays with your email provider and signs every outgoing message. The public key goes into your DNS.

The process for generating the key pair varies by provider. In Google Workspace, go to Apps, then Google Workspace, then Gmail, then Authenticate Email. In Microsoft 365, look in the Defender portal under Email and Collaboration.

Publishing the DKIM Record

Once your email provider generates the key, it will give you a TXT record value and a specific subdomain to publish it under. The subdomain usually follows this format:

selector._domainkey.yourdomain.com

The selector is a name chosen by your email provider, such as google or s1. Add a new TXT record in your DNS using that subdomain as the host and paste the DKIM key value in the content field. Use 2048-bit keys if your provider supports them. They are significantly more secure than the older 1024-bit standard.

Multiple Sending Tools

If you use multiple email sending platforms, each one needs its own DKIM record. You can have multiple DKIM records on the same domain as long as each uses a different selector name.

Step 3: Setting Up Your DMARC Record

Now that SPF and DKIM are in place, DMARC can do its job. Always wait 24 to 48 hours after setting up SPF and DKIM before enabling DMARC so the records have time to propagate. DMARC is a TXT record you add at this exact location in your DNS:

_dmarc.yourdomain.com

Start With Monitoring Mode First

Do not start with a strict policy. Begin with p=none, which tells receiving servers to take no action on failed emails but to send you reports about what they are seeing. A safe starting record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

The rua tag tells servers where to send aggregate reports. After two to four weeks of reviewing those reports and confirming all your legitimate sending tools pass authentication, you can tighten the policy step by step.

DMARC Policy | What It Does | When to Use It
p=none | Monitor only. No action taken. Reports sent to you. | Starting out. First 2 to 4 weeks.
p=quarantine | Failed emails routed to spam folder. | After reviewing reports and fixing alignment issues.
p=reject | Failed emails blocked and returned to sender. | When confident all legitimate mail passes authentication.

How to Verify Everything Is Working

After publishing all three records, send a test email to a Gmail address you control. Open it, click the three dots, and select Show Original. Look for the authentication results near the top. You want to see spf=pass, dkim=pass, and dmarc=pass. If any show fail or none, go back to that record and check for typos or missing includes.
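The same check can be scripted against the raw text that Show Original displays. This is an added example (not part of the original guide) that reads the Authentication-Results header and reports which of the three checks did not pass; the sample message is constructed and the function names are hypothetical. It only trusts the header written by the receiving server named in trusted_authserv, because any other Authentication-Results header may have been supplied by the sender.

```python
import re
from email import message_from_string

# Constructed headers in the style of Gmail's "Show Original" view (not a real message).
SAMPLE = """\
Delivered-To: recipient@example.net
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=google header.b=AbCdEfGh;
       spf=pass (google.com: domain of news@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=news@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: News <news@example.com>
Subject: authentication test

Hello
"""


def auth_verdicts(raw_message, trusted_authserv="mx.google.com"):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the trusted receiver's header."""
    msg = message_from_string(raw_message)
    found = {"spf": [], "dkim": [], "dmarc": []}
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header, then drop the parenthesised comments.
        value = re.sub(r"\([^()]*\)", " ", " ".join(value.split()))
        authserv, *results = [part.strip() for part in value.split(";")]
        if authserv.lower().split()[:1] != [trusted_authserv]:
            continue  # not written by our receiver, so it proves nothing
        for res in results:
            m = re.match(r"(\w+)=(\w+)", res)
            if m and m.group(1).lower() in found:
                found[m.group(1).lower()].append(m.group(2).lower())
    # Several DKIM signatures may be reported; one passing signature is enough.
    return {k: ("pass" if "pass" in v else v[0] if v else "missing")
            for k, v in found.items()}


def needs_attention(raw_message, trusted_authserv="mx.google.com"):
    """List the checks that did not pass, i.e. the records to revisit."""
    verdicts = auth_verdicts(raw_message, trusted_authserv)
    return sorted(k for k, v in verdicts.items() if v != "pass")


if __name__ == "__main__":
    print(auth_verdicts(SAMPLE), needs_attention(SAMPLE))
```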

Common Mistakes That Break Authentication

  • Multiple SPF records: A domain can have only one SPF TXT record. If you have two, both fail.
  • Too many DNS lookups: Each include statement counts toward a limit of 10. Exceeding it causes a PermError and breaks SPF entirely.
  • DKIM key not activated: Many providers generate the key but require a separate step to activate signing. Verify that signing is actually enabled.
  • Jumping straight to p=reject: Starting with the strictest DMARC policy without monitoring first can block your own legitimate emails.
  • Not updating SPF when adding new tools: Every time you add a new email platform or CRM, you must add it to your SPF record.

What to Do After Authentication Is Set Up

Authentication is your foundation, but it is not the whole story. Once SPF, DKIM, and DMARC are in place, the next thing to look at is your email sender reputation, which determines where inside the inbox your emails actually land.

If you want a professional review of your entire email setup including authentication, infrastructure, and reputation, FormulaInbox offers a free inbox placement test that shows you exactly where your emails are landing right now across all major providers.

For a deeper look at your full sending environment, our email deliverability audit covers authentication, infrastructure, sender reputation, and content analysis in a single engagement with a clear prioritised roadmap to resolve any issues found.
