SPF DKIM DMARC Setup: Complete Guide (2026)
TL;DR: SPF DKIM DMARC setup means publishing three DNS TXT records that prove your emails are real. SPF lists who can send for your domain. DKIM signs each message. DMARC tells receivers what to do when checks fail. Set all three, start DMARC at p=none, then tighten to p=reject in 30 days.
If you send business email without SPF, DKIM, and DMARC configured, Gmail and Outlook will quietly drop your messages into spam — and anyone can spoof your domain. This guide walks through the exact DNS records, registrar-specific steps for GoDaddy and Namecheap, and the safe rollout path from monitoring to enforcement.
SPF vs DKIM vs DMARC: What Each Record Does
| Record | What it proves | Where it lives in DNS | Common failure mode | Fix |
|---|---|---|---|---|
| SPF | The sending IP is authorized | TXT at root (@) | Forwarded mail breaks SPF | Add DKIM as backup |
| DKIM | Message body wasn't altered and was signed by your domain | TXT at selector._domainkey | Signing not enabled in mail server | Toggle DKIM on in provider settings |
| DMARC | Policy + reporting layer on top of SPF/DKIM | TXT at _dmarc | p=reject rolled out too fast | Start at p=none, monitor 2-4 weeks |
These are the three email authentication records every domain needs. Get all three right and you cover both deliverability (your mail reaches the inbox) and anti-spoofing (nobody else can send as you).
Why Email Authentication Matters
Email was designed in the 1980s with no identity verification. Without authentication, anyone can send mail claiming to be from your domain — and receiving servers have no way to tell the difference between you and a scammer.
Three things break when authentication is missing:
- Spoofing. Attackers send phishing mail from billing@yourdomain.com to your customers — one of the most common email security threats facing small businesses. According to the Validity 2026 Email Deliverability Benchmark Report, unauthenticated emails are 32x more likely to reach spam folders.
- Deliverability. Gmail's 2024 bulk-sender rules require SPF, DKIM, and DMARC for anyone sending 5,000+ messages/day. Unauthenticated mail from smaller senders increasingly lands in spam too.
- Compliance. HIPAA, PCI-DSS, SOC 2, and most cyber-insurance underwriters now expect DMARC enforcement.
For the broader picture on inbox placement beyond these three records, see our email deliverability guide.
How to Set Up an SPF Record
An SPF record is one TXT record at the root of your domain that lists every service allowed to send mail for you.
Step 1: Inventory your senders
List every system that sends mail on your behalf — your email host, marketing platform (Mailchimp, SendGrid), CRM (HubSpot, Salesforce), help desk (Zendesk), and any transactional service.
Step 2: Build the record
The format is v=spf1 + mechanisms + a final all qualifier:
v=spf1 include:_spf.mailafiniti.com include:servers.mcsv.net ~all
- include: pulls in another service's authorized IPs
- ip4: / ip6: adds a specific server IP
- ~all (soft fail) is the recommended default — mark unmatched mail as suspicious
- -all (hard fail) once you're confident the record is complete
Step 3: Publish at the root
| Field | Value |
|---|---|
| Type | TXT |
| Host | @ |
| Value | v=spf1 include:_spf.mailafiniti.com ~all |
| TTL | 3600 |
How to add an SPF record to GoDaddy
- Sign in to GoDaddy, go to My Products → Domains → DNS for your domain.
- Click Add New Record.
- Type = TXT, Name = @, Value = your full SPF string, TTL = 1 hour.
- Save. DNS usually propagates within 30 minutes.
How to add an SPF record to Namecheap
- Sign in, Domain List → Manage → Advanced DNS.
- Add New Record → TXT Record.
- Host = @, Value = your SPF string, TTL = Automatic.
- Save changes (green checkmark confirms).
Two SPF gotchas that break most setups
- Only one SPF record per domain. Two TXT records starting with v=spf1 fail entirely.
- 10-lookup limit. Each include: counts. Big stacks hit the ceiling fast — use SPF flattening if you do.
Verify with dig yourdomain.com TXT or MXToolbox's SPF checker.
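Both gotchas can be checked before you publish. The sketch below is an added example, not MailAfiniti's code: it lints a set of TXT records for duplicate SPF records and counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) against the limit of 10. The ZONE data and every domain name in it are constructed placeholders standing in for live DNS answers.

```python
import re

# Constructed TXT data standing in for live DNS; every name here is hypothetical.
ZONE = {
    "example.test": ["v=spf1 include:_spf.host.test include:mail.crm.test a mx ~all",
                     "google-site-verification=abc"],
    "_spf.host.test": ["v=spf1 ip4:192.0.2.0/24 include:_net.host.test ~all"],
    "_net.host.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "mail.crm.test": ["v=spf1 ip4:203.0.113.7 -all"],
    "dup.test": ["v=spf1 include:_spf.host.test ~all", "v=spf1 ip4:192.0.2.9 ~all"],
}
LOOKUP_LIMIT = 10                        # RFC 7208 section 4.6.4
QUERYING = {"a", "mx", "ptr", "exists"}  # mechanisms that cost one DNS lookup each

def spf_records(domain, zone):
    """Return only the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from the SPF record at `domain`."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        raise ValueError(f"{domain} has {len(recs)} SPF records, need exactly 1")
    total = 0
    for term in recs[0].lower().split()[1:]:
        term = term.lstrip("+-~?")       # drop the qualifier
        if term.startswith(("include:", "redirect=")):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif term.split(":")[0].split("/")[0] in QUERYING:
            total += 1
    return total

def lint(domain, zone):
    """Return 'ok: N lookups' or a 'permerror: ...' string explaining the failure."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:
        return f"permerror: {exc}"
    if n > LOOKUP_LIMIT:
        return f"permerror: {n} lookups > {LOOKUP_LIMIT}"
    return f"ok: {n} lookups"

if __name__ == "__main__":
    for name in ("example.test", "dup.test"):
        print(name, "->", lint(name, ZONE))
```

To run it against a real domain, fill the dictionary from `dig +short TXT` output for the domain and each name it includes.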
How to Set Up a DKIM Record
DKIM adds a cryptographic signature to every outgoing message. Your mail server holds the private key; the public key sits in DNS.
Step 1: Generate keys in your mail provider
Every provider has a generator:
- MailAfiniti: Control panel → Email Authentication → Generate DKIM. We display the exact DNS record to paste.
- Google Workspace: Admin → Apps → Gmail → Authenticate email → Generate new record.
- Microsoft 365: Admin center → Setup → Domains → DKIM → Enable.
Step 2: Publish the public key
DKIM records live at a selector subdomain (selector._domainkey.yourdomain.com). The selector is whatever your provider gives you — common ones are default, mail, google, or k1.
Type: TXT
Host: default._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
TTL: 3600
Some providers issue CNAMEs instead (Microsoft 365 uses two CNAMEs at selector1._domainkey and selector2._domainkey).
How to add a DKIM record on Namecheap
- Advanced DNS → Add New Record → TXT Record.
- Host = default._domainkey (Namecheap auto-strips your domain — don't include it).
- Value = the entire v=DKIM1; k=rsa; p=... string. Copy carefully; one stray character invalidates the key.
- Save.
Step 3: Turn on signing
Publishing the DNS record alone doesn't sign mail. After DNS propagates (15-60 minutes), go back to your provider's panel and enable DKIM signing. Send a test to a Gmail address, open Show original, and confirm dkim=pass.
How to Set Up a DMARC Record
DMARC is the policy layer. It tells receivers what to do when SPF or DKIM fails and emails you daily reports about who's sending under your name.
Step 1: Start in monitoring mode
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100; fo=1
Publish at _dmarc.yourdomain.com as a TXT record. p=none means "report everything, block nothing" — safe to deploy immediately. Not sure what to put in each tag? Our free DMARC record generator builds the exact string for your sender setup and recommends a safe rollout path.
Step 2: Read the reports for 2-4 weeks
Reports arrive as XML at the rua address. Tools that parse them for free or cheap:
- dmarcian
- Postmark DMARC Digests
- URIports
You're looking for legitimate senders that fail authentication — usually a marketing tool you forgot to add to SPF.
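If you would rather read the XML yourself, the triage is small. This is an added example, not part of any of the tools above: it parses an aggregate report and separates failing sources you recognise (fix these before tightening) from ones you don't. The report, the IP addresses and the KNOWN_SENDERS inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 Appendix C layout); IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.test</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
 </row></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>14</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
 </row></record>
 <record><row><source_ip>203.0.113.40</source_ip><count>37</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row></record>
</feedback>"""

# Hypothetical sender inventory from SPF Step 1: source IP -> service name.
KNOWN_SENDERS = {"192.0.2.10": "mail host", "203.0.113.40": "marketing platform"}

def dmarc_failures(xml_text):
    """Return (total_messages, Counter of source_ip -> messages failing DMARC)."""
    # Reports come from third parties: use a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(xml_text)
    total, failing = 0, Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count", default="0"))
        total += count
        # policy_evaluated holds the aligned results; DMARC fails only when both fail.
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":
            failing[row.findtext("source_ip")] += count
    return total, failing

def triage(xml_text, known=KNOWN_SENDERS):
    """Split failing sources into known senders to fix and unrecognised sources."""
    total, failing = dmarc_failures(xml_text)
    fix = {ip: n for ip, n in failing.items() if ip in known}
    unknown = {ip: n for ip, n in failing.items() if ip not in known}
    return {"total": total, "fix_before_enforcing": fix, "unrecognised": unknown}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

The 198.51.100.25 row is the forwarded-mail case: SPF fails but DKIM passes, so it is not counted as a DMARC failure.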
Step 3: Tighten the policy
Once legitimate mail is passing, step up:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
After another 2-4 weeks of clean reports:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
DMARC policy explained
| Policy | What receivers do | When to use |
|---|---|---|
| p=none | Deliver normally, send reports | Week 1-4 (always start here) |
| p=quarantine | Send failing mail to spam | Week 5-8 once reports are clean |
| p=reject | Bounce failing mail entirely | Final state — full spoofing protection |
Use pct=10 to apply a strict policy to only 10% of traffic during rollout. Increase weekly.
Common Setup Mistakes
- Two SPF records. Merge them into one. SPF is not cumulative.
- DKIM published but unsigned. The DNS record is half the job — toggle signing on in the mail provider.
- Jumping straight to p=reject. You'll bounce legitimate mail from a forgotten sender. Always monitor first.
- Wrong host field. SPF goes at @, DKIM at selector._domainkey, DMARC at _dmarc. Don't mix them up.
- Forwarded mail breaking SPF. Expected behavior — DKIM survives forwarding, which is why you need both.
Email Authentication for Small Business: The 30-Minute Path
If you run a small team and don't want to think about DNS again:
- Pick an email host that auto-generates all three records (most modern providers do).
- Paste the three TXT records into your registrar.
- Publish DMARC at p=none with reports going to a real inbox you check.
- Set a calendar reminder for 3 weeks out. Review the report. Move to p=quarantine.
- Three more weeks. Move to p=reject. Done.
Total active time: ~30 minutes. The rest is DNS propagation and a monitoring window.
If you're still choosing a provider, our business email setup guide walks through host selection before you touch DNS.
Let MailAfiniti Handle the DNS
MailAfiniti generates your SPF, DKIM, and DMARC records the moment you add a domain. We display copy-paste blocks formatted for GoDaddy, Namecheap, Cloudflare, and Route 53, then verify each record automatically once propagation completes. If a record breaks later — say, you add a new marketing tool — our deliverability dashboard flags it before Gmail does.
- 14-day free trial, no credit card
- Auto-DNS verification and ongoing monitoring
- Migration help included from any provider — see our email migration guide for what we handle
FAQ
What is the difference between SPF DKIM and DMARC?
SPF authorizes sending IPs, DKIM signs the message contents with a cryptographic key, and DMARC tells receivers what to do when either check fails and emails you reports. SPF alone breaks on forwarded mail. DKIM alone has no enforcement policy. DMARC alone does nothing without SPF or DKIM underneath. You need all three.
How do I add an SPF record to GoDaddy?
In GoDaddy, go to My Products → Domains → DNS → Add New Record. Choose TXT, set Name to @, paste your SPF string (for example v=spf1 include:_spf.mailafiniti.com ~all), set TTL to 1 hour, and save. Propagation typically completes in under 30 minutes.
How do I add a DKIM record on Namecheap?
In Namecheap, open Domain List → Manage → Advanced DNS → Add New Record → TXT Record. Set Host to default._domainkey (or whatever selector your mail provider gave you), paste the full v=DKIM1; k=rsa; p=... value, and save. Then turn on DKIM signing in your mail provider's admin panel.
What is the right DMARC policy to start with?
Always start with p=none. This is monitor-only mode — nothing is blocked, but you receive daily XML reports showing who's sending mail as your domain. After 2-4 weeks of clean reports, move to p=quarantine, then to p=reject once you're confident every legitimate sender passes.
How long does SPF DKIM DMARC setup take?
Active work is 20-30 minutes: about 10 minutes to inventory senders and build the SPF record, 5 minutes for DKIM, and 5 minutes for the initial DMARC record. DNS propagation adds 15 minutes to a few hours. The full rollout to p=reject takes 4-8 weeks because you need monitoring windows.
Do small businesses really need DMARC?
Yes. Gmail and Yahoo's 2024 bulk-sender rules apply at 5,000 messages/day, but spoofing protection has no volume threshold — a five-person company is just as easy to impersonate as a Fortune 500. DMARC at p=reject is the only record that stops attackers from sending mail that looks like it came from you.
Can I have multiple SPF records?
No. A domain may only have one SPF record. If two TXT records start with v=spf1, SPF fails entirely — not cumulatively. Merge them into a single record with all your include: and ip4: mechanisms combined.
Related Reading
- Email Deliverability Guide — Inbox placement factors beyond authentication.
- How to Set Up Business Email — Pick a provider, point your MX, then come back here.
- Business Email Hosting for Small Business — What to look for in a host that handles DNS for you.
- Email Security Threats — What spoofing, BEC, and phishing actually look like.
- Email Migration Guide — Move providers without breaking your authentication setup.