
DKIM, SPF, and DMARC: Complete Email Authentication Setup Guide

The definitive guide to authenticating your email domain — with exact DNS records, troubleshooting tips, and what to do when your emails still land in spam.

12 min read·Updated March 2026

TL;DR — the minimum you need

Add an SPF TXT record to your root domain, add a DKIM TXT record at selector._domainkey.yourdomain.com, and add a DMARC TXT record at _dmarc.yourdomain.com. Without all three, you'll have deliverability problems — especially on Gmail and Outlook.

In 2024, Google and Yahoo started enforcing email authentication requirements for bulk senders. In 2025 and 2026, the bar got even higher. If your domain isn't properly authenticated, your emails will be rejected or routed to spam — no matter how reputable your email provider is.

This guide walks through SPF, DKIM, and DMARC from first principles: what each record does, how to configure it, how to verify it's working, and how to debug when it isn't.

1. Why email authentication matters

Without authentication, anyone can send email claiming to be from yourcompany.com. That's the core problem email authentication solves — and why inbox providers care so much about it.

SPF, DKIM, and DMARC work together as a chain:

  • SPF — declares which servers can send email from your domain
  • DKIM — cryptographically signs each email so receivers can verify it wasn't tampered with
  • DMARC — ties SPF and DKIM together and tells receivers what to do with failures

Gmail's February 2024 requirements made SPF + DKIM + DMARC mandatory for anyone sending more than 5,000 emails/day to Gmail addresses. Yahoo followed suit. Today, even low-volume senders who skip authentication see reduced inbox placement.

2. SPF: Sender Policy Framework

SPF is a DNS TXT record that lists which IP addresses and services are allowed to send email on behalf of your domain. When a receiving server gets an email from [email protected], it looks up your SPF record and checks if the sending IP is on the authorized list.

Basic SPF record structure

DNS — TXT record on yourdomain.com
v=spf1 include:tinysend.co include:amazonses.com ip4:203.0.113.5 ~all

Breaking down each part:

v=spf1
Version tag — always spf1, required.
include:
Include another domain's SPF record. Your email provider will give you their include domain (e.g. include:tinysend.co).
ip4:
Authorize a specific IPv4 address. Use if you send from a server directly.
~all
Soft fail — mark unauthorized senders as suspicious but don't reject. Use -all (hard fail) once you're confident you've listed everything.

SPF lookup limit

SPF records can trigger at most 10 DNS lookups. Each include: counts as one lookup. If you chain multiple providers, you can hit this limit. Use a service like dmarcly.com to check your SPF lookup count.
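As an added example (not tinysend's code or part of the guide), the following Python counts the lookup-causing terms of a single SPF record and evaluates a sending IP against its ip4:/ip6: terms offline; it uses the record shown above as sample input and does not recurse into included records, whose lookups also count toward the same limit.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup under RFC 7208; the total is capped at 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the guide, used here as constructed sample input.
SAMPLE = "v=spf1 include:tinysend.co include:amazonses.com ip4:203.0.113.5 ~all"

def parse_spf(record: str) -> list:
    """Split an SPF TXT record into its terms; reject anything that is not spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    return terms[1:]

def count_lookups(record: str) -> int:
    """Count lookup-causing terms in one record. This does not recurse into the
    included records, whose own lookups also count towards the same limit of 10."""
    count = 0
    for term in parse_spf(record):
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count

def over_limit(record: str) -> bool:
    """True when this record alone already exceeds the 10-lookup limit (permerror)."""
    return count_lookups(record) > MAX_LOOKUPS

def check_ip(record: str, ip: str) -> str:
    """Evaluate ip against the ip4:/ip6: terms and the trailing 'all' qualifier.
    Terms that need DNS (include, a, mx, ...) are skipped, so this is an offline
    approximation of the check, not a full RFC 7208 check_host()."""
    addr = ipaddress.ip_address(ip)
    for term in parse_spf(record):
        qualifier = term[0] if term[0] in RESULTS else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            return RESULTS[qualifier]
        if body.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(body[4:], strict=False)
            if addr.version == net.version and addr in net:
                return RESULTS[qualifier]
    return "neutral"  # no 'all' term present: RFC default result
```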

3. DKIM: DomainKeys Identified Mail

DKIM uses public-key cryptography. Your email provider generates an RSA keypair. The private key signs outgoing emails; the public key is published in DNS. Receivers download the public key and verify the signature on every incoming message.

If the signature is valid, the email hasn't been tampered with since it left your server. If invalid or missing, the email is flagged or rejected depending on your DMARC policy.

DKIM record format

Your DKIM record goes at a subdomain, not the root. The format is selector._domainkey.yourdomain.com where "selector" is a name chosen by your email provider:

DNS — TXT record on ts1._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCi5bYcgFhHoz3nW7XI/KOoZpd4IHNRn/IYvPUwEW54/Y87iu6V7jXOcYFGwA==

v=DKIM1
DKIM version. Always DKIM1.
k=rsa
Key type. RSA is standard; ed25519 is newer but has less support.
p=...
The base64-encoded public key. Your email provider generates this — don't create it yourself.

Key rotation

Rotate DKIM keys every 6-12 months. Good email platforms handle this automatically. The selector prefix lets you have multiple active keys simultaneously during rotation.

4. DMARC: Domain-based Message Authentication

DMARC answers the question: "What should receiving servers do with email that fails SPF or DKIM?" It also requires that the domain in the From header aligns with the domain that passed SPF or DKIM — closing a spoofing gap that SPF/DKIM alone leave open.

DMARC record format

DNS — TXT record on _dmarc.yourdomain.com
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s

p=none
Monitor mode — take no action, just send reports. Start here.
p=quarantine
Send failing email to spam. Move here after 2-4 weeks of monitoring with no surprises.
p=reject
Block failing email entirely. The goal state — prevents spoofing of your domain.
rua=mailto:
Aggregate reports recipient. Receivers send XML reports summarizing authentication results. Parse with dmarcian or DMARC Analyzer.
adkim=s
Strict DKIM alignment — the DKIM domain must exactly match the From domain. Use r (relaxed) to allow subdomain matches.

Recommended rollout sequence

1. Week 1-2: p=none + rua
   Enable reporting. Review aggregate reports to see which services are sending on your behalf. Find anything unexpected.
2. Week 3-4: p=quarantine; pct=10
   Apply quarantine to 10% of failing mail. Watch for unexpected legitimate email getting caught. Expand SPF/DKIM if needed.
3. Week 5+: p=quarantine; pct=100
   Full enforcement. Monitor for another week, then consider moving to p=reject for maximum protection.
4. Goal: p=reject
   Full reject policy. Anyone spoofing your domain gets bounced. Your domain is now protected.

5. BIMI: Brand Indicators for Message Identification

BIMI is optional but worth knowing. It displays your brand logo next to your emails in Gmail, Apple Mail, and Yahoo. Requires DMARC at p=quarantine or p=reject first.

DNS — TXT record on default._bimi.yourdomain.com
v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/bimi-certificate.pem

6. Verifying your setup

After setting up your DNS records, verify them with these tools:

Command line

# Check SPF
dig TXT yourdomain.com +short
# Check DKIM
dig TXT selector._domainkey.yourdomain.com +short
# Check DMARC
dig TXT _dmarc.yourdomain.com +short

Online tools

  • MXToolbox — SPF, DKIM, DMARC lookup and validation
  • mail-tester.com — Send a test email and get a spam score
  • dmarcian — DMARC report parsing and monitoring
  • Google Postmaster Tools — Reputation data for Gmail delivery

The fastest way to verify everything is working: send an email to a Gmail account and look at the full message headers. In Gmail, click the three dots → "Show original". Look for:

Authentication-Results: mx.google.com;
  dkim=pass [email protected] header.s=ts1;
  spf=pass (google.com: domain of [email protected] designates 203.0.113.5 as permitted sender) [email protected];
  dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=yourdomain.com

All three should show pass. If any show fail, check the troubleshooting section below.

7. Troubleshooting common issues

SPF fail: "mechanism exceeded"

You've hit the 10-lookup limit. Audit your includes — remove any services you no longer use. Consider using SPF flattening (replace include: with resolved ip4: blocks) to reduce lookups, but note it requires manual updates when your providers change IPs.

DKIM fail: "no key for signature"

The DKIM TXT record is missing or not propagated yet. DNS changes can take up to 48 hours to propagate. Use dig TXT selector._domainkey.yourdomain.com @8.8.8.8 to check against Google's resolver specifically.

DMARC fail: "identifier alignment"

The From: header domain doesn't match the domain that passed SPF/DKIM. Common when you send from mail.yourdomain.com but have DMARC on yourdomain.com with strict alignment. Switch to relaxed alignment (adkim=r; aspf=r) or configure DMARC on the subdomain too.
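To make the alignment rule from section 4 and this troubleshooting case concrete, here is an added Python example (not tinysend's code or the guide's own) that parses a DMARC record and decides pass/fail from the From: domain and the domains that passed DKIM and SPF. It assumes the organizational domain is the last two labels, which is a simplification; real validators use the Public Suffix List.

```python
# DMARC record from the guide (adkim=s, aspf=s) with a constructed rua address.
STRICT = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"
RELAXED = "v=DMARC1; p=quarantine; adkim=r; aspf=r"

def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; ...' record (DMARC or DKIM) into a dict, tag names lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (an assumption of this
    example; real validators consult the Public Suffix List to handle e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') only
    needs the same organizational domain (mail.yourdomain.com vs yourdomain.com)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(record: str, from_domain: str,
                 dkim_pass_domain: str = "", spf_pass_domain: str = "") -> tuple:
    """DMARC passes when at least one of DKIM or SPF passed AND that identifier aligns
    with the From: domain. On failure the second element is the p= disposition.
    pct= sampling and the sp= subdomain policy are not modelled here."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if dkim_pass_domain and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r")):
        return ("pass", "dkim")
    if spf_pass_domain and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r")):
        return ("pass", "spf")
    return ("fail", tags.get("p", "none"))
```

With the strict record, mail sent From: mail.yourdomain.com whose DKIM signature is d=yourdomain.com fails with disposition quarantine; the same message passes under adkim=r.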

Still landing in spam despite passing auth

Authentication is necessary but not sufficient. Check your Google Postmaster Tools domain reputation. If it's "Bad" or "Low", you have a content or engagement problem. Common causes: high bounce rates, spam complaints, or sending to inactive lists. Authentication alone won't fix sender reputation issues.

8. Sending from subdomains

Best practice is to send transactional email from a subdomain, not your root domain:

mail.yourdomain.com
Transactional email (password resets, alerts, receipts)
news.yourdomain.com
Marketing / newsletters (keeps reputation separate)
yourdomain.com
Human-sent email from your team (never use for bulk)

Each subdomain needs its own SPF, DKIM, and DMARC records. DMARC on the parent domain covers subdomains by default (controlled by the sp= parameter). Set up SPF and DKIM on each sending subdomain separately.

Complete DNS setup for mail.yourdomain.com
# SPF — on mail.yourdomain.com
TXT "v=spf1 include:tinysend.co ~all"

# DKIM — on ts1._domainkey.mail.yourdomain.com
TXT "v=DKIM1; k=rsa; p=[your-public-key]"

# DMARC — on _dmarc.mail.yourdomain.com
TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"

# Or let parent DMARC handle subdomains:
# Add sp=quarantine to _dmarc.yourdomain.com

Let tinysend handle domain auth for you

tinysend guides you through SPF, DKIM, and DMARC setup with step-by-step DNS instructions and automatic verification. Connect your domain in minutes.
