If your invoices land in spam, or someone spoofed your domain to phish a customer, this is the fix. SPF, DKIM, and DMARC are three DNS records that prove your email is really from you. Mail providers check them on every message, and domains without them get treated as suspects.
Plain-English versions of the three:
- SPF lists which servers are allowed to send mail for your domain.
- DKIM puts a cryptographic signature on each message so receivers can verify it wasn't altered.
- DMARC tells receivers what to do when a message fails those checks: nothing, quarantine it, or reject it. It also sends you reports.
Prerequisites
- Access to your domain's DNS (wherever your domain is hosted: Cloudflare, GoDaddy, Namecheap, etc.)
- Knowing who sends mail as your domain: your mail provider (Microsoft 365 or Google Workspace), plus anything else like a newsletter tool, CRM, or invoicing app
That second list matters. Every legitimate sender you forget will start failing checks once DMARC tightens up.
Step 1: Publish your SPF record
SPF is a single TXT record on your bare domain. For Microsoft 365:
Type: TXT
Host: @
Value: v=spf1 include:spf.protection.outlook.com -all
For Google Workspace:
Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all
Extra senders get added as more include: entries before the all. Two rules: you get exactly one SPF record per domain (multiple records break validation), and you're limited to 10 DNS lookups total, so don't stack includes you don't need.
Step 2: Turn on DKIM signing
DKIM keys live with your mail provider, and you enable signing there:
- Microsoft 365: in the Defender portal, go to Email authentication settings, select your domain, and enable DKIM. It gives you two CNAME records (
selector1._domainkeyandselector2._domainkey) to add in DNS first. - Google Workspace: in the Admin console under Apps → Google Workspace → Gmail → Authenticate email, generate the key, add the TXT record it gives you at
google._domainkey, then click Start authentication.
Each third-party sender (Mailchimp, HubSpot, QuickBooks, and the like) has its own DKIM setup page with its own records. Do those too.
Step 3: Start DMARC in monitor mode
Don't jump straight to blocking. Publish DMARC in monitor-only mode first:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
p=none means "check everything, block nothing, send me reports." The reports land at the rua address as XML summaries showing every server sending mail as your domain, and whether it passes.
Step 4: Read the reports for two weeks
Raw DMARC reports are unreadable XML; run them through a free parser (Postmark's DMARC digest or dmarcian's free tier both work). You're looking for one thing: legitimate senders that are failing. Usually it's a forgotten tool someone in the office signed up for. Add its SPF include or DKIM record and watch it flip to passing.
Step 5: Tighten the policy
Once two weeks of reports show only your real senders passing, turn the lock:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Run p=quarantine (failures go to spam) for a few more weeks, then finish at p=reject, where spoofed mail is refused outright. That's the end state: nobody can send as your domain except you.
Verify it
Send a message to a Gmail address, open it, and choose Show original. You want three lines: SPF: PASS, DKIM: PASS, DMARC: PASS. Free checkers like MXToolbox will also read your records and flag mistakes.
Stuck on this, or want it done for you? That's the job.
Email us →