← ALL POSTS
IT SUPPORT & MANAGED SERVICES STEP-BY-STEP GUIDE

Set up SPF, DKIM, and DMARC records that actually pass

If your invoices land in spam, or someone spoofed your domain to phish a customer, this is the fix. SPF, DKIM, and DMARC are three DNS records that prove your email is really from you. Mail providers check them on every message, and domains without them get treated as suspects.

Plain-English versions of the three:

Prerequisites

That second list matters. Every legitimate sender you forget will start failing checks once DMARC tightens up.

Step 1: Publish your SPF record

SPF is a single TXT record on your bare domain. For Microsoft 365:

Type: TXT
Host: @
Value: v=spf1 include:spf.protection.outlook.com -all

For Google Workspace:

Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all

Extra senders get added as more include: entries before the all. Two rules: you get exactly one SPF record per domain (multiple records break validation), and you're limited to 10 DNS lookups total, so don't stack includes you don't need.

Step 2: Turn on DKIM signing

DKIM keys live with your mail provider, and you enable signing there:

  1. Microsoft 365: in the Defender portal, go to Email authentication settings, select your domain, and enable DKIM. It gives you two CNAME records (selector1._domainkey and selector2._domainkey) to add in DNS first.
  2. Google Workspace: in the Admin console under Apps → Google Workspace → Gmail → Authenticate email, generate the key, add the TXT record it gives you at google._domainkey, then click Start authentication.

Each third-party sender (Mailchimp, HubSpot, QuickBooks, and the like) has its own DKIM setup page with its own records. Do those too.

Step 3: Start DMARC in monitor mode

Don't jump straight to blocking. Publish DMARC in monitor-only mode first:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

p=none means "check everything, block nothing, send me reports." The reports land at the rua address as XML summaries showing every server sending mail as your domain, and whether it passes.

Step 4: Read the reports for two weeks

Raw DMARC reports are unreadable XML; run them through a free parser (Postmark's DMARC digest or dmarcian's free tier both work). You're looking for one thing: legitimate senders that are failing. Usually it's a forgotten tool someone in the office signed up for. Add its SPF include or DKIM record and watch it flip to passing.

Step 5: Tighten the policy

Once two weeks of reports show only your real senders passing, turn the lock:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Run p=quarantine (failures go to spam) for a few more weeks, then finish at p=reject, where spoofed mail is refused outright. That's the end state: nobody can send as your domain except you.

Verify it

Send a message to a Gmail address, open it, and choose Show original. You want three lines: SPF: PASS, DKIM: PASS, DMARC: PASS. Free checkers like MXToolbox will also read your records and flag mistakes.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
License management: stop paying for seats nobody uses Explainer
Google Workspace or Microsoft 365? How to pick Explainer
Asset tracking: know what you own and where it is Explainer
IT documentation: the cheapest insurance you can buy Explainer
Ransomware defense: the five layers that matter Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston