What are SPF, DKIM & DMARC? (30-second summary)
SPF, DKIM & DMARC are email authentication methods that help with deliverability.
SPF specifies which mail servers are allowed to send emails from your domain.
DKIM adds a digital signature that confirms the email really came from you.
DMARC contains instructions to email services on what to do if an email fails SPF or DKIM.
All email providers have made it mandatory to set up SPF, DKIM, and DMARC for high-volume senders.
Yet a lot of people skip this step and jump straight into polishing email copy, running A/B tests, and cleaning lists… only to watch their emails land in spam.
Yes, that’s true!
When these records aren’t set up correctly, it can affect your deliverability rates and sender reputation.
In this guide, I’ll explain what SPF, DKIM, and DMARC really are, why they matter for deliverability, and show you exactly how to set them up step by step.
Let’s get started!
What is SPF (How it Works)
SPF (Sender Policy Framework) is an email authentication method that lists the servers authorized to send emails from your domain.
This helps email providers ensure that the message really came from you and not a spammer.
SPF (Sender Policy Framework) is a way to tell the world which mail servers are allowed to send emails from your domain. It helps stop spammers from pretending to send emails as you.
It is a line of text that contains the email server’s information related to your domain and is added to your domain’s DNS TXT record.
What an SPF Record Looks Like
Here’s an example SPF record that includes IP addresses and ESPs allowed to send emails from your domain:
v=spf1 ip4:203.0.113.15 ip4:198.51.100.42 ip6:2001:db8::1 ip6:2001:db8:abcd::25 include:_spf.google.com include:_spf.mailchimp.com ~all
Let’s break down each part of an SPF record:
- v=spf1: This shows the SPF version. It’s the same for everyone.
- ip4:203.0.113.15 ip4:198.51.100.42: This mentions the IPv4 servers allowed to send email using your domain.
- ip6:2001:db8::1 ip6:2001:db8:abcd::25: It lists the IPv6 servers allowed to send emails for your domain.
- include:_spf.google.com include:_spf.mailchimp.com : This shares the ESPs allowed to send emails using your domain. The exact value depends on your Email Service Provider (ESP), so always refer to their documentation.
- ~all: Tells receiving servers to treat emails from unlisted servers with suspicion, but not block them immediately.
Apart from that, these are the other types of all tags:
- +all: It allows anyone to send an email using your domain (never use this, as it can lead to spoofing).
- -all: Rejects all mail sent from servers and ESPs that are not listed in the SPF value (known as a hard fail).
- ?all: With this, you are not confirming or denying whether this sender is allowed. You are leaving the decision to the recipients’ server.
Other (less common) SPF tags
Most users never need these, but it’s still good to know:
- mx: Authorizes IPs listed in your domain’s MX records (your mail servers).
- a: Authorizes the IP address your domain points to (often your website server). Used only if that server sends mail.
- exists: Used for advanced setups where the sender must pass a custom DNS check before email is allowed.
How to Set Up SPF
Before I show you all the ways to set up your SPF record, here are some things to keep in mind:
- You can only have one SPF record per domain.
- Keep the total number of a, mx, and include: lookups under 10. Crossing that usually fails the SPF.
- Only use one all tag in your records.
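- A single SPF string can only be 255 characters.
If your record is longer, split it into multiple quoted strings. The strings are joined with nothing added between them, so keep the separating space inside one of the quotes, like this:
"v=spf1 include:_spf.google.com " "include:sendgrid.net ~all"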
Now that we covered the basics, here I have shared how you can set up SPF for popular ESPs:
- How to Set up SPF in Your DNS
- SPF in Google Workspace
- SPF in Zoho Workspace
- SPF in Microsoft/Office 365 accounts
How to Set up SPF in Your DNS
I will use GoDaddy as an example here since it is one of the most popular domain providers.
If your domain is hosted elsewhere, don’t worry. The steps are mostly the same, and it is easy to find guides for respective registrars.
Now, here is how I set up SPF records in GoDaddy:
- Sign in to your GoDaddy account.
- Click on your name and choose My Products.
- Choose the domain you want to add the SPF record.
- Select DNS and choose Add New Record.
- Next, select TXT from the Type menu.
- Now, enter the following details:
  - Name: Use @ for your main domain. For a subdomain, use the name of the subdomain (e.g., for company.domain, use company).
  - Value: Paste your SPF record here. Maximum 512 characters.
  - TTL (Time to Live): It sets how long servers should cache the information. Best to leave it at the default of 1 hour.
Here are some rules to keep in mind for DNS naming (doesn’t apply to SPF value):
- Periods allowed inside, but not at start/end or twice in a row
- Cannot start or end with a hyphen (-)
- Each section (between dots) can only have a maximum of 63 characters
- The total name max characters should be 255.
- Only use ASCII characters.
SPF in Google Workspace
Before I show you the steps, here are some things to keep in mind:
- If you bought your domain through a Google partner or already added records while onboarding, you don’t need to redo it.
- You choose your primary domain when signing up for Google Workspace (there’s no “add primary domain” option later).
- Google recommends adding your SPF at your domain provider.
Here is the entire process to add SPF through Google Workspace:
Step 1: Add your domain to Google Workspace
- Sign in to the Google Admin console.
- Go to Menu > Account > Domains.
- Choose Manage domains, and click Add a domain.
- Enter your domain name.
- Choose the domain type between:
  - Secondary domain: Use this if you want to replace your primary domain or add a new domain for a separate team.
  - User alias domain: Choose this if you want to add alternate email addresses for your existing users (Google Workspace will automatically create email aliases).
- Click Add > start verification, and follow the instructions.
Step 2: Add SPF at your DNS provider
After adding the domain to Google Workspace, head back to your Domain registrar to add the SPF record.
Here is an example of an SPF record that allows emails from Google Workspace:
v=spf1 include:_spf.google.com ~all
You can refer to the Google support document to know the SPF value to use if you are using more than one ESP along with Google.
SPF in Zoho Workspace
Once you add your domain to Zoho Mail, it automatically provides the exact SPF value you need.
It is usually shared during the domain setup process while signing up.
However, you can also find it inside your Zoho Admin panel:
- Open Zoho Mail > click your profile and choose Admin Console.
- From the sidebar, choose Domain.
- Click Add > type in your domain name and click Add.
- Follow the steps to verify your domain.
After this, you can follow these steps to find your SPF record:
- Go to Settings > Deliverability > Domain Authentication.
- From here, click Setup next to the domain you want to get the SPF record.
- Under the SPF section, click Copy next to the dialogue box of the TXT record to add.
- After that, just follow the steps above to add the SPF record to your DNS TXT.
If you are only using Zoho services for your email services, your SPF value will look like this:
v=spf1 include:zohomail.com -all
Note: If you are using other ESPs along with this, make sure to use ~all instead at the end. The SPF TXT value also depends on your Zoho region (.com, .in, .eu).
SPF in Microsoft/Office 365 accounts
You don’t need to add an SPF record if you’re only using your Microsoft Online Email Routing Address (MOERA) domain for email, as Microsoft owns and manages all onmicrosoft.com domains along with their DNS records, including SPF.
However, if you’re sending emails from a custom domain (apart from just @yourdomain.onmicrosoft.com), then you must add an SPF record at your domain registrar.
Here are the steps:
- Go to the Microsoft 365 admin center.
- Click Settings > Domain > choose Add domain
- Now, enter the name of the domain, then select Next.
- Choose a method to verify your domain.
- Here, you’ll get the option to add DNS records. Choose a method suitable for you.
- Once done, hit Finish.
If your domain registrar supports Domain Connect, Microsoft will automatically set up your DNS records for you.
For that, you just need to sign in and approve the connection.
Usually, the syntax of the SPF TXT record for a custom domain in Microsoft 365 looks like this:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ip4:203.0.113.25 -all
What is DKIM
DKIM (DomainKeys Identified Mail) is a digital signature used to verify the origin of an email.
It lets the receiving server detect whether anyone altered the message in transit.
How to Set Up DKIM
Now, to set up DKIM for your emails, you need to generate a custom DKIM key within the ESPs. I have shared the steps for popular services below.
Note: Similar to changing passwords at regular intervals, it is best to rotate your DKIM keys regularly.
DKIM in Google Workspace
Make sure you have admin access to your Google Workspace. After adding your domain:
Step 1: Generate DKIM in Google Workspace
- Log in to the admin console of your Google Workspace.
- Go to Apps > Google Workspace > Gmail.
- Click Authenticate email.
- Select your domain in the menu.
- Next, click Generate New Record.
- Choose the DKIM key bit length.
- Pick a prefix selector. By default, it is google. But if you already have a prefix with the same name, pick a different one.
- Click Generate, and Google will produce the DKIM TXT record values.
Note: While selecting the key bit length, it’s best to choose 2048-bit if your DNS host supports it, as it is more secure. Otherwise, you can choose 1024-bit.
Step 2: Add DKIM to Your DNS
- Now head over to the DNS settings of your domain provider and add the following information:
  - DNS host name (TXT record name): Enter the DKIM host name (e.g., google._domainkey.yourdomain.com).
  - TXT record value: Paste the DKIM value you generated here.
  - Type: TXT
- Once done, save the record.
Note: DNS updates may take up to 48 hours to reflect.
Step 3: Activate DKIM
- After that, return to the authenticate email page and click Start Authentication.
DKIM in Zoho Workplace
After adding your domain to Zoho, you need to generate the DKIM code. Here is how:
- Log in to the Control Panel (need to have administrator or super administrator access).
- Choose Domains from the left menu, and select the domain you want to configure DKIM.
- Then Email Configuration > DKIM
- Click Add to add a new selector name (use the same name as the domain).
- Once done, click Add.
- A new TXT record will be generated. Copy it.
- Now, create a TXT record with this value in the DNS Manager.
- After that, come back to the DKIM page for your domain in Zoho and click Verify.
DKIM in Microsoft/Office 365 accounts
For domains using Microsoft Online Email Routing Address (MOERA) ending with .onmicrosoft.com, you do not need to add any DKIM values, as it is managed by Microsoft.
However, if you want, you can edit the DKIM value.
These are the steps:
- Sign in to the Microsoft 365 Defender admin center.
- Search and open the DKIM page from the search bar.
(You can also go to Email & Collaboration → Policies & Rules → Threat Policies → Email Authentication Settings → DKIM)
- Here, select your domain name and click Create DKIM keys.
- Now you will get two DKIM keys. Click Copy.
The DKIM keys will look like this:
selector1-yourdomain-com._domainkey.yourtenant.n-v1.dkim.mail.microsoft
- Next, go to your DNS provider and:
  - Log in to your DNS provider and open DNS settings.
  - Choose Add Record → CNAME.
  - Here, add the DKIM keys for each selector.
  - Once done, click Save.
- Now, go back to the DKIM page in the Defender portal and select your domain.
- Turn on Sign messages for this domain with DKIM signatures.
- You will see a pop-up saying that it will take a while to synchronize the data.
- Click Ok.
Set Up DKIM for Custom Mail Servers
Setting up DKIM for a custom server can be a bit different from the ones for ESPs.
I have shared an outline about the process. However, I would recommend checking the detailed documentation from the tools to set up your own email server with DKIM.
- You need to first generate the DKIM keys. For that, you need to choose a DKIM signing tool. These are the popular options:
  - OpenDKIM: This is the most popular (Linux-based).
  - DKIMproxy: Use it for proxy-based signing.
  - Exchange DKIM Signer: It is best for Microsoft Exchange.
- Once you choose the tool, use it to create the DKIM keys.
- Publish the public key in your DNS as a TXT record. Set up your email server and add the private key to it.
What is DMARC
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol.
It helps in protecting your domain from phishing and spoofing attacks.
DMARC can only be set up after adding DKIM or SPF.
DMARC instructs the recipient server on what to do with the email if it fails the authentication tests (SPF and DKIM).
Here is an example DMARC record:
v=DMARC1; p=reject; rua=mailto:postmaster@example.com, mailto:dmarc@example.com; pct=100; adkim=s; aspf=s
Now, what does each of these components stand for?
- v= – This indicates the version of the DMARC policy used.
- p= – It instructs on what policy to apply if email fails authentication (none, quarantine, reject).
- rua= – This tag mentions the email addresses to which the DMARC reports should be sent.
- pct= – Percentage of emails the policy applies to. If it’s not included, then it means it applies to all.
- adkim= – DKIM alignment mode (s = strict, r = relaxed)
- aspf= – SPF alignment mode (s = strict, r = relaxed)
How to Set Up DMARC
As I have said, it is very much required to set up your SPF and DKIM in order for DMARC to work.
Once that is done, wait for 48 hours so that the values will be synchronized before setting up DMARC.
DMARC is set up directly in your domain’s DNS records.
Now, let us look at how you can set up DMARC records:
- First, you need to generate your DMARC record. You can use any free tools in the market. Here we are using MX Toolbox.
- Here, choose the policy and reporting emails (You can add multiple options using a comma).
- Now, head over to your Domain registrar and open DNS settings.
- Add a TXT record with the values from the DMARC generator.
Make sure to monitor the DMARC reports and update your record based on what they show.
How to Check SPF, DKIM & DMARC Status
There are many tools in the market that make it easy to check the SPF, DKIM, and DMARC status of your email accounts.
But apart from that, there’s also a manual method.
How to Check the Status of SPF, DMARC & DKIM Records Manually?
Send a test email to a different email address, and then:
- Open the email from the recipient’s end and click the three dots at the side.
- Choose Show original
- You will be redirected to a new page. Here you can see if the email authentication is a pass.
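The "Show original" view displays the raw message, where the receiving server records its verdicts in an Authentication-Results header. This is an added example, not code from the original guide, and it goes one step beyond the manual check: it reads the verdicts from a saved message source and trusts only the header written by your own receiving server, since a sender can insert a header of the same name. The message and host names are constructed.

```python
import email
import re

def auth_results(raw_message, trusted_authserv):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the Authentication-Results
    headers written by trusted_authserv, ignoring headers from any other host."""
    msg = email.message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(header.split())            # undo header folding
        flat = re.sub(r"\([^)]*\)", "", flat)      # drop parenthesised comments
        authserv, _, rest = flat.partition(";")
        server = (authserv.split() or [""])[0].lower()
        if server != trusted_authserv.lower():
            continue   # written by another host, possibly by the sender itself
        for clause in rest.split(";"):
            match = re.match(r"\s*(spf|dkim|dmarc)=([a-z]+)", clause, re.I)
            if match:
                results.setdefault(match.group(1).lower(), match.group(2).lower())
    return results

# Constructed message source. The first header is the receiving server's own
# verdict; the second was already present when the message arrived.
RAW = """\
Authentication-Results: mx.example.net;
 dkim=none (message not signed);
 spf=softfail (198.51.100.99 is not a permitted sender) smtp.mailfrom=example.com;
 dmarc=fail (p=REJECT) header.from=example.com
Authentication-Results: mail.sender.invalid; spf=pass; dkim=pass; dmarc=pass
From: Billing <billing@example.com>
To: user@example.net
Subject: Invoice

Constructed test body.
"""

if __name__ == "__main__":
    print(auth_results(RAW, "mx.example.net"))
```

A check that accepted any Authentication-Results header would report three passes for this message; filtering on the receiving server's name shows the real result.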
How to Check the Status of SPF, DMARC & DKIM Records With Tools
Now, here’s how to check SPF, DKIM & DMARC records using popular tools:
1. Saleshandy
Saleshandy is a cold outreach platform that offers automated cold emailing, warm-up, and advanced deliverability features.
Once you connect your email accounts, the platform checks whether your SPF, DKIM, and DMARC are set up correctly.
Here’s how you can check:
- Log in to your Saleshandy account.
- From the sidebar, select Email Accounts.
- Here, you will see the email authentication status of all the email accounts that you have added.
Apart from that, Inbox Radar by Saleshandy makes it easy to know where your emails are suffering from bad deliverability. You can send test emails from there and then see whether a missing record is the reason for the poor deliverability.
2. Check SPF, DKIM & DMARC Using Free Public Tools
There are many tools in the market that make it easy to look at your email authentication records.
These are popular ones currently:
Just open any of the tools and type in your domain name. It will take a second or two to show whether your domain has proper email authentication.
3. Zoho
Checking SPF, DMARC, and DKIM in Zoho is straightforward once your domain is connected.
Just follow these steps:
- Log in to Zoho Mail Admin Console.
- Go to Domains and choose the domain you want to check.
- Then, click on Email Configuration > SPF.
- Here you will see the status of your authentication.
Zoho will also highlight any missing or incorrect records and guide you to fix them.
4. Microsoft 365
Microsoft 365 also lets you verify your DNS authentication records easily. To check your SPF and DMARC:
- Log in to the Microsoft 365 admin center
- Open Settings > Domains.
- Select your domain and then check the DNS records.
As for DKIM, you need to:
- Go to the Exchange Admin Center.
- Choose Protection > DKIM settings.
If anything is missing, Microsoft will usually point out which records you need to add or update.
Set up SPF, DKIM, & DMARC to Improve Trust
Setting up SPF, DKIM, and DMARC is non-negotiable.
Adding all of them will increase the trustworthiness of the emails from your domain.
Trust me, these additions make a noticeable improvement in your deliverability.
However, I would suggest at least having an SPF record added, as it is the most basic one, but still a useful authentication.
But if you’re sending outreach, newsletters, or transactional emails at scale, SPF + DKIM + DMARC is non-negotiable.
Also, even with perfect DNS settings, your emails can still end up in spam if you don’t choose the right cold emailing tool.
If you’re unsure which tool to choose, check out my guide on the best cold email software.
SPF, DKIM & DMARC FAQs
1. Where are SPF, DKIM, and DMARC records stored?
SPF, DKIM, and DMARC records are all stored in your domain’s DNS (Domain Name System) as TXT records.
2. Can DKIM work without DMARC?
Yes, DKIM is a dedicated security key for your emails, and it only requires you to add the public key to your DNS.
Meanwhile, DMARC contains instructions to the recipient’s domain on what to do with your email if it fails verification.
So yeah, enabling both of them will help in improving your email credibility and deliverability.
3. How often should I rotate DKIM keys?
It is recommended to rotate DKIM keys every 6 to 12 months to maintain strong email authentication security and minimize the risk of misuse or compromise.
4. Does Gmail use SPF, DKIM, and DMARC?
Yes. SPF, DKIM, and DMARC are widely accepted authentication methods for email. Even for personal accounts and for accounts that send emails in small numbers, it is required to have SPF or DKIM set up. For accounts that send more than 5,000 messages daily, you must set up SPF, DKIM, and DMARC.
5. Do I need to add an SPF record to my subdomain?
Yes, if you are sending emails from a subdomain, you need to add a separate SPF record specifically for that subdomain in your DNS settings. Subdomains do not automatically inherit SPF records from the main domain.



