
A practical guide to setting up DMARC & SPF

By Matt Hayes, June 6, 2025 (Guide)

Complete Guide to Protecting Your Domain from Email Spoofing & Phishing

Email authentication can seem overwhelming, but it boils down to this:

  1. SPF — Says which servers are allowed to send email for your domain
  2. DKIM — Signs each message so receivers can check it wasn’t altered in transit and that your domain vouched for it
  3. DMARC — Tells inbox providers what to do when SPF and DKIM fail (or don’t match your From address), and sends you reports

Setting this up protects your brand, boosts deliverability, and keeps scammers from pretending to be you.

If you send email from your domain (even via tools like Mailchimp or Klaviyo), you need SPF, DKIM, and DMARC to:

  • ✅ Stop scammers pretending to be you
  • 📬 Boost inbox placement
  • 📊 See who’s sending what from your domain

A couple of questions you may be asking before reading through the setup:

❓ “How do I know what our current setup is?”

Use a tool like MXToolbox to check SPF, DKIM, and DMARC records for your domain before making changes. If you prefer to look directly: SPF is the TXT record at your domain itself, DMARC is the TXT record at _dmarc.yourdomain, and each DKIM key is a TXT (or CNAME) at selector._domainkey.yourdomain.

❓ “Where exactly do I paste this?”

Terms like TXT record, @, and _dmarc can feel like another language.

  • “Where do I find our DNS records?”
  • “Who even has access?”
  • “Will this break our site?”

🔧 Need access?

You (or your IT team) will need to log into your DNS host — usually GoDaddy, Cloudflare, or wherever your domain’s DNS is managed. That is not always the registrar you bought the domain from; the domain’s NS records tell you who actually serves its DNS. If you're unsure, ask whoever set up your website or email.

❓ “What if I do this wrong?”

The fear of breaking email is real.

  • “Will our emails stop sending if I mess up the SPF record?”
  • “What does ‘quarantine’ actually mean — does the user get the email?”

In plain terms:

  • A mistake in your SPF record does not stop your mail going out. It means receivers can’t verify it, which while you are on p=none shows up in your DMARC reports rather than as blocked mail (some spam filters weigh SPF on their own, so fix it promptly).
  • p=none: monitor only. Nothing is blocked; you just get reports.
  • p=quarantine: the receiver is asked to treat failing mail as suspicious, which in practice means the spam or junk folder. The user can still find it there.
  • p=reject: the receiver is asked to refuse failing mail outright, so it is never delivered.

🔐 Don’t panic.

Starting with p=none means nothing will be blocked — you're just monitoring. You can safely collect data and escalate later.

OK, let's get to it.

🔧 Step 1: Set Up SPF (Sender Policy Framework)

✅ What It Does:

SPF authorizes specific servers to send email on behalf of your domain. If someone else tries to send from your domain and they're not listed in your SPF record, the email can be flagged or rejected. One detail that matters later: SPF is checked against the envelope sender (the bounce address, also called MAIL FROM or Return-Path), not the From: line people see. Many ESPs use their own bounce domain, which is why SPF alone doesn’t stop spoofing of your From address and why DKIM and DMARC alignment are needed too.

🛠️ How to Set It Up:

  1. Identify all legitimate email senders. Common sources include:
    • ESPs (e.g. Mailchimp, Klaviyo, Campaign Monitor)
    • Transactional platforms (e.g. Postmark, SendGrid)
    • Your own mail servers (e.g. Google Workspace, Microsoft 365)
  2. Craft your SPF record. An SPF record is a DNS TXT record that looks something like:

    v=spf1 include:_spf.google.com include:mailgun.org ~all

    This record does three things:
    • v=spf1 = version (must be the first term)
    • include: = pull in another domain’s SPF record so its servers may send on your behalf (each include costs one of your 10 DNS lookups, including any includes inside it)
    • ~all = soft fail for every other server (the hard-fail form is -all, which is stricter; use it only once you are sure the record lists every legitimate sender)
  3. Add it to your DNS.
    • Name: @ (or leave blank depending on your provider)
    • Type: TXT
    • Value: your SPF string from above

🧠 Pro Tip: You can only have one SPF record per domain. If a domain publishes more than one, the check returns a permanent error and receivers treat SPF as failed for all of your mail. Combine all your services into a single string.

🔍 Check It:

Use tools like:

  • MXToolbox SPF Checker
  • Google Admin Toolbox
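To make the two common SPF failure modes concrete (more than one SPF record on a name, and the 10-DNS-lookup budget mentioned in the best practices below), here is an added example checker. It is not code from the original guide or from any SPF library; it resolves include: and redirect= against a constructed in-memory DNS table, so it runs offline, and every domain and record in that table is made up for the example (the _spf.google.com and mailgun.org entries are placeholders, not the providers’ real records).

```python
"""SPF record sanity checker.

Added example; not code from the original guide or from any SPF library.
It parses an SPF TXT record, follows include: and redirect= into a constructed
in-memory DNS table (no network access), and counts the terms that RFC 7208
section 4.6.4 limits to 10 DNS lookups per check: include, a, mx, ptr, exists
and the redirect modifier.  It also flags a domain publishing more than one
SPF record, which RFC 7208 section 4.5 turns into a permerror.
"""
import re

# Constructed DNS data: domain -> list of TXT records (not real provider data).
FAKE_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com include:mailgun.org ~all"],
    "_spf.google.com": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"
    ],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "mailgun.org": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # Two SPF records on one name: a permerror, so SPF effectively fails.
    "twice.example": ["v=spf1 mx -all", "v=spf1 include:mailgun.org -all"],
    # Eleven vendor includes: one over the limit of ten.
    "bloated.example": [
        "v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all"
    ],
}
for _i in range(11):
    FAKE_DNS[f"vendor{_i}.example"] = ["v=spf1 ip4:192.0.2.0/24 -all"]

# qualifier, mechanism/modifier name, optional ':' or '=' argument, optional /cidr
TERM_RE = re.compile(r"^(?P<q>[+\-~?]?)(?P<name>[^:=/]+)(?:[:=](?P<arg>[^/]*))?(?P<cidr>/.*)?$")
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def spf_record(domain, dns=FAKE_DNS):
    """Return the domain's single SPF record; raise if it has none or several."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain} has {len(records)} SPF records (need exactly one)")
    return records[0]


def count_lookups(domain, dns=FAKE_DNS, _path=()):
    """Count DNS-querying terms reachable from domain's SPF record, recursively."""
    if domain in _path:
        raise ValueError(f"include/redirect loop: {' -> '.join(_path + (domain,))}")
    total = 0
    for term in spf_record(domain, dns).split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"{domain}: cannot parse term {term!r}")
        name, arg = m["name"].lower(), m["arg"]
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            # The referenced record's own lookups count against our budget too.
            total += count_lookups(arg, dns, _path + (domain,))
    return total


def check_spf(domain, dns=FAKE_DNS):
    """Return (ok, message): False for permerror conditions or too many lookups."""
    try:
        n = count_lookups(domain, dns)
    except ValueError as err:
        return False, f"permerror: {err}"
    if n > MAX_LOOKUPS:
        return False, f"{n} DNS lookups exceeds the limit of {MAX_LOOKUPS} (permerror)"
    return True, f"{n} DNS lookups, within the limit of {MAX_LOOKUPS}"


if __name__ == "__main__":
    for d in ("example.com", "twice.example", "bloated.example"):
        print(d, *check_spf(d))
```

The count is recursive on purpose: an include whose own record contains three includes costs you four lookups, not one, which is how a record that looks short ends up over the limit after a couple of vendors are added. To run it against real DNS, replace the FAKE_DNS lookup in spf_record with a TXT query.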

🔐 Step 2: Set Up DKIM (DomainKeys Identified Mail)

✅ What It Does:

DKIM adds a digital signature to each email, made with a private key your mail provider holds; the matching public key is published in your DNS. A receiver that verifies the signature knows the signed headers and body weren’t altered in transit and that the signing domain (the d= value in the signature) vouched for the message.

🛠️ How to Set It Up:

  1. Go to your ESP or mail provider and look for the “DKIM setup” or “Domain Authentication” area.
    • Most will auto-generate the DKIM records for you.
  2. Publish the DKIM record in DNS.
    • Name/Host: Often something like s1._domainkey.yourdomain.com (s1 is the selector; each signed message names its selector so receivers know which key to fetch)
    • Type: TXT (some providers, Microsoft 365 among them, have you publish a CNAME pointing at a key they host instead; follow the provider’s instructions exactly)
    • Value: Long string beginning with v=DKIM1; k=rsa; p=...
  3. Wait for DNS propagation, then validate it in your ESP’s settings.

🔁 Some providers (like Mailgun or Postmark) rotate keys under new selectors — e.g. 202406._domainkey.domain.com. If the key is hosted behind a CNAME, rotation happens without you; if they gave you a TXT value, you have to publish the new one when they rotate, or mail signed with the new key will fail.

🔍 Check It:

Use:

  • DKIMCore validator
  • Your ESP’s internal validator

🛡️ Step 3: Publish a DMARC Record

✅ What It Does:

DMARC builds on SPF and DKIM. It tells mailbox providers:

  • How to handle emails that fail SPF/DKIM checks
  • Where to send reports on email activity from your domain

The key detail is alignment: a message passes DMARC only if SPF or DKIM passes and the domain that passed matches the domain in the visible From: header (by default sharing the parent domain is enough; strict mode requires an exact match). That is why an ESP that signs with its own DKIM domain and uses its own bounce address can pass SPF and DKIM yet still fail DMARC for your domain, and why you should set up DKIM under your own domain with every sender before enforcing.

🛠️ How to Set It Up:

  1. Create a DMARC policy in your DNS as a TXT record. Basic setup (monitoring only):
    • Name: _dmarc.yoursendingdomain.com
    • Type: TXT
    • Value:

      v=DMARC1; p=none; rua=mailto:info@mailyser.com

    Explanation:
    • v=DMARC1: Version (must be the first tag)
    • p=none: No enforcement yet (just monitor)
    • rua=: Where aggregate reports are sent
  2. Optional fields to consider:
    • ruf=mailto: → Failure (“forensic”) reports with details of individual failing messages; many large mailbox providers never send these, so don’t build your process around them
    • pct=50 → Apply the policy to only 50% of failing mail; the rest get the next-milder policy (quarantine becomes none, reject becomes quarantine). The default is 100
    • aspf=s → Strict SPF alignment (the envelope-sender domain must exactly equal the From domain, not just share its parent)
    • adkim=s → Strict DKIM alignment (the d= domain in the signature must exactly equal the From domain)
    • fo=1 → Generate a failure report if either SPF or DKIM fails, not only when both fail (the default, fo=0)
    • sp= → A separate policy for subdomains; if you leave it out, subdomains get the same policy as p=
  3. Example advanced policy:

    v=DMARC1; p=quarantine; pct=100; rua=mailto:info@mailyser.com; ruf=mailto:forensic@yourdomain.com; adkim=s; aspf=s; fo=1

NOTE: we use info@mailyser.com in the example because that is the address Mailyser DMARC reports go to. If you are not using Mailyser, use an email address that you monitor. If that address is on a different domain from the one you are protecting (as in this example), the receiving domain must also publish a TXT record at yourdomain.com._report._dmarc.<report-domain> containing v=DMARC1, otherwise most mailbox providers will refuse to send reports there.
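The alignment rules and the pct= behaviour above are easier to see in code than in prose. The following is an added example, not code from the original guide or from any DMARC library: it parses a _dmarc record with the RFC 7489 defaults filled in, applies the pass rule (SPF or DKIM passed and the passing domain aligns with the From domain under the record’s adkim/aspf mode), and shows which policy a non-selected message gets when pct is below 100. The records and domains are constructed, and the organizational-domain logic is deliberately simplified as noted in the code.

```python
"""DMARC record parsing and the alignment decision.

Added example; not code from the original guide or from any DMARC library.
parse_dmarc() turns a _dmarc TXT record into a dict with the RFC 7489
defaults filled in.  dmarc_result() applies the DMARC rule: a message passes
if SPF or DKIM passed AND the domain that passed aligns with the RFC5322.From
domain.  Under strict alignment ('s') the domains must be identical; under
relaxed ('r') they only need to share an organizational domain.
effective_policy() shows what pct= does to the messages it does not select.
"""

DEFAULTS = {"sp": None, "pct": "100", "adkim": "r", "aspf": "r",
            "fo": "0", "rua": None, "ruf": None}
# Policy a non-sampled message gets when pct < 100 (RFC 7489 section 6.6.4).
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict; raise on a malformed record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in STEP_DOWN:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    rec = {**DEFAULTS, **tags}
    rec["pct"] = int(rec["pct"])
    rec["sp"] = rec["sp"] or rec["p"]   # subdomain policy defaults to p=
    return rec


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Assumption made for this example: real receivers consult the Public
    Suffix List, so 'shop.example.co.uk' maps to 'example.co.uk' there
    but would wrongly map to 'co.uk' here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """True if auth_domain aligns with from_domain under mode 's' or 'r'."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(rec, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the record's p= policy that applies to a failing message.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated on;
    dkim_domain is the d= of a signature that verified.  The caller passes
    the record found for the From domain itself (sp= for subdomains is not
    modelled here).
    """
    spf_ok = spf_pass and bool(spf_domain) and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and bool(dkim_domain) and aligned(from_domain, dkim_domain, rec["adkim"])
    return "pass" if spf_ok or dkim_ok else rec["p"]


def effective_policy(rec, sampled):
    """Policy actually applied to a failing message, given whether pct= selected it."""
    return rec["p"] if sampled else STEP_DOWN[rec["p"]]


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=quarantine; pct=50; rua=mailto:info@mailyser.com")
    # Typical ESP case: SPF passes on the ESP's bounce domain (not aligned),
    # DKIM passes with d= under your domain (aligned under relaxed mode).
    print(dmarc_result(rec, "example.com", True, "bounce.esp.example", True, "mail.example.com"))
```

The ESP case in the `__main__` block is the one to internalise: with relaxed alignment the message passes on DKIM alone, but switch the same record to adkim=s and the d=mail.example.com signature no longer aligns with a From of example.com, so the message falls under the policy. Turn on strict alignment only after your reports show every sender signing with exactly the From domain.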

📬 Step 4: Monitor Your Reports

Once your DMARC policy is live, mailbox providers will send XML-format aggregate reports, typically once a day, as compressed (.gz or .zip) attachments to your rua= address. These show:

  • Sending IPs
  • SPF/DKIM pass/fail data
  • Alignment outcomes
  • Volume of mail sent from each source

📊 Use DMARC Analysis Tools:

Mailyser does this for you: we take the reports sent back and analyse them in our Vitals section:

https://www.mailyser.com/vitals
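If you want to see what a report contains before handing it to a dashboard, the following added example parses one. It is not code from the original guide or from Mailyser; the XML inside it is constructed for the example using documentation IP ranges, and only its structure mirrors real aggregate reports. It pulls out, per source IP, the message count and the aligned SPF/DKIM results DMARC actually used, then totals the pass/fail volume and lists the failing sources (the candidates for “spoofer” or “sender we forgot to set up”).

```python
"""Summarize a DMARC aggregate (rua) report.

Added example; not code from the original guide or from Mailyser.  Aggregate
reports are XML, usually delivered as .xml.gz or .zip attachments.  Each
<record> carries a source IP, a message count, the aligned SPF/DKIM results
that DMARC used (policy_evaluated) and the raw authentication results.
The report below is constructed for the example.
"""
import gzip
import xml.etree.ElementTree as ET

SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>Example Receiver</org_name><report_id>r-1</report_id>
    <date_range><begin>1717200000</begin><end>1717286400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def load_report(data):
    """Accept raw XML bytes or a gzip-compressed report (magic bytes 1f 8b)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return ET.fromstring(data)


def text(elem, path, default=""):
    """Stripped text of the first child at path, or default if absent."""
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def parse_aggregate_report(data):
    """Return reporter, policy and one dict per <record> with the aligned results."""
    root = load_report(data)
    sources = []
    for rec in root.iter("record"):
        dkim = text(rec, "row/policy_evaluated/dkim")
        spf = text(rec, "row/policy_evaluated/spf")
        sources.append({
            "ip": text(rec, "row/source_ip"),
            "count": int(text(rec, "row/count", "0")),
            "header_from": text(rec, "identifiers/header_from"),
            "dmarc_pass": "pass" in (dkim, spf),   # aligned pass on either mechanism
            "dkim_aligned": dkim, "spf_aligned": spf,
            "spf_domain": text(rec, "auth_results/spf/domain"),
            "dkim_domain": text(rec, "auth_results/dkim/domain"),
            "disposition": text(rec, "row/policy_evaluated/disposition"),
        })
    return {"reporter": text(root, "report_metadata/org_name"),
            "domain": text(root, "policy_published/domain"),
            "policy": text(root, "policy_published/p"),
            "sources": sources}


def summarize(report):
    """Totals plus the sources that failed DMARC, largest first."""
    srcs = report["sources"]
    total = sum(s["count"] for s in srcs)
    passed = sum(s["count"] for s in srcs if s["dmarc_pass"])
    failing = sorted(((s["ip"], s["count"]) for s in srcs if not s["dmarc_pass"]),
                     key=lambda ip_count: -ip_count[1])
    # Sources passing only on aligned DKIM (typical for an ESP using its own
    # bounce domain): fine for DMARC, but a DKIM key change there breaks them.
    dkim_only = [s["ip"] for s in srcs
                 if s["dkim_aligned"] == "pass" and s["spf_aligned"] != "pass"]
    return {"total": total, "passed": passed, "failed": total - passed,
            "failing_sources": failing, "dkim_only_sources": dkim_only}


if __name__ == "__main__":
    print(summarize(parse_aggregate_report(SAMPLE_REPORT)))
```

Two practical notes. Reports come from third parties, so treat them as untrusted input: for production parsing use defusedxml rather than the standard-library parser used here for brevity. And the useful signal is in policy_evaluated, not auth_results: a source can show a raw SPF pass on its own bounce domain and still count as an SPF failure for your domain, which is exactly the unaligned-ESP case the second record above shows.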

🚀 Step 5: Enforce Your DMARC Policy

After 2–4 weeks of monitoring, once every legitimate sender in your reports passes with alignment:

✅ Ramp up enforcement in stages (keep the rua= tag at every stage so the reports keep arriving):

  1. Start with:

    v=DMARC1; p=none; rua=mailto:info@mailyser.com

  2. Move to:

    v=DMARC1; p=quarantine; pct=50; rua=mailto:info@mailyser.com

  3. Then escalate:

    v=DMARC1; p=quarantine; pct=100; rua=mailto:info@mailyser.com

  4. Finally:

    v=DMARC1; p=reject; rua=mailto:info@mailyser.com

This tells inbox providers to refuse mail that fails DMARC outright. Wait at each stage until the reports show no legitimate source being affected before moving to the next one.

🧠 Best Practices

  • 🔁 Review quarterly — especially if your sending tools or providers change
  • 📥 Keep SPF to at most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) across the whole include chain — more than that is a permanent error and receivers treat it as a failed check
  • 🔐 Rotate DKIM keys periodically (every 6–12 months) and use 2048-bit keys
  • 📊 Track enforcement progress with your DMARC report dashboard

✅ Final Checklist

  • ☐ SPF configured and tested
  • ☐ DKIM configured and tested
  • ☐ DMARC policy (p=none) live
  • ☐ Reports received and reviewed
  • ☐ Escalated to p=quarantine
  • ☐ Final policy set to p=reject

🛑 What Happens If You Skip This?

  • Anyone can spoof your domain and send phishing emails
  • Your legitimate emails might land in spam
  • You’ll have zero visibility into who’s sending mail using your name
