Setting Up SPF, DKIM, and DMARC to Stop Spoofing
Email spoofing and phishing attacks are growing threats to businesses and individuals. Cybercriminals often forge email headers to make messages appear as if they come from a trusted source, tricking recipients into providing sensitive information or clicking malicious links.
To combat this, three critical email authentication protocols—SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance)—work together to secure your email and prevent spoofing.
This guide will walk you through setting up these records correctly and explain why ongoing monitoring is essential to maintain a secure email domain.
What Are SPF, DKIM, and DMARC?
SPF (Sender Policy Framework)
SPF is a DNS record that specifies which mail servers are allowed to send emails on behalf of your domain. If an email is sent from an unauthorized server, it can be flagged as suspicious or rejected.
Example SPF Record:
v=spf1 include:_spf.google.com ~all
- v=spf1 specifies the SPF version.
- include:_spf.google.com allows Google’s mail servers to send emails for your domain.
- ~all means emails from unauthorized servers are marked as “soft fail” (accepted but flagged). You can change it to -all to strictly reject unauthorized emails.
Common SPF Records for Popular Email Providers:
Email Provider / Service | SPF Record to Use |
Google Workspace (Gmail) | v=spf1 include:_spf.google.com ~all |
Microsoft 365 (Outlook, Exchange Online) | v=spf1 include:spf.protection.outlook.com ~all |
Zoho Mail | v=spf1 include:zoho.com ~all |
Yahoo Mail | v=spf1 include:_spf.mail.yahoo.com ~all |
Proton Mail | v=spf1 include:_spf.protonmail.ch ~all |
iCloud Mail (Apple Mail) | v=spf1 include:icloud.com ~all |
FastMail | v=spf1 include:spf.messagingengine.com ~all |
Amazon SES (Simple Email Service) | v=spf1 include:amazonses.com ~all |
SendGrid | v=spf1 include:sendgrid.net ~all |
Mailgun | v=spf1 include:mailgun.org ~all |
Postmark | v=spf1 include:spf.mtasv.net ~all |
Mandrill (Mailchimp SMTP Service) | v=spf1 include:spf.mandrillapp.com ~all |
HubSpot | v=spf1 include:spf.hubspotemail.net ~all |
Salesforce | v=spf1 include:_spf.salesforce.com ~all |
Infusionsoft (Keap) | v=spf1 include:infusionmail.com ~all |
Atlassian (Jira, Confluence, etc.) | v=spf1 include:_spf.atlassian.net ~all |
Google Cloud SMTP Relay | v=spf1 include:_spf.google.com ~all |
1&1 IONOS | v=spf1 include:_spf.perfora.net include:_spf.kundenserver.de ~all |
If your domain sends emails via multiple services, you can combine SPF records like this:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to your emails, allowing receiving mail servers to verify that messages haven’t been altered in transit.
Example DKIM Record (DNS TXT entry):
v=DKIM1; k=rsa; p=MIIBIjANBgkqh...
- v=DKIM1 specifies the DKIM version.
- k=rsa indicates the key type (RSA) used for the signature.
- p=MIIBIjANBgkqh… is the public key used for verification.
Your email provider (Google, Microsoft, etc.) will generate this DKIM record, which you must add to your domain’s DNS settings.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC tells receiving servers how to handle emails that fail SPF or DKIM checks. It also provides reporting so you can monitor potential spoofing attempts.
Example DMARC Record:
v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com;
- p=reject means emails that fail authentication should be completely blocked.
- rua specifies where to send aggregate reports on authentication failures.
Step-by-Step Guide to Setting Up SPF, DKIM, and DMARC
Step 1: Configure SPF
- Log in to your domain registrar (GoDaddy, Cloudflare, Namecheap, etc.).
- Locate the DNS Settings for your domain.
- Add a new TXT Record and enter your SPF record (e.g., v=spf1 include:_spf.google.com -all).
- Save the record and wait for propagation (this may take a few hours).
Step 2: Enable DKIM
- Go to your email provider’s admin settings (Google Workspace, Microsoft 365, etc.).
- Find the DKIM settings and generate a DKIM key pair.
- Copy the provided public key and add it as a new TXT Record in your DNS settings.
- Enable DKIM in your email provider’s dashboard.
Step 3: Set Up DMARC
- In your DNS settings, add a new TXT Record with your DMARC policy.
- Use a simple policy at first, such as:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;
(This only monitors emails without rejecting them.)
- Once you’re confident in your setup, change p=none to p=quarantine or p=reject to enforce stricter policies.
Troubleshooting
Troubleshooting SPF Errors: Common Issues and Fixes
1. Too Many DNS Lookups (SPF PermError: Too Many DNS Lookups)
🔍 Error Message: “SPF PermError: Too many DNS lookups”
🔴 Cause: SPF allows a maximum of 10 DNS lookups per record. If you exceed this, SPF validation fails.
✅ Fix:
- Remove unnecessary include: mechanisms.
- Use IP addresses or subnets (ip4: or ip6:) instead of includes when possible.
- Flatten SPF records using online tools (e.g., spfrecord.io) to reduce lookups.
2. SPF Record Not Found (No SPF Record Published)
🔍 Error Message: “No SPF record found”
🔴 Cause: Your domain has no SPF record in the DNS settings.
✅ Fix:
- Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.).
- Add a TXT record with the SPF value.
- Example for Google Workspace users:
v=spf1 include:_spf.google.com ~all
- Save changes and wait for DNS propagation (can take a few hours).
3. SPF SoftFail (~all) vs. HardFail (-all)
🔍 Issue: Some unauthorized emails still reach recipients despite SPF being configured.
🔴 Cause: Using ~all (soft fail) doesn’t strictly block unauthorized emails.
✅ Fix:
- Change ~all (soft fail) to -all (hard fail) if you want to strictly reject unauthorized senders.
- Example:
v=spf1 include:_spf.google.com -all
- Be cautious: If legitimate email servers aren’t included, they may be blocked!
4. SPF Fail Despite Correct Setup (Email Still Rejected)
🔍 Error Message: “SPF Fail – Not authorized by sender policy”
🔴 Cause:
- Your sending IP is missing from the SPF record.
- The recipient’s mail server is using outdated DNS cache.
✅ Fix:
- Verify that the sending mail server’s IP is listed in the SPF record using:
v=spf1 ip4:192.168.1.1 include:_spf.google.com ~all
- Use third-party SPF check tools (e.g., MXToolbox, DMARC Analyzer) to confirm validity.
- Ask the recipient to flush their DNS cache if they are still rejecting emails.
5. Multiple SPF Records Detected (Invalid Setup)
🔍 Error Message: “Multiple SPF records found for this domain”
🔴 Cause: Having more than one SPF TXT record will cause SPF to fail.
✅ Fix:
- Combine multiple SPF records into one single entry.
- Example:
Incorrect (Two SPF Records – Will Fail):
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com ~all
Correct (Merged into One SPF Record):
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
- Delete duplicate SPF records from your DNS settings.
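The checks in items 1, 3 and 5 above (lookup count, soft-fail qualifier, duplicate records) can be run offline over the TXT values you are about to publish. This is an added example, not code from the original guide; the sample records are constructed, and only the top-level record is counted, since lookups hidden inside an include: need live DNS to resolve.

```python
import re

# Terms that each cost a DNS lookup under the SPF 10-lookup limit (RFC 7208 s4.6.4):
# include, a, mx, ptr, exists and the redirect modifier. ip4/ip6/all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail (hard)", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([a-z0-9]+)([:=/](.*))?$", re.I)

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, value) terms."""
    terms = []
    for token in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # default qualifier is pass
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        m = TERM_RE.match(token)
        if m:
            terms.append((qualifier, m.group(1).lower(), m.group(3) or ""))
    return terms

def analyze_spf(txt_records):
    """Run the troubleshooting checks over a domain's TXT answers.
    Only the top-level record is counted: includes that themselves contain
    lookups add to the same limit, which needs live DNS to resolve."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    result = {"spf_records": len(spf), "lookups": 0, "all": None, "problems": []}
    if not spf:
        result["problems"].append("No SPF record found")
        return result
    if len(spf) > 1:
        result["problems"].append("Multiple SPF records found (merge into one)")
    for record in spf:
        for qualifier, name, _value in parse_spf(record):
            if name in LOOKUP_TERMS:
                result["lookups"] += 1
            elif name == "all":
                result["all"] = QUALIFIERS[qualifier]
    if result["lookups"] > 10:
        result["problems"].append("PermError: too many DNS lookups")
    if result["all"] == "softfail":
        result["problems"].append("~all only flags unauthorized mail; use -all to reject")
    return result

# Constructed sample TXT answers (not real DNS data) for the three cases.
SAMPLES = {
    "duplicate": ["v=spf1 include:_spf.google.com ~all",
                  "v=spf1 include:spf.protection.outlook.com ~all"],
    "merged": ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"],
    "too_many": ["v=spf1 " + " ".join(f"include:svc{i}.example.net" for i in range(11)) + " -all"],
}
```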
6. SPF Validation Still Failing? Debug It!
✅ Check Email Headers:
- In Gmail: Open an email → Click More (⋮) → Show Original → Look for “SPF” result.
- In Outlook: Open email → Click File → Properties → Internet Headers → Search for “SPF.”
✅ Enable DMARC for Better Monitoring:
DMARC will provide reports on SPF failures and help diagnose issues.
Example DMARC record for monitoring:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;
Troubleshooting DKIM Errors: Common Issues and Fixes
1. No DKIM Signature Found
🔍 Error Message: “DKIM: None (No DKIM signature found)”
🔴 Cause:
- DKIM is not enabled in your email provider settings.
- Your domain’s DNS does not have a DKIM record.
- The DKIM record hasn’t propagated yet.
✅ Fix:
- Log in to your email provider’s admin panel (Google Workspace, Outlook, Zoho, etc.).
- Enable DKIM signing in the email settings.
- Generate a DKIM key and add it as a TXT record in your domain’s DNS settings.
- Wait for DNS propagation (can take up to 24 hours).
🔧 Example DKIM Record (TXT Entry in DNS):
v=DKIM1; k=rsa; p=MIIBIjANBgkqh…
2. DKIM Fail (Signature Verification Failed)
🔍 Error Message: “DKIM: Fail (Signature verification failed)”
🔴 Cause:
- The DKIM record in DNS is incorrect or missing characters.
- The wrong DKIM selector is used.
- The sending server is not signing emails correctly.
✅ Fix:
- Double-check the DKIM record in your DNS. Ensure it matches what your email provider gave you.
- Confirm you’re using the correct selector (e.g., google for Google Workspace).
- Use a DKIM checker to verify the published record.
- If the error persists, regenerate your DKIM key and update your DNS.
3. DKIM Record Too Long (TXT Record Truncated)
🔍 Error Message: “DKIM record exceeds the 255-character DNS limit”
🔴 Cause: Some domain registrars truncate long TXT records, breaking the DKIM key.
✅ Fix:
- If your provider supports split TXT records, break the DKIM key into two parts.
- Example (Cloudflare, GoDaddy, etc.):
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQE..." "G5yxPQZ..."
- If your registrar does not support split TXT records, use a shorter 1024-bit DKIM key instead of 2048-bit.
4. Wrong DKIM Selector Used
🔍 Error Message: “No DKIM record found for selector xyz”
🔴 Cause:
- DKIM selectors are specific to email providers.
- Your email provider may use a different selector than expected.
✅ Fix:
- Check your provider’s selector:
  - Google Workspace → google._domainkey.yourdomain.com
  - Microsoft 365 → selector1._domainkey.yourdomain.com
  - Zoho Mail → zoho._domainkey.yourdomain.com
  - Mailchimp → k1._domainkey.yourdomain.com
5. DKIM Signature Expired (Invalid Key Rotation)
🔍 Error Message: “DKIM: Fail (Signature expired)”
🔴 Cause:
- Some email providers rotate DKIM keys periodically, making old ones invalid.
- Your DNS has an outdated DKIM key.
✅ Fix:
- Check your email provider for a new DKIM key.
- Update the DNS TXT record with the new key.
- If your provider supports auto-rotation, enable it to avoid future issues.
6. Emails Still Going to Spam Despite DKIM Passing
🔍 Issue: DKIM is correctly set up, but emails still land in spam.
🔴 Cause:
- SPF and DMARC misconfigurations can still cause spam issues.
- Low domain reputation (previously flagged as spam).
- The email content triggers spam filters (e.g., too many links, suspicious wording).
✅ Fix:
- Ensure SPF and DMARC are correctly set up alongside DKIM.
- Use tools like Google Postmaster Tools or Microsoft SNDS to check domain reputation.
- Avoid spam-triggering keywords in subject lines and body.
Troubleshooting DMARC Errors: Common Issues and Fixes
1. No DMARC Record Found
🔍 Error Message: “No DMARC record found for this domain.”
🔴 Cause: A DMARC record is missing from the domain’s DNS settings.
✅ Fix:
- Add a TXT record in your domain’s DNS settings with a basic DMARC policy, such as:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;
- Save the changes and wait for DNS propagation (can take up to 24 hours).
2. DMARC Fail (Messages Rejected or Quarantined Unexpectedly)
🔍 Error Message: “DMARC: Fail – Email rejected or quarantined.”
🔴 Cause:
- The DMARC policy is too strict (p=reject) before SPF and DKIM are correctly configured.
- SPF and DKIM are not aligned with the “From” domain.
✅ Fix:
- Set a relaxed policy first:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;
This collects reports without rejecting emails.
- Ensure SPF and DKIM are properly set up and aligned (the domain in the “From” header should match SPF/DKIM).
- Once emails pass SPF/DKIM consistently, gradually enforce stricter policies (p=quarantine, then p=reject).
3. DMARC Not Enforcing (Emails Still Getting Spoofed)
🔍 Issue: DMARC is set up, but spoofed emails are still being delivered.
🔴 Cause:
- The DMARC policy is too lenient (p=none).
- SPF and DKIM authentication are failing but not being enforced.
✅ Fix:
- Increase the policy level gradually:
v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@yourdomain.com;
- p=quarantine moves some failed emails to spam.
- pct=50 applies the policy to 50% of failing emails to test it.
- Once everything is working, move to a full reject policy:
v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com;
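The staged rollout described in items 2 and 3 (p=none, then p=quarantine with pct=50, then full quarantine, then p=reject) can be checked mechanically against the _dmarc TXT record before each change. This is an added example, not code from the original guide; the sample records are constructed and the ROLLOUT order is the one this guide recommends, not a DMARC requirement.

```python
# Policy stages in the order the guide recommends rolling them out.
ROLLOUT = [("none", 100), ("quarantine", 50), ("quarantine", 100), ("reject", 100)]
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Parse a DMARC TXT value into a tag dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate the trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in STRICTNESS:
        raise ValueError("record needs v=DMARC1 and a valid p= tag")
    return tags

def next_step(tags):
    """Next (p, pct) on the staged path, or None once p=reject covers 100%."""
    score = STRICTNESS[tags["p"].lower()] * 100 + int(tags.get("pct", "100"))
    for p, pct in ROLLOUT:
        if STRICTNESS[p] * 100 + pct > score:
            return (p, pct)
    return None

def assess_dmarc(txt_records):
    """Apply the guide's checks to the TXT answers for _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"status": "missing", "advice": ["publish v=DMARC1; p=none; rua=mailto:... first"]}
    if len(dmarc) > 1:
        return {"status": "ignored", "advice": ["multiple DMARC records: keep exactly one"]}
    tags = parse_dmarc(dmarc[0])
    advice = []
    if "rua" not in tags:
        advice.append("add rua=mailto:... or you get no aggregate reports")
    step = next_step(tags)
    if step:
        advice.append(f"next stage: p={step[0]}; pct={step[1]}")
    status = "monitoring" if tags["p"].lower() == "none" else ("enforcing" if step is None else "ramping")
    return {"status": status, "advice": advice}

# Constructed sample records matching the guide's stages (not real DNS data).
SAMPLES = {
    "monitor": ["v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;"],
    "half": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@yourdomain.com;"],
    "full": ["v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com;"],
}
```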
4. Multiple DMARC Records Detected
🔍 Error Message: “Multiple DMARC records found – Policy ignored.”
🔴 Cause: Having more than one DMARC record in your DNS will cause it to be ignored.
✅ Fix:
- Check your DNS settings and remove duplicate DMARC records.
- You should have only one DMARC TXT record per domain.
5. DMARC Reports Not Being Received
🔍 Issue: You’ve added rua=mailto:reports@yourdomain.com; but no reports arrive.
🔴 Cause:
- Some email providers require authentication before sending DMARC reports.
- The reporting email (rua address) is incorrect or not properly set up.
✅ Fix:
- Use a third-party DMARC monitoring service (e.g., DMARCian, Postmark, Agari).
- Ensure the rua email address can receive DMARC reports.
- Try using a third-party reporting address like Google Postmaster Tools.
6. SPF/DKIM Alignment Errors
🔍 Error Message: “DMARC: Fail – Alignment issue with SPF/DKIM.”
🔴 Cause: SPF or DKIM does not align with the domain in the “From” address.
✅ Fix:
- For SPF alignment, make sure the “Return-Path” matches the “From” domain.
- For DKIM alignment, ensure the signing domain (d= in the DKIM signature) matches the “From” domain.
- Example of a correct DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector;
(d=yourdomain.com should match the “From” domain.)
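The alignment rule in item 6 is what a receiver evaluates: the “From” domain must align with the Return-Path domain (SPF) or with the d= domain of a valid DKIM signature, in either strict or relaxed mode. This is an added example, not code from the original guide; the headers are constructed, the parser assumes one header per line (real DKIM-Signature headers are usually folded), and org_domain() takes the last two labels as a stand-in for the Public Suffix List that real implementations use.

```python
from email.utils import parseaddr

def org_domain(domain):
    """Organizational domain. Assumption for this example: the last two labels.
    Real DMARC implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment: strict ("s") needs an exact match; relaxed
    ("r", the default adkim/aspf) accepts any subdomain of the same organization."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)

def parse_headers(raw):
    """Minimal header parser; assumes each header sits on a single line."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_alignment(raw, spf_result="pass", dkim_result="pass", mode="r"):
    """Evaluate DMARC the way a receiver does: the From domain must align with
    the SPF-checked Return-Path domain or with the DKIM d= domain, and that
    identifier must also have passed its own SPF/DKIM check."""
    h = parse_headers(raw)
    from_domain = parseaddr(h["from"])[1].rpartition("@")[2]
    rp_domain = parseaddr(h.get("return-path", ""))[1].rpartition("@")[2]
    dkim_tags = dict(t.strip().split("=", 1) for t in h.get("dkim-signature", "").split(";") if "=" in t)
    d = dkim_tags.get("d", "").strip()
    spf_ok = spf_result == "pass" and bool(rp_domain) and aligned(rp_domain, from_domain, mode)
    dkim_ok = dkim_result == "pass" and bool(d) and aligned(d, from_domain, mode)
    return {"from": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed headers (not a real message): bounces go through a subdomain,
# DKIM signs with the From domain itself, so DKIM aligns even in strict mode.
MSG = """From: Alice <alice@yourdomain.com>
Return-Path: <bounce@mail.yourdomain.com>
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector; h=from:to:subject; bh=...; b=..."""
# Constructed third-party sender that signs and bounces under its own domain: no alignment.
ESP_MSG = """From: Alice <alice@yourdomain.com>
Return-Path: <b-123@bounce.esp.example>
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1; h=from; bh=...; b=..."""
```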
7. Emails Still Landing in Spam Despite DMARC Passing
🔍 Issue: DMARC is passing, but emails still go to spam.
🔴 Cause:
- Your domain has a bad reputation (previous spam reports).
- The email content triggers spam filters (e.g., too many links, misleading subject lines).
- Some email providers use additional spam filtering rules beyond DMARC.
✅ Fix:
- Check your domain reputation using:
- Google Postmaster Tools
- Microsoft SNDS
- Review email content and avoid spam-triggering words.
- If using a new domain, warm it up by sending smaller batches of emails first.
8. “DMARC Policy Not Enabled” Warning in Gmail or Other Mail Providers
🔍 Error Message: “No DMARC enforcement policy found (p=none). Consider setting to quarantine or reject.”
🔴 Cause: Gmail and some providers now require a DMARC enforcement policy (not p=none).
✅ Fix:
- Update your policy from p=none to at least p=quarantine:
v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com;
- Once everything works well, switch to p=reject for full protection.
Conclusion
SPF, DKIM, and DMARC work together to secure your domain against spoofing and phishing. Setting them up is crucial, but continuous monitoring ensures they remain effective.