All Collections
How to set up your DKIM, SPF and DMARC?
How to set up your DKIM, SPF and DMARC?
How to set up your DKIM, SPF and DMARC?
Tara Mcwhite avatar
Written by Tara Mcwhite
Updated over a week ago

DKIM, SPF, DMARC are crucial set-ups that will protect your reputation and increase the chance of replies. Overall, it improves your email deliverability.

We highly recommend taking care of it as soon as possible.

Before going into any detail, note that DKIM, SPF and DMARC records are part of your DNS settings, which you can find on your domain provider.

This means it's all on your domain provider end, not Cliently.

We can help you with this since it's a step towards achieving success on your campaigns.

What does DKIM stand for and mean?

DomainKeys Identified Mail (DKIM) is a mechanism for verifying an email's integrity and authentication. It does this by using public-key cryptography to sign a message with a private key that corresponds to the user's domain name. This allows DKIM-compliant servers to verify that the message actually comes from the specified domain and not someone else in order to prevent email spoofing.

What does SPF stand for and mean?

Sender Policy Framework (SPF) is an email authentication system. SPF verifies the authenticity of a mail server by allowing servers to "recognize" each other and creating a trust relationship between them. This means that if you are sending your email from one email account, and the email is coming from a different account, the receiving server will verify the legitimacy of the sender's domain before accepting it.

What does DMARC stand for and mean?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a protocol that allows an email service provider to specify how incoming emails are checked. This allows the email service provider to give users more control over how their accounts are protected against email spoofing, phishing, and malware. DMARC uses DNS messages to verify the sender's identity and the email address of the receiving system.

The "criteria" attribute of a DMARC record allows a DMARC sender to specify details of what it wants to be done with the incoming email. This allows an email service provider, like Gmail or Yahoo! Mail, to more accurately identify which emails they should/shouldn't treat as legitimate.

Once the DMARC DNS entry is published, any receiving mail server can authenticate the incoming email by referring to the instructions published by the domain owner within that DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on what instructions are held within that DMARC record, it could be delivered as well as quarantined or rejected.

Why do you need DMARC, SPF and DKIM?

Phishing and email spam are the best ways for hackers to enter a network. Hackers find weak spots in companies by using email attachments that contain harmful exploits, ransomware, cryptojacking scripts, or data leakages.

DMARC, SPF and DKIM are three important hallmarks of email authentication. These protocols work together to create the most secure email experience around. DMARC protects against spoofing, SPF a standard that prevents spoofing from mail servers. The DKIM protocol protects your domain from being spoofed by sending data to the recipient's email server in order to verify it is actually from your domain name.

The need for all three email protocols isn't widely known, but they serve complementary functions and will likely be used by businesses in the foreseeable future.

How to set it up?

Below are all the examples that apply in case Google is your domain provider and your mail provider.

Check your provider's FAQ before copying/pasting the values and all providers have their own FAQ.

Setting up DKIM -

This is a three-stage process – first, you need to generate a DKIM domain key:

  • Sign in to your Google Workspace Admin console, then select Apps -> Google Workspace -> Gmail -> Authenticate email

  • Select your domain from the drop-down list and click the Generate new record button.

  • Copy the generated text.

2) Now you need to create an accompanying record to tie that key to your email domain:

  • Log into your domain provider’s admin console.

  • Locate the advanced DNS settings page.

  • Create a new TXT record with the name google._domainkey and then assign it the values generated in Step One. It should look something like: v=DKIM1; k=rsa; p=ALb9a35QAA35in7qDAB (although the ‘p’ section of yours will likely be much longer).

  • Click Save to apply the changes.

3) The final step is to tell Google Apps to use DKIM in order to protect your email:

  • Log into the Google Workspace Admin console again.

  • Select Apps -> Google Workspace -> Gmail -> Authenticate email

  • Choose the correct domain from the drop-down.

  • Click Start authentication.

You may need up to 48 hours before the setting will automatically be applied everywhere.

Setting up SPF-

  • Sign in to your domain account on your domain host's website (not your Google Admin Console). This could be a website like GoDaddy or DomainNameCheap.

  • Go to the page for updating your domain’s DNS records.

DNS Management, Name Server Management, or Advanced Settings.

  • Find your TXT records and make sure you have an existing SPF record on your domain that starts with "v=spf1..."

  • If your domain already has an SPF record, remove it.

  • Create a TXT record with these values:

Name/Host/Alias - Enter @ or leave blank

Other DNS records for your domain might indicate the correct entry.

Time to Live (TTL) - Enter 3600 or leave the default.

Value/Answer/Destination - Enter v=spf1 ~all

Sometimes, it can take as much as 48 hours to take effect.

Setting up DMARC

  • Go to your domain administrator’s site. Find DNS Management or Settings.

  • Add this TXT record to your DNS:

Host Name: _dmarc

VALUE (with email): v=DMARC1; p=quarantine;; pct=90; sp=none

The minimum is "v=DMARC1; p=none;" (you need to change the bold part)

The email version will send reports to the email that you put in there.

This is really optional. Here is the value without the email:

VALUE (no email): v=DMARC1; p=quarantine; pct=90; sp=none

Did this answer your question?