How to set up SPF, DKIM, and DMARC for your domain
Are you finding that your emails to clients are landing in spam? Setting up your SPF, DKIM, and DMARC records properly is essential to making sure your emails get delivered and read.
Side note: This is fairly complex and technical, and no one ever really explains or walks you through it, but every business owner is expected to set it up. Isn't that crazy?
β
If you're getting hung up on anything below, please feel free to write into our chat and we'll get you un-stuck π
What are SPF, DKIM, and DMARC?
At a high level, SPF, DKIM, and DMARC are records you set up in your email and domain name servers to ensure that only you can send emails from your domain.
Together, they prevent Email spoofing (malicious actors sending fake emails that look like they come from your email),Β which is essential for keeping your email secure.
In February of 2024, Gmail and Yahoo imposed new requirements to make setting up these records even more important.
Given the sensitive nature of the content of your emails with your clients, we strongly recommend all firms set up these records.
SPF, DKIM, and DMARC for Google Workspace
SPF
Steps:
Add a TXT record to your DNS with the following values. If you already have an existing TXT record, update that record β do not add a second TXT record.
Host: @
Value: v=spf1 include:_spf.google.com ~allNote: the β@β sign is the DNS symbol for βallβ - for a record to apply to your entire domain. Some DNS providers, such as Wix, may have you leave that value blank.
DKIM
Steps:
Get your DKIM key from your Google Admin Console (Menu β Apps β Workspace β Gmail) β Click Authenticate Email.
Select the domain where you want to set up DKIM β click Generate New Record.
Copy the values from here into a new TXT record in your DNS. If you already have an existing TXT record, update that record β do not add a second TXT record.
Go back to your Email settings in your Google Admin Console and click Start authentication.
DMARC
Steps:
Make sure you have already set up SPF and DKIM.
Add a new TXT record (or update your existing TXT record) with the following values:
Host: _dmarc Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomainhere.com
Make sure to replace yourdomainhere.com with your applicable domain.
SPF, DKIM, and DMARC for Microsoft 365
SPF
Steps:
Add a TXT record to your DNS with the following values. If you already have an existing TXT record, update that record β do not add a second TXT record.
The basic syntax of the SPF TX record for a custom domain in Microsoft 365 is:
Host: @
Value: v=spf1 include:spf.protection.outlook.com ~allNote: the β@β sign is the DNS symbol for βallβ - for a record to apply to your entire domain. Some DNS providers, such as Wix, may have you leave that value blank.
DKIM
Steps:
Use the Microsoft 365 Defender portal using the link below https://security.microsoft.com/authentication?viewid=DKIM
Create your DKIM keys for the domain youβre setting up, note the CNAMEs
Add the CNAME(s) in your DNS as CNAME records
Enable Sign messages for this domain with DKIM signatures
If you receive an error message, we recommend attempting this step again a few minutes later. We find that waiting 10 mins is typically all you need, but this can take up to 4 days to fully process
DMARC
Steps:
Make sure you have already set up SPF and DKIM.
Add a new TXT record (or update your existing TXT record) with the following values:
Host: _dmarc
Value: v=DMARC1; p=none; pct=100; rua=mailto:rua@marketing.yourdomainhere.com; ruf=mailto:ruf@marketing.yourdomainhere.comMake sure to replace yourdomainhere.com with your applicable domain.
Testing Email Deliverability
Once you have finished setting up your SPF, DKIM, and DMARC records, the last thing to do is test your email deliverability to make sure everything is working.
We recommend MX Toolbox for this.
To test whether your SPF/DKIM/DMARC records are set up properly:
Send an email from your connected practice email to ping@tools.mxtoolbox.com
Go to the results page.
If your results page looks shows you are DMARC compliant, SPF aligned/authenticated, and DKIM aligned/authenticated, your email is set up properly:
If any of the boxes are not checked and your results look like this instead, that means there's an issue with your setup:
These settings usually update quickly, but they can take up to 48 hours to fully sync. If you feel confident you completed the SPF/DKIM/DMARC set up correctly, wait a few hours and try the mail test again.