- At the domain level
- At the email inbox level
- At the email level (specifically, what you write in your emails)
- SPF
- DKIM
- DMARC
Setting up SPF
SPF stands for Sender Policy Framework. It designates which mail servers are permitted to send emails from your domain. It’s why you can’t spoof your email to send from tim@apple.com: you aren’t permitted to send from that email and domain.
Good news: SPF takes just a couple minutes to set up.
All of the next steps happen from your DNS settings. You’ll find these wherever you purchased your domain (for example, if you bought your domain from GoDaddy, go to their website to find the DNS settings for your domain).
1. Identify your mail servers.
List all the servers and services that send emails on behalf of your domain. This includes your own mail servers, third-party email services (like Google Workspace, Office 365), and any other services (like marketing or support ticket platforms).
2. Create your SPF record.
Add a TXT record in your DNS.
- In the Name/Host/Destination field, enter @ or leave it blank (depending on the DNS provider).
- In the Value/Answer/Destination field, enter your SPF record.
v=spf1 include:_spf.google.com ~all
What does this mean?
- v=spf1 indicates the SPF version
- include:_spf.google.com tells mail servers to trust email sent by Google
- ~all means all other sources should soft-fail (flagged but not rejected)
Emails sent with Za-zu use your email provider (Gmail, Outlook, etc.) directly. So your SPF record only needs your provider. No extra IPs or domains.
v=spf1 include:_spf.google.com include:spf.mtasv.net include:mailgun.org ~all
3. Validate that the SPF record is set up correctly using Fraudmarc’s SPF lookup.
4. Monitor and adjust.
If you add a new mail service and don’t add it to your SPF, its emails will be blocked. You’ll be able to see this in your DMARC report (more on that below). If you add new email services or change IP addresses, update your SPF record accordingly.
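A local pre-publish check for steps 2 to 4, as an added example that is not from the original article: it goes beyond the article's text by also checking RFC 7208's rules that a domain may publish only one SPF record and that a check may use at most 10 DNS-lookup terms. The function name `lint_spf` and the records marked as constructed are assumptions made for illustration.

```python
import re

# Terms that each cost the receiver one DNS lookup; RFC 7208 allows 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:([:=/]).*)?$")

def lint_spf(txt_values):
    """Lint the TXT values published at a domain root; return a list of problems.

    Syntax-level only: lookups inside included records are not resolved or counted.
    """
    records = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return [f"expected exactly one v=spf1 record, found {len(records)}"]
    problems, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in records[0].split()[1:]:
        match = TERM_RE.match(term.lower())
        if not match:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name, sep = match.group(1) or "+", match.group(2), match.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        if sep == "=":  # modifier such as redirect= or exp=; position is irrelevant
            has_redirect = has_redirect or name == "redirect"
        elif all_qualifier is not None:
            problems.append(f"{term} comes after 'all' and is never evaluated")
        elif name == "all":
            all_qualifier = qualifier
    if all_qualifier is None and not has_redirect:
        problems.append("no 'all' term, so unlisted senders get a neutral result")
    elif all_qualifier == "+":
        problems.append("+all authorizes every sender")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems

# The two records shown in the article, plus constructed mistakes.
PAGE_SINGLE = "v=spf1 include:_spf.google.com ~all"
PAGE_MULTI = "v=spf1 include:_spf.google.com include:spf.mtasv.net include:mailgun.org ~all"
# Constructed: a second record published for a new service instead of merging it.
SPLIT = [PAGE_SINGLE, "v=spf1 include:mailgun.org ~all"]
# Constructed: the new service appended after ~all.
MISORDERED = ["v=spf1 include:_spf.google.com ~all include:mailgun.org"]

if __name__ == "__main__":
    for values in ([PAGE_SINGLE], [PAGE_MULTI], SPLIT, MISORDERED):
        print(values, "->", lint_spf(values) or "ok")
```

Both constructed mistakes are typical of step 4: when a new sending service is added, its include belongs inside the single existing record, before the `all` term.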
Setting up DKIM
DKIM stands for DomainKeys Identified Mail. It’s a type of authentication that confirms your email hasn’t been altered between your desk and hitting your recipient’s inbox. Like SPF, setting up DKIM is simple. Just follow these steps:
1. Generate a DKIM key pair.
- Use a DKIM generator tool (there are plenty online) to create a public/private key pair. Your email service provider may offer this tool or service.
- The private key will be used by your sending mail server to sign outgoing emails.
- The public key will be published in your DNS records for recipient servers to verify the signature.
2. Add a new TXT record for DKIM.
- The Name/Host/Alias field should be something like selector._domainkey where selector is a unique name for this particular DKIM record.
- The Value/Answer/Destination field will hold your public key. The format generally looks like this:
Setting up DMARC
DMARC stands for Domain-Based Message Authentication, Reporting, and Conformance. This helps email receivers understand what to do with emails based on SPF and DKIM checks. Without DMARC, email service providers are not sure how you want them to handle SPF or DKIM fails from your domain. DMARC will run a series of checks when an email is received, and will either do nothing, quarantine the email, or reject the email.
1. Add a TXT record in your DNS.
- In the Name/Host/Alias field, enter _dmarc. Your domain will be automatically appended in most cases.
- In the Value/Answer/Destination field, create your DMARC record. It typically looks like this:
- v=DMARC1 specifies the DMARC version
- p=none sets the policy. Other options are quarantine or reject. Start with none for monitoring purposes and move to a stricter policy as you gain confidence in your SPF and DKIM records.
- rua is where aggregate reports are sent. Replace youremail@yourdomain.com with either your actual email or a Postmark DMARC monitoring email. We recommend the latter because DMARC reports are quite technical, and Postmark does a great job translating things.