DMARC, SPF, DKIM: quick setup guide

Step-by-step guide to deploying SPF, DKIM, and DMARC for better deliverability and spoofing protection.

Inventory your senders

List every platform that sends on your domain: marketing tools, CRMs, ticketing, and cloud relays. Missing one is the fastest way to cause bounces when you tighten policies.

• Export DNS SPF records and compare to real mail headers.
• Tag each sender with an owner so fixes are fast.
• Remove legacy servers that no longer send mail.

Configure SPF and DKIM

Create a single SPF record per domain and avoid nested includes. Enable DKIM signing in each provider with 2048-bit keys for primary domains.

• Flatten SPF if you are near the lookup limit.
• Rotate keys yearly and remove stale selectors.
• Test with a staging subdomain before production.

Roll out DMARC safely

Start with p=none and rua/ruf reporting. Once reports are clean, move to quarantine and then reject. Update your abuse@ mailbox to monitor early signals.

• Monitor forwarding services that may break alignment.
• Send reports to an analyst mailbox or DMARC dashboard.
• Document the change window and notify stakeholders.