SPF, DKIM & DMARC Setup Guide 🔥 (Easy Steps)

✅ What Are SPF, DKIM & DMARC?

Before setting them up, let’s quickly understand what SPF, DKIM, and DMARC do:

🔹 SPF (Sender Policy Framework)

SPF tells email servers which IP addresses or mail servers are allowed to send emails on behalf of your domain.

📌 Example: If you send emails using Amazon WorkMail, your SPF record should include Amazon’s mail servers.

🔹 DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your emails, proving that the email is legitimate and wasn’t modified in transit.

📌 Example: Amazon WorkMail provides a DKIM key that needs to be added to your domain’s DNS.

🔹 DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receiving email servers how to handle emails that fail SPF and DKIM checks. It also provides reports about email authentication activity.

📌 Example: If an email fails SPF/DKIM, DMARC can either reject, quarantine, or allow the email.

🔧 How to Set Up SPF, DKIM & DMARC (Step-by-Step)

🛠️ Step 1: Add SPF Record

SPF records are added as a TXT record in your domain’s DNS settings.

🔹 SPF Record Format:

v=spf1 include:amazonses.com -all

👉 This allows Amazon SES/WorkMail to send emails on behalf of your domain.

📌 How to Add SPF in DNS:

Log in to your Domain DNS Manager (e.g., GoDaddy, Cloudflare, Namecheap).
Go to DNS Settings → Select Add Record → Choose TXT Record.
Name/Host: @ (or your domain name).
Value: v=spf1 include:amazonses.com -all
Save and wait for DNS propagation (can take up to 24 hours).

✅ Test SPF Record: Use MXToolbox SPF Checker to verify your SPF setup.

🛠️ Step 2: Add DKIM Record

DKIM records are provided by your email service (Amazon WorkMail, Google Workspace, etc.).

📌 How to Get Amazon WorkMail DKIM Keys:

Go to AWS Console → Open Amazon WorkMail.
Navigate to Domains → Click on your domain.
Find the DKIM Settings and copy the three CNAME records provided.

📌 How to Add DKIM in DNS:

Open your DNS Manager.
Add three CNAME records as provided by Amazon WorkMail.
Save changes and wait for DNS propagation.

✅ Test DKIM Record: Use DKIM Validator to check if DKIM is working.

🛠️ Step 3: Add DMARC Record

DMARC tells mail servers what to do when SPF or DKIM fails.

🔹 Basic DMARC Record (Recommended):

v=DMARC1; p=none; rua=mailto:[email protected]

👉 This record monitors email authentication but doesn’t block failed emails yet.

🔹 Stronger DMARC Record (For Higher Security):

v=DMARC1; p=quarantine; rua=mailto:[email protected]

👉 This quarantines suspicious emails, reducing spoofing risks.

📌 How to Add DMARC in DNS:

Go to DNS Manager.
Add a TXT record:
- Name/Host: _dmarc.yourdomain.com
- Value: v=DMARC1; p=none; rua=mailto:[email protected]
Save changes and wait for DNS propagation.

✅ Test DMARC Record: Use DMARC Analyzer to verify your setup.

🚀 Best Practices for Email Authentication

🔹 Use a Custom Tracking Domain – Avoid sending links with generic URLs.
🔹 Rotate SMTP Accounts – Avoid blacklisting by using multiple SMTP servers.
🔹 Monitor Email Reports – Regularly check SPF, DKIM, and DMARC logs for issues.
🔹 Gradually Increase Sending Limits – Warm up SMTP to prevent being flagged as spam.

🔚 Final Thoughts

Setting up SPF, DKIM, and DMARC is crucial for improving email deliverability and preventing spam. By following these simple steps, you ensure that your emails land in inboxes instead of the spam folder.

🚀 Key Takeaways:
✅ SPF prevents unauthorized email sending.
✅ DKIM adds a digital signature for authenticity.
✅ DMARC provides email authentication policies.

🔹 Need help? Drop your questions in the comments below! 🚀

🛡️ How to Set Up SPF, DKIM & DMARC for Secure Email Sending

Improve Email Deliverability by Setting Up SPF, DKIM, and DMARC Easily