
How to Set Up Email Authentication: SPF, DKIM, and DMARC Together

Setting up SPF, DKIM, and DMARC together requires adding three DNS records to your domain: an SPF TXT record listing your authorized senders, DKIM CNAME or TXT records for each email provider's cryptographic keys, and a DMARC TXT record that ties them together with a policy. This guide walks through the complete setup from start to finish, including how to handle multiple email providers.

Why All Three Protocols Are Required

Each protocol solves a different piece of the authentication puzzle:

Without all three, you have gaps: SPF alone breaks when email is forwarded. DKIM alone does not tell ISPs what to do about failures. And DMARC without SPF and DKIM has nothing to evaluate. Gmail, Yahoo, and Microsoft all require the complete set for bulk senders in 2026.

Before You Start: Inventory Your Email Senders

Before touching DNS, make a complete list of every service that sends email from your domain. This is the most common source of problems because forgotten services will break when you enforce authentication. Typical senders include:

Check each service's documentation for their SPF include value and DKIM setup instructions. Write them all down before proceeding.

Complete Setup Walkthrough

Step 1: Set up SPF.
Go to your DNS management panel. Create (or edit) a TXT record for your root domain (@) with the value: v=spf1 include:_spf.google.com include:sendgrid.net ~all (replace with your actual providers). Keep it within SPF's limit of 10 DNS lookups total. You can only have one SPF record per domain, so combine all includes into one record. See the full SPF guide for syntax details.
Step 2: Set up DKIM for each email provider.
Go to each email provider's dashboard and find their DKIM or domain authentication settings. Each provider will give you one or more DNS records to add (usually CNAME records). The record names will look like selector._domainkey.yourdomain.com. Add each one to your DNS. Unlike SPF, you can have multiple DKIM records because each uses a different selector. Verify each one in the provider's dashboard after adding the DNS record. See the full DKIM guide.
Step 3: Set up DMARC in monitoring mode.
Add a TXT record for _dmarc.yourdomain.com with the value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This starts collecting reports without affecting any email. Use a real email address that you check. See the full DMARC guide.
Step 4: Verify everything with a test email.
Send an email to a Gmail account. Open the message, click the three dots, then "Show original." Look at the Authentication-Results header. You should see: spf=pass, dkim=pass, and dmarc=pass. If any fail, check the specific protocol guide for troubleshooting.
Step 5: Monitor DMARC reports for 2-4 weeks.
Review the daily DMARC reports that arrive at your rua address. Use a DMARC report analyzer to parse the XML. Confirm every legitimate sending source shows pass for both SPF and DKIM with proper alignment. Fix any failures before tightening your DMARC policy.
Step 6: Tighten your DMARC policy.
Once all legitimate senders pass, update your DMARC record to p=quarantine (sends failures to spam) and eventually p=reject (blocks failures completely). Use the pct= tag to roll out gradually: start with pct=10 and increase to pct=100 over several weeks.
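
For Steps 5 and 6, the following added example (not part of the original guide) parses a DMARC aggregate report and shows which sources still need fixing and how many messages an enforcing policy would act on. The report is constructed for illustration, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed report in the RFC 7489 aggregate layout; IPs are documentation ranges.
# Reports come from third parties: parse real ones with a hardened XML parser
# (for example defusedxml) rather than the bare standard-library parser.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

def parse_rows(report_xml):
    """One dict per <record>: source IP, message count, aligned DKIM/SPF verdicts."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
        })
    return rows

def triage(rows):
    """Group sources: both pass, only one passes (DMARC passes), neither passes."""
    groups = {"both_pass": [], "one_pass": [], "dmarc_fail": []}
    for r in rows:
        passed = [r["dkim"] == "pass", r["spf"] == "pass"]
        key = "both_pass" if all(passed) else "one_pass" if any(passed) else "dmarc_fail"
        groups[key].append((r["ip"], r["count"]))
    return groups

def messages_hit_by_enforcement(rows):
    """Messages p=quarantine or p=reject would act on once pct reaches 100."""
    return sum(r["count"] for r in rows if "pass" not in (r["dkim"], r["spf"]))

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_REPORT)
    print(triage(rows), messages_hit_by_enforcement(rows))
```

Sources in the one_pass group already pass DMARC but depend on a single mechanism; the guide's target before tightening the policy is for every legitimate source to land in both_pass.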

Example DNS Records for a Typical Setup

Here is what the DNS records look like for a domain that uses Google Workspace for business email and SendGrid for marketing email:

SPF Record

Type: TXT | Name: @ | Value: v=spf1 include:_spf.google.com include:sendgrid.net ~all

DKIM Records

Type: CNAME | Name: google._domainkey | Value: (provided by Google Workspace)

Type: CNAME | Name: s1._domainkey | Value: s1.domainkey.u12345.wl.sendgrid.net

Type: CNAME | Name: s2._domainkey | Value: s2.domainkey.u12345.wl.sendgrid.net

DMARC Record

Type: TXT | Name: _dmarc | Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Troubleshooting Common Failures

SPF Passes but DMARC Fails

This usually means SPF alignment is failing. DMARC requires the domain in the SPF check (the Return-Path/envelope sender) to match the domain in the visible From address. Some email providers use their own domain in the Return-Path by default. Check your provider's settings for "custom return path" or "envelope sender" and configure it to use your domain.

DKIM Passes but DMARC Fails

Same alignment issue. The domain in the DKIM signature (the d= value) must match the From address domain. If your provider signs with their own domain instead of yours, you need to set up custom DKIM signing through their domain authentication settings.

Everything Fails for Forwarded Email

Email forwarding breaks SPF because the forwarding server's IP is not in your SPF record. DKIM usually survives forwarding unless the forwarder modifies the message content. This is normal and expected. DMARC will pass as long as DKIM passes with alignment, which is why having both SPF and DKIM matters.
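
The three failure patterns above all come down to the same alignment rule, shown here as an added example (not from the original guide) that goes slightly beyond the text by modelling DMARC's relaxed and strict alignment modes (the aspf and adkim tags). The provider domain mailprovider.example and the two-label organizational-domain shortcut are assumptions made for this example.

```python
def org_domain(domain):
    """Last two labels. Simplification for this example: real evaluators use the
    Public Suffix List, so names under suffixes like co.uk need that instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict: exact match. Relaxed (DMARC default): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(from_domain, spf_result, return_path_domain, dkim_sigs,
               aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, result); aspf/adkim are the DMARC tags."""
    spf_ok = (spf_result == "pass"
              and aligned(return_path_domain, from_domain, aspf == "s"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim == "s")
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed cases mirroring the troubleshooting sections above.
CASES = {
    # SPF and DKIM both pass, but for the provider's domain, not yours.
    "provider_defaults": dmarc_eval(
        "yourdomain.com", "pass", "bounces.mailprovider.example",
        [("mailprovider.example", "pass")]),
    # Custom return path on a subdomain plus custom DKIM signing.
    "custom_domain": dmarc_eval(
        "yourdomain.com", "pass", "mail.yourdomain.com",
        [("yourdomain.com", "pass")]),
    # Forwarded: SPF fails at the forwarder's IP, DKIM signature survives.
    "forwarded_intact": dmarc_eval(
        "yourdomain.com", "fail", "yourdomain.com",
        [("yourdomain.com", "pass")]),
    # Forwarded and the forwarder modified the content, so DKIM fails too.
    "forwarded_modified": dmarc_eval(
        "yourdomain.com", "fail", "yourdomain.com",
        [("yourdomain.com", "fail")]),
}

if __name__ == "__main__":
    for name, verdict in CASES.items():
        print(f"{name:20} {verdict}")
```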

Verification tools: MXToolbox (mxtoolbox.com) checks all three protocols at once. Google Postmaster Tools monitors your authentication status with Gmail specifically. Microsoft SNDS does the same for Outlook. Use all of them for complete visibility.
