Our Email Deliverability Guide explains what SPF, DKIM, and DMARC are and why they matter. This post is the hands-on companion: the exact DNS records you need to add, where to find them, and how to verify everything works. No theory, just steps.
Before you start, open two browser tabs: one for your email provider's admin console (Google Admin, Microsoft 365, etc.) and one for your domain registrar's DNS settings (GoDaddy, Cloudflare, Namecheap, etc.). You will be copying values from the first into the second.
Before You Begin: Run a Baseline Scan
Enter your domain into the MailScore scanner first. It takes 10 seconds and shows you exactly which records are missing or misconfigured. That way you know which sections below to focus on. If you already have a passing SPF record, skip to DKIM.
Step 1: Set Up SPF (2 Minutes)
SPF tells inbox providers which servers are allowed to send email from your domain. It is a single TXT record on your root domain.
Google Workspace
Log into your domain registrar's DNS settings and add this record:
- Type: TXT
- Host/Name: `@` (or leave blank — both mean the root domain)
- Value: `v=spf1 include:_spf.google.com ~all`
Microsoft 365
- Type: TXT
- Host/Name: `@`
- Value: `v=spf1 include:spf.protection.outlook.com ~all`
Multiple Sending Services
If you use additional services that send email (Mailchimp, SendGrid, HubSpot, etc.), add their `include:` entries to the same record. You must have exactly one SPF record per domain. For example:
v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all
Common SPF Includes by Provider
| Service | Include Value |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Amazon SES | include:amazonses.com |
| HubSpot | include:spf.hubspot.com |
| Salesforce | include:_spf.salesforce.com |
| Shopify | include:shops.shopify.com |
| Zendesk | include:mail.zendesk.com |
SPF Mistakes to Avoid
- Multiple SPF records. Your domain must have exactly one. If you already have an SPF record, edit it instead of adding a second one.
- More than 10 DNS lookups. Each `include:` counts as a lookup. If you exceed 10, SPF fails entirely. Use an SPF flattening service if you hit this limit.
- Using `+all`. This authorizes the entire internet to send as you. Always use `~all` (softfail) or `-all` (hardfail).
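An added example, not MailScore's scanner code: this script applies the three rules above to the TXT strings you would get back from `dig TXT yourdomain.com` (the sample records are constructed). It goes a little beyond the text in that it counts `a`, `mx`, `ptr`, `exists` and `redirect=` as lookups as well as `include:`, which is how RFC 7208 counts them; it only counts top-level terms and does not follow nested includes.

```python
import re

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
# The text above mentions include:, but a, mx, ptr, exists and redirect= count too.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_records(txt_records):
    """Return only the TXT strings that are SPF records."""
    return [r for r in txt_records if r.strip().lower().startswith("v=spf1")]


def count_lookups(record):
    """Count top-level lookup terms; nested includes are not followed."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, if any
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def all_qualifier(record):
    """Return the qualifier on 'all' ('+', '-', '~' or '?'), or None if absent."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term.lower())
        if m:
            return m.group(1) or "+"  # a bare 'all' means +all
    return None


def lint_spf(txt_records):
    """Return a list of findings for a domain's TXT records; empty means clean."""
    findings = []
    spf = spf_records(txt_records)
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    for rec in spf:
        n = count_lookups(rec)
        if n > 10:
            findings.append(f"{n} lookup terms exceed the limit of 10")
        if all_qualifier(rec) == "+":
            findings.append("'+all' lets any server on the internet send as you")
    return findings


# Constructed sample: a domain with a stray second SPF record that also
# uses +all, alongside an unrelated site-verification TXT record.
SAMPLE_TXT = [
    "google-site-verification=abc123",
    "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
    "v=spf1 include:sendgrid.net +all",
]
```

Running `lint_spf(SAMPLE_TXT)` reports both problems; fixing them means merging the two records into one and ending it with `~all` or `-all`.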
Step 2: Set Up DKIM (5 Minutes)
DKIM adds a cryptographic signature to your outgoing emails. Setup differs by provider because each one generates its own signing keys.
Google Workspace
- Go to Google Admin Console > Apps > Google Workspace > Gmail > Authenticate email
- Select your domain and click Generate New Record
- Choose 2048-bit key length (recommended — only use 1024 if your DNS provider truncates long TXT records)
- Leave the prefix selector as `google`
- Copy the generated TXT record value
- At your DNS provider, add a TXT record:
  - Host/Name: `google._domainkey`
  - Value: the `v=DKIM1; k=rsa; p=...` string you copied
- Wait for DNS propagation (usually 15 minutes to a few hours, up to 48)
- Return to Google Admin and click Start Authentication
Important: If you just enabled Google Workspace, wait 24-72 hours before generating DKIM keys — you may get an error otherwise.
Microsoft 365
Microsoft uses CNAME records for DKIM, not TXT records. You need two of them.
- Go to Microsoft Defender > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM
- Select your custom domain
- Microsoft will display two CNAME records you need to create. They look like:
  - Host: `selector1._domainkey` → Points to: `selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com`
  - Host: `selector2._domainkey` → Points to: `selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com`
- Add both CNAME records at your DNS provider
- Return to the Defender portal and enable the DKIM toggle
Other Email Services
Every email service that sends on your behalf (Mailchimp, SendGrid, Postmark, etc.) has its own DKIM setup. The process is always the same: find the DKIM settings in the service's admin panel, copy the DNS record they give you, and add it at your registrar. Each service uses its own selector, so multiple DKIM records can coexist on one domain.
DKIM Mistakes to Avoid
- Forgetting to click "Start Authentication" (Google) or enable the toggle (Microsoft). Adding the DNS record is only half the job.
- Confusing TXT and CNAME. Google uses TXT records, Microsoft uses CNAME records. Using the wrong type will silently fail.
- Using 1024-bit keys. 2048-bit is the standard in 2026. Use it unless your DNS provider physically cannot store records that long.
Step 3: Set Up DMARC (2 Minutes)
DMARC tells inbox providers what to do when SPF or DKIM fails. It also lets you receive reports about who is sending email as your domain. DMARC is the same regardless of your email provider — it is purely a DNS record.
Start With Monitoring Mode
Add this TXT record at your DNS provider:
- Type: TXT
- Host/Name: `_dmarc`
- Value: `v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com`
Replace dmarc-reports@yourdomain.com with an email address where you want to receive reports. Use a dedicated address — do not use your personal inbox, because DMARC reports are XML files and you may get dozens per day.
The Three DMARC Policies
- `p=none` — Monitor only. No emails are blocked. Start here.
- `p=quarantine` — Failing emails go to spam. Move here after 2-4 weeks of clean reports.
- `p=reject` — Failing emails are rejected entirely. The gold standard. Move here when you are confident all legitimate senders pass.
Recommended Timeline
- Weeks 1-4: `p=none` — collect reports, identify any senders you missed in SPF/DKIM
- Weeks 5-8: `p=quarantine; pct=25` — start quarantining 25% of failing mail, then increase to 50%, 75%, 100%
- Week 9+: `p=reject` — full protection
The pct= tag lets you roll out gradually. pct=25 means only 25% of failing emails get quarantined while you monitor for false positives.
Parked or Unused Domains
If you own domains that do not send email, add v=DMARC1; p=reject immediately. There is no reason to monitor first — you know no legitimate email should come from them.
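An added example (not MailScore's code) covering the record format, the three policies and the `pct=` rollout above: a small parser that checks a DMARC TXT record for the mistakes that make receivers ignore it, and reports what share of failing mail the policy actually acts on. The sample records are constructed from the stages in the timeline.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return (ok, findings, enforced_pct) for a DMARC TXT record.

    enforced_pct is the share of failing mail the policy acts on:
    0 under p=none, otherwise the pct= value (default 100).
    """
    tags = parse_dmarc(record)
    findings = []
    # v=DMARC1 must be the first tag, exactly, or receivers ignore the record.
    if not record.strip().startswith("v=DMARC1"):
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append(f"p= must be none, quarantine or reject, got {policy!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"pct= must be 0-100, got {pct!r}")
        pct = "0"
    rua = tags.get("rua", "")
    if rua and not all(u.strip().startswith("mailto:") for u in rua.split(",")):
        findings.append("rua= addresses must be mailto: URIs")
    if policy == "none" and not rua:
        findings.append("p=none without rua= collects no reports to act on")
    enforced = 0 if policy == "none" else int(pct)
    return (not findings, findings, enforced)


# Constructed samples matching the rollout stages in the timeline above.
STAGE_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
STAGE_PARTIAL = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com"
STAGE_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com"
```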
Step 4: Verify Everything Works
After adding all three records, wait 15-30 minutes for DNS propagation, then:
- Run a MailScore scan on your domain. You should see green checks for SPF, DKIM, and DMARC.
- Send a test email to a Gmail address. Open the email, click the three dots, and select "Show original." Look for `spf=pass`, `dkim=pass`, and `dmarc=pass` in the headers.
- Check for multiple SPF records. Run `dig TXT yourdomain.com` or use an online DNS lookup. You should see exactly one record starting with `v=spf1`.
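For the "Show original" check above, here is an added example (not MailScore's code) that parses the Authentication-Results header Gmail displays and confirms that all three methods report pass. Both sample headers are constructed, not captured from a real mailbox; the second shows why a bare `spf=pass` is not enough: the mail was relayed by a third-party sender whose bounce domain is not your domain, so SPF passes but is not aligned, the DKIM signature failed, and DMARC therefore fails.

```python
import re


def parse_auth_results(header):
    """Return {method: {'result': ..., 'ptype.prop': value, ...}} from one
    Authentication-Results header as shown by Gmail's "Show original"."""
    # Unfold continuation lines, then drop the header name.
    text = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    text = re.sub(r"^Authentication-Results:\s*", "", text, flags=re.I)
    # Remove comments like "(google.com: domain of ...)" before splitting on
    # ';', because a comment may itself contain a semicolon.
    text = re.sub(r"\([^)]*\)", "", text)
    segments = [s.strip() for s in text.split(";") if s.strip()]
    results = {}
    for seg in segments[1:]:  # segments[0] is the authserv-id (mx.google.com)
        tokens = seg.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            prop, _, value = tok.partition("=")
            entry[prop.lower()] = value
        results[method.lower()] = entry
    return results


def all_pass(header, methods=("spf", "dkim", "dmarc")):
    """True only when every expected method is present and reports 'pass'.
    A method that is missing entirely (e.g. no dkim=) counts as a failure,
    since that is what an unsigned message looks like."""
    parsed = parse_auth_results(header)
    return all(parsed.get(m, {}).get("result") == "pass" for m in methods)


# Constructed sample headers. SAMPLE_PASS is what a correctly configured
# Google Workspace domain should produce (selector "google" as set up above).
SAMPLE_PASS = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=google header.b=abcd1234;
       spf=pass (google.com: domain of alice@yourdomain.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=alice@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com"""

# SAMPLE_FAIL: SPF passes for the relay's own bounce domain (not aligned with
# header.from), the DKIM signature does not verify, so DMARC fails.
SAMPLE_FAIL = """Authentication-Results: mx.google.com;
       dkim=fail header.i=@yourdomain.com header.s=google header.b=abcd1234;
       spf=pass smtp.mailfrom=bounces@mail.example.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com"""
```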
Quick-Reference: All Three Records
Google Workspace
| Protocol | Type | Host | Value |
|---|---|---|---|
| SPF | TXT | @ | v=spf1 include:_spf.google.com ~all |
| DKIM | TXT | google._domainkey | v=DKIM1; k=rsa; p=<from Admin Console> |
| DMARC | TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com |
Microsoft 365
| Protocol | Type | Host | Value |
|---|---|---|---|
| SPF | TXT | @ | v=spf1 include:spf.protection.outlook.com ~all |
| DKIM | CNAME | selector1._domainkey | selector1-<domain>._domainkey.<tenant>.onmicrosoft.com |
| DKIM | CNAME | selector2._domainkey | selector2-<domain>._domainkey.<tenant>.onmicrosoft.com |
| DMARC | TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com |
What Comes After Setup
Setting up SPF, DKIM, and DMARC is not a one-time task. Your email authentication can break silently when you add a new sending service, change email providers, or let a DKIM key expire. The businesses that avoid deliverability problems are the ones that monitor their records continuously.
MailScore's paid plans ($9/month and up) scan your domain daily or weekly and send you an alert the moment your score drops or a record breaks. That way you find out before your customers do.