Tutorial 10 min read Updated April 2026

DKIM, SPF and DMARC: Complete Setup Guide for Email Deliverability

Email authentication is the foundation of deliverability. Without DKIM, SPF, and DMARC, your emails will be rejected or marked as spam by major mailbox providers. This guide walks you through the complete setup.

Why authentication matters

Gmail and Yahoo now require DMARC for bulk senders (2024 requirement). Without proper authentication, your emails will be rejected or marked as spam. Authentication also protects your domain from being used in phishing attacks.

SPF: setup and examples

SPF (Sender Policy Framework) is a TXT record in your DNS that lists the IP addresses authorized to send email for your domain.

Basic SPF record

v=spf1 include:emitlo.com ~all

This record authorizes Emitlo's servers to send email for your domain. The ~all (softfail) means emails from unauthorized IPs are marked as suspicious but not rejected. Use -all (hardfail) once you're confident all legitimate senders are included.

SPF with multiple senders

v=spf1 include:emitlo.com include:_spf.google.com ~all

⚠️ SPF lookup limit

SPF records have a maximum of 10 DNS lookups. Each include: counts as one lookup. If you exceed 10, SPF will fail. Use SPF flattening tools if needed.
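The lookup limit is easy to hit without noticing, because lookups inside an included record count toward the same total, and a, mx, ptr, exists and redirect terms count as well. The following is an added example (not Emitlo's code) that walks an SPF policy and counts them; the ZONE dictionary is constructed sample data standing in for live DNS, and every domain in it is made up.

```python
import re

# Constructed TXT data standing in for live DNS; every name here is made up.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:_spf.crm.test mx ~all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip4:198.51.100.0/24 a:out.mail.test ~all"],
    "_spf.crm.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "dup.test": ["v=spf1 include:_spf.crm.test ~all", "v=spf1 mx -all"],
    "bulk.test": ["v=spf1 " + " ".join(f"include:_s{i}.bulk.test" for i in range(11)) + " ~all"],
}
ZONE.update({f"_s{i}.bulk.test": ["v=spf1 ip4:192.0.2.1 ~all"] for i in range(11)})

LOOKUP_LIMIT = 10
# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_record(domain, zone):
    """Return the domain's single SPF record; zero or several is an error."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, descending into include: and redirect=."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        # Drop the qualifier, then split "name:arg" or "name=arg" once.
        parts = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1) + [""]
        name, arg = parts[0].split("/")[0].lower(), parts[1]  # "a/24" -> "a"
        if name not in COUNTED:
            continue
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (lookups, within_limit) for the domain's SPF policy."""
    lookups = count_lookups(domain, zone)
    return lookups, lookups <= LOOKUP_LIMIT
```

The same walk raises an error for dup.test, which publishes two SPF records, the first item under "Common mistakes" below.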

DKIM: setup and examples

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails. You publish a public key in DNS; the sending server signs emails with the corresponding private key.

DKIM DNS record format

selector._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..."

The selector is a label that identifies which key to use (e.g., emitlo1). The p= value is your public key (base64-encoded RSA key).

Double DKIM signing

Emitlo signs every email with two DKIM keys: your domain key and Emitlo's platform key. This means two DKIM signatures appear in the email headers, providing an additional layer of authentication. You only need to publish your domain's DKIM record — Emitlo handles the platform key automatically.

Emitlo automatically generates your DKIM keys, validates your SPF record, and checks your DMARC policy on domain setup — no manual DNS debugging.

DMARC: setup and policy progression

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when an email fails SPF or DKIM authentication.

Step 1: Start with monitoring (p=none)

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

Monitor for 2–4 weeks. Review DMARC reports to identify all legitimate email sources.

Step 2: Quarantine (p=quarantine)

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]"

Start with pct=25 (apply to 25% of failing emails). Increase gradually to 100%.

Step 3: Reject (p=reject)

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]"

The strongest policy. Unauthenticated emails are rejected entirely. Only move here once you're confident all legitimate senders are authenticated.
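Moving from one step to the next depends on what the aggregate reports say about each sending source. The following is an added example (not Emitlo's code) that summarizes a report per source IP; the report itself is constructed sample data in the RFC 7489 aggregate layout, using documentation IP ranges.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 layout; IPs are documentation ranges.
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf>"
       "</policy_evaluated></row></record>")
REPORT = ("<feedback><policy_published><domain>yourdomain.com</domain><p>none</p>"
          "</policy_published>"
          + ROW.format("192.0.2.10", 120, "pass", "pass")
          + ROW.format("198.51.100.7", 40, "fail", "pass")
          + ROW.format("203.0.113.99", 15, "fail", "fail")
          + ROW.format("203.0.113.99", 5, "fail", "fail")
          + "</feedback>")

def summarize(xml_text):
    """Map source IP -> message counts by how many aligned checks passed."""
    # Reports are third-party input: in production parse them with a hardened
    # XML parser such as defusedxml instead of the standard library.
    totals = defaultdict(lambda: {"both": 0, "one": 0, "none": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        evaluated = row.find("policy_evaluated")
        # policy_evaluated carries the DMARC-aligned DKIM and SPF results.
        passed = [evaluated.findtext(k) for k in ("dkim", "spf")].count("pass")
        bucket = ("none", "one", "both")[passed]
        totals[row.findtext("source_ip")][bucket] += int(row.findtext("count"))
    return dict(totals)

def failing_sources(summary):
    """Sources whose mail p=quarantine or p=reject would act on, worst first."""
    fails = [(ip, c["none"]) for ip, c in summary.items() if c["none"]]
    return sorted(fails, key=lambda item: -item[1])

def affected_share(summary):
    """Fraction of all reported messages that fail DMARC outright."""
    total = sum(sum(c.values()) for c in summary.values())
    return sum(c["none"] for c in summary.values()) / total if total else 0.0
```

A source in the "one" bucket passes DMARC today but depends on a single mechanism, so it is worth fixing before tightening the policy.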

Testing your setup

  • MXToolbox: Check SPF, DKIM, and DMARC records. Identify configuration errors.
  • Mail-Tester: Send a test email and get a spam score with detailed authentication results.
  • DMARC Analyzer: Parse and visualize DMARC reports.
  • Google Postmaster Tools: Monitor your domain reputation and authentication rates with Gmail.

Common mistakes

✗ Multiple SPF records

Fix: You can only have one SPF record per domain. Combine all includes into a single record.

✗ Exceeding SPF lookup limit (10)

Fix: Use SPF flattening to reduce the number of DNS lookups.

✗ DKIM key too short

Fix: Use RSA 2048-bit keys minimum. 1024-bit keys are considered insecure.

✗ DMARC without SPF/DKIM alignment

Fix: DMARC requires that the domain in SPF/DKIM matches the From header domain. Check alignment in your DMARC reports.

✗ Jumping straight to p=reject

Fix: Always start with p=none, review reports, then progress to quarantine, then reject.

Automatic setup with Emitlo

Emitlo automates the entire authentication setup process:

  • Generates RSA 2048-bit DKIM keys for your domain
  • Publishes DKIM DNS records automatically
  • Validates your SPF record and suggests corrections
  • Checks your DMARC policy and provides recommendations
  • Signs every email with double DKIM (domain key + platform key)
  • Monitors authentication rates in real time

Setup takes under 10 minutes. No manual DNS debugging required.

Frequently Asked Questions

Do I need all three: DKIM, SPF, and DMARC?

Yes. SPF and DKIM are required for basic authentication. DMARC builds on both and is increasingly required by major mailbox providers. Gmail and Yahoo now require DMARC for bulk senders. Setting up all three is the minimum for reliable deliverability.

How long do DNS changes take to propagate?

DNS propagation typically takes 5–60 minutes for most providers, but can take up to 48 hours in rare cases. Most modern DNS providers propagate changes within minutes. Emitlo automatically verifies your DNS records and notifies you when propagation is complete.

What is the difference between DKIM alignment and DKIM signing?

DKIM signing means your email has a DKIM signature. DKIM alignment (required for DMARC) means the domain in the DKIM signature matches the domain in the From header. Both are required for DMARC to pass.

What DMARC policy should I start with?

Start with p=none (monitor only). This lets you collect DMARC reports without affecting email delivery. After reviewing reports for 2–4 weeks and confirming all legitimate email sources are authenticated, move to p=quarantine, then p=reject.

What is a DMARC report?

DMARC reports are XML files sent by mailbox providers to the email address specified in your DMARC record. They show which emails passed or failed authentication, from which IPs, and what action was taken. Use a DMARC report analyzer (like dmarcian or Postmark's DMARC Digests) to parse them.

What is double DKIM signing?

Double DKIM signing means an email is signed with two DKIM keys: your own domain key and the sending platform's key. Emitlo signs every email with both. This provides an additional layer of authentication that improves inbox placement with strict receivers like Gmail and Outlook.
