Firstly, visit our Email Security Checker to identify any errors in your current setup.
Emails should be private, yet many businesses are unaware they are vulnerable to impersonation and data breaches simply because they haven't spent 15 minutes securing their systems.
Fortunately, there is a straightforward way to protect your domain and ensure your emails are trusted: SPF, DKIM and DMARC.
Think of them as your email's dedicated security team:
1. SPF: The Guest List (Sender Policy Framework)
- What it does: SPF is a public list of all servers authorised to send emails from your domain. If an email originates from a server not on this list, it is flagged as suspicious.
- Why it matters: It prevents spammers and criminals from impersonating your business.
2. DKIM: The Tamper-Proof Seal (DomainKeys Identified Mail)
- What it does: DKIM adds a hidden digital signature to every email. This confirms the email truly originated from your domain and has not been altered in transit.
- Why it matters: It proves your emails are authentic and ensures the integrity of your message.
3. DMARC: The Rulebook & Report Card (Domain-based Message Authentication, Reporting, and Conformance)
- What it does: DMARC instructs receiving servers on how to handle emails that fail SPF or DKIM (e.g. divert to spam or reject). It also provides reports on who is attempting to send emails using your domain.
- Why it matters: It blocks fraudulent emails and provides critical intelligence on imposter attempts.
Why You Need Them
- Deliverability: Ensure your emails land in inboxes rather than spam folders.
- Reputation: Stop malicious actors from using your brand name for scams.
- Security: Protect your recipients by fighting phishing attempts.
Steps to Set Them Up
This process is typically handled within your DNS settings at your domain registrar or hosting provider (e.g. Cloudflare, GoDaddy, Namecheap).
Before beginning, identify your email service provider (e.g. Google Workspace, Microsoft 365, Zoho Mail).
1. Access Your DNS Manager
- Locate the "DNS Management" or "Zone Editor" section in your provider's control panel.
2. Add Your SPF Record
- Add a new TXT record.
- Host: Usually @.
- Value Examples:
  - Google Workspace: v=spf1 include:_spf.google.com ~all
  - Microsoft 365: v=spf1 include:spf.protection.outlook.com -all
3. Add Your DMARC Record
- Create a new TXT record.
- Name/Host: _dmarc
- Value: v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com;
- Note: p=none is a safe starting point for monitoring. You can tighten this to quarantine or reject once you are confident.
4. Add Your DKIM Record(s)
Your provider will generate specific records for you. You must check which method they use:
Method A: The TXT Record (Manual)
Common with Google Workspace. You copy a long cryptographic string.
- Type: TXT
- Host: e.g. google._domainkey
- Value: Long string starting with v=DKIM1; k=rsa; p=...
Method B: The CNAME Record (Delegated)
Common with Microsoft 365. Points to the provider's server.
| Host | Type | Value |
|---|---|---|
| selector1._domainkey | CNAME | selector1.dkim.mail.provider.com |
Allow a few hours for DNS propagation. Once complete, your email infrastructure will be significantly more secure.
Finally, return to the Security Checker to verify that everything is configured correctly.
Important Note: Always back up existing DNS records before making changes. If you use bulk mailing software (e.g. Mailchimp, SendGrid), ensure those services are also authenticated via their own SPF/DKIM settings to avoid deliverability issues.
For further reading, visit official documentation from Microsoft, Google, or Cloudflare.