What DNS Records Do I Need to Configure for SPF, DKIM, and DMARC?

To ensure your emails land in inboxes and are protected against spoofing, you need to set up three essential DNS records: SPF, DKIM, and DMARC. These records help verify your email’s legitimacy and improve deliverability. Let’s break them down step by step.


1. Setting Up SPF (Sender Policy Framework)

SPF is a DNS TXT record that specifies which mail servers are authorized to send emails on behalf of your domain. This helps prevent spammers from forging your domain in email headers.

Steps to Configure SPF:

  1. Access Your DNS Settings: Log in to your domain provider (e.g., Cloudflare, GoDaddy, Namecheap, etc.).

  2. Add a New TXT Record:

    • Type: TXT

    • Name/Host: @ (or your domain name)

    • Value: v=spf1 include:mailserver.com -all

      • Replace mailserver.com with your actual email provider's SPF domain (e.g., _spf.google.com for Gmail, spf.protection.outlook.com for Microsoft).

  3. Save the Changes and wait for DNS propagation (can take up to 48 hours).

Best Practice: Use ~all instead of -all to allow soft fails instead of hard rejections in case of misconfigurations.


2. Setting Up DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your emails, allowing receiving mail servers to verify that the email wasn’t altered in transit.

Steps to Configure DKIM:

  1. Generate Your DKIM Key:

    • If using Google, Microsoft, or another provider, they will generate a DKIM key for you.

  2. Access Your DNS Settings:

    • Type: TXT

    • Name/Host: selector._domainkey.yourdomain.com

    • Value: The long DKIM key provided by your email service.

  3. Save the Changes and allow up to 24-48 hours for DNS propagation.

Best Practice: Use a 2048-bit key for stronger security.


3. Setting Up DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC instructs receiving mail servers on what to do with emails that fail SPF or DKIM checks and allows domain owners to get reports on fraudulent emails sent using their domain.

Steps to Configure DMARC:

  1. Access Your DNS Settings:

    • Type: TXT

    • Name/Host: _dmarc.yourdomain.com

    • Value:

      v=DMARC1; p=none; rua=mailto:your-email@yourdomain.com; ruf=mailto:your-email@yourdomain.com; fo=1;

      • p=none: Only monitor (change to quarantine or reject for stricter policies).

      • rua: Receives aggregate reports.

      • ruf: Receives forensic reports.

  2. Save the Changes and wait for the DNS to update.

Best Practice: Start with p=none to monitor, then gradually move to p=quarantine or p=reject once you are confident in your configuration.


Final Checks & Troubleshooting

  • Use Tools: Check your DNS settings using the DNS checker under the Tools menu of XemailAudit.

  • Allow Time for Propagation: DNS records can take up to 48 hours to propagate.

  • Review DMARC Reports: Analyze reports to ensure legitimate emails are not being blocked.
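The SPF and DMARC values from steps 1 and 3 are typed by hand, so they can be linted before you save them. The script below is an added example, not part of the original article or of XemailAudit; the function names, the `zone` dictionary layout and the `example.com` sample records are assumptions made for illustration.

```python
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP = re.compile(r"[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def only(txts, prefix):
    """Return the single TXT value starting with prefix, or None if 0 or 2+."""
    hits = [t for t in txts if t.lower().startswith(prefix)]
    return hits[0] if len(hits) == 1 else None

def lint_spf(txts):
    rec = only(txts, "v=spf1")
    if rec is None:  # two SPF records are as broken as none (permerror)
        return ["need exactly one v=spf1 record"]
    terms, issues = rec.lower().split()[1:], []
    if sum(bool(LOOKUP.match(t)) for t in terms) > 10:
        issues.append("more than 10 DNS-lookup terms")
    redirect = any(t.startswith("redirect=") for t in terms)
    if not redirect and terms[-1:] not in (["~all"], ["-all"]):
        issues.append("does not end in ~all or -all")
    return issues

def lint_dmarc(txts):
    rec = only(txts, "v=dmarc1")
    if rec is None:
        return ["need exactly one v=DMARC1 record"]
    pairs = (p.split("=", 1) for p in rec.split(";") if "=" in p)  # tag=value; ...
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    issues = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p= must be none, quarantine or reject")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        issues.append("no rua=mailto: address for aggregate reports")
    return issues

def lint_zone(zone, domain):
    """zone maps DNS name -> TXT strings, e.g. pasted from the DNS panel."""
    return {"spf": lint_spf(zone.get(domain, [])),
            "dmarc": lint_dmarc(zone.get(f"_dmarc.{domain}", []))}

# Constructed sample zone: a leftover second SPF record and a mistyped policy.
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=monitor; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    print(lint_zone(SAMPLE, "example.com"))
```

The lookup count covers only the terms in the record itself; lookups made inside included records also count toward the limit of 10.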

By properly configuring SPF, DKIM, and DMARC, you strengthen your email security and improve inbox placement rates, reducing the chances of your emails ending up in spam. 
