DKIM, SPF and DMARC: Complete Setup Guide for Email Deliverability
Email authentication is the foundation of deliverability. Without DKIM, SPF, and DMARC, your emails will be rejected or marked as spam by major mailbox providers. This guide walks you through the complete setup.
Why authentication matters
Gmail and Yahoo now require DMARC for bulk senders (2024 requirement). Without proper authentication, your emails will be rejected or marked as spam. Authentication also protects your domain from being used in phishing attacks.
SPF: setup and examples
SPF (Sender Policy Framework) is a TXT record in your DNS that lists the IP addresses authorized to send email for your domain.
Basic SPF record
v=spf1 include:emitlo.com ~all
This record authorizes Emitlo's servers to send email for your domain. The ~all (softfail) means emails from unauthorized IPs are marked as suspicious but not rejected. Use -all (hardfail) once you're confident all legitimate senders are included.
SPF with multiple senders
v=spf1 include:emitlo.com include:_spf.google.com ~all
⚠️ SPF lookup limit
SPF records have a maximum of 10 DNS lookups. Each include: counts as one lookup. If you exceed 10, SPF will fail. Use SPF flattening tools if needed.
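The lookup limit above, as an added example (not Emitlo's code or tooling): a checker that follows nested include: and redirect= terms, because lookups inside an included record count toward the same limit of 10, and that also flags a domain publishing more than one SPF record. The zone data, domain names and function names are constructed for illustration; `sample_resolver` stands in for a real TXT query.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Constructed sample zone standing in for live DNS TXT answers (all names hypothetical).
ZONE = {
    "esp.example": ["v=spf1 include:a.esp.example include:b.esp.example ~all"],
    "a.esp.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.esp.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "ws.example": ["v=spf1 include:n1.ws.example include:n2.ws.example ~all"],
    "n1.ws.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "n2.ws.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "crm.example": ["v=spf1 include:a.esp.example ~all"],
    "small.example": ["verify=constructed", "v=spf1 include:esp.example include:ws.example mx ~all"],
    "big.example": ["v=spf1 include:esp.example include:ws.example include:crm.example "
                    "a mx exists:%{i}.bl.example ~all"],
    "dup.example": ["v=spf1 include:esp.example ~all", "v=spf1 include:ws.example ~all"],
}

def sample_resolver(domain):
    """Stand-in for a TXT query; replace with a real DNS lookup for live use."""
    return ZONE.get(domain, [])

def count_lookups(domain, resolve_txt, path=()):
    """Count DNS-querying terms reachable from domain's SPF record, nested includes included."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    records = [t for t in resolve_txt(domain) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:  # zero or several SPF records cannot be evaluated
        raise ValueError(f"{domain}: found {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].split()[1:]:
        m = re.match(r"[+\-~?]?(\w+)(?:[:=]([^/\s]+))?", term)
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1  # ip4, ip6 and all cost nothing
        if name in ("include", "redirect") and target:
            total += count_lookups(target.lower(), resolve_txt, path + (domain,))
    return total

def check_spf(domain, resolve_txt=sample_resolver):
    """Return (lookup_count, verdict); the count is None when the record set is invalid."""
    try:
        n = count_lookups(domain, resolve_txt)
    except ValueError as exc:
        return None, f"error: {exc}"
    return n, "ok" if n <= LOOKUP_LIMIT else f"error: {n} lookups exceeds {LOOKUP_LIMIT}"
```

In the sample zone, big.example lists only six lookup-costing terms in its own record but resolves to 11 once the nested includes are followed.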
DKIM: setup and examples
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails. You publish a public key in DNS; the sending server signs emails with the corresponding private key.
DKIM DNS record format
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..."
The selector is a label that identifies which key to use (e.g., emitlo1). The p= value is your public key (base64-encoded RSA key).
Double DKIM signing
Emitlo signs every email with two DKIM keys: your domain key and Emitlo's platform key. This means two DKIM signatures appear in the email headers, providing an additional layer of authentication. You only need to publish your domain's DKIM record — Emitlo handles the platform key automatically.
DMARC: setup and policy progression
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when an email fails SPF or DKIM authentication.
Step 1: Start with monitoring (p=none)
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
Monitor for 2–4 weeks. Review DMARC reports to identify all legitimate email sources.
Step 2: Quarantine (p=quarantine)
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]"
Start with pct=25 (apply to 25% of failing emails). Increase gradually to 100%.
Step 3: Reject (p=reject)
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
The strongest policy. Unauthenticated emails are rejected entirely. Only move here once you're confident all legitimate senders are authenticated.
Testing your setup
MXToolbox
Check SPF, DKIM, and DMARC records. Identify configuration errors.
Mail-Tester
Send a test email and get a spam score with detailed authentication results.
DMARC Analyzer
Parse and visualize DMARC reports.
Google Postmaster Tools
Monitor your domain reputation and authentication rates with Gmail.
Common mistakes
✗ Multiple SPF records
Fix: You can only have one SPF record per domain. Combine all includes into a single record.
✗ Exceeding SPF lookup limit (10)
Fix: Use SPF flattening to reduce the number of DNS lookups.
✗ DKIM key too short
Fix: Use RSA 2048-bit keys minimum. 1024-bit keys are considered insecure.
✗ DMARC without SPF/DKIM alignment
Fix: DMARC requires that the domain in SPF/DKIM matches the From header domain. Check alignment in your DMARC reports.
✗ Jumping straight to p=reject
Fix: Always start with p=none, review reports, then progress to quarantine, then reject.
Automatic setup with Emitlo
Emitlo automates the entire authentication setup process:
- ✓ Generates RSA 2048-bit DKIM keys for your domain
- ✓ Publishes DKIM DNS records automatically
- ✓ Validates your SPF record and suggests corrections
- ✓ Checks your DMARC policy and provides recommendations
- ✓ Signs every email with double DKIM (domain key + platform key)
- ✓ Monitors authentication rates in real time
Setup takes under 10 minutes. No manual DNS debugging required.