Setting Up DKIM, SPF, and DMARC: Complete Guide

This is the practical companion to our DKIM, SPF, DMARC explainer. Less theory, more doing.

TL;DR

What you'll set up:

SPF - TXT record at root domain
DKIM - TXT record at selector._domainkey
DMARC - TXT record at _dmarc

Time needed: 10-15 minutes. DNS propagation can take up to 48 hours but usually happens within minutes.

Before You Start

You'll need:

Access to your domain's DNS settings
Your email provider's authentication details (DKIM key, SPF include)

Step 1: Set Up SPF

SPF tells receiving servers which IPs can send email for your domain.

Find Your SPF Include

Your email provider will give you an SPF include statement:

Provider	SPF Include
SendPigeon	`include:spf.sendpigeon.com`
Google Workspace	`include:_spf.google.com`
Microsoft 365	`include:spf.protection.outlook.com`
Mailgun	`include:mailgun.org`
SendGrid	`include:sendgrid.net`
Postmark	`include:spf.mtasv.net`

Add the DNS Record

Create a TXT record at your root domain:

Field	Value
Host/Name	`@` (or leave blank)
Type	`TXT`
Value	`v=spf1 include:spf.sendpigeon.com ~all`

Using multiple providers?

Chain the includes:

v=spf1 include:spf.sendpigeon.com include:_spf.google.com ~all

Provider-Specific Instructions

Cloudflare:

Go to DNS → Records
Click "Add record"
Type: TXT, Name: @, Content: your SPF record
Save

Route 53:

Go to Hosted zones → your domain
Create record → Simple routing
Record type: TXT, Value: your SPF record (wrap in quotes)
Create

GoDaddy:

My Products → DNS
Add → TXT
Host: @, TXT Value: your SPF record
Save

Namecheap:

Domain List → Manage → Advanced DNS
Add New Record → TXT
Host: @, Value: your SPF record
Save

Verify SPF

Check your record is live:

dig TXT yourdomain.com +short

Or use MXToolbox SPF Checker.

Step 2: Set Up DKIM

DKIM adds a cryptographic signature to your emails.

Get Your DKIM Key

Your email provider generates a public/private key pair. You add the public key to DNS; they sign with the private key.

In SendPigeon:

Go to Domains → Add Domain
Copy the DKIM record provided

The record will look something like:

sendpigeon._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."

Add the DNS Record

Field	Value
Host/Name	`sendpigeon._domainkey` (selector varies by provider)
Type	`TXT`
Value	The key starting with `v=DKIM1...`

Handle long keys

DKIM keys are long. Some DNS providers have character limits.

Split into multiple strings:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ" "KBgQC3QEKyU1fSma0kS2dG..."

Cloudflare: Handles long values automatically
Route 53: Wrap each 255-char chunk in quotes
GoDaddy: May need to contact support for keys over 255 chars

Verify DKIM

dig TXT sendpigeon._domainkey.yourdomain.com +short

Replace sendpigeon with your actual selector.

Step 3: Set Up DMARC

DMARC tells receivers what to do when SPF/DKIM fail.

Start with Monitoring

Don't jump to strict enforcement. Start by collecting data with p=none.

Field	Value
Host/Name	`_dmarc`
Type	`TXT`
Value	`v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com`

This policy:

p=none - Don't take action on failures (just monitor)
rua=mailto:... - Send aggregate reports to this address

DMARC Monitoring Services

Set up dmarc-reports@yourdomain.com or use a monitoring service:

Verify DMARC

dig TXT _dmarc.yourdomain.com +short

Step 4: Test Everything

Send a Test Email

Send an email to a Gmail account. Open it and click the three dots → "Show original".

Look for:

SPF: PASS
DKIM: PASS
DMARC: PASS

Use Mail-Tester

Go to mail-tester.com
Send an email to the address shown
Check your score

Aim for 9/10 or higher.

Check with MXToolbox

Run a full domain health check at mxtoolbox.com/SuperTool.aspx.

Step 5: Tighten DMARC

Once you've verified everything works and reviewed your DMARC reports (after 2-4 weeks):

Move to Quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com

Failures now go to spam instead of inbox.

Move to Reject

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

Failures are blocked entirely. Only do this when you're confident all legitimate email is authenticated.

Troubleshooting

SPF: Too many DNS lookups

SPF allows max 10 DNS lookups. Each include counts, and nested includes count too.

Fix: Use an SPF flattening service or reduce includes.

DKIM: No key found

Check:

Selector is correct (the part before ._domainkey)
Record propagated (wait or try different DNS)
No typos in the key

DMARC: Alignment failure

The domain in your From header must match either the domain that passed SPF or the domain that signed DKIM.

Fix: Ensure you're sending from the same domain you authenticated.

Emails still going to spam?

Authentication alone doesn't guarantee inbox placement. Also check:

Sender reputation
Content quality
List hygiene
Engagement rates

Quick Reference

Final DNS Records

# SPF (TXT record at root)
@ TXT "v=spf1 include:spf.sendpigeon.com ~all"

# DKIM (TXT record at selector._domainkey)
sendpigeon._domainkey TXT "v=DKIM1; k=rsa; p=YOUR_KEY"

# DMARC (TXT record at _dmarc)
_dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

Verification Commands

# Check SPF
dig TXT yourdomain.com +short

# Check DKIM
dig TXT selector._domainkey.yourdomain.com +short

# Check DMARC
dig TXT _dmarc.yourdomain.com +short

Timeline

Day	Action
Day 1	Add SPF, DKIM, DMARC (`p=none`)
Week 1-2	Monitor DMARC reports, fix issues
Week 3	Move to `p=quarantine`
Week 4+	Move to `p=reject` when confident

You're done. Your emails are now authenticated, and spoofing your domain just got a lot harder.

Next Steps

Check our email deliverability checklist for more best practices
Verify your setup with our email authentication checker
See our framework guides for sending emails from Next.js, Remix, and more
Browse our email templates for ready-to-use HTML
Set up an email sandbox for safe testing before going live