How to set up SPF, DKIM, and DMARC for your business?

Setting up SPF, DKIM, and DMARC is important for a number of reasons, but particularly to avoid your business’ reputation being tarnished by successful phishing attacks attempted in your name. A recent survey found that 91% of phishing and spam emails are sent via Gmail accounts. If your domain is aligned well with SPF, DKIM, DMARC, recipients’ mailboxes will filter fraudulent emails and won’t let them land in the inbox. In this blog, we dig into more detail about the process.

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are email authentication protocols that require sending and receiving servers to cooperate and coordinate. They verify if the sender is actually who they are claiming to be to prevent impersonation attacks. Cybercriminals impersonate bosses, employees, third-party vendors, etc. and request that the recipient shares sensitive information such as financial details, contact details, social security numbers, medical reports, etc. This information is then exploited to make purchases, transfer money, steal or intercept business strategies, win over professional rivalry – the list goes on. 

What is SPF in Email?

SPF stands for Sender Policy Framework, and is a way for a domain to enlist all the IP addresses allowed to send emails. 

Sender Policy Framework is also referred by mail clients to determine whether to show messages with unknown senders or not. To prevent phishing attacks, an SPF record is required which defines mail servers permitted to send emails on behalf of your domain.

An SPF lookup tool diagnoses your record to highlight errors that might be hindering your email’s performance. 

What is DKIM?

DKIM stands for DomainKeys Identified Mail and is based on the concept of cryptography. DKIM signed emails are emails that have been signed with a digital signature, and this digital signature is used by receiving systems to verify the authenticity and integrity of the email. 

DKIM consists of a public and a private key pair. The private key is used by a given email service – for example Salesforce – to DKIM-sign your emails, and the public key is published in the DNS, in the form of a TXT or CNAME record. The public key is used by recipients to validate the email. If you’re wondering where you would find the required DKIM records to publish in the DNS, it would be on the actual system that will send emails on your behalf, in this case Salesforce. 

You can use an online DKIM tool to perform a lookup against your domain name and DKIM selector for an error-free and properly published DKIM record.

What is a DKIM Selector?

DKIM selector is part of a DKIM record that lets you publish more than one DKIM key for your domain. The selector is what distinguishes the email sending services that you use to send emails from your domain from one another. It is also used when doing a DKIM record lookup.  

No two DKIM records can use the same selector. For example, if you use Office 365 to send emails, your DKIM selectors will be ‘selector1’ and ‘selector2’, and if you introduce another system to send emails on your behalf, you will need to give it different selector names. 

How to Check SPF, DKIM, and DMARC?

It’s important to have visibility of what your SPF, DKIM, and DMARC setup looks like and how it can be improved. To do this, use our free investigate tool below. 

Does DMARC Require Both SPF and DKIM?

DMARC doesn’t require both SPF and DKIM, it can be configured with just either of the protocols. However, implementation of all three protocols, i.e., SPF, DKIM, DMARC, is encouraged because a multilayered security approach strongly combats phishing and spamming.

If you deploy DMARC without DKIM and have only SPF in place, then DKIM checks will always fail and DMARC verification results are up to SPF check and SPF identifier alignment. In such conditions, genuine emails sent from your domain will fail DMARC when forwarded. This happens as the intermediate server addresses aren’t listed in the SPF record, which causes SPF to fail and therefore DMARC.

On the other hand, when you implement only DKIM, the Sender Policy Framework checks will always fail and the results will be based on DKIM identifier alignment.

How to Set Up SPF, DKIM, and DMARC?

Now that you know what SPF, DKIM, and DMARC are, let’s focus on understanding how to set them up.

General SPF Setup

  1. Create your SPF record.
  2. Login to your DNS and go to the management console for your domain host.
  3. Find the option to update the DNS TXT record for your domain. Enter Type, Host, Value, and TTL values.

You’re done. The settings will be updated in 72 hours.

General DKIM Setup

Start by logging into the email sending service that you would like to use. There should typically be an Authentication section where you can go and generate the required DKIM records to publish in your DNS. 

General DMARC Setup

Create a DMARC record by choosing the appropriate policy, typically a policy of p=none to begin with. Copy the TXT record to the clipboard and paste it on your DNS.

All this becomes even easier by using OnDMARC, our award-winning cloud-based application. It lets you automate business email protection by configuring SPF, DKIM, DMARC in just a few weeks.

Configure SPF, DKIM, and DMARC with OnDMARC 

SPF, DKIM, and DMARC are essential email security protocols which protect your domain from exact domain impersonation. It’s vital to ensure these records are error-free otherwise the protocols won’t function properly. Our investigate tool helps you with this. All you need to do is send an email and we’ll reveal complete insights into your email security.

But if you want to go a step further and ensure full protection against domain spoofing, you can also easily configure your SPF, DKIM, and DMARC records with Red Sift’s OnDMARC.


Faisal Misle

26 Apr. 2023



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more