2024 SPF, DMARC & DKIM Record Updates


How to Set Up SPF Records

Step 1: Collect the IP address and email server used to send emails

The Sender Policy Framework (SPF) lets you authenticate your email by specifying which IP addresses or email servers are allowed to send email on behalf of your domain. The IP address is optional, so to keep things simple you can just reference the email server. The email server is the one you send marketing emails from (Klaviyo, Mailchimp, etc.). Further down is an additional step you can take to authenticate your Gmail server for any emails you send outside of marketing emails.

Step 2: Create your SPF record

The SPF record should be registered on the DNS zone of your domain name.

  • Create a new record and choose TXT Record as the type of record.
  • The host can be filled in with “@”
  • The value should look like this:

(assuming you use Google to send emails and Klaviyo to send marketing emails)
v=spf1 ip4: include:_spf.google.com include:_spf.klaviyo.com ~all

OR without the IP address

v=spf1 include:_spf.google.com include:_spf.klaviyo.com ~all

Both of these are valid, so feel free to use the version without the IP address.

If you only want to validate Klaviyo, this is the record you would use

v=spf1 include:_spf.klaviyo.com ~all

or if you use HubSpot to send

v=spf1 ip4: include:_spf.google.com include:_spf.hubspot.com ~all

or if you use Mailchimp to send

v=spf1 ip4: include:_spf.google.com include:_spf.mailchimp.com ~all

a. Start with the SPF version. This part defines the record as SPF

An SPF record should always start with the version number v=spf1 (version 1). This tag defines the record as SPF.

NOTE: There used to be a second version of SPF (called SenderID), but this was discontinued.

b. Follow with IP addresses

After including the v=spf1 SPF version tag, follow with any IP addresses that are authorized to send emails on your behalf. 

Example:  v=spf1 ip4: ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e

c. Add include tags

Next, you can add an include tag for every third-party organization that’s used to send emails on your behalf.

Example: include:_spf.klaviyo.com

You can add more than one include tag to your record value.

Example: include:_spf.lemlist.com include:_spf.google.com

d. End your record with an ~all or -all tag

Once you’ve added all IP addresses and include tags, end your record with an ~all or -all tag.

The all tag is an important part of the SPF record as it indicates what policy should be applied when ISPs detect a server that’s not listed in your SPF record. 

If an unauthorized server does send an email on behalf of your domain, action is taken according to the policy that has been published (e.g. reject the email or mark it as spam). 

  • -all  Fail – servers not listed in the SPF record are not authorized to send emails (noncompliant emails will be rejected).
  • ~all  Softfail – If the email is received from a server that isn’t listed, the email will be marked as a soft fail (emails will be accepted but marked).
  • +all  We strongly recommend not using this option, as this tag allows any server to send emails from your domain.
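The rules in steps a to d can be checked before a record is published. The linter below is an added example, not code from the original article; the name lint_spf, the sample records and the documentation address 192.0.2.10 are assumptions made here. It also shows that an ip4: term with no address after the colon is a syntax error, so that term needs a real address or should be left out.

```python
import ipaddress

# Qualifier in front of "all" -> result for servers the record does not list.
ALL_POLICY = {"-": "fail", "~": "softfail", "+": "pass", "?": "neutral"}

def lint_spf(record):
    """Return (all_policy, problems) for one SPF TXT value (hypothetical helper)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["record must start with v=spf1"]
    policy, problems = None, []
    for pos, term in enumerate(terms[1:], start=1):
        # A mechanism with no qualifier behaves as "+", so a bare "all" is "+all".
        qualifier = term[0] if term[0] in ALL_POLICY else "+"
        name, _, value = term.lstrip("+-~?").lower().partition(":")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"{term}: address family does not match {name}")
            except ValueError:
                problems.append(f"{term}: missing or invalid address")
        elif name == "include" and not value:
            problems.append(f"{term}: include needs a domain")
        elif name == "all":
            policy = ALL_POLICY[qualifier]
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
        # Other mechanisms (a, mx, redirect= ...) are passed through unchecked.
    if policy is None:
        problems.append("record has no all mechanism")
    elif policy == "pass":
        problems.append("+all lets any server send as this domain")
    return policy, problems

# Constructed sample records; 192.0.2.10 is a documentation address.
SAMPLES = [
    "v=spf1 include:_spf.google.com include:_spf.klaviyo.com ~all",
    "v=spf1 ip4: include:_spf.google.com include:_spf.klaviyo.com ~all",
    "v=spf1 ip4:192.0.2.10 include:_spf.google.com -all",
    "v=spf1 include:_spf.google.com +all",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(lint_spf(rec), "<-", rec)
```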

Step 3: Publish Your SPF Record

After defining your SPF record, it’s time to save your modification. By doing this, you publish your record into your DNS. It will take at least 24 hours to take effect.

How to Set Up DMARC Records

DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. It aligns with SPF and DKIM and links the sender’s email address and domain name using records published on the DNS.

A legitimate email sometimes fails the SPF or DKIM test. Despite this, mailbox providers allow it to enter if it appears to come from a credible source. This is because DMARC clarifies the action required in such situations.

DMARC is a DNS TXT record that directs a recipient’s server on how to deal with emails coming from your domain. The server can ‘Quarantine’, ‘Reject’, or ‘Allow’ a message as per your DMARC policy.

Make it a TXT Record, and @ under Name.

Creating a DMARC record is the same process as creating an SPF record. The value can look like this:

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-rua@example.com

DMARC tags specify aspects of a DMARC implementation, and not all of them are equally important or widely used.

They’re divided into the following three categories:

  1. Required: These tags are mandatory and you can’t omit them. Every DMARC TXT record begins with the mandatory ‘v’ or version tag and the corresponding value of ‘DMARC1.’
  2. Optional but recommended: It isn’t necessary to add these tags, but they help generate reports.
  3. Optional: You can skip these tags. 

A total of 11 tags can be applied to a DMARC policy. 

Of those 11, the “v” and “p” tags are mandatory, and the DMARC rua tag is optional but recommended for receiving the reports.

  • DMARC tags ‘v’ and ‘p’ are mandatory.
  • ‘adkim’, ‘aspf’, ‘sp’, ‘fo’, ‘rf’, ‘pct’, and ‘ri’ are optional
  • DMARC ‘ruf’ tag and DMARC ‘rua’ tag are optional but recommended.

Using the correct tags and knowing their functionalities will help you get the most out of your DMARC journey.
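The tag rules above can be applied to a record value before it is saved. This checker is an added example, not code from the original article; the names parse_dmarc and check_dmarc and the broken sample values are assumptions made here, and the accepted p values (none, quarantine, reject) are the ones DMARC defines.

```python
# The 11 tags the article lists; anything else is reported as unknown.
KNOWN_TAGS = {"v", "p", "sp", "adkim", "aspf", "fo", "rf", "pct", "ri", "rua", "ruf"}
# Values the p tag accepts; "none" asks receivers to take no action.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Split 'tag=value; tag=value' into a dict that keeps the tag order."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = val.strip()
    return tags

def check_dmarc(value):
    """Return (errors, warnings) for one DMARC TXT value (hypothetical helper)."""
    tags = parse_dmarc(value)
    errors, warnings = [], []
    # The version tag is mandatory and has to come first.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        errors.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        errors.append("p is required and must be none, quarantine or reject")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    for name in tags:
        if name not in KNOWN_TAGS:
            warnings.append(f"unknown tag: {name}")
    if "rua" not in tags:
        warnings.append("no rua tag, so no aggregate reports will arrive")
    return errors, warnings

# The article's sample value followed by constructed broken variants.
SAMPLES = [
    "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-rua@example.com",
    "p=reject; v=DMARC1; rua=mailto:dmarc-rua@example.com",
    "v=DMARC1; pct=150",
    "v=DMARC1; p=reject; policy=strict",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(check_dmarc(rec), "<-", rec)
```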

After defining your DMARC record, it’s time to save your modification. By doing this, you publish your record into your DNS. This will take at least 24 hours to take effect.

How to Set Up DKIM Records

You only need to set a DKIM record up if your domain name and email address are hosted by different providers. 

Example: Your domain name, “test.com,” is bought and hosted on Namecheap and you decided to create an email address “name@test.com” on Microsoft 365 or Gmail to get Google functionalities.

In this case, refer to this link. This guide will walk you through the DKIM setup process for Gmail and Microsoft Office with Namecheap.

NOTE: Remember that the process is the same regardless of the DNS provider you’re using. Updating any records on a DNS always takes at least 24 hours to take effect.

