How to Set Up Email Authentication (SPF, DKIM, DMARC): A Step-by-Step Guide
Email authentication protects your newsletter from spoofing and ensures your emails reach the inbox. This guide walks through setting up SPF, DKIM, and DMARC — the three protocols that prove to email providers you're a legitimate sender.
Step-by-Step Instructions
Understand the three protocols
SPF (Sender Policy Framework) specifies which servers can send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to prove emails haven't been tampered with. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy for handling failures. Together, they form a complete authentication system.
Set up SPF
Add a TXT record to your domain's DNS with your SPF policy. The record lists which mail servers are authorised to send on your behalf. A typical SPF record for newsletter senders looks like: 'v=spf1 include:send.resend.com ~all' (for Resend) or 'v=spf1 include:_spf.google.com ~all' (for Google). Keep your SPF record to at most 10 DNS lookups (the protocol limit); each 'include:' counts, as do the 'a', 'mx', 'ptr', 'exists' and 'redirect' mechanisms, so the limit is easy to hit when several services are chained together.
Configure DKIM
Your email platform generates a DKIM key pair. Add the public key as a CNAME or TXT record in your DNS. The private key stays with your sending service to sign outgoing emails. Most platforms provide the exact records you need — you just copy and paste them into your DNS management panel. Use a 2048-bit key for stronger security.
Implement DMARC
Add a DMARC TXT record to your DNS at '_dmarc.yourdomain.com'. Start with a monitoring policy: 'v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com'. This lets you see authentication results without affecting delivery. Once you're confident SPF and DKIM are working, gradually move to 'p=quarantine' and eventually 'p=reject'.
Verify your setup
Use free tools like MXToolbox, mail-tester.com, or Google Admin Toolbox to verify all three protocols are correctly configured. Send a test email and check the Authentication-Results header on the received copy: look for 'spf=pass', 'dkim=pass', and 'dmarc=pass'. If any fail, review the DNS records for typos or propagation delays (DNS changes can take up to 48 hours).
Monitor DMARC reports
Once DMARC is set up, you'll start receiving XML reports about authentication results. These reports show which servers are sending email from your domain and whether they pass authentication. Use a DMARC monitoring service (like Postmark's DMARC tool or dmarcian) to parse these reports into readable dashboards. Monitor for any unauthorised senders using your domain.
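To show what a monitoring service does with those reports, here is a small parser for the aggregate (rua) XML format, written for this guide rather than taken from Aldus or any other product. It reads a constructed sample report and tallies, per source IP, how many messages passed or failed DMARC, which is how unauthorised senders surface.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (rua) report, reduced to the elements
# this example reads. Real reports arrive by email as gzip or zip attachments.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarise_dmarc_report(xml_text):
    """Tally messages per source IP into DMARC pass/fail buckets.

    Under <policy_evaluated>, <dkim> and <spf> are the *aligned* results;
    a message passes DMARC when at least one of them is 'pass'.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        passed = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                            rec.findtext("row/policy_evaluated/spf"))
        bucket = summary["sources"].setdefault(ip, {"pass": 0, "fail": 0})
        bucket["pass" if passed else "fail"] += count
    return summary

def failing_sources(xml_text):
    """Source IPs with DMARC failures: a service missing from SPF/DKIM, a
    forwarder, or someone else sending as your domain. Each needs a look."""
    summary = summarise_dmarc_report(xml_text)
    return {ip: b["fail"] for ip, b in summary["sources"].items() if b["fail"]}
```

While the published policy is still 'p=none', a failing source costs nothing in delivery, which is exactly the window for finding legitimate senders you forgot before moving to 'quarantine' or 'reject'.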
Pro Tips
- Start DMARC with p=none and monitor for 2-4 weeks before enforcing
- DNS changes can take up to 48 hours to propagate — be patient when verifying
- Keep a record of your DNS changes in case you need to troubleshoot later
- If you use multiple email services (newsletter platform + Google Workspace), ensure SPF includes all of them
- Test authentication after every change to your sending infrastructure
Common Mistakes to Avoid
- Starting with DMARC p=reject before verifying SPF and DKIM work correctly — this can block legitimate email
- Exceeding the SPF 10-lookup limit when using multiple email services
- Forgetting to update SPF when switching email platforms
- Not monitoring DMARC reports — they reveal authentication failures you might not otherwise notice
- Setting up authentication for the main domain but not the subdomain used for sending
How Aldus Makes This Easier
Aldus automates email authentication setup. When you add a custom sending domain, the platform generates the exact SPF and DKIM records you need and verifies they're correctly configured before sending any email. No manual DNS lookup or record composition required.
Frequently Asked Questions
Do I really need all three protocols?
Yes. Google and Yahoo require SPF, DKIM, and DMARC for bulk senders (over 5,000 emails/day) as of 2024. Even below that threshold, proper authentication significantly improves deliverability and protects your domain from spoofing.
How long does setup take?
The actual DNS changes take 10-15 minutes. DNS propagation can take up to 48 hours, though most changes are visible within 1-2 hours. Plan to verify your setup the day after making changes.
What if my emails fail authentication?
Check each protocol individually. SPF failures usually mean your sending server isn't listed in the record. DKIM failures indicate a key mismatch or missing record. DMARC failures mean that neither SPF nor DKIM produced a pass that aligns with the From domain. Your email platform's support can help troubleshoot specific failures.