DMARC, SPF, and DKIM: A Practical Setup Guide for Small Businesses (2026)

Clear, step‑by‑step instructions to configure SPF, DKIM, and DMARC with Google Workspace/Microsoft 365 and popular DNS providers. Safer email, fewer spoofing risks.

Executive Summary

  • Email authentication reduces spoofing and improves deliverability. SPF authorizes sending servers, DKIM signs messages so tampering is detectable, and DMARC tells receivers how to handle failures and where to send reports.
  • The safest rollout is staged: publish SPF and DKIM, start DMARC at p=none for monitoring, then move to p=quarantine and p=reject once you’ve cleaned legitimate senders and fixed alignment.

What SPF, DKIM, and DMARC Actually Do

  • SPF: lists which hosts/services can send as your domain (checked against envelope‑from/Return‑Path).
  • DKIM: cryptographic signature added to each email; receiving servers verify with your public key in DNS.
  • DMARC: policy that requires alignment (the SPF or DKIM identifier must match your From: domain) and tells receivers whether to take no action on, quarantine, or reject failing messages; it also has receivers send you aggregate XML reports (RUA) and failure reports (RUF).

Prerequisites and Access You’ll Need

  • DNS admin access for your domain (Cloudflare/GoDaddy/Namecheap/etc.).
  • Admin access to your email platform (Google Workspace or Microsoft 365).
  • A list of all services that send email using your domain:
    • Transactional (e.g., Shopify, Klaviyo, SendGrid)
    • Marketing (e.g., Mailchimp, Omnisend)
    • Support (e.g., Zendesk, Freshdesk)
    • CRM (e.g., HubSpot, Pipedrive)
    • App servers (e.g., your web host)

Step‑by‑Step Setup

Verify your sending domain

  • In your email platform (Google/Microsoft/ESP), complete domain verification so they can publish DKIM keys and know you control DNS.
  • If third‑party platforms send as your domain, add their domain/sender verification steps too.

Add/verify SPF

  • Create or update a TXT record at the root (amelitabaltar.com) with: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
    • Replace or adjust the includes to match your real senders. Examples: include:mailgun.org, include:_spf.salesforce.com, include:sendgrid.net, include:spf.mandrillapp.com.
  • Rules of thumb:
    • Only ONE SPF TXT record at the root; consolidate includes into a single record.
    • Stay within the 10 DNS lookup limit (include, a, mx, ptr, exists, and redirect each count; ip4/ip6 entries do not).
    • End with ~all (softfail) during discovery; move to -all (hard fail) once confident.
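The rules of thumb above can be checked mechanically. This added example (not from the guide) walks an SPF record, follows include/redirect chains, counts the lookup-causing terms and confirms there is exactly one record and an explicit all term; the DNS data is a constructed in-memory zone, so the include names are the guide's but the records behind them are made up.

```python
import re

# Constructed zone data standing in for DNS TXT lookups. The include names come from the
# guide; the record contents behind them are made up for this example, not real data.
ZONE = {
    "amelitabaltar.com": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
        "google-site-verification=abc123",  # unrelated TXT record: must be ignored
    ],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 include:spf-a.outlook.example -all"],
    "spf-a.outlook.example": ["v=spf1 mx a:smtp.outlook.example -all"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 a -all"],  # two SPF records
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # redirect= also costs a lookup

def spf_records(txts):
    return [t for t in txts if t.lower().startswith("v=spf1")]

def count_lookups(domain, zone, depth=0):
    """Count lookup-causing terms reachable from domain's SPF record via include/redirect."""
    if depth > 10:
        raise ValueError("include/redirect chain too deep")
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1:
        raise ValueError(f"{domain}: expected one SPF record, found {len(recs)}")
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += count_lookups(term.partition(":")[2], zone, depth + 1)
        elif name == "redirect":
            total += 1 + count_lookups(term.partition("=")[2], zone, depth + 1)
    return total

def audit_spf(domain, zone):
    """Apply the rules of thumb: one record, at most 10 lookups, an explicit 'all' term."""
    recs = spf_records(zone.get(domain, []))
    result = {"records": len(recs), "lookups": None, "all": None, "ok": False}
    if len(recs) != 1:
        return result
    all_terms = [t for t in recs[0].split()[1:] if t.lstrip("+-~?").lower() == "all"]
    result["all"] = all_terms[-1] if all_terms else None
    result["lookups"] = count_lookups(domain, zone)
    result["ok"] = result["lookups"] <= 10 and result["all"] is not None
    return result
```

To check a live domain, replace the ZONE lookup with a resolver query for TXT records; everything else stays the same.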

Enable DKIM

  • Google Workspace: Admin console → Apps → Google Workspace → Gmail → Authenticate email → Generate new DKIM key (2048‑bit) → Add CNAME/TXT as instructed → Start authentication.
  • Microsoft 365: Create two CNAME records for selector1/selector2 per tenant instructions → Enable DKIM signing in Defender/Exchange admin.
  • Third‑party senders: Each will provide a selector and TXT/CNAME to publish.

Publish DMARC (monitor → quarantine → reject)

  • Start with monitoring:
    • TXT at _dmarc.amelitabaltar.com: v=DMARC1; p=none; rua=mailto:dmarc@amelitabaltar.com; ruf=mailto:dmarc@amelitabaltar.com; fo=1; pct=100; sp=none
    • rua: aggregate XML reports; ruf: failure (forensic) reports, which some providers send only with limited data or not at all.
    • fo=1 requests a failure report whenever either SPF or DKIM fails (rather than only when both fail); some receivers ignore it.
  • Tighten alignment:
    • Ensure either SPF or DKIM aligns with your From: domain (not just passes).
  • Move to enforcement gradually:
    • After 2–4 weeks of clean reports, set p=quarantine; pct=25 → 50 → 100.
    • Finally p=reject for maximal spoofing protection; set sp=reject for subdomains if desired.
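How a receiver turns this record into a verdict is the part that trips people up: a mechanism must pass and align, sp= governs subdomains, and pct= only samples the stricter policy. This added example (not the guide's code) parses a DMARC record and evaluates one message; it simplifies the organizational domain to the last two labels, which is an assumption (real receivers use the Public Suffix List).

```python
# Added example (not from the guide): parse a DMARC TXT record and decide the DMARC
# result for one message from its SPF and DKIM results plus the From: domain.
# Organizational domain is simplified to the last two labels (assumption; real
# receivers use the Public Suffix List, so e.g. .co.uk domains behave differently).
POLICY_DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict; require v and p."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """Relaxed ('r') alignment: same organizational domain; strict ('s'): exact match."""
    if not identifier:
        return False
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def evaluate(record_txt, from_domain, spf=("none", None), dkim=("none", None), sample=0):
    """spf/dkim are (result, domain): SPF's Return-Path domain, DKIM's d= tag.
    sample is this message's 0-99 draw against pct; messages outside the sampled
    share get the next less strict policy, as RFC 7489 specifies."""
    tags = parse_dmarc(record_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    verdict = {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return {**verdict, "dmarc": "pass", "action": "none"}
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if sample >= int(tags.get("pct", "100")):
        policy = POLICY_DOWNGRADE[policy]
    return {**verdict, "dmarc": "fail", "action": policy}

# The guide's monitoring record; a forwarded message keeps its DKIM signature but SPF
# now passes for the forwarder's domain, so only DKIM aligns (fwd.example is made up).
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@amelitabaltar.com; ruf=mailto:dmarc@amelitabaltar.com; fo=1; pct=100; sp=none"
print(evaluate(MONITOR, "amelitabaltar.com", spf=("pass", "fwd.example"), dkim=("pass", "amelitabaltar.com")))
```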

Optional: BIMI (Brand Indicators for Message Identification)

  • Requirements:
    • DMARC at enforcement (p=quarantine or p=reject, pct=100).
    • SVG Tiny‑PS logo hosted over HTTPS.
    • A Verified Mark Certificate (VMC) is required by some mailbox providers (e.g., Gmail, Apple) before the logo is shown.
  • DNS:
    • TXT at default._bimi.amelitabaltar.com with: v=BIMI1; l=<HTTPS URL of your SVG logo>; a=<HTTPS URL of your VMC, or omit the a= tag if you have none>

Provider‑Specific Notes

Google Workspace

  • SPF include: _spf.google.com
  • DKIM: use 2048‑bit keys; rotate annually; selector typically google.
  • DMARC: monitor with p=none; analyze the rua XML with a DMARC reporting tool (Postmark, MxToolbox, Valimail, or others).

Microsoft 365

  • SPF include: spf.protection.outlook.com
  • DKIM: publish the selector1._domainkey and selector2._domainkey CNAMEs pointing at the targets Microsoft gives you; then enable signing in the admin center.
  • DMARC: same staged rollout; pay attention to forwarding scenarios (DKIM helps).

DNS Examples

Cloudflare

  • Add TXT for SPF at root (name “@”).
  • DKIM is often a CNAME to the vendor; keep the Cloudflare proxy off (grey cloud, DNS only) so the record is served as plain DNS.
  • DMARC TXT at name “_dmarc”.

GoDaddy

  • TXT records usually at “@”; DMARC at “_dmarc”.
  • Propagation can take minutes to hours.

Namecheap

  • Similar process; ensure no duplicate SPF records; if multiple, merge them.

Common Pitfalls and How to Fix Them

  • Multiple SPF records at root
    • Merge into one. Duplicate SPF breaks evaluation.
  • Exceeding 10 DNS lookups
    • Remove unused vendors; replace broad includes with the vendor's more specific sub‑includes; use ip4/ip6 entries instead where a sender's IPs are fixed.
  • DKIM not aligning
    • Use the selector your platform issued for your domain; ensure the From: domain matches the DKIM signing domain (d=), or shares its organizational domain under relaxed alignment.
  • Forwarding breaks SPF
    • Rely on DKIM alignment; SPF fails after forwarding because the forwarder's server is not in your SPF record, which is expected.
  • DMARC reporting inbox overload
    • Use an external RUA parser; filter by source; rotate addresses if needed.

Monitoring and Gradual Policy Tightening

  • First 1–2 weeks:
    • p=none; collect reports; identify legitimate senders missing from SPF/DKIM.
  • Weeks 3–4:
    • Fix gaps; ensure DKIM signs all primary traffic; alignment OK.
  • Weeks 5–8:
    • Move to p=quarantine pct=25 → 100; watch complaint/spam rates and deliverability.
  • Final:
    • p=reject; sp=reject; maintain quarterly reviews; rotate DKIM keys yearly.
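The p=none phase is only useful if you actually read the aggregate reports. This added example (not the guide's or any vendor's code) parses a constructed RFC 7489 aggregate report and sorts each source IP into "ok", "unaligned" (authenticates, but for another domain: the legitimate sender you still need to add) or "unauthenticated" (nothing passed: investigate before enforcing); the report content, IPs and counts are made up.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report in the RFC 7489 XML shape; org, IPs and counts are
# made up for this example. policy_evaluated holds the aligned results the receiver used;
# auth_results holds the raw SPF/DKIM outcomes and the domains they passed for.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>amelitabaltar.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>amelitabaltar.com</header_from></identifiers>
    <auth_results><dkim><domain>amelitabaltar.com</domain><result>pass</result></dkim>
    <spf><domain>amelitabaltar.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>amelitabaltar.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>amelitabaltar.com</header_from></identifiers>
    <auth_results><spf><domain>amelitabaltar.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""
RANK = {"ok": 0, "unaligned": 1, "unauthenticated": 2}  # worst status wins per source

def text(el, path, default=""):
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else default

def triage_rua(xml_text):
    """Group rows by source IP and classify each source for the p=none review phase."""
    sources = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = text(rec, "row/source_ip")
        aligned = "pass" in (text(rec, "row/policy_evaluated/dkim"), text(rec, "row/policy_evaluated/spf"))
        raw_pass = {text(a, "domain") for a in rec.findall("auth_results/*") if text(a, "result") == "pass"}
        if aligned:
            status = "ok"  # DMARC pass: nothing to do
        elif raw_pass:
            status = "unaligned"  # authenticates, but for another domain: fix include / DKIM d=
        else:
            status = "unauthenticated"  # nothing passed: unknown sender or a spoofing attempt
        entry = sources.setdefault(ip, {"messages": 0, "status": "ok", "auth_domains": set()})
        entry["messages"] += int(text(rec, "row/count", "0"))
        entry["auth_domains"] |= raw_pass
        if RANK[status] > RANK[entry["status"]]:
            entry["status"] = status
    return sources
print(triage_rua(SAMPLE_RUA))
```

Real reports arrive as gzipped or zipped XML attachments; unpack them first and feed each file's text to triage_rua.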

FAQ

  • Do I need both SPF and DKIM for DMARC to pass?
    • No. DMARC passes if either SPF or DKIM passes AND aligns. Best practice: have both.
  • What alignment should I use, relaxed or strict?
    • Relaxed alignment is fine for most SMBs. Strict is possible if you control all sending patterns.
  • Will DMARC reduce deliverability?
    • Done right, it improves trust. Misconfiguration can cause rejections; stage changes and monitor reports.
  • Do I need BIMI?
    • Optional, but it can increase brand trust and open rates when available.
