Setting Up DKIM, SPF, and DMARC: Complete Guide
A hands-on, step-by-step guide to configuring email authentication. Copy-paste DNS records, provider-specific instructions, and troubleshooting tips.
This is the practical companion to our DKIM, SPF, DMARC explainer. Less theory, more doing. Follow these steps to set up email authentication for your domain.
Before You Start
You'll need:
- Access to your domain's DNS settings
- Your email provider's authentication details (DKIM key, SPF include)
- 10-15 minutes
DNS changes can take up to 48 hours to propagate, but usually happen within minutes.
Step 1: Set Up SPF
SPF tells receiving servers which IPs can send email for your domain.
Find Your SPF Include
Your email provider will give you an SPF include statement. Common ones:
| Provider | SPF Include |
|----------|-------------|
| SendPigeon | include:spf.sendpigeon.com |
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailgun | include:mailgun.org |
| SendGrid | include:sendgrid.net |
| Postmark | include:spf.mtasv.net |
Add the DNS Record
Create a TXT record at your root domain:
Host/Name: @ (or leave blank, depending on provider)
Type: TXT
Value:
v=spf1 include:spf.sendpigeon.com ~all
Using multiple providers? Chain the includes:
v=spf1 include:spf.sendpigeon.com include:_spf.google.com ~all
Provider-Specific Instructions
Cloudflare:
- Go to DNS → Records
- Click "Add record"
- Type: TXT, Name: @, Content: your SPF record
- Save
Route 53:
- Go to Hosted zones → your domain
- Create record → Simple routing
- Record type: TXT, Value: your SPF record (wrap in quotes)
- Create
GoDaddy:
- My Products → DNS
- Add → TXT
- Host: @, TXT Value: your SPF record
- Save
Namecheap:
- Domain List → Manage → Advanced DNS
- Add New Record → TXT
- Host: @, Value: your SPF record
- Save
Verify SPF
Check your record is live:
dig TXT yourdomain.com +short
Or use MXToolbox SPF Checker.
You should see your SPF record in the output.
Step 2: Set Up DKIM
DKIM adds a cryptographic signature to your emails.
Get Your DKIM Key
Your email provider generates a public/private key pair. You add the public key to DNS; they sign with the private key.
In SendPigeon:
- Go to Domains → Add Domain
- Copy the DKIM record provided
The record will look something like:
sendpigeon._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
Add the DNS Record
Host/Name: sendpigeon._domainkey (the selector varies by provider)
Type: TXT
Value: The key starting with v=DKIM1...
Handle Long Keys
DKIM keys are long. Some DNS providers have character limits. Solutions:
Split into multiple strings:
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ" "KBgQC3QEKyU1fSma0kS2dG..."
Cloudflare: Handles long values automatically.
Route 53: Wrap each 255-char chunk in quotes.
GoDaddy: May need to contact support for keys over 255 chars.
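The 255-character split described above, plus a check that a published record survived it, as an added example (not from the original guide or any provider). The function names and the placeholder key are assumptions; the sample is constructed and is not a usable key.

```python
import base64
import re

def split_txt(value, size=255):
    """Split one TXT value into quoted strings of at most `size` characters."""
    chunks = [value[i:i + size] for i in range(0, len(value), size)]
    return " ".join(f'"{c}"' for c in chunks)

def join_txt(rdata):
    """Rebuild the value from `dig +short` output: strings concatenate with no separator."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def check_dkim(rdata):
    """Return a list of problems in a DKIM TXT record; an empty list means it looks intact."""
    tags = {k.strip(): v.strip() for k, _, v in
            (part.partition("=") for part in join_txt(rdata).split(";"))}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    p = "".join(tags.get("p", "").split())  # whitespace inside p= is ignored
    if not p:
        return problems + ["p= is missing or empty"]
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return problems + ["p= is not valid base64 (key cut off?)"]
    if tags.get("k", "rsa") != "rsa":
        return problems  # the DER framing check below only applies to RSA keys
    # Outer DER SEQUENCE header: its declared length must cover exactly the rest of the key.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["p= does not start with a DER SEQUENCE"]
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        problems.append("p= length mismatch (key truncated or has extra data)")
    return problems

# Constructed placeholder with the outer framing of a 2048-bit RSA key (not a usable key).
SAMPLE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + SAMPLE_P

if __name__ == "__main__":
    print(split_txt(SAMPLE_VALUE))
    print("first 255 chars only:", check_dkim(f'"{SAMPLE_VALUE[:255]}"'))
```

Paste the output of `dig TXT selector._domainkey.yourdomain.com +short` into `check_dkim` to confirm the DNS provider did not cut the key at 255 characters.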
Verify DKIM
Check your DKIM record:
dig TXT sendpigeon._domainkey.yourdomain.com +short
Replace sendpigeon with your actual selector.
Step 3: Set Up DMARC
DMARC tells receivers what to do when SPF/DKIM fail.
Start with Monitoring
Don't jump to strict enforcement. Start by collecting data:
Host/Name: _dmarc
Type: TXT
Value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
This policy:
- p=none - Don't take action on failures (just monitor)
- rua=mailto:... - Send aggregate reports to this address
Create a Reports Email
Set up dmarc-reports@yourdomain.com or use a DMARC monitoring service:
- Postmark DMARC (free)
- DMARC Analyzer
- Valimail
Verify DMARC
dig TXT _dmarc.yourdomain.com +short
Should return your DMARC policy.
Step 4: Test Everything
Send a Test Email
Send an email to a Gmail account. Open it and click the three dots → "Show original".
Look for:
SPF: PASS
DKIM: PASS
DMARC: PASS
Use Mail-Tester
- Go to mail-tester.com
- Send an email to the address shown
- Check your score
Aim for 9/10 or higher.
Check with MXToolbox
Run a full domain health check at mxtoolbox.com/SuperTool.aspx.
Step 5: Tighten DMARC (After 2-4 Weeks)
Once you've verified everything works and reviewed your DMARC reports:
Move to Quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com
Failures now go to spam instead of inbox.
Move to Reject
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Failures are blocked entirely. Only do this when you're confident all legitimate email is authenticated.
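Reviewing the aggregate reports before each tightening step can be scripted. The following added example (not from the original guide) totals passing mail and lists the source IPs whose mail fails DMARC; the report is a constructed sample in the RFC 7489 layout without an XML namespace, and `summarize` is a hypothetical name.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report in the RFC 7489 aggregate layout, trimmed to the fields read below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>14</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.55</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (messages passing DMARC, Counter of failing messages per source IP)."""
    # Reports arrive by email from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    passed, failed = 0, Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim", "fail")
        spf = rec.findtext("row/policy_evaluated/spf", "fail")
        # DMARC passes when either aligned result is "pass".
        if "pass" in (dkim, spf):
            passed += count
        else:
            failed[rec.findtext("row/source_ip", "unknown")] += count
    return passed, failed

if __name__ == "__main__":
    ok, bad = summarize(SAMPLE_REPORT)
    print(f"pass={ok} fail={sum(bad.values())} failing sources={dict(bad)}")
```

Each failing source is either a legitimate sender that still needs SPF or DKIM set up, or someone spoofing the domain; only the first kind needs fixing before moving to quarantine or reject.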
Troubleshooting
SPF: "Too many DNS lookups"
SPF allows max 10 DNS lookups. Each include counts, and nested includes count too.
Fix: Use an SPF flattening service or reduce includes.
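To see where the lookups go before reducing includes, this added example (not from the original guide) counts the terms that cost a DNS query, following nested includes. `ZONE` is a constructed stand-in for live DNS so it runs offline; its records are not the providers' real ones, and `count_lookups` and `check` are hypothetical names.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone standing in for live DNS; these are not the providers' real records.
ZONE = {
    "yourdomain.com": "v=spf1 include:spf.sendpigeon.com include:_spf.google.com mx ~all",
    "spf.sendpigeon.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.google.com": "v=spf1 include:_nb1.example.net include:_nb2.example.net "
                       "include:_nb3.example.net ~all",
    "_nb1.example.net": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_nb2.example.net": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_nb3.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "bloated.example": "v=spf1 a mx include:yourdomain.com exists:%{i}.bl.example.net ptr ~all",
}

def count_lookups(domain, zone, path=()):
    """Count the DNS-querying terms evaluated for `domain`, following includes and redirects."""
    if domain in path:
        raise ValueError(f"SPF loop through {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record at {domain}")
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?", term.lower())
        if not m or m.group(1) not in QUERYING:
            continue  # ip4, ip6 and all cost no lookup
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (lookup count, True if within the limit)."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("yourdomain.com", "bloated.example"):
        print(name, check(name))
```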
DKIM: "No key found"
Check:
- Selector is correct (the part before ._domainkey)
- Record propagated (wait or try different DNS)
- No typos in the key
DMARC: "Alignment failure"
The domain in your From header must match either:
- The domain that passed SPF, OR
- The domain that signed DKIM
Fix: Ensure you're sending from the same domain you authenticated.
Emails still going to spam
Authentication alone doesn't guarantee inbox placement. Also check:
- Sender reputation
- Content quality
- List hygiene
- Engagement rates
Quick Reference
Final DNS Records
# SPF (TXT record at root)
@ TXT "v=spf1 include:spf.sendpigeon.com ~all"
# DKIM (TXT record at selector._domainkey)
sendpigeon._domainkey TXT "v=DKIM1; k=rsa; p=YOUR_KEY"
# DMARC (TXT record at _dmarc)
_dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
Verification Commands
# Check SPF
dig TXT yourdomain.com +short
# Check DKIM
dig TXT selector._domainkey.yourdomain.com +short
# Check DMARC
dig TXT _dmarc.yourdomain.com +short
Timeline
- Day 1: Add SPF, DKIM, DMARC (p=none)
- Week 1-2: Monitor DMARC reports, fix issues
- Week 3: Move to p=quarantine
- Week 4+: Move to p=reject when confident
You're done. Your emails are now authenticated, and spoofing your domain just got a lot harder.