If you want to cut down on spoofing, phishing, and deliverability issues, SPF and DKIM are two of the highest-leverage email security controls you can implement. They help mailbox providers verify that mail claiming to be from your domain is actually authorized—and hasn’t been altered in transit.
Quick definitions (plain English)
- SPF (Sender Policy Framework): A DNS record that lists which servers are allowed to send email for your domain.
- DKIM (DomainKeys Identified Mail): A cryptographic signature added to outgoing mail that proves the message wasn’t modified and that it was sent by an authorized system.
Together, they’re the foundation for DMARC, which tells receiving systems what to do when authentication fails.
Before you start: what you need
- Access to your domain’s DNS (where you add TXT/CNAME records)
- Your email platform details (Microsoft 365, Google Workspace, a ticketing system, marketing tool, etc.)
- A list of every service that sends email as your domain (invoices, CRM, monitoring tools, etc.)
How to set up SPF (step-by-step)
1) Identify every sender
Make a list of all services that send mail using your domain in the “From” address.
- Primary mailbox provider (Microsoft 365 or Google Workspace)
- Marketing platform
- CRM
- Help desk
- Website forms
- Any alerting/monitoring tools
2) Create (or update) your SPF TXT record
SPF is published as a TXT record at your root domain (or sometimes a subdomain).
A typical SPF record looks like this:
- v=spf1 include:example-sender.com -all
What the parts mean:
- v=spf1 = SPF version
- include: = authorizes another domain’s sending infrastructure
- -all = hard fail for anything not listed
3) Keep it to one SPF record
You should have one SPF record per domain. Multiple SPF records can cause “permerror” and break authentication.
4) Watch the DNS lookup limit
SPF has a limit of 10 DNS lookups. Too many include: statements can cause SPF to fail even if everything is “correct.”
5) Choose the right “all” mechanism
- -all (fail): best when you’re confident you’ve listed all senders
- ~all (softfail): temporary option during cleanup/migration
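To check steps 2 through 5 against what a domain actually publishes, here is an added Python example (not code from the original article): it lints a domain’s TXT records for exactly one SPF record, counts the terms that each cost a DNS lookup (include:, a, mx, ptr, exists:, redirect=), and reports which “all” qualifier is in use. The TXT values are constructed samples and the function names are my own.

```python
import re

SPF_LOOKUP_LIMIT = 10  # the 10-lookup limit from the guide (RFC 7208 sect. 4.6.4)
# Terms that each cost one DNS lookup; ip4:, ip6: and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def find_spf_records(txt_records):
    """Return every TXT record that is an SPF record (starts with v=spf1)."""
    return [r for r in txt_records if r.lower().startswith("v=spf1")]

def count_lookups(record):
    """Count lookup-causing terms in one record. Included domains are not
    resolved (offline check), so the real total is at least this number."""
    count = 0
    for term in record.split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count

def all_qualifier(record):
    """Return the qualifier of the 'all' term: '-', '~', '?', '+' (None if absent)."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None

def lint_spf(txt_records):
    """Apply steps 2-5 of the SPF guide to a domain's TXT records; [] means clean."""
    findings = []
    spf = find_spf_records(txt_records)
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found; merge into one (permerror)")
    record = spf[0]
    lookups = count_lookups(record)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}")
    q = all_qualifier(record)
    if q is None or q in ("+", "?"):
        findings.append("no -all/~all: mail from unlisted senders is not rejected")
    elif q == "~":
        findings.append("~all (softfail) in use; tighten to -all once senders are inventoried")
    return findings

# Constructed sample TXT records for a fictional domain (not real DNS data).
SAMPLE_TXT = ["v=spf1 include:example-sender.com -all", "site-verification=constructed-token"]

if __name__ == "__main__":
    print(lint_spf(SAMPLE_TXT) or "SPF looks good")
```

Feed it the TXT records you get from `dig TXT yourdomain.example` to see which of the guide’s checks your current record trips.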
How to set up DKIM (step-by-step)
1) Enable DKIM in your email platform
Most providers generate DKIM keys for you. You’ll typically be given:
- One or two CNAME records to add to DNS (common)
- Or a TXT record containing a public key (less common today)
2) Publish the DKIM records in DNS
Add the records exactly as provided by your platform. DKIM uses a “selector” (a label) so you can rotate keys without downtime.
3) Turn DKIM signing on
Once DNS is published, enable DKIM signing in the platform so outgoing messages are signed.
4) Confirm it’s working
Send a test email to a mailbox you control and check the message headers for:
- dkim=pass
- spf=pass
Common SPF/DKIM mistakes (and how to avoid them)
- Multiple SPF records: merge into one.
- Forgetting third-party senders: invoices/CRMs/help desks often get missed.
- Too many SPF lookups: reduce includes, remove unused services, or use SPF flattening (carefully).
- DKIM not enabled after DNS: publishing DNS isn’t enough—signing must be turned on.
- Using the wrong domain: make sure the domain in your “From” matches the domain you authenticated.
Recommended next step: add DMARC
SPF and DKIM are strongest when you add DMARC.
Start with a monitoring policy (no enforcement), then tighten over time:
- p=none → monitor
- p=quarantine → suspicious mail goes to spam
- p=reject → block unauthenticated mail
A simple checklist you can copy
- Inventory every system that sends email as your domain
- Publish one SPF TXT record
- Enable DKIM and publish DKIM records
- Verify headers show spf=pass and dkim=pass
- Add DMARC for visibility and enforcement