DNS & Email Authentication

Set up SPF, DKIM, and DMARC records to maximize your email deliverability

Why Email Authentication Matters

In 2025, email providers like Google and Microsoft require proper authentication. Without SPF, DKIM, and DMARC, your emails are 2.7x more likely to land in spam.

98%

Inbox rate with auth

36%

Inbox rate without

2.7x

Better deliverability

SPF (Sender Policy Framework)

Specifies which servers can send email for your domain

Example SPF Record

v=spf1 include:_spf.google.com include:sendgrid.net ~all

How to Set Up SPF

Log into your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.)
Navigate to DNS Management or DNS Records
Add a new TXT record with:
- Name/Host: @ (or leave blank)
- Type: TXT
- Value: Your SPF record
Save and wait 5-10 minutes for propagation

Common SPF Includes:

Google Workspace: include:_spf.google.com
Microsoft 365: include:spf.protection.outlook.com
SendGrid: include:sendgrid.net

DKIM (DomainKeys Identified Mail)

Adds a digital signature to verify email authenticity

DKIM is the most important authentication method for deliverability. It proves your emails haven't been tampered with in transit.

Google Workspace

GIF: Google Workspace DKIM Setup

Shows Admin Console → Apps → Gmail → Authenticate email flow

Go to admin.google.com
Navigate to Apps → Google Workspace → Gmail → Authenticate email
Select your domain and click "Generate new record"
Choose 2048-bit key (recommended)
Copy the generated TXT record value
Add a TXT record in your DNS with:
- Name: google._domainkey
- Value: The generated key
Return to Google Admin and click "Start Authentication"

Microsoft 365

GIF: Microsoft 365 DKIM Setup

Shows Defender portal → DKIM → Enable signing flow

Go to Microsoft Defender portal
Navigate to Email & collaboration → Policies → DKIM
Select your domain
Toggle "Sign messages for this domain" to enabled
Add the two CNAME records shown to your DNS:
- selector1._domainkey → selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
- selector2._domainkey → selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Wait for DNS propagation, then enable DKIM

DKIM propagation can take up to 48 hours. If our DNS check shows "DKIM not found", wait a day and refresh.

DMARC (Domain-based Message Authentication)

Tells receivers what to do when emails fail SPF/DKIM

Basic DMARC Record (Start Here)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

DMARC Policies Explained

p=none

Monitor Only

Collect reports without affecting delivery. Start here to understand your email flow.

p=quarantine

Send to Spam

Failed emails go to spam folder. Move to this after monitoring shows clean traffic.

p=reject

Block Completely

Failed emails are rejected entirely. Maximum protection but requires careful setup.

How to Add DMARC

Go to your DNS management
Add a new TXT record:
- Name/Host: _dmarc
- Type: TXT
- Value: v=DMARC1; p=none; rua=mailto:your@email.com
Replace the email with where you want to receive reports
Save and wait for propagation

Recommended approach: Start with p=none for 2-4 weeks, then move to p=quarantine, and finally p=reject once you're confident in your setup.

DNS Provider Setup Guides

Step-by-step instructions for popular DNS providers

GoDaddy

GIF: GoDaddy DNS Setup

Shows My Products → DNS → Add TXT Record flow

Log in to your GoDaddy account
Go to My Products and find your domain
Click DNS next to the domain name
Click Add in the Records section
Select TXT as the record type
Enter the record details:
- Name: @ (for SPF/DMARC) or google._domainkey (for DKIM)
- Value: Your SPF/DKIM/DMARC record value
- TTL: 1 Hour (default)
Click Save

Cloudflare

GIF: Cloudflare DNS Setup

Shows Dashboard → DNS → Add Record flow

Log in to Cloudflare Dashboard
Select your domain from the list
Click DNS in the left sidebar
Click Add record
Select TXT as the type
Fill in the details:
- Name: @ for root, _dmarc for DMARC, or selector._domainkey for DKIM
- Content: Your record value
- TTL: Auto (recommended)
Click Save

Tip: Cloudflare's proxy (orange cloud) doesn't affect TXT records. Keep them as "DNS only" (gray cloud).

Namecheap

GIF: Namecheap DNS Setup

Shows Domain List → Advanced DNS → Add Record flow

Log in to Namecheap
Go to Domain List and click Manage on your domain
Navigate to the Advanced DNS tab
In the HOST RECORDS section, click ADD NEW RECORD
Select TXT Record
Enter the values:
- Host: @ (for SPF), _dmarc (for DMARC), or google._domainkey (for DKIM)
- Value: Your record (wrap in quotes if it contains spaces)
- TTL: Automatic
Click the green checkmark to save

AWS

AWS Route 53

GIF: AWS Route 53 DNS Setup

Shows Hosted zones → Create Record flow

Log in to AWS Console
Go to Route 53 → Hosted zones
Click on your domain name
Click Create record
Configure the record:
- Record name: Leave blank for @, or enter _dmarc, google._domainkey, etc.
- Record type: TXT
- Value: Wrap your record in double quotes
- TTL: 300 (5 minutes)
Click Create records

Verify Your Setup

Use these free tools to check your DNS records are correctly configured:

MXToolbox Email Health

Complete DNS health check

DMARC Inspector

Analyze your DMARC record

Outlook Filter Setup Best Practices