
Domain Safety: Setting Up SPF, DKIM, and DMARC Settings

Avoid landing in spam directories by structuring verification records on Cloudflare or target registrars.

Introduction

Email authentication is essential to prevent domain spoofing and phishing and to keep your own mail from being rejected or filed as spam. Three DNS-based standards — SPF, DKIM, and DMARC — work together to verify that emails claiming to be from your domain are legitimate. Without these records, attackers can send forged emails on your behalf, and legitimate emails may land in recipients’ spam folders. This guide explains each standard and shows how to configure them on Cloudflare or your DNS provider.


SPF: Sender Policy Framework

SPF publishes a list of IP addresses authorized to send email for your domain. Recipient mail servers look up the SPF record of the Return-Path (envelope sender) domain and check whether the connecting IP address is listed in it.

SPF Record Format

An SPF record is a DNS TXT record:

example.com  TXT  "v=spf1 include:_spf.google.com include:spf.mailgun.org ~all"
Mechanism    Meaning
v=spf1       SPF version identifier
include:     Delegates authorization to another domain
ip4:/ip6:    Authorizes specific IP ranges
a            Authorizes the domain’s A record
mx           Authorizes the domain’s MX servers
all          Default action for non-matching senders

Qualifiers

Qualifier    Action
+            Pass (default)
~            SoftFail (marked but accepted)
-            Fail (should be rejected)
?            Neutral (no assertion)

Use ~all during initial setup, then migrate to -all once verified.
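To make the mechanism and qualifier semantics concrete, here is an added Python example (not code from the original post) of a small SPF evaluator. It walks the record left to right the way a receiving server does, stops at the first matching mechanism and returns that mechanism's qualifier as the result, so you can see why the order of terms and the final ~all versus -all matter. DNS is replaced by a constructed in-memory table (FAKE_DNS); the domains example.com and _spf.mailer.example and all addresses in it are placeholders from documentation ranges. It handles ip4, ip6, a, mx, include and all; redirect=, exp=, exists, ptr, CIDR suffixes on a/mx and the macro language are left out.

```python
"""Minimal SPF evaluator: decides whether a sending IP is authorized by
walking a v=spf1 record's mechanisms left to right (RFC 7208 order).
Added example, not the post's own code. DNS lookups are replaced by a
constructed in-memory table so the code runs offline."""
import ipaddress

# Constructed stand-in for DNS; a real evaluator queries TXT, A and MX records.
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 a mx ~all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    },
    "a": {"example.com": ["192.0.2.10"], "mx1.example.com": ["192.0.2.25"]},
    "mx": {"example.com": ["mx1.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, cidr):
    """True if ip lies in cidr; False on a malformed prefix or version mismatch."""
    try:
        return ip in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def _ip_matches_a(ip, name, dns):
    """True if ip equals one of the A/AAAA addresses recorded for name."""
    return any(ip == ipaddress.ip_address(addr) for addr in dns["a"].get(name, []))


def check_spf(ip_str, domain, dns=FAKE_DNS, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for a
    message from ip_str whose Return-Path domain is `domain`."""
    if depth > 10:  # cap include nesting; RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    record = dns["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published: no assertion at all
    ip = ipaddress.ip_address(ip_str)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif name == "a":
            matched = _ip_matches_a(ip, arg or domain, dns)
        elif name == "mx":
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(_ip_matches_a(ip, host, dns) for host in hosts)
        elif name == "include":
            # include: matches only if the referenced record itself yields "pass";
            # its -all or ~all never terminates the outer evaluation.
            matched = check_spf(ip_str, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]  # first match wins
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.25", "192.0.2.99"):
        print(ip, "->", check_spf(ip, "example.com"))
```

Note how 192.0.2.99 ends up as softfail only because the record closes with ~all; with -all the same sender would be a hard fail, which is the migration the section describes.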


DKIM: DomainKeys Identified Mail

DKIM attaches a cryptographic digital signature to each outgoing email. The receiving server retrieves the sender’s public key from DNS to verify that the email was not tampered with.

DKIM Record

A DKIM record is a DNS TXT record under a specific selector name:

default._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
Tag    Meaning
v      Version (always DKIM1)
k      Key type (rsa or ed25519)
p      Base64-encoded public key

Email services like Google Workspace, Mailgun, or SendGrid generate DKIM keys automatically. You only need to publish the public key as a DNS TXT record.


DMARC: Domain-based Message Authentication, Reporting & Conformance

DMARC defines a policy for how receivers should handle emails that fail SPF and/or DKIM checks. It also provides reporting to help you monitor authentication results.

DMARC Record Format

A DMARC record is a DNS TXT record:

_dmarc.example.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100"
Tag    Meaning                                   Common Values
v      Version (always DMARC1)                   DMARC1
p      Policy for unauthenticated emails         none, quarantine, reject
pct    Percentage of emails subject to policy    1-100
rua    Aggregate report email address            mailto: URI
ruf    Forensic failure report address           mailto: URI
sp     Subdomain policy (overrides p if set)     same as p
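DKIM key records (the DKIM Record section above) and DMARC records share the same tag=value syntax, so one parser serves both. The following is an added Python example (not from the original post) that parses a record and reports the mistakes most often seen when these records are typed into a DNS console by hand: an empty p= (which revokes the key), a p= value that is not base64, a p= policy outside none/quarantine/reject, a pct= out of range, and report addresses that are not mailto: URIs. The sample records are constructed; PLACEHOLDER_KEY is a placeholder string, not a real public key.

```python
"""Parse and sanity-check DKIM key records and DMARC records. Both use the
'tag=value; tag=value' syntax, so one parser handles both.
Added example, not from the original post; sample records are constructed."""
import base64
import binascii

# Constructed placeholder. A real p= value is the base64 DER public key
# exported by your mail provider.
PLACEHOLDER_KEY = base64.b64encode(b"placeholder-not-a-real-key").decode()

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_tags(record):
    """Split 'k=v; k2=v2' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record):
    """Return the list of problems with a DKIM key record (empty = looks fine)."""
    t = parse_tags(record)
    problems = []
    if t.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    if t.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("k= must be rsa or ed25519")
    if "p" not in t:
        problems.append("missing p= tag")
    elif t["p"] == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(t["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems


def check_dmarc(record):
    """Return the list of problems with a DMARC record (empty = looks fine)."""
    t = parse_tags(record)
    problems = []
    # v=DMARC1 must be the first tag of the record.
    if t.get("v") != "DMARC1" or not record.lstrip().lower().startswith("v="):
        problems.append("record must start with v=DMARC1")
    if t.get("p") not in DMARC_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    if "sp" in t and t["sp"] not in DMARC_POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    pct = t.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in t.get(tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                problems.append(f"{tag}= entries must be mailto: URIs")
    if "rua" not in t:
        problems.append("warning: no rua=, so you will receive no aggregate reports")
    return problems


if __name__ == "__main__":
    print(check_dkim(f"v=DKIM1; k=rsa; p={PLACEHOLDER_KEY}"))
    print(check_dkim("v=DKIM1; k=rsa; p="))
    print(check_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"))
    print(check_dmarc("v=DMARC1; p=block; pct=150"))
```

Run the checks against the exact strings you paste into the DNS console; the base64 check catches the common copy-and-paste truncation of a long p= value, which silently breaks DKIM for every message signed with that selector.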

DMARC Policy Levels

  1. p=none — Monitor only, no action taken (use this first to validate)
  2. p=quarantine — Mark failures as spam
  3. p=reject — Reject failures outright (strictest)

How They Work Together

Sender sends email      →   Receiver checks SPF (is IP authorized?)
                         →   Receiver checks DKIM (is signature valid?)
                         →   Receiver checks DMARC policy
                              →   p=none:       no action
                              →   p=quarantine: move to spam
                              →   p=reject:     reject delivery

For an email to pass DMARC, it must pass either SPF (with alignment) or DKIM (with alignment). Alignment means the domain in the From header matches the Return-Path domain that SPF checked, or the signing domain named in the DKIM signature.
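The pass-or-fail decision just described, including alignment and the pct= sampling from the DMARC table, as an added Python example (not from the original post). It takes the SPF and DKIM results a receiver already has and returns the DMARC result and the resulting disposition. All message values are constructed; org_domain is a two-label approximation of the organizational domain (real receivers consult the Public Suffix List), and the `sample` argument stands in for the random draw a receiver makes when pct is below 100.

```python
"""DMARC evaluation for one message: combine the SPF and DKIM results with
identifier alignment, then map a failure to the policy's disposition.
Added example, not from the original post; all sample values are constructed."""


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Real receivers use the Public Suffix List so that names such as
    example.co.uk are handled correctly; this shortcut is enough here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed (r) alignment: same organizational domain.
    Strict (s) alignment: exact domain match."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r"):
    """DMARC passes if at least one of SPF or DKIM both passed and is aligned
    with the From-header domain. spf_domain is the Return-Path (MAIL FROM)
    domain; dkim_domain is the signing domain of the signature that verified,
    or None if no signature verified."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, adkim))
    return "pass" if spf_ok or dkim_ok else "fail"


def disposition(dmarc, policy, pct=100, sample=100):
    """Action for one message. pct= applies only to failing messages; a
    failing message that is not selected (sample > pct) gets the next weaker
    policy (reject -> quarantine, quarantine -> none). `sample` replaces the
    receiver's random 1..100 draw so the function is deterministic."""
    if dmarc == "pass" or policy == "none":
        return "deliver"
    if sample > pct:
        return "quarantine" if policy == "reject" else "deliver"
    return policy


if __name__ == "__main__":
    # Constructed cases: a direct send from a bounce subdomain, and a
    # third-party sender whose own domain passes SPF and DKIM but is not
    # aligned with the From domain, so DMARC still fails.
    print(dmarc_result("example.com", "pass", "bounce.example.com", "fail", None))
    print(dmarc_result("example.com", "pass", "mailer.example", "pass", "mailer.example"))
    print(disposition("fail", "reject", pct=10, sample=77))
```

The second constructed case is the one that surprises people most during rollout: a third-party service that authenticates perfectly under its own domain still fails DMARC for your domain until it signs with a DKIM selector you publish or uses a Return-Path under your domain, which is exactly what the monitoring phase with p=none is meant to surface.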


Configuration on Cloudflare

  1. Add SPF record: Create a TXT record for @ with value v=spf1 include:_spf.google.com ~all
  2. Add DKIM record: Create a TXT record for default._domainkey with your provider’s public key
  3. Add DMARC record: Create a TXT record for _dmarc with value v=DMARC1; p=none; rua=mailto:[email protected]
  4. Start with p=none, review reports for a week, then escalate to p=quarantine or p=reject

Checking Tools

  • MXToolbox — Check SPF, DKIM, and DMARC records
  • Google Admin Toolbox — Verify DMARC policy and reporting
  • DMARC Analyzer — Parse and visualize DMARC aggregate reports
  • dig command:
    dig TXT example.com
    dig TXT default._domainkey.example.com
    dig TXT _dmarc.example.com

Conclusion

SPF, DKIM, and DMARC form a layered email authentication strategy. SPF authorizes sending IPs, DKIM provides cryptographic integrity, and DMARC dictates the enforcement policy. Start with monitoring mode (p=none) to ensure legitimate mail authenticates correctly, review your DMARC reports, and then progressively enforce stricter policies. Properly configured, these records dramatically reduce spam classification and prevent domain spoofing.