SPF, DKIM, and DMARC Setup Guide to Improve Email Delivery

Understanding and Configuring SPF, DKIM, and DMARC for Domain Security

When managing a domain and its email delivery, properly configuring SPF, DKIM, and DMARC records is essential. These DNS-based email authentication methods ensure that emails sent from your domain are legitimate, reduce the risk of spoofing, and improve deliverability. Below is a practical walkthrough based on real-world adjustments we made for a domain.


1. Setting Up SPF (Sender Policy Framework)

What is SPF?

SPF allows you to define which mail servers are authorized to send email on behalf of your domain. Mail servers receiving your emails use the SPF record to validate authenticity.

Example SPF Record:

v=spf1 include:_spf.example.com include:sparkpostmail.com ~all

This record:

  • Authorizes _spf.example.com (primary mail servers)
  • Authorizes sparkpostmail.com (third-party service)
  • Uses ~all (softfail) so that mail from any other sender is still accepted but flagged as suspicious rather than rejected outright

Adding a Specific IP:

If you need to authorize a particular IP (e.g., 96.127.154.162), simply add it:

v=spf1 ip4:96.127.154.162 include:_spf.example.com include:sparkpostmail.com ~all

✅ Direct ip4: entries do not count toward the 10 DNS lookup limit.


2. Configuring DKIM (DomainKeys Identified Mail)

What is DKIM?

DKIM provides a cryptographic signature to verify that emails were not altered in transit and truly originated from your domain.

Setup Steps:

  • Your email provider generates a DKIM key pair (public + private).
  • The public key is added as a TXT record in DNS under a selector (e.g., selector1._domainkey.example.com).
  • The private key is stored by your mail server and used to sign outgoing emails.

✅ Always confirm DKIM alignment when configuring: the d= domain in the DKIM-Signature header must match the From: header domain (or share its organizational domain under relaxed alignment), otherwise the signature does not count toward DMARC.


3. Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance)

What is DMARC?

DMARC builds on SPF and DKIM to tell receiving mail servers how to handle emails that fail authentication. It also provides reporting.

Example Record with Quarantine:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; sp=quarantine; adkim=r; aspf=r;

  • p=quarantine → Emails that fail DMARC (no aligned SPF pass and no aligned DKIM pass) are treated as suspect and typically land in spam.
  • sp=quarantine → The same policy applies to subdomains; adkim=r and aspf=r select relaxed alignment for DKIM and SPF.
  • rua= receives aggregate reports; ruf= receives per-message failure reports.

Recommended Adjustment:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; sp=none; adkim=r; aspf=r;

  • p=none → Non-compliant messages are reported but delivered normally, avoiding spam folder placement.
  • Useful while monitoring reports to confirm every legitimate sender is covered, before moving to stricter policies (quarantine or reject).

4. Best Practices

  • ✅ Use only one SPF record per domain.
  • ✅ Keep SPF DNS lookups ≤ 10.
  • ✅ Regularly monitor DMARC reports.
  • ✅ Start DMARC with p=none before tightening enforcement.
  • ✅ Periodically review mail flows when adding new providers.
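The checks listed above (one SPF record, at most 10 DNS lookups, a DMARC policy with a reporting address) can be scripted. The following is an added example, not part of the original guide: it counts the lookup-consuming SPF terms offline, so nested include: chains are not followed, and parses DMARC tags from records copied from this page (constructed input, not live DNS answers).

```python
import re

# Terms that each cost one of the 10 DNS lookups allowed by RFC 7208 s.4.6.4; ip4:/ip6:/all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookup_count(record):
    """Count lookup-consuming terms (nested includes are not followed offline, so this is a lower bound)."""
    count = 0
    for term in record.split()[1:]:                      # skip the v=spf1 tag
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        count += name in LOOKUP_TERMS
    return count

def check_spf(txt_records):
    """Findings for a domain's TXT records: one SPF record, <= 10 lookups, no +all."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("expected exactly one SPF record, found %d" % len(spf))
    for r in spf:
        n = spf_lookup_count(r)
        if n > 10:
            findings.append("SPF needs %d DNS lookups, limit is 10" % n)
        if r.split()[-1].lower() in ("+all", "all"):
            findings.append("SPF ends with +all: every sender passes")
    return findings

def parse_dmarc(record):
    """Split 'tag=value; tag=value;' into a dict; a trailing ';' is tolerated."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Findings for a DMARC record: syntax, a report address, and a monitor-only note."""
    tags, findings = parse_dmarc(record), []
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("record needs v=DMARC1 and p=none|quarantine|reject")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    if tags.get("p") == "none":
        findings.append("p=none: failures are reported but still delivered")
    return findings

# Constructed sample records copied from the guide above, not live DNS answers.
SPF_SAMPLE = "v=spf1 ip4:96.127.154.162 include:_spf.example.com include:sparkpostmail.com ~all"
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; sp=none; adkim=r; aspf=r;"
```

To run it against a real domain, feed check_spf() the TXT records returned for the apex and check_dmarc() the TXT record at _dmarc.<domain>.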

Conclusion

Properly configuring SPF, DKIM, and DMARC strengthens your domain’s email security and improves deliverability. Begin with SPF + DKIM, monitor via DMARC (p=none), and gradually move toward stricter enforcement once confident all legitimate mail sources are covered.

By following these steps, you minimize spoofing risks, protect your domain reputation, and ensure your emails reliably reach inboxes instead of spam folders.
