SPF, DKIM, and DMARC are three DNS records that most small business owners have never heard of — until their emails start landing in spam, or a client asks why they never received a quote that was sent days ago.
They sound technical. They're not difficult. This guide explains what each one does in plain language, then shows you exactly how to add them — step by step, for any domain registrar.
The problem these records solve
When you send an email, the receiving mail server has no way to know, by default, whether that email actually came from you — or from a scammer pretending to be you. Anyone can write From: you@yourcompany.com in an email header. Without authentication, servers can't tell the difference.
This causes two problems:
- Your legitimate emails get flagged as spam. Because you look like you could be a spammer — there's no proof you're not.
- Scammers can impersonate your domain. Sending phishing emails that appear to come from your address, damaging your reputation with clients and suppliers.
SPF, DKIM, and DMARC solve both problems. Together, they tell the world's mail servers: "This email is genuinely from us, sent through our authorised system, and here's a cryptographic signature to prove it."
The silent failure: When an email fails authentication checks, it often disappears with no error. No bounce message, no notification. You assume it was delivered. The client assumes you never sent it. This is the most common cause of "I never got your email" in a professional context — and it's entirely preventable.
The three records — what each one does
SPF tells receiving mail servers which servers are authorised to send email on behalf of your domain. Think of it as a guest list: if an email arrives from a server not on the list, it fails the SPF check and is treated with suspicion. You add one TXT record to your DNS that names your email provider (Google, Zoho, Microsoft, etc.) as an approved sender. One detail that matters later: SPF is checked against the bounce address (the hidden "envelope sender"), not the From: line the reader sees.
DKIM adds a cryptographic signature to every email you send. When the email arrives, the receiving server looks up a public key in your DNS (under a name of the form selector._domainkey.yourdomain) and checks the signature against it. If it verifies, the signed headers and body have not been altered since they left your provider, and the domain named in the signature vouches for the message. If it doesn't, something is wrong. This is the record most people skip, and the one that matters most for deliverability.
DMARC tells receiving servers what to do when an email fails SPF or DKIM: let it through, quarantine it (send to spam), or reject it entirely. It also adds a check the other two lack, called alignment: the domain that passed SPF or DKIM has to be the domain in the From: address the reader sees. And it sends you reports on who is sending email using your domain, so you can spot if someone is impersonating you. DMARC needs at least one of SPF or DKIM to pass and align; in practice you want both in place, because SPF routinely breaks when mail is forwarded while a DKIM signature survives forwarding.
How they work together
The three records form a chain. Each one does something the others can't:
- SPF: "Is this email coming from a server we've approved?" If the sending server is listed for the envelope sender's domain, this passes.
- DKIM: "Has this email been modified since it left the sender's server?" The cryptographic signature either verifies or it doesn't.
- DMARC: "Did the domain that passed SPF or DKIM match the From: address, and if not, what should we do with this email?" Your DMARC record answers that question and reports back to you.
All checks passed. The receiving server is confident this email is legitimate and not spoofed. Into the inbox it goes.
You need all three. SPF alone isn't enough: it is evaluated on the envelope sender, which the spammer controls, so they can send from a server authorised for their own domain, pass SPF, and still put your address in the From: line. DKIM alone doesn't tell receivers which servers are approved, or what to do when a message arrives unsigned. DMARC without SPF and DKIM has nothing to act on. The three work as a system.
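The decision described above, as an added example written for this guide (it is not any mail server's code). It evaluates the alignment rule with constructed domains and results: the legitimate case, the spoofer who passes SPF on their own domain, and a marketing tool with and without signing as your domain. The two-label organisational-domain shortcut is an assumption; real verifiers use the Public Suffix List.

```python
"""Added example (not part of the original guide, not any mail server's code):
how a receiving server combines SPF, DKIM and DMARC into one decision.
All domain names and results are constructed for illustration."""


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Assumption: real verifiers consult the Public Suffix List so that
    'shop.example.co.uk' maps to 'example.co.uk'; this shortcut is enough
    for the constructed domains below."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """DMARC identifier alignment. 'r' (relaxed, the default) accepts a
    subdomain of the From: domain; 's' (strict) demands an exact match."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_evaluate(header_from, spf_domain, spf_result,
                   dkim_domain, dkim_result, policy="none",
                   aspf="r", adkim="r"):
    """Return (dmarc_pass, disposition).

    SPF is evaluated on the envelope sender (MAIL FROM / Return-Path) domain,
    which the reader never sees. DKIM is evaluated on the d= tag of the
    signature. DMARC passes only if at least one of them passed AND that
    domain aligns with the visible From: domain.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, aspf)
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, header_from, adkim))
    if spf_ok or dkim_ok:
        return True, "none"   # deliver normally
    return False, policy      # none: deliver, quarantine: spam, reject: drop


def scenarios(policy="quarantine"):
    """Four constructed messages that all show From: yourcompany.example."""
    me = "yourcompany.example"
    return {
        # Sent through the provider named in SPF, signed with your own key.
        "legitimate": dmarc_evaluate(me, me, "pass", me, "pass", policy),
        # Spoofer sends from a server authorised for THEIR domain: SPF passes
        # for attacker-bounces.example, but nothing aligns with From:.
        "spoof_passes_spf": dmarc_evaluate(
            me, "attacker-bounces.example", "pass", None, "none", policy),
        # Marketing tool using its own bounce domain but signing as you
        # (what providers call custom domain / sender authentication).
        "tool_with_your_dkim": dmarc_evaluate(
            me, "bounce.mailtool.example", "pass", me, "pass", policy),
        # Same tool without that step: SPF and DKIM both pass for the tool's
        # domain, neither aligns, so p=quarantine would send it to spam.
        "tool_without_your_dkim": dmarc_evaluate(
            me, "bounce.mailtool.example", "pass",
            "mailtool.example", "pass", policy),
    }


if __name__ == "__main__":
    for name, (ok, disposition) in scenarios().items():
        print(f"{name:24} DMARC {'pass' if ok else 'fail'} -> {disposition}")
```

Run it and the second and fourth scenarios fail DMARC even though SPF passed; that gap between "SPF passed" and "SPF passed for your domain" is the whole reason DMARC exists.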
How to add SPF
SPF is a TXT record added to your domain's DNS. The value tells receiving servers which mail provider(s) are authorised to send for your domain.
For Google Workspace
For Zoho Mail
For Microsoft 365
The ~all at the end means "soft fail": emails from unlisted servers are flagged but not rejected outright. This is the standard starting point. Once you're confident all your sending sources are listed, you can upgrade to -all (hard fail, reject). Be aware that DMARC treats a soft fail the same as a hard fail, so once DMARC is enforcing there is little to gain from -all, and some receivers reject -all failures outright, which catches legitimately forwarded mail.
Important: You can only have one SPF record per domain. If you try to add a second one, it breaks both: receivers treat two records as a permanent error and ignore them. There is a second limit to know about: evaluating the record may use at most 10 DNS lookups in total, and every include counts, along with any includes nested inside it. Go over and the record fails for everyone, so list only the services you actually send from. If you use multiple email services (e.g. Google Workspace for regular email and a marketing tool like Mailchimp), combine them into a single record:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
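An added example (written for this guide, not a tool from any provider) that checks the two rules above against a small DNS table built into the code: one SPF record per domain, and no more than 10 lookups once includes are followed. The record contents are constructed; `_spf.google.com` and `servers.mcsv.net` are the names used on this page, while the Zoho and Microsoft 365 include names are the ones their setup documentation publishes. The `DNS` dictionary stands in for real queries so the example runs offline.

```python
"""Added example (not the guide's own code): sanity checks on an SPF record
against a small constructed DNS table. Record contents below are made up for
the example; real provider records change, so query them rather than copy."""
import re

# Include hosts for the providers this guide covers. The Google and Mailchimp
# names appear in the guide; the Zoho and Microsoft 365 names are the ones
# their setup documentation publishes. Confirm in your own admin console.
PROVIDER_INCLUDES = {
    "Google Workspace": "_spf.google.com",
    "Zoho Mail": "zoho.com",
    "Microsoft 365": "spf.protection.outlook.com",
    "Mailchimp": "servers.mcsv.net",
}

# Constructed TXT records, domain -> list of strings as DNS would return them.
DNS = {
    "yourcompany.example": [
        "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
        "google-site-verification=constructed"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # The mistake from the guide: a second SPF record instead of a merged one.
    "broken.example": ["v=spf1 include:_spf.google.com ~all",
                       "v=spf1 include:servers.mcsv.net ~all"],
    # Too many lookups: every include costs one of the ten permitted.
    "toomany.example": ["v=spf1 " + " ".join(f"include:tool{n}.example" for n in range(11)) + " -all"],
}
for n in range(11):
    DNS[f"tool{n}.example"] = ["v=spf1 ip4:192.0.2.1 -all"]

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_record(domain: str):
    """Return the domain's single SPF record, or None. Two records is a
    permanent error for receivers, so it is an exception here."""
    found = [t for t in DNS.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise ValueError(f"{domain} publishes {len(found)} SPF records; receivers return permerror")
    return found[0] if found else None


def count_lookups(domain: str, depth: int = 0) -> int:
    """Count DNS-querying terms, following include: and redirect= recursively.
    ip4/ip6/all cost nothing; include, a, mx, ptr, exists, redirect cost one each."""
    record = spf_record(domain)
    if record is None or depth > 10:
        return 0
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)(?:[:=](.+))?$", term, re.IGNORECASE)
        if not m:
            continue
        mechanism, value = m.group(1).lower(), m.group(2)
        if mechanism in LOOKUP_MECHANISMS:
            total += 1
            if mechanism in ("include", "redirect") and value:
                total += count_lookups(value, depth + 1)
    return total


def merge_spf(includes, qualifier="~all") -> str:
    """Combine several senders into the one record a domain may publish."""
    return "v=spf1 " + " ".join(f"include:{host}" for host in includes) + f" {qualifier}"


def check_domain(domain: str) -> dict:
    """The summary worth looking at before and after editing the record."""
    try:
        record = spf_record(domain)
    except ValueError as err:
        return {"error": str(err)}
    lookups = count_lookups(domain)
    return {"record": record, "lookups": lookups, "within_limit": lookups <= MAX_LOOKUPS,
            "all_qualifier": record.split()[-1] if record else None}


if __name__ == "__main__":
    for d in ("yourcompany.example", "toomany.example", "broken.example"):
        print(d, check_domain(d))
    print(merge_spf([PROVIDER_INCLUDES["Google Workspace"], PROVIDER_INCLUDES["Mailchimp"]]))
```

Against a live domain, swap the `DNS` dictionary for real TXT lookups; the counting logic is the same, and it is the nested includes inside a provider's record (Google's alone uses four of the ten here) that push domains over the limit when a third or fourth service is added.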
How to add DKIM
DKIM needs a key pair, and the private half has to sit on the servers that send your mail, so you generate it from inside your email provider's admin console rather than writing the record by hand. Your provider keeps the private key (used to sign outgoing emails) and gives you the public key to publish in your DNS for verification.
Google Workspace
- Go to Google Admin Console → Apps → Google Workspace → Gmail
- Click Authenticate email
- Select your domain and click Generate new record
- Copy the TXT record it gives you and add it to your DNS exactly as shown
- Return to Google Admin and click Start authentication
Zoho Mail
- Go to Zoho Mail Admin Console → Email Authentication → DKIM
- Click Add and select your domain
- Copy the DKIM TXT record provided and add it to your DNS
- Return to Zoho and click Verify
Microsoft 365
- Go to Microsoft 365 Defender → Email & Collaboration → Policies & Rules → Threat policies → DKIM
- Select your domain and click Enable
- Two CNAME records will be shown — add both to your DNS
The DKIM record looks something like this (your values will differ):
DNS propagation: After adding your DKIM record, wait 15–30 minutes before trying to verify it in your email provider's console. If verification fails immediately, wait a little longer — DNS changes take time to propagate globally.
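What the receiving server actually does with the record you just published, as an added example written for this guide (not Google's, Zoho's or Microsoft's code): read the DKIM-Signature header, work out the DNS name to query, recompute the body hash with the "relaxed" canonicalisation most providers use, and sanity-check the TXT record. The message body, selector and key bytes are constructed (the key is a zero-filled placeholder, not a real key). Checking the b= signature itself needs the provider's RSA key and a crypto library, so it is deliberately left out.

```python
"""Added example (not the guide's or any provider's code): the parts of a
DKIM check a receiving server performs that need no private key, run on a
constructed message. Verifying the b= signature itself needs the provider's
RSA key pair and a crypto library, so it is deliberately left out."""
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse 'k=v; k=v' as used by both the DKIM-Signature header and the
    DNS TXT record. Whitespace inside values (folded headers, split TXT
    strings pasted back together) is dropped, as the RFC allows."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(dkim_signature: str) -> str:
    """Where the receiver looks for the public key: <selector>._domainkey.<d=>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def canon_body_simple(body: str) -> str:
    """RFC 6376 'simple': drop trailing empty lines, CRLF line endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) or "\r\n"


def canon_body_relaxed(body: str) -> str:
    """RFC 6376 'relaxed': also strip trailing whitespace on each line and
    collapse runs of spaces/tabs, so a relay that re-wraps whitespace does
    not break the signature."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t"))
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body: str, body_canon: str = "relaxed", algorithm: str = "rsa-sha256") -> str:
    """The bh= tag: base64 of the hash over the canonicalised body."""
    canon = canon_body_relaxed(body) if body_canon == "relaxed" else canon_body_simple(body)
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canon.encode("utf-8")).digest()).decode("ascii")


def check_body_hash(dkim_signature: str, body: str) -> bool:
    """First thing a verifier does: recompute bh= from the body it received.
    A mismatch means the body changed after signing (the l= length tag,
    which limits how much body is covered, is not modelled here)."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    return body_hash(body, body_canon, tags.get("a", "rsa-sha256")) == tags.get("bh")


def check_dkim_record(txt: str) -> list:
    """Problems you can catch in the published TXT record before waiting on
    the provider's verify button."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is present but not DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("no p= tag: no public key published")
    elif key == "":
        problems.append("p= is empty: key revoked, every signature fails")
    else:
        try:
            der = base64.b64decode(key, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (truncated or damaged when pasted?)")
        else:
            if tags.get("k", "rsa") == "rsa" and len(der) < 160:
                problems.append("p= too short for a 1024-bit RSA key; modern verifiers reject it")
    return problems


def demo_signature(d: str, s: str, body: str) -> str:
    """DKIM-Signature value for the constructed message: bh= is real,
    b= is left empty because only the provider's private key can fill it."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s={s}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


# Constructed message body and DNS record (the key bytes are a placeholder).
SAMPLE_BODY = "Hi,\r\n\r\nPlease find the quote attached.  \r\nRegards\r\n"
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode("ascii")

if __name__ == "__main__":
    sig = demo_signature("yourcompany.example", "google", SAMPLE_BODY)
    print(dkim_dns_name(sig), check_body_hash(sig, SAMPLE_BODY), check_dkim_record(SAMPLE_RECORD))
```

The relaxed canonicalisation is why a signature survives a relay that trims trailing spaces, while changing a single word in the body makes the hash fail; the record check catches the two pastes that break most DKIM setups, a truncated or line-broken p= value and an accidentally emptied one.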
How to add DMARC
DMARC is another TXT record, but this one goes on a specific subdomain: _dmarc.
Starting DMARC record (recommended for new setups)
The p=none policy means: monitor only — don't take any action on failing emails yet, just send me reports. This is the right place to start. It lets you see what's happening without risking legitimate emails being blocked.
Understanding the policy values
| Policy | What it does | When to use it |
|---|---|---|
| p=none | Monitor only. No action taken on failures. | Start here. Review reports for 2–4 weeks. |
| p=quarantine | Send failing emails to the spam folder. | After confirming all legitimate senders pass. |
| p=reject | Block failing emails entirely — they never arrive. | Full protection. Move here once confident. |
The rua=mailto: part tells mail servers where to send aggregate reports: summaries of who is sending email using your domain, with a count per sending IP address and whether SPF and DKIM passed. Set this to a mailbox you actually check. The reports arrive as XML attachments, usually one per receiving provider per day; free tools like dmarcian.com parse them into readable dashboards. One caveat: if the report address is on a different domain from the one you're protecting, that domain has to publish a small TXT record authorising it to receive your reports, or receivers will not send them. Hosted report services do this for you; a personal mailbox on another domain does not.
Upgrading over time: Start with p=none for a month, review the reports, then move to p=quarantine, then eventually p=reject. Jumping straight to p=reject without monitoring first can block legitimate emails you didn't know were being sent on your behalf (automated tools, CRMs, mailing list services). Watch in particular for third-party tools: many pass SPF on their own bounce domain rather than yours, which DMARC does not count, so they need to sign with your domain (most call this "custom domain" or "sender authentication" in their settings) before you tighten the policy.
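Reading those reports without a dashboard, as an added example written for this guide (not dmarcian's or any receiver's code). It validates the DMARC record you publish and then summarises a constructed aggregate report in the standard XML layout: which sources already pass, and which would start going to spam under p=quarantine. The IP addresses, counts and report metadata are made up; the interesting row is the marketing tool whose raw SPF passed for its own domain but is counted as a DMARC failure.

```python
"""Added example (not the guide's code): validate a DMARC record and read an
aggregate (rua) report without a third-party dashboard. The XML below is a
constructed report in the RFC 7489 layout; IPs and counts are made up."""
import xml.etree.ElementTree as ET


def parse_dmarc_record(txt: str):
    """Return (tags, problems) for a TXT record published at _dmarc.<domain>."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    problems = []
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must begin with v=DMARC1 or receivers ignore it")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("no rua=: you will never receive reports")
    elif not all(u.startswith("mailto:") for u in uris):
        problems.append("rua= entries must be mailto: URIs")
    return tags, problems


def summarize_report(xml_text: str) -> dict:
    """Aggregate report -> which sources pass DMARC and which would be hit
    by moving to p=quarantine. policy_evaluated holds the ALIGNED results;
    auth_results shows the raw SPF/DKIM domains that were checked."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "total": 0, "passing": 0, "failing": 0, "failing_sources": []}
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        summary["total"] += count
        if dkim == "pass" or spf == "pass":
            summary["passing"] += count
            continue
        summary["failing"] += count
        summary["failing_sources"].append({
            "ip": rec.findtext("row/source_ip"),
            "count": count,
            # Raw results expose a legitimate tool passing on its own domain.
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "spf_raw": rec.findtext("auth_results/spf/result"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return summary


def record_xml(ip, count, dkim, spf, spf_domain, spf_raw, dkim_domain=None):
    """One <record> element for the constructed report (helper, not a DMARC API)."""
    dkim_xml = f"<dkim><domain>{dkim_domain}</domain><result>pass</result></dkim>" if dkim_domain else ""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
            f"</policy_evaluated></row><identifiers><header_from>yourcompany.example</header_from>"
            f"</identifiers><auth_results>{dkim_xml}<spf><domain>{spf_domain}</domain>"
            f"<result>{spf_raw}</result></spf></auth_results></record>")


# Constructed report: your provider (passes), a marketing tool signing as
# itself (raw SPF pass, DMARC fail), and an unknown server spoofing you.
SAMPLE_REPORT = (
    '<?xml version="1.0"?><feedback>'
    '<report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>'
    '<policy_published><domain>yourcompany.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>'
    + record_xml("198.51.100.10", 42, "pass", "pass", "yourcompany.example", "pass", "yourcompany.example")
    + record_xml("192.0.2.25", 12, "fail", "fail", "bounce.mailtool.example", "pass", "mailtool.example")
    + record_xml("203.0.113.7", 5, "fail", "fail", "yourcompany.example", "fail")
    + "</feedback>")

if __name__ == "__main__":
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.example"))
    for source in summarize_report(SAMPLE_REPORT)["failing_sources"]:
        print(source)
```

A failing source whose `spf_raw` is "pass" for a domain that is not yours is almost always a tool you do use that has not been set up to sign with your domain; a failing source with your domain and raw fail on an IP you do not recognise is the spoofing the policy is there to stop.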
How to test everything is working
Once you've added all three records and waited 30 minutes for DNS propagation, test before assuming everything is correct.
Mail Tester
Go to mail-tester.com. It gives you a temporary email address. Send a test email to it from your business address, then check the score. A properly configured domain should score 9 or 10 out of 10. The breakdown shows exactly which checks passed and which didn't.
MXToolbox
Go to mxtoolbox.com and use the SPF, DKIM, and DMARC lookup tools. Enter your domain and it will show whether each record is present and correctly formatted.
Google Admin Toolbox
Google's own Check MX tool verifies your MX records and flags any DNS configuration issues that could affect email delivery.
Why this matters especially in the UAE
Standard spam filtering exists everywhere — but the UAE has some specific factors that make email authentication more critical than in many other markets.
- Government and semi-government entities run strict filters. Ministries, free zone authorities, and government-linked corporations frequently use enterprise email security gateways (Proofpoint, Mimecast, Barracuda) that apply aggressive authentication checks. An email without valid SPF/DKIM/DMARC is often silently dropped — not bounced, just gone.
- Corporate procurement systems. Large private sector companies in the UAE — banks, retailers, hospitality groups — similarly run filtered email environments. A supplier sending unauthenticated email is often automatically deprioritised or blocked.
- Scam awareness is high. The UAE has active public awareness campaigns around email fraud. Sophisticated email clients like Outlook flag unauthenticated emails from business domains with visible warnings. These warnings, even if the email lands in the inbox, reduce the likelihood of it being opened and acted on.
- Domain spoofing is a real risk. If your domain doesn't have DMARC in place, anyone can send a convincing phishing email that appears to come from your address. For a business that handles quotes, invoices, or contracts, this is a liability — not just a technical issue.
Setup checklist
- Add SPF TXT record (Host: @) with your email provider's include value
- Generate DKIM key pair from your email provider's admin console
- Add DKIM TXT record to DNS exactly as provided
- Enable/verify DKIM authentication in your email provider
- Add DMARC TXT record (Host: _dmarc) starting with p=none
- Set rua= to an email address you check regularly
- Wait 30 minutes, then test at mail-tester.com
- Verify all three records at mxtoolbox.com
- Review DMARC reports after 2–4 weeks and upgrade to p=quarantine
Done for you · Dubai
Rather not touch DNS records?
For $25, I'll add all three records correctly, verify them, and send you a Loom walkthrough of what was done and why — delivered within 24 hours.