What are the best practices for setting up SPF, DKIM and DMARC for email authentication?

Summary

Proper setup of SPF, DKIM, and DMARC is critical for email authentication, sender reputation, and deliverability. It involves creating accurate SPF records listing authorized sending sources, implementing DKIM with appropriate key sizes and secure signatures, and configuring DMARC policies to handle unauthenticated emails while monitoring reports. Gradual implementation, DKIM alignment, and adherence to SPF record limitations are essential. Competent ESPs sign with DKIM and authenticate with SPF; all SPF mechanisms should be consolidated into a single record.

Key findings

  • Authentication Imperative: Email traffic must be authenticated via SPF, DKIM, and DMARC to ensure deliverability and sender reputation.
  • SPF Configuration: SPF records are TXT records that should authorize all sending sources including office IP and ESP mailservers, consolidating to one record.
  • DKIM Implementation: DKIM involves generating a public/private key pair; receiving mail servers verify signatures against the public key.
  • DMARC Policy & Reporting: DMARC allows domain owners to specify policies on handling unauthenticated emails and gives feedback via reports.
  • DKIM Alignment: Implementing DKIM on the same domain provides DKIM domain alignment which is critical for passing DMARC validation.
  • Implementation importance: Setting up authentication and reviewing it for correctness, especially SPF, is critical.
  • Third-Party Senders: When using third-party senders, you must ensure they support SPF and DKIM authentication with your domain.

Key considerations

  • Gradual Rollout: Implement SPF, then DKIM, then DMARC, monitoring at each stage.
  • DKIM key size: A DKIM key of at least 2048 bits should be the minimum requirement.
  • SPF Limit Adherence: Keep SPF records below the limit of 10 DNS lookups to avoid authentication failures.
  • TXT record usage: SPF record is a TXT record that should authorize all sending sources.
  • Competent signers: Competent ESPs sign with DKIM and authenticate with SPF.
  • Initial state: Starting with DMARC p=none helps you determine if there are configuration errors.
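
The SPF considerations above (one record only, the 10-lookup limit, authorize exactly the sources you use) can be checked mechanically. The following is an added example, not code from the original page or any vendor; FAKE_TXT is a constructed stand-in for live DNS TXT answers, and the lookup counting follows RFC 7208, recursing through include: and redirect= the way a receiver does.

```python
import re

# Constructed TXT data standing in for live DNS answers (example zones, not real ones).
FAKE_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.10 include:_spf.esp.example include:_spf.crm.example mx -all"],
    "_spf.esp.example": ["v=spf1 include:a.esp.example include:b.esp.example ~all"],
    "a.esp.example": ["v=spf1 ip4:198.51.100.0/24 a mx exists:%{i}.chk.esp.example -all"],
    "b.esp.example": ["v=spf1 redirect=c.esp.example"],
    "c.esp.example": ["v=spf1 ptr a mx ~all"],
    "_spf.crm.example": ["v=spf1 a:relay.crm.example mx ip6:2001:db8::/32 -all"],
    "ok.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.crm.example -all"],
    "two-records.example": ["v=spf1 mx -all", "v=spf1 a -all"],
}
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)[:=/]?(.*)$")  # qualifier, name, target


def spf_records(domain):
    """All TXT records at domain that carry the v=spf1 version tag."""
    return [r for r in FAKE_TXT.get(domain, []) if r.lower().startswith("v=spf1")]


def count_lookups(domain, seen=None):
    """Count lookup-costing terms, following include: and redirect= recursively."""
    seen = set() if seen is None else seen
    recs = spf_records(domain)
    if domain in seen or len(recs) != 1:
        return 0  # loops add nothing; missing/duplicate records are reported by check_spf
    seen.add(domain)
    total = 0
    for term in recs[0].split()[1:]:  # skip the v=spf1 tag
        m = TERM_RE.match(term.lower())
        if not m:
            continue  # syntactically invalid term; a real checker would flag it
        name, target = m.groups()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, seen)
    return total


def check_spf(domain):
    """Return findings for domain; an empty list means the record passes these checks."""
    recs = spf_records(domain)
    if not recs:
        return ["no SPF record published"]
    if len(recs) > 1:
        return [f"{len(recs)} SPF records published; RFC 7208 allows exactly one"]
    lookups = count_lookups(domain)
    return [f"{lookups} DNS lookups exceed the limit of 10"] if lookups > 10 else []
```

In the constructed data, example.com looks tidy at the top level but its ESP include chain costs 14 lookups, which is exactly the failure mode the 10-lookup rule guards against.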

What email marketers say
19 Marketer opinions

Implementing SPF, DKIM, and DMARC is crucial for email authentication and improving deliverability. Best practices include ensuring all sending sources are included in the SPF record, implementing DKIM with a sufficient key size and proper signature, and setting up DMARC to instruct receiving servers on how to handle unauthenticated emails while monitoring reports for issues. Gradual implementation, starting with SPF, then DKIM, and finally DMARC with a 'p=none' policy, is recommended. Maintaining SPF record limits, verifying record correctness, and aligning SPF and DKIM domains are vital for success.

Key opinions

  • Authentication Importance: Email traffic should always be authenticated with SPF, DKIM, and DMARC to improve deliverability and sender reputation.
  • DKIM Alignment: Implementing DKIM on the same domain provides DKIM domain alignment, which is crucial for DMARC compliance.
  • DMARC Initial Policy: Start with a DMARC policy of 'p=none' to monitor email traffic and identify legitimate sending sources before enforcing stricter policies.
  • Authentication Review: Regularly review authentication setups, especially SPF, for correctness and avoid relying solely on free online testing sites.
  • Third-Party Senders: When using third-party senders, ensure they support SPF and DKIM authentication with your domain.
  • SPF/DKIM alignment importance: SPF and DKIM alignment with the visible From domain is essential for passing DMARC checks.
  • DMARC reporting: Monitoring DMARC reports helps you remediate missed authentication problems.
  • Using DKIM records: Every sender should configure custom DKIM records at their ESP; DMARC p=none is a stepping stone to p=reject.

Key considerations

  • Gradual Implementation: Implement SPF first, then DKIM, and finally DMARC, to gradually test and monitor your authentication setup.
  • SPF Record Limits: Keep your SPF record below the 10 DNS lookup limit to avoid authentication failures.
  • Record Verification: Use tools to verify that your SPF and DKIM records are set up correctly and are valid.
  • Subdomain Usage: Consider sending marketing emails from a subdomain to isolate the reputation of marketing emails from transactional emails.
  • DKIM Key Size: Use a DKIM key size of at least 2048 bits for improved security.

Marketer view

Email marketer from Postmark recommends using tools like MXToolbox or online SPF/DKIM checkers to verify that your SPF and DKIM records are set up correctly and are valid. This helps to identify and resolve any syntax errors or configuration issues.

March 2023 - Postmark
Marketer view

Email marketer from Sendinblue highlights the importance of SPF and DKIM alignment for DMARC compliance. This means that the domain used in the 'From' address must match the domain used for SPF and DKIM authentication. Alignment is crucial for passing DMARC checks.

July 2021 - Sendinblue
Marketer view

Email marketer from Email on Acid emphasises the importance of regularly monitoring DMARC reports to identify potential authentication issues and unauthorized use of your domain. Adjustments to your SPF and DKIM records, as well as your DMARC policy, can be made based on these reports.

April 2024 - Email on Acid
Marketer view

Email marketer from Email Marketing Forum suggests sending marketing emails from a subdomain (e.g., mail.example.com) rather than the primary domain (example.com). This isolates the reputation of marketing emails from transactional emails, protecting the main domain's reputation.

May 2021 - Email Marketing Forum
Marketer view

Email marketer from Mailjet shares that implementing SPF, DKIM, and DMARC not only enhances your sender reputation but also improves email deliverability. A correct implementation helps to prevent your emails from being marked as spam, ensuring they reach the intended recipients.

May 2024 - Mailjet
Marketer view

Marketer from Email Geeks advises ensuring authentication passes alignment tests with at least one domain matching the visible 'from' and recommends DKIM as the easiest and most universal solution.

January 2023 - Email Geeks
Marketer view

Email marketer from Reddit suggests starting with a DMARC policy of 'p=none' to monitor email traffic and identify legitimate sending sources before enforcing stricter policies like 'p=quarantine' or 'p=reject'. This reduces the risk of blocking legitimate emails.

June 2022 - Reddit
Marketer view

Email marketer from GlockApps suggests working with third-party senders to ensure they support SPF and DKIM authentication with your domain. If they don't, consider using a different provider or implementing a dedicated sending domain for those services.

June 2024 - GlockApps
Marketer view

Email marketer from Cloudflare advises keeping your SPF record below the 10 DNS lookup limit by using 'include' mechanisms sparingly. Too many lookups can cause SPF checks to fail, impacting deliverability.

May 2022 - Cloudflare
Marketer view

Marketer from Email Geeks explains that p=none is a valid interim step for DMARC, especially with a monitored rua mailbox for auditing authentication practices.

July 2023 - Email Geeks
Marketer view

Email marketer from ProofPoint advocates for implementing BIMI (Brand Indicators for Message Identification) after setting up SPF, DKIM, and DMARC. BIMI allows your brand logo to be displayed in the inbox, increasing brand recognition and trust.

July 2024 - ProofPoint
Marketer view

Marketer from Email Geeks states email traffic should always be authenticated.

June 2024 - Email Geeks
Marketer view

Email marketer from SparkPost advises to implement SPF first, then DKIM, and finally DMARC. This allows you to gradually test and monitor your authentication setup before moving to a stricter DMARC policy.

June 2024 - SparkPost
Marketer view

Marketer from Email Geeks says every sender should configure custom DKIM records at their ESP and that DMARC none is a stepping stone to DMARC reject.

October 2021 - Email Geeks
Marketer view

Marketer from Email Geeks points out that of MailChimp, MailerLite, ConvertKit, and Active Campaign, only ConvertKit supports alignment of Return-Path and visible From: address, so only ConvertKit needs an SPF record. Everything else just needs DKIM.

September 2021 - Email Geeks
Marketer view

Marketer from Email Geeks says monitoring DMARC (p=none) provides reporting to remediate missed authentication problems and identifies shadow IT.

October 2022 - Email Geeks
Marketer view

Marketer from Email Geeks strongly recommends implementing DKIM on the same domain to provide DKIM domain alignment and DMARC compliance.

June 2024 - Email Geeks
Marketer view

Marketer from Email Geeks recommends setting up authentication and reviewing it for correctness, especially SPF, and cautions against relying solely on free online testing sites.

August 2024 - Email Geeks
Marketer view

Marketer from Email Geeks says to include sending sources you want to authorize, exclude those you don't, limit the number of inclusions, and have only one SPF record.

December 2021 - Email Geeks

What the experts say
6 Expert opinions

Setting up SPF, DKIM, and DMARC involves authenticating email using distinct mechanisms and requires careful configuration. SPF records need to include all possible sending sources, DKIM relies on public/private key pairs for signing and verification, and DMARC allows domain owners to define policies for handling unauthenticated emails and receiving feedback. Competent ESPs use both SPF and DKIM authentication and competent senders ensure alignment for authentication. It is also important to ensure you have only one SPF record.

Key opinions

  • SPF Sources: SPF records must include all possible sending sources, such as office IP addresses and ESP mailservers.
  • DKIM Keys: DKIM implementation requires generating a public and private key pair, with the public key stored in DNS.
  • DMARC Policies: DMARC allows specifying policies for handling unauthenticated emails (reject, quarantine, or do nothing) and provides a feedback loop.
  • Competent ESP: Competent ESPs sign with DKIM and authenticate with SPF.
  • SPF Record: Consolidate all SPF mechanisms into a single record.

Key considerations

  • Authentication Setup: Set up SPF for the envelope from, DKIM for the mail from domain, and DMARC for the client domain.
  • Alignment: Aim for alignment for authentication, including setting up custom DKIM domains.
  • Policy Enforcement: Start with a DMARC policy of p=none and move to quarantine/reject as confidence increases.
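
The alignment and policy points above (and the marketer note that an ESP's Return-Path often cannot align, so DKIM on your own domain carries the DMARC pass) can be shown as the receiver-side decision. This is an added example, not code from the original page or any product: it parses a DMARC record, applies relaxed or strict alignment per the aspf/adkim tags, and returns the disposition. org_domain is a deliberate simplification (last two labels) where real code uses the Public Suffix List.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption for this
    example; production code must consult the Public Suffix List, e.g. example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC verdict for one message as (passed, disposition).

    spf_domain is the Return-Path (envelope from) domain, dkim_domain the d= of a
    passing signature. DMARC passes if either identifier passes AND aligns with the
    visible From domain; otherwise the record's p= policy becomes the disposition."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


if __name__ == "__main__":
    # Constructed scenario: the ESP's own bounce domain is the Return-Path (SPF passes but
    # does not align) while DKIM is signed with a custom key on the customer's domain.
    print(evaluate("v=DMARC1; p=reject", "example.com", "bounce.esp.example", True, "example.com", True))
    # Same ESP without a custom DKIM domain: nothing aligns, so the p= policy applies.
    print(evaluate("v=DMARC1; p=reject", "example.com", "bounce.esp.example", True, "esp.example", True))
```

With p=none the same failing message is still delivered and only reported, which is why the monitoring stage is safe to start with.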

Expert view

Expert from Email Geeks outlines the authentication setup: SPF for envelope from, DKIM for mail from domain, and DMARC for the client domain; suggests starting with p=none and moving to quarantine/reject.

July 2024 - Email Geeks
Expert view

Expert from Spamresource.com explains that DMARC allows domain owners to tell receiving mail systems what to do with email that fails authentication. You can tell the receiving server to reject the message, to quarantine it or to do nothing. DMARC also provides a feedback loop that allows domain owners to receive reports about mail that is using their domain name. This feedback loop is critical.

April 2022 - Spamresource.com
Expert view

Expert from Spamresource.com explains that your SPF record needs to include all possible sending sources. This commonly includes your office IP address, any mailservers on your network, and also mailservers your ESP uses. If you do not include the ESP mailserver in your SPF record, many recipients will reject your email.

September 2022 - Spamresource.com
Expert view

Expert from Spamresource.com shares that DKIM implementations usually require that you generate a public and private key. The public key goes into your DNS record. When you send a message, the email server then signs the outgoing message using the private key. The recipient server can then verify the signature by looking up the public key.

July 2024 - Spamresource.com
Expert view

Expert from Wordtothewise.com emphasizes that you should never have multiple SPF records. Instead, consolidate all SPF mechanisms into a single record to avoid authentication failures.

August 2022 - Wordtothewise.com
Expert view

Expert from Email Geeks suggests looking at alignment for authentication, setting up custom DKIM domains, and indicates every competent ESP signs with DKIM and authenticates with SPF.

September 2024 - Email Geeks

What the documentation says
5 Technical articles

SPF, DKIM, and DMARC are essential for email authentication. SPF records, created as TXT records, authorize sending servers to prevent 'From' address forgery. DKIM adds digital signatures verified by receiving servers to ensure message integrity. DMARC builds on SPF and DKIM by providing reporting and enabling domain owners to specify how to handle authentication failures. A DKIM key size of at least 2048 bits is recommended, and proper SPF syntax is crucial.

Key findings

  • SPF Definition: SPF records authorize sending servers and prevent 'From' address forgery.
  • DKIM Signature: DKIM adds digital signatures to ensure messages haven't been forged or altered.
  • DMARC Reporting: DMARC provides reporting and enables policies for handling authentication failures.
  • Strong DKIM Key: DKIM requires a key size of at least 2048 bits.
  • Authentication Implementation: Implement SPF, DKIM, and DMARC to stop unauthorized use of your domain and increase trust.

Key considerations

  • SPF Record Creation: Create SPF records as TXT records at your domain registrar.
  • DKIM Verification: Ensure receiving servers can verify DKIM signatures.
  • DMARC Policy Setting: Specify how receiving mail servers should handle authentication failures (none, quarantine, reject).
  • SPF Record Syntax: Follow RFC specifications for proper SPF record syntax.

Technical article

Documentation from Microsoft Defender explains that DKIM lets you add a digital signature to outgoing email messages. This signature is verified by receiving email servers to confirm that the message wasn't forged or altered in transit.

June 2024 - Microsoft Defender
Technical article

Documentation from Google Workspace Admin Help explains that an SPF record is a TXT record that lists all the servers authorized to send email from your domain. It is created at your domain registrar. It helps prevent spammers from forging the 'From' addresses on your messages.

March 2025 - Google Workspace Admin Help
Technical article

Documentation from DMARC.org explains that DMARC builds upon SPF and DKIM by adding a reporting function that allows domain owners to receive feedback about emails using their domain, even those sent by unauthorized sources. It allows domain owners to specify how receiving mail servers should handle messages that fail authentication checks (none, quarantine, reject).

December 2023 - DMARC.org
Technical article

Documentation from AuthSMTP recommends using a DKIM key size of at least 2048 bits for improved security. While 1024-bit keys are still supported, they are considered less secure and may not be sufficient in the future.

July 2023 - AuthSMTP
Technical article

Documentation from RFC explains that proper syntax for SPF records involves using the 'v=spf1' version tag, followed by mechanisms like 'include', 'a', 'mx', 'ip4', 'ip6', and qualifiers like '+', '-', '~', '?', ending with an 'all' mechanism to specify how to handle non-matching emails.

April 2021 - RFC