
SPF DMARC DKIM Security: Essential Email Authentication Guide

SPF, DKIM & DMARC: Now Mandatory at Google, Yahoo, Microsoft & More

Protect your brand and improve deliverability with proper email authentication.

Let Pala IT help you protect your brand and improve deliverability with proper email authentication.

Why Email Authentication Matters

Email remains one of the most critical communication channels for businesses. However, with rising phishing attacks and spam campaigns, mailbox providers such as Google and Yahoo are tightening the rules for what messages they accept and deliver. Today, having proper email authentication in place isn’t optional. If you want your emails reliably delivered (and avoid being flagged as spam or outright rejected), you need to implement three key standards:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting & Conformance)

Together, SPF, DKIM and DMARC ensure that your emails are authenticated correctly, protecting your brand from spoofing and phishing while improving deliverability. With major providers like Google Workspace, Microsoft 365, and Yahoo Mail enforcing strict email authentication rules, it’s no longer optional to have SPF, DKIM, and DMARC configured on your domain.

In this guide, you’ll learn how to:

  • Publish and validate an SPF record for your domain
  • Generate and rotate DKIM keys across Office 365, Google Workspace, Amazon SES, and other providers
  • Set up a DMARC policy (monitor → quarantine → reject) to protect your brand
  • Use our live checker tool below to fetch and verify your own TXT records in real time

1. Sender Policy Framework (SPF)

What is SPF? SPF is a DNS TXT record that specifies which servers (IP addresses or domains) are authorized to send email on behalf of your domain.

Why it's required by major providers:

  • Gmail (Google): Checks incoming mail against the SPF record. If the sending IP isn’t authorized, Gmail may mark it as spam or reject it.
  • Yahoo/AOL: Requires SPF alignment (the “Return-Path”/“Envelope From” domain must match the “From” domain). Failing SPF can lead to quarantined or rejected mail.
  • Microsoft (Office 365/Outlook.com): Uses SPF to help validate senders. If an email fails both SPF and DKIM, it’s likely to land in the Junk folder.
  • Apple (iCloud): Recommends SPF to reduce spoofing attempts. While iCloud’s enforcement isn’t as strict as Gmail’s, a missing or incorrect SPF can still trigger a “Likely Junk” verdict.
  • Amazon SES: Publishes its sending behavior and expects your SPF record to include amazonses.com if you send via SES.
  • Other Big Players (ProtonMail, Zoho Mail, FastMail): All look for valid SPF records before determining delivery or spam placement.

Sample SPF TXT Record (Office 365 + Mailchimp + Amazon SES):

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:amazonses.com -all

Adjust the include mechanisms to match the services that actually send for your domain, and use an SPF checker (e.g., MXToolbox) to validate the syntax and the DNS lookup count (10 lookups maximum).
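To check a record like the one above before publishing it, here is an added example (not Pala IT's code or tool) that statically parses an SPF record, counts the top-level terms that consume DNS lookups against the limit of 10, and flags weak or malformed terms. It makes no DNS queries, so it counts only the includes written in the record itself; a real evaluator also recurses into each included record.

```python
import re

# Terms that each cost a DNS lookup toward RFC 7208's limit of 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
NO_LOOKUP_TERMS = {"ip4", "ip6", "all", "exp"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?(?:/\d{1,3}(?:/\d{1,3})?)?", re.I)

def analyze_spf(record: str) -> dict:
    """Statically check one SPF TXT record; no DNS queries are made.

    Counts only the top-level lookup-costing terms (a real evaluator also
    recurses into every include), records the 'all' qualifier and collects
    findings worth reviewing before publishing.
    """
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None,
                "findings": ["record must start with v=spf1"]}
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        m = TERM.fullmatch(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        # Qualifier: + pass (default), - fail, ~ softfail, ? neutral
        qualifier, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all":
            all_qualifier = qualifier
            if qualifier in ("+", "?"):
                findings.append(f"'{qualifier}all' lets unlisted hosts through; use ~all or -all")
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                findings.append("ptr is deprecated and slow to evaluate; remove it")
            if name in ("include", "exists", "redirect") and not arg:
                findings.append(f"{name} requires a domain argument")
        elif name not in NO_LOOKUP_TERMS:
            findings.append(f"unknown term: {name}")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "findings": findings}
```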

2. DomainKeys Identified Mail (DKIM)

What is DKIM? DKIM uses cryptographic signatures to ensure a message was sent by an authorized server and hasn’t been tampered with.

Why it's required by major providers:

  • Gmail (Google): Gmail strongly prefers a valid DKIM signature. Passing DKIM (aligned to the “From” domain) is as important as SPF for deliverability.
  • Yahoo/AOL: Requires an aligned DKIM signature (matching the “From” domain) for mail to pass DMARC. Without valid DKIM, mail is likely to be quarantined.
  • Microsoft (Office 365/Outlook.com): Supports DKIM for custom domains once you enable it in the admin portal. If DKIM isn’t set up, you lose a major piece of the authentication puzzle and may see more spam-folder placements.
  • Apple (iCloud): Verifies DKIM signatures to reduce phishing attempts. Unauthenticated mail risks “Junk” filtering.
  • Amazon SES: Generates DKIM keys automatically for you (if you enable Easy DKIM). You simply publish the CNAMEs they provide and SES signs your outgoing mail.
  • Other Providers: Most reputable ESPs (SendGrid, Mailgun, Brevo, Postmark) use DKIM under the hood and require you to publish their provided public-key DNS records.

Sample DKIM CNAME Records for Microsoft 365:

selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
selector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

If using Google Workspace, publish a TXT record like:

google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=..."

with p= filled in with your public key. Always verify via your provider’s validator or send a test to check-auth@verifier.port25.com.

3. DMARC (Domain-based Message Authentication, Reporting & Conformance)

What is DMARC? DMARC sits on top of SPF and DKIM. It tells receiving mail servers what to do if SPF and/or DKIM fail, and where to send forensic or aggregate reports.

Why it's required by major providers:

  • Gmail (Google): Requires a published DMARC record. Without one, or with a policy that is too lax, Gmail still routes unauthenticated mail to spam; with a “quarantine” or “reject” policy, Gmail enforces strict alignment.
  • Yahoo/AOL: Won’t accept mail from domains without DMARC. They require both SPF and DKIM to align (or at least one to align with the “From” address) under a valid DMARC policy.
  • Microsoft (Office 365/Outlook.com): Uses DMARC to determine whether to place unverified mail in Junk or reject it altogether—especially from bulk senders.
  • Apple (iCloud): While not as public about enforcement, iCloud’s spam filters heavily favor domains with valid DMARC (aligned SPF or DKIM). Failing checks likely trigger “Junk” placement.
  • Amazon SES: Recommends DMARC to protect your sending domain. SES-sent mail that fails DMARC can damage your sending reputation.
  • Other Major ESPs: Virtually all top-tier providers (ProtonMail, FastMail, Zoho, Rackspace) check for DMARC. An absent or misconfigured DMARC record greatly increases spam-folder placements.

Sample “Monitor Only” DMARC Record:

v=DMARC1; p=none; rua=mailto:dmarc-aggregate@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; pct=100; sp=none; fo=1

As you gather data, move p=none to p=quarantine, then to p=reject once you’re confident all legitimate traffic authenticates properly. Ensure dmarc-aggregate@ and dmarc-forensics@ mailboxes exist or use a reporting service for RUA/RUF.
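To see how a published policy is actually applied, here is an added example (not Pala IT's code) that parses a DMARC record, fills in the defaults, and evaluates rows shaped like the records in an RUA aggregate report against the SPF/DKIM alignment rules. SAMPLE_ROWS and the IP addresses are constructed, and the organizational-domain check is simplified to the last two labels.

```python
def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; ...' into a dict and fill in the DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("record needs v=DMARC1 and p=none|quarantine|reject")
    # Defaults from RFC 7489: relaxed alignment, sp inherits p, pct=100.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(policy: dict, row: dict) -> str:
    """Return 'pass', or the policy action a receiver would apply to this row."""
    spf_ok = row["spf"] == "pass" and aligned(row["spf_domain"], row["from"], policy["aspf"])
    dkim_ok = row["dkim"] == "pass" and aligned(row["dkim_domain"], row["from"], policy["adkim"])
    return "pass" if spf_ok or dkim_ok else policy["p"]

# Constructed rows shaped like the records in an RUA aggregate report.
SAMPLE_ROWS = [
    {"ip": "203.0.113.10", "from": "yourdomain.com", "spf": "pass", "spf_domain": "yourdomain.com",
     "dkim": "pass", "dkim_domain": "yourdomain.com"},   # your own mail server
    {"ip": "198.51.100.7", "from": "yourdomain.com", "spf": "pass", "spf_domain": "mcsv.net",
     "dkim": "fail", "dkim_domain": "yourdomain.com"},   # ESP: SPF unaligned, DKIM not yet published
    {"ip": "192.0.2.55", "from": "yourdomain.com", "spf": "fail", "spf_domain": "yourdomain.com",
     "dkim": "none", "dkim_domain": ""},                 # unknown sender the policy should catch
]

def review(record: str, rows=SAMPLE_ROWS) -> dict:
    """Map each source IP to what the published policy would do to its mail."""
    policy = parse_dmarc(record)
    return {row["ip"]: dmarc_disposition(policy, row) for row in rows}
```

Running review() with the monitor-only record shows that the second row (an ESP that passes SPF only on its own Return-Path domain) would start failing once you move to p=quarantine, which is exactly the kind of sender the monitoring phase is meant to surface.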

Live SPF / DMARC / DKIM Checker

Enter your domain below (and an optional DKIM selector) to fetch and display the raw TXT records for SPF, DMARC, and DKIM.

Major Providers’ Requirements at a Glance

Provider | SPF | DKIM | DMARC | Notes
--- | --- | --- | --- | ---
Google (Gmail) | ✔️ Must pass or aligned | ✔️ Must pass or aligned | ✔️ Required (p=none/quarantine/reject) | Enforces BIMI only if DMARC=pass
Yahoo / AOL | ✔️ Must pass + align | ✔️ Must pass + align | ✔️ Required (reject if missing) | Unauthenticated mail is outright rejected or quarantined
Microsoft (Office 365/Outlook.com) | ✔️ Required (pass or aligned) | ✔️ Required (pass or aligned) | ✔️ Required | Office 365 automatically signs with DKIM if you enable it in the admin portal
Apple (iCloud) | ✔️ Strongly recommended | ✔️ Strongly recommended | ✔️ Highly recommended | No public “reject” announcement, but mail is likely to be marked as Junk if missing
Amazon SES | ✔️ Include “amazonses.com” | ✔️ Easy DKIM templates via SES console | ✔️ Recommended | No enforcement on inbound, but recommended to protect your domain
Other ESPs (ProtonMail, FastMail, Zoho) | ✔️ Required | ✔️ Required | ✔️ Required/Recommended | Enforcement varies, but missing any hurts deliverability

Consequences of Not Complying

  • Delivery Failures: Without SPF, DKIM, and DMARC, your emails will likely be flagged as spam or bounced by Gmail, Outlook, Yahoo, iCloud, etc.
  • Brand Reputation Damage: Recipients might think your domain is spoofed or compromised and lose trust in your messages.
  • Higher Bounce Rates: More bounces mean lower sender reputation, which hurts even your authenticated streams.
  • Reduced Engagement: Emails landing in spam lower opens, clicks, and conversions for marketing campaigns.

How to Get Started

  1. Audit Your Email Streams:

    List every system sending on your domain: Office 365, Google Workspace, Mailchimp, HubSpot, Amazon SES, CRM software, website forms, helpdesk or ticketing tools, and so on. Document IPs, hostnames, and any vendor-provided sending domains.

  2. Publish or Update SPF:

    Log into your DNS host (Cloudflare, GoDaddy, AWS Route 53, etc.) and create or update the TXT record. Use an SPF checker to confirm you’re under the 10-lookup limit.

  3. Enable & Publish DKIM:

    • Office 365: In the Exchange Admin Center → Mail Flow → DKIM, enable for each custom domain. Publish the two CNAMEs as shown in the sample above.
    • Google Workspace: Admin Console → Gmail → Authenticate Email. Generate the public key, publish the TXT record, then verify.
    • Amazon SES, SendGrid, Mailgun, etc.: Follow each service’s console instructions to publish the provided CNAME or TXT records.

  4. Implement DMARC:

    • Start with a monitoring policy (p=none). Publish:
      _dmarc.yourdomain.com. TXT "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100; sp=none; fo=1"
    • Verify that RUA (aggregate) reports arrive. Identify all legitimate senders and adjust SPF/DKIM accordingly.
    • After 2 to 4 weeks, move to p=quarantine for another 2 to 4 weeks, monitoring for false positives.
    • Finally, switch to p=reject once you’re confident all legitimate traffic authenticates properly.

  5. Monitor & Maintain:

    Rotate DKIM keys every 12 to 24 months. Update SPF whenever you onboard a new email service. Review DMARC reports monthly to catch new unauthorized senders (old servers, forgotten marketing tools, and so on).

Pala IT’s Email Authentication Services

At Pala IT, we know how critical email continuity is for your business. Misconfigured DNS records or missing authentication can lead to lost leads, frustrated customers, and brand erosion. We offer a turnkey package to get you fully compliant:

  • Discovery & Audit: Identify every email stream tied to your domain and review existing SPF, DKIM, and DMARC records.
  • Configuration Assistance: Create or update SPF, enable and publish DKIM keys, and roll out DMARC with a phased approach (monitor → quarantine → reject).
  • Ongoing Monitoring: Automated DMARC reporting, monthly summaries highlighting failures, and proactive troubleshooting for any sudden deliverability issues.
  • Training & Documentation: Step-by-step guides so your IT team knows exactly how to add new SPF or DKIM entries. Clear documentation so you can parse DMARC reports and spot unauthorized senders before they harm your reputation.
  • Bonus: BIMI Setup: Display your logo in Gmail, Yahoo, and other BIMI-enabled inboxes for greater brand recognition and higher open rates.

Contact Us for a Free 15 Minute Consultation
