SPF, DKIM & DMARC — Email DNS Authentication
spf dkim dmarc dns · email authentication records · spf record check · dmarc txt record
How SPF, DKIM, and DMARC TXT records work together, example strings, alignment basics, and verifying mail authentication with DNS Checker.
By DN01 Network Team
Modern deliverability depends on three TXT-based standards: SPF lists who may send mail for your domain, DKIM signs messages cryptographically, and DMARC tells receivers how to handle failures and where to send aggregate reports.
Publish all three after onboarding Google Workspace, Microsoft 365, or any SMTP relay. Verify live values with the DNS Checker, then monitor reputation with the Blacklist Checker if bulk mail suddenly starts being deferred.
SPF (Sender Policy Framework)
An SPF TXT record at the apex commonly looks like `v=spf1 include:_spf.google.com ~all`. Mechanisms include ip4, ip6, a, mx, include, and all, each optionally prefixed by a qualifier: + (pass, the default), - (fail), ~ (softfail), ? (neutral). Hard fail (-all) is stricter than soft fail (~all), which only marks unlisted senders as suspect instead of asking receivers to reject them.
Publish only one SPF TXT record per name: two records starting with v=spf1 give receivers a permerror, so merge includes instead of adding a second record. RFC 7208 defines the syntax and the limits, chiefly a maximum of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) per evaluation, counted through every nested include; ip4, ip6, and all cost nothing.
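The two checks above (a single v=spf1 record per name, and the ten-lookup limit that the FAQ returns to below) in working form. This is an added example written for this page, not DN01's tooling or any provider's code: it parses one SPF string, counts the mechanisms and modifiers that cost a DNS query, flags unknown or malformed terms, and reports when more than one SPF record sits among a name's TXT answers. It does not fetch nested includes, so the count covers only the record given; the sample records are constructed and nothing is resolved.

```python
"""Validate an SPF TXT record offline and count its DNS-querying terms.

Added example for this page, not code from DN01 or from any mail provider.
The sample records below are constructed and nothing is resolved; the
domains in them are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Terms that each cost one DNS query under RFC 7208 section 4.6.4; ip4, ip6
# and all are evaluated without a lookup. Receivers count includes
# recursively, which is why flattening matters.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
NEEDS_ARGUMENT = {"include", "ip4", "ip6", "exists"}
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MAX_LOOKUPS = 10

# mechanism: [qualifier]name[:value][/cidr]      modifier: name=value
MECH_RE = re.compile(r"([+\-~?]?)([a-z][a-z0-9]*)(?::([^/]*))?(/.*)?", re.I)
MOD_RE = re.compile(r"([a-z][a-z0-9_.-]*)=(.*)", re.I)


@dataclass
class SpfResult:
    valid: bool = True
    lookups: int = 0
    all_qualifier: Optional[str] = None   # "-" hard fail, "~" soft fail, "?" neutral, "+" pass
    errors: List[str] = field(default_factory=list)    # receivers return permerror
    warnings: List[str] = field(default_factory=list)  # legal but usually unintended


def parse_spf(record: str) -> SpfResult:
    """Parse one SPF record string (this record only; includes are not fetched)."""
    res = SpfResult()
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        res.valid = False
        res.errors.append("record does not start with v=spf1")
        return res
    for term in parts[1:]:
        if res.all_qualifier is not None:
            res.warnings.append(f"term after 'all' is never evaluated: {term}")
        mod = MOD_RE.fullmatch(term)
        if mod:  # redirect=... or exp=...
            if mod.group(1).lower() in LOOKUP_TERMS:
                res.lookups += 1
            continue
        mech = MECH_RE.fullmatch(term)
        if not mech:
            res.errors.append(f"unparseable term: {term}")
            continue
        qualifier, name, value, _cidr = mech.groups()
        name = name.lower()
        if name not in KNOWN_MECHANISMS:
            res.errors.append(f"unknown mechanism: {name}")
            continue
        if name in NEEDS_ARGUMENT and not value:
            res.errors.append(f"{name} requires an argument")
        if name in LOOKUP_TERMS:
            res.lookups += 1
        if name == "all":
            res.all_qualifier = qualifier or "+"
    if res.lookups > MAX_LOOKUPS:
        res.errors.append(f"{res.lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    if res.all_qualifier is None:
        res.warnings.append("no 'all' mechanism: unmatched senders get neutral")
    elif res.all_qualifier == "+":
        res.warnings.append("+all authorizes every host on the internet")
    res.valid = not res.errors
    return res


def select_spf_record(txt_answers: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Pick the SPF record out of all TXT answers at a name. Exactly one may
    start with v=spf1; two or more is a permerror for receivers."""
    spf = [t for t in txt_answers if t.lower().startswith("v=spf1")]
    if len(spf) == 1:
        return spf[0], None
    if not spf:
        return None, "no SPF record published"
    return None, f"{len(spf)} SPF records published; merge them into one"


if __name__ == "__main__":
    # Constructed TXT answers for one name, as a resolver would return them.
    answers = ["google-site-verification=abc123", "v=spf1 include:_spf.google.com ~all"]
    record, problem = select_spf_record(answers)
    print(record, problem, parse_spf(record))
    # Eleven includes: legal syntax, but over the lookup limit.
    heavy = "v=spf1 " + " ".join(f"include:relay{i}.example.net" for i in range(11)) + " -all"
    print(parse_spf(heavy).errors)
```

Feed it the TXT strings you get from the DNS Checker or `dig`; an empty `errors` list with a `-all` or `~all` qualifier is what you want to see before moving DMARC past p=none.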
DKIM (DomainKeys Identified Mail)
DKIM publishes a public key in a TXT record at `selector._domainkey.example.com`, typically `v=DKIM1; k=rsa; p=<base64 public key>`. The selector comes from your mail provider and appears in the signature's s= tag, while the signing domain is in d=. Keys rotate: update DNS when the provider panel generates a new selector, and leave the old selector published until mail signed with it has stopped circulating.
Alignment means the d= domain matches the From header domain exactly (strict, adkim=s) or shares its organizational domain (relaxed, adkim=r, the default). A misaligned signature still verifies cryptographically but contributes nothing to the DMARC result.
DMARC (Domain-based Message Authentication)
DMARC lives at `_dmarc.example.com` as `v=DMARC1; p=none|quarantine|reject; rua=mailto:dmarc@example.com`. Start with p=none to collect aggregate reports, then tighten the policy.
DMARC passes when at least one of SPF or DKIM both passes and is aligned with the From header domain: SPF aligns on the MAIL FROM (Return-Path) domain, DKIM on the d= domain, so forwarded mail usually survives only through its DKIM signature. DMARC cannot be fixed without working SPF or DKIM, so configure authentication first.
Verification checklist
Query the apex TXT for SPF, the selector TXT for DKIM, and `_dmarc` for the policy. Send a test message to a mailbox that shows Authentication-Results headers and confirm spf=pass, dkim=pass, and dmarc=pass with the expected domains (smtp.mailfrom and header.d). Re-check after the old TTL has expired when rotating keys.
Use `dig` with type TXT (for example `dig +short TXT s1._domainkey.example.com`) if you need raw multi-string answers for ticket attachments; long DKIM keys come back as several quoted strings that the receiver concatenates.
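Alignment and the DMARC verdict, including reading the Authentication-Results header from the test mailbox, as an added example written for this page (not DN01's or any receiver's code). It assumes the organizational domain is the last two labels (real receivers use the Public Suffix List, so example.co.uk would be handled differently), ignores pct sampling, treats the record as the organizational domain's so that sp= governs subdomain From addresses, and uses only the first spf= and dkim= clauses of the header; the header and record strings are constructed.

```python
"""Evaluate DMARC alignment and disposition for one message, offline.

Added example for this page; not code from DN01 or from any receiver.
Inputs are constructed: a DMARC record string and the results a receiver
has already computed for SPF and DKIM, either given directly or parsed
from an Authentication-Results header. Assumption: the organizational
domain is taken as the last two labels; real receivers consult the
Public Suffix List.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class AuthResults:
    from_domain: str       # RFC5322.From header domain (what DMARC aligns to)
    spf_result: str        # pass / fail / softfail / none ...
    mail_from_domain: str  # RFC5321.MailFrom (Return-Path) domain SPF was checked against
    dkim_result: str       # pass / fail / none
    dkim_domain: str       # d= tag of the verified signature


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=...; tag=value' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 first and a p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(fqdn: str) -> str:
    # Assumption (see module docstring): last two labels, no Public Suffix List.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_auth_results(header: str, from_domain: str) -> AuthResults:
    """Build AuthResults from an Authentication-Results header (RFC 8601 layout).
    First spf= and dkim= clauses win; multiple signatures are not modeled."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    spf_res, mail_from, dkim_res, dkim_d = "none", "", "none", ""
    for clause in [c.strip() for c in body.split(";")[1:] if c.strip()]:  # [0] is the authserv-id
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if method == "spf" and spf_res == "none":
            spf_res, mail_from = result, props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
        elif method == "dkim" and dkim_res == "none":
            dkim_res, dkim_d = result, props.get("header.d", "")
    return AuthResults(from_domain, spf_res, mail_from, dkim_res, dkim_d)


def evaluate_dmarc(record: str, r: AuthResults) -> Dict[str, object]:
    """DMARC passes if SPF or DKIM both passed and is aligned with the From domain.
    pct sampling is not modeled; the record is assumed to be the organizational
    domain's, so sp= applies when the From domain is a subdomain."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    is_subdomain = org_domain(r.from_domain) != r.from_domain.lower().rstrip(".")
    policy = tags["sp"] if is_subdomain else tags["p"]
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy}


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    # Constructed header from a test mailbox: the mail was forwarded through
    # another host, so SPF fails on the forwarder's domain but the aligned
    # DKIM signature survives and DMARC still passes.
    header = ("Authentication-Results: mx.example.org; dkim=pass header.d=example.com header.s=s1;"
              " spf=fail smtp.mailfrom=forwarder.net")
    print(evaluate_dmarc(record, parse_auth_results(header, "example.com")))
```

The case that bites most teams is the third one in the tests: a marketing platform that passes SPF on its own bounce domain and signs with its own d= passes both checks individually yet fails DMARC, because neither domain aligns with the From header.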
| Standard | Location | Example snippet |
|---|---|---|
| SPF | example.com TXT | v=spf1 include:send.example.net -all |
| DKIM | s1._domainkey.example.com TXT | v=DKIM1; k=rsa; p=MIGfMA0G... |
| DMARC | _dmarc.example.com TXT | v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com |
Frequently asked questions
- Can SPF and DKIM both fail but mail still delivers?
Yes. Receivers may still accept the message, usually with a higher spam score; the published DMARC policy decides whether an aligned failure leads to quarantine or reject.
- How many SPF includes are too many?
More than ten DNS-querying terms during SPF evaluation is a permerror under RFC 7208, and the count includes every nested include. Remove unused includes, flatten the rest to ip4/ip6 entries, or use SPF macros carefully.
- Do I need DMARC on day one?
Publish p=none with reporting first. Move to quarantine/reject once SPF and DKIM align reliably.
- Where does BIMI fit?
BIMI is optional branding layered on DMARC: it requires an enforcing policy (p=quarantine at pct=100 or p=reject) plus a verified mark certificate, and is out of scope for basic setup.