Three DNS records — SPF, DKIM, and DMARC — are the foundation of email security for any business. Without them, anyone can send emails that appear to come from your domain. With them, you prevent domain spoofing, protect your brand reputation, and block a major phishing attack vector. This guide walks you through setting up all three.
Understanding the Three Records
SPF lists which mail servers are authorized to send email from your domain. DKIM is a cryptographic signature added to outgoing emails proving they weren’t modified in transit. DMARC tells receiving servers what to do when email fails SPF or DKIM checks — and sends you reports about what’s happening with your domain’s email.
Step 1: Set Up Your SPF Record
Log in to your DNS management portal. Create a new TXT record with Host/Name: @ and a Value listing all authorized senders. For Google Workspace: v=spf1 include:_spf.google.com -all. For Microsoft 365: v=spf1 include:spf.protection.outlook.com -all. The -all at the end means “reject all email not from listed sources.” Publish only one SPF record per domain: if you send through more than one service, list every include: in that single record.
Step 2: Set Up DKIM
For Google Workspace: Admin console → Apps → Google Workspace → Gmail → Authenticate email. Generate a DKIM key and copy the DNS record values. For Microsoft 365: Microsoft 365 Defender portal → Email & collaboration → Policies & rules → DKIM. Enable DKIM and copy the CNAME records to your DNS. DKIM propagation can take up to 48 hours.
Step 3: Set Up DMARC
Create a new TXT record with Host/Name: _dmarc. Start with monitoring mode: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. After 30 days of reviewing reports, change to quarantine: p=quarantine. After 30 more days of clean reports, change to full rejection: p=reject. This is the goal: receiving servers that enforce DMARC reject email that spoofs your domain.
Step 4: Verify Your Configuration
Use MXToolbox (mxtoolbox.com) to verify your records: SPF Lookup, DKIM Lookup, and DMARC Lookup. All three should show as correctly configured before moving from monitoring to enforcement mode.
Ongoing DMARC Monitoring
Review your DMARC aggregate reports weekly during initial deployment. These XML reports show every server that sent email claiming to be from your domain. Free DMARC report parsers: Google Postmaster Tools, DMARC Analyzer (free tier), Valimail (free tier).
