
Email Authentication 101 (SPF, DKIM & DMARC)

Why Email Authentication Matters

If your emails are landing in spam or getting blocked, poor email authentication is often the cause.

Email providers like Gmail, Outlook, and Yahoo use authentication protocols (SPF, DKIM, and DMARC) to verify whether an email is legitimate. Without proper setup, your business emails (from your email account, from your website [eCommerce orders, form submissions], and marketing emails) may never reach people’s inboxes.

In this guide, we’ll break down SPF, DKIM, and DMARC, explain how they work, and show you how to configure them for better email deliverability.


Email Authentication 101

SPF

SPF = Sender Policy Framework. Its purpose is to prevent email spoofing by verifying that the mail servers sending an email are authorized to send on behalf of your domain.

How It Works:

  • Your domain’s SPF record lists the authorized mail servers allowed to send email for your domain.
  • When an email is received, the recipient’s mail server checks the SPF record to verify that the sender (sending email server) is authorized to send on behalf of your domain.
  • If the email is sent from an unauthorized server, it may be marked as spam or rejected.

How to Set Up SPF

  1. Check your domain’s SPF record using an SPF lookup tool (we like MX Tool’s checker here).
  2. Add or update your SPF record in your DNS settings (TXT record format).
  3. Ensure it includes all legitimate email senders (e.g., your email provider, CRM, newsletter service, SMTP provider, Zoom, and others).
  4. Test your SPF record to confirm it’s working correctly (re-test using the MX Tools checker above).

Example of an SPF record:

v=spf1 a mx include:_spf.google.com include:_spf.mlsend.com ~all

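This record authorizes mail from the IP address in the website’s A record, the incoming mail servers listed in the domain’s MX records, Google’s mail servers, and Mailerlite’s servers. The trailing ~all tells receiving servers to treat mail from any other server as a soft fail.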


DKIM

DKIM = DomainKeys Identified Mail. Its main purpose is to add a digital signature to your emails to verify they haven’t been altered in transit.

How It Works:

  • DKIM uses public-key cryptography to sign outgoing emails.
  • The recipient’s email server checks the DKIM signature against the public key in your DNS records.
  • If the signature is valid, it confirms the email is legitimate and wasn’t tampered with.

How to Set Up DKIM

  1. Generate a DKIM key pair from your email provider.
  2. Add the public key to your domain’s DNS as a TXT record.
  3. Enable DKIM signing in your email provider’s settings.
  4. Test your DKIM setup to ensure it’s working.

Example DKIM Record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC...

This is a long string (the p= value is your public key) that you paste into your DNS as a TXT record.


DMARC

DMARC = Domain-based Message Authentication, Reporting & Conformance

Its purpose is to instruct an incoming mail server on how you would like it to handle SPF/DKIM failures for your domain, and it also prevents domain spoofing.

How It Works

  • DMARC builds on SPF and DKIM to define what happens if an email fails authentication.
  • It allows domain owners to specify whether to monitor, quarantine, or reject unauthorized emails.
  • DMARC also provides reports on email activity, helping you track and prevent spoofing attempts.

How to Set Up DMARC

  1. Create a DMARC record with your preferred policy (none, quarantine, or reject).
  2. Add it as a TXT record in your domain’s DNS.
  3. Monitor DMARC reports to understand email authentication trends.
  4. Gradually tighten your DMARC policy to enhance security.

Example DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

This record instructs incoming mail servers to place an email in the spam/junk mail folder if it fails DMARC (that is, it passes neither SPF nor DKIM for your domain), and to apply this to 100% of such emails. It also requests that DMARC reports be sent to an email address at your domain.
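
The "test your record" steps in the SPF and DMARC sections above can be partly done offline before you publish anything. The following is an added example, not code from this page or from DNS Ninjas: a small linter that checks an SPF string and a DMARC string for common mistakes. The function names and the report address in the sample DMARC record are assumptions made for illustration.

```python
import re
# SPF terms that each trigger a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(record):
    """Lint one SPF TXT string. Lookups nested inside include: are not counted."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "all": None, "findings": ["must start with v=spf1"]}
    findings, names, all_q = [], [], None
    for term in terms[1:]:
        m = re.match(r"([+\-~?]?)([a-z][a-z0-9._-]*)(?:[:=/].*)?$", term.lower())
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        names.append(m.group(2))
        if m.group(2) == "all":
            all_q = m.group(1) or "+"  # a bare 'all' means '+all'
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    if all_q is None and "redirect" not in names:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_q in ("+", "?"):
        findings.append(f"'{all_q}all' does not restrict unlisted senders")
    return {"lookups": lookups, "all": all_q, "findings": findings}

def lint_dmarc(record):
    """Lint one DMARC TXT string and return a list of findings."""
    tags = [t.split("=", 1) for t in record.split(";") if "=" in t]
    pairs = [(k.strip(), v.strip()) for k, v in tags]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    tag, findings = dict(pairs), []
    policy = tag.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= policy: {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    pct = tag.get("pct", "100")
    if not pct.isdecimal() or not 0 <= int(pct) <= 100:
        findings.append(f"pct must be 0-100, got {pct!r}")
    if "rua" not in tag:
        findings.append("no rua= address: aggregate reports will not be sent")
    return findings

# The page's SPF example; the DMARC rua address is a constructed placeholder.
PAGE_SPF = "v=spf1 a mx include:_spf.google.com include:_spf.mlsend.com ~all"
PAGE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"
if __name__ == "__main__":
    print(lint_spf(PAGE_SPF), lint_dmarc(PAGE_DMARC))
```

An empty findings list only means the string is well formed; it does not confirm that the record is published in DNS or that every legitimate sender is listed.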


Why Are SPF, DKIM & DMARC Essential for Businesses?

Four main reasons:

  1. It prevents email spoofing and phishing attacks
  2. It improves email deliverability and inbox placement
  3. It protects your domain’s reputation
  4. It provides information on how your emails are handled and where they’re sent from

If you want to learn in-depth about DMARC and how to fully configure, test, and monitor reports, see our Ultimate Guide to DMARC and email authentication.


Get Your Email Authentication Right with DNS Ninjas

Setting up SPF, DKIM, and DMARC correctly can be complex, but DNS Ninjas makes it easy. We help businesses secure their email infrastructure and boost deliverability.

See our pricing here.


By following these steps, you can protect your domain, improve email deliverability, and ensure your messages reach their intended recipients.
