SPF, DKIM, and DMARC Setup Guide
Email authentication records are the foundation of sender reputation. Without them, your messages are likely to be filtered, rejected, or sent to spam — regardless of how well your sending infrastructure is configured.
Why it matters
Why authentication records matter for deliverability
Mailbox providers evaluate sending domains by whether the sending infrastructure is authorized by the domain owner. SPF, DKIM, and DMARC establish that authorization.
When these records are missing or misconfigured, providers treat email as unauthenticated — even from a legitimate sending service. Deliverability monitoring cannot compensate for missing authentication.
SPF — Sender Policy Framework
SPF authorizes specific mail servers to send email on behalf of your domain. It is published as a DNS TXT record. When a receiver gets a message, it looks up the SPF record for the sending domain; if the sending server is not listed, the message fails SPF.
Record examples by sending source
Sendarix SMTP relay only
v=spf1 include:sendarix.com ~all
Gmail / Google Workspace
v=spf1 include:_spf.google.com ~all
Microsoft 365 / Outlook
v=spf1 include:spf.protection.outlook.com ~all
Combined Sendarix + Google
v=spf1 include:sendarix.com include:_spf.google.com ~all
Common SPF mistakes
- More than 10 DNS lookups in the record — causes PERMERROR on some receivers.
- Using ~all (softfail) instead of -all (fail) — a weak policy receivers treat as permissive.
- Forgetting the sending service after switching providers — the old provider keeps sending and fails SPF.
- Including domains that have their own SPF records — nested lookups add to the lookup count.
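The lookup-count mistake in the list above can be caught before a record is published. The following is an added example, not Sendarix code: it statically counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) that RFC 7208 limits to 10, following nested includes. The zone contents and every example.test name are constructed for illustration and stand in for live DNS.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Terms that trigger a DNS query; ip4, ip6, all and exp= do not.
TERM = re.compile(
    r"^[+\-~?]?(?:include:(?P<inc>\S+)|(?:a|mx|ptr|exists)(?:[:/]\S*)?)$"
    r"|^redirect=(?P<redir>\S+)$", re.IGNORECASE)

# Constructed TXT records (hypothetical domains), standing in for live DNS.
ZONE = {
    "example.test": "v=spf1 include:relay.example.test "
                    "include:_spf.mail.example.test include:crm.example.test mx ~all",
    "relay.example.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.mail.example.test": "v=spf1 include:_nb1.example.test "
                              "include:_nb2.example.test include:_nb3.example.test ~all",
    "_nb1.example.test": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_nb2.example.test": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_nb3.example.test": "v=spf1 ip4:198.51.100.128/26 ~all",
    "crm.example.test": "v=spf1 a mx include:_spf.mail.example.test "
                        "exists:%{i}.bl.example.test ~all",
}

def count_lookups(domain, zone, _path=()):
    """Upper bound on DNS-querying terms reached from domain's SPF record.

    A real evaluator stops at the first matching mechanism, so this is the
    worst case: the number a receiver may hit, and the one to keep under 10.
    """
    if domain in _path:
        raise ValueError(f"include loop at {domain}")
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0  # no SPF record here (a real evaluator reports an error)
    total = 0
    for term in terms[1:]:
        m = TERM.match(term)
        if m is None:
            continue
        total += 1  # the term itself costs one query
        target = m.group("inc") or m.group("redir")
        if target:  # nested records count against the same budget
            total += count_lookups(target, zone, _path + (domain,))
    return total

def within_limit(domain, zone):
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("relay.example.test", "crm.example.test", "example.test"):
        print(name, count_lookups(name, ZONE), within_limit(name, ZONE))
```

The top-level record lists only three includes and one mx, yet evaluates to 14 lookups because two of the included records nest further includes.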
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to outgoing email headers. Receivers use the public key published in DNS to verify the message was not modified in transit and was sent by the domain it claims. It uses a selector-based record (e.g. selector2._domainkey.example.com).
selector2._domainkey.yoursendingdomain.com IN TXT ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA...")
Your Sendarix dashboard provides the complete DKIM record for each sending domain.
SPF covers
- Which servers are authorized to send for your domain
- Forgery of the envelope MAIL FROM address
- Unauthorized subdomains used for sending
DKIM covers
- Message integrity — no header/body modification in transit
- Authenticity of the From domain in headers
- Alignment with the visible From address
Both are required for DMARC alignment. Using only SPF without DKIM leaves your domain vulnerable to certain spoofing attacks.
DMARC — Authentication, Reporting & Conformance
DMARC builds on SPF and DKIM by telling receivers what to do when authentication fails, and provides reporting so you can monitor who sends on behalf of your domain.
Policy levels
p=none — monitoring
No action on failures; you receive aggregate reports. Use to audit your setup before enforcing.
p=quarantine — partial
Failed messages go to spam/junk. A recommended intermediate step before full enforcement.
p=reject — full
Receivers reject failing messages. Only use once SPF and DKIM are correct for all legitimate sources.
Standard DMARC record
_dmarc.yoursendingdomain.com IN TXT ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yoursendingdomain.com; pct=100")
Alignment requirements
For a message to pass DMARC, both SPF and DKIM must authenticate, and at least one must align with the visible From domain.
- SPF alignment: the envelope MAIL FROM domain must match or be a subdomain of the From header domain.
- DKIM alignment: the d= domain in the signature must match or be a subdomain of the From header domain.
- Note: using a different MAIL FROM domain than your From domain (common with bulk services) requires strict alignment or it fails.
Recommended setup order
Rushing to full DMARC enforcement before auditing your sending sources causes legitimate email to be rejected. Follow this sequence.
1. Audit all sending sources
List every service, server, and workflow that sends using your domain: marketing tools, CRM, helpdesks, and transactional services.
2. Publish SPF
Add all sending services via the include: mechanism. Minimize nested includes to stay under the 10-lookup limit.
3. Publish DKIM
Each service provides its own selector. Add the record per service. Sendarix DKIM records are in the dashboard under domain settings.
4. Set p=none & review
Monitor for 2–4 weeks. Check the rua reports for legitimate mail that is failing, and fix missing SPF/DKIM sources.
5. Quarantine → reject
Once all legitimate sources authenticate, upgrade to quarantine, then after another audit period, to reject.
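For the review in step 4, the rua aggregate reports are XML files, and the useful view is per sending source. The following is an added example, not Sendarix code: it totals messages per source IP from a report in the RFC 7489 aggregate layout and lists the sources with SPF or DKIM failures. The sample report, the example.test domain, and the IP addresses (documentation ranges) are constructed.

```python
import xml.etree.ElementTree as ET

def _rec(ip, count, dkim, spf):
    # Builds one constructed <record> in the RFC 7489 aggregate-report layout.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row><identifiers>"
            "<header_from>example.test</header_from></identifiers></record>")

# Constructed report: documentation IP ranges, hypothetical domain.
SAMPLE_REPORT = ("<feedback><policy_published><domain>example.test</domain>"
                 "<p>none</p></policy_published>"
                 + _rec("192.0.2.10", 120, "pass", "pass")
                 + _rec("198.51.100.7", 40, "fail", "pass")
                 + _rec("203.0.113.99", 5, "fail", "fail")
                 + _rec("198.51.100.7", 10, "pass", "pass")
                 + "</feedback>")

def summarize(xml_text):
    """Return {source_ip: {"messages", "spf_fail", "dkim_fail"}} message counts."""
    # Reports arrive from third parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in DMARC report")
    stats = {}
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip", "unknown")
        n = int(row.findtext("count", "0"))
        s = stats.setdefault(ip, {"messages": 0, "spf_fail": 0, "dkim_fail": 0})
        s["messages"] += n
        # policy_evaluated holds the DMARC-evaluated SPF and DKIM results.
        for mech in ("spf", "dkim"):
            if row.findtext(f"policy_evaluated/{mech}") != "pass":
                s[f"{mech}_fail"] += n
    return stats

def needs_attention(stats):
    """Source IPs with any SPF or DKIM failure, most failures first."""
    bad = [ip for ip, s in stats.items() if s["spf_fail"] or s["dkim_fail"]]
    return sorted(bad, key=lambda ip: -(stats[ip]["spf_fail"] + stats[ip]["dkim_fail"]))

if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    for ip in needs_attention(report):
        print(ip, report[ip])
```

Each flagged IP is then matched against the audit list from step 1: a known service needs its SPF include or DKIM selector fixed, while an unknown source is mail you did not authorize.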
Provider-specific authentication guides
Each major mailbox provider has specific requirements. Configure these alongside your Sendarix sending-domain records.
Gmail SMTP settings
Requires SPF + DKIM for custom domains. Bulk-sender rules include SPF, DKIM, and a valid From address.
Outlook SMTP configuration
Microsoft uses SPF, DKIM, and increasingly DMARC for filtering. Office 365 senders have separate requirements.
Yahoo SMTP settings
Requires SPF + DKIM and is moving toward mandatory DMARC above certain volume thresholds.
Office 365 SMTP setup
Strict policies for connectors; requires DKIM signing for enhanced deliverability.
Amazon SES configuration
Provides DKIM signing by default but requires manual SPF configuration for deliverability.
SendGrid SMTP settings
Domain Authentication replaces manual DKIM setup. SPF must still be configured manually.
