Bulko

SPF, DKIM, and DMARC Configuration

May 9, 2026

SPF, DKIM, and DMARC are three email authentication mechanisms. All three are configured in your domain's DNS settings. Without them, cold email campaigns are likely to end up in spam folders in Gmail, Outlook, and most corporate providers, even if the SMTP account is warmed up perfectly.

SPF – Who is Allowed to Send

SPF (Sender Policy Framework) is a TXT record in DNS that lists the IP addresses and servers authorized to send emails on behalf of your domain. If an email comes from the domain example.com, but the sender's IP is not listed in the SPF record for example.com, it's a sign of spoofing.

Example SPF record for Gmail Workspace:

v=spf1 include:_spf.google.com ~all

For Amazon SES:

v=spf1 include:amazonses.com ~all

For multiple providers simultaneously:

v=spf1 include:_spf.google.com include:amazonses.com ~all

Important: A domain can have only one SPF record. List all includes inside that one record, separated by spaces. Two SPF records are an error, and many providers will reject such emails.

DKIM – Cryptographic Signing of Emails

With DKIM (DomainKeys Identified Mail), each outgoing email is signed with a private key, and the public key is published in DNS. The recipient verifies the signature to confirm that the email is indeed from your domain and has not been altered in transit.

DKIM is configured on the SMTP provider's side. For Gmail Workspace, it is enabled in Admin Console → Apps → Gmail → Authenticate email. You will receive a string for DNS in the format:

google._domainkey.example.com TXT v=DKIM1; k=rsa; p=MIIBIjANB...

After adding the DNS record, click the "Start authentication" button in Gmail Admin, and outgoing emails will be signed automatically.

DMARC – What to Do in Case of Mismatch

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy that tells providers what to do if an email fails SPF or DKIM checks. It also sends reports about suspicious sending activity to your email address.

Minimal DMARC record:

_dmarc.example.com TXT v=DMARC1; p=none; rua=mailto:[email protected]

Policy parameters:

  • p=none – monitoring only, do not block anything. Use at the start to receive reports and not break legitimate emails
  • p=quarantine – send suspicious emails to spam
  • p=reject – reject suspicious emails. Final state, switch to reject after several weeks of quarantine without problems

Verification

Postigo has built-in validators: SPF Checker, MX Checker. We also recommend mxtoolbox.com and mail-tester.com for additional verification.

In Gmail, after receiving a test email, open "Show original" to see the Authentication-Results block. It should show spf=pass, dkim=pass, dmarc=pass. If at least one is "fail", the configuration is not yet complete.
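The one-SPF-record rule and the DMARC policy tags described above can also be checked on the record strings themselves before any test email is sent. The following Python code is an added example, not part of the original article or of Postigo's validators; it works on TXT strings you have already looked up, and the function names, sample records and report address are constructed for illustration.

```python
# Added example: offline audit of SPF and DMARC TXT strings (constructed sample data).
APEX_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:amazonses.com ~all",
    "google-site-verification=constructed-placeholder",
]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]  # placeholder address

def spf_records(txt_records):
    """Keep only TXT strings whose first term is the SPF version tag."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def merge_spf(records):
    """Fold several SPF records into the single record a domain must publish."""
    mechanisms, all_term = [], None
    for rec in records:
        for term in rec.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                all_term = all_term or term  # keep the first one; review by hand
            elif term not in mechanisms:
                mechanisms.append(term)
    # Assumption: fall back to ~all, the qualifier used in the article's examples.
    return " ".join(["v=spf1", *mechanisms, all_term or "~all"])

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit(apex_txt, dmarc_txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, spf = [], spf_records(apex_txt)
    if not spf:
        findings.append("SPF: no record published")
    elif len(spf) > 1:
        findings.append(f"SPF: {len(spf)} records, publish one: {merge_spf(spf)}")
    dmarc = [parse_dmarc(r) for r in dmarc_txt if r.lower().lstrip().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return findings + [f"DMARC: expected exactly one record, found {len(dmarc)}"]
    policy = dmarc[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, nothing is blocked yet")
    if "rua" not in dmarc[0]:
        findings.append("DMARC: no rua= tag, so no reports will arrive")
    return findings
```

Calling audit(APEX_TXT, DMARC_TXT) on the constructed sample flags the duplicate SPF records, proposes the merged record, and notes that the DMARC policy is still in monitoring mode.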

How Long to Wait After Changing DNS

DNS changes take from 5 minutes to 48 hours to propagate, depending on the provider and TTL. In practice, most providers see changes in 1-4 hours. Do not start sending immediately after changing DNS: wait at least an hour and check via mxtoolbox.
