How to Set Up SPF Records
Step 1: Collect the IP address and email server used to send emails
The Sender Policy Framework (SPF) lets you authenticate your email by specifying which IP addresses or email servers are allowed to send email on behalf of your domain. The IP address is optional, so to keep things simple you can just reference the email server. The email server is the one you send marketing emails from (Klaviyo, Mailchimp, etc.). At the bottom of this page is an additional step you can take to authenticate your Gmail server for any emails you send outside of marketing emails.
Step 2: Create your SPF record
The SPF record should be registered on the DNS zone of your domain name.
- Create a new record and choose TXT Record as the type of record.
- The host can be filled in with “@”
- The value should look like this:
(assuming you use Google to send emails and Klaviyo to send marketing emails)
v=spf1 ip4:22.214.171.124 include:_spf.google.com include:_spf.klaviyo.com ~all
OR without the IP address
v=spf1 include:_spf.google.com include:_spf.klaviyo.com ~all
Both of these are valid, so feel free to use the version without the IP address.
If you only want to validate Klaviyo, this is the record you would use
v=spf1 include:_spf.klaviyo.com ~all
or if you use Hubspot to send
v=spf1 ip4:126.96.36.199 include:_spf.google.com include:_spf.hubspot.com ~all
or if you use Mailchimp to send
v=spf1 ip4:188.8.131.52 include:_spf.google.com include:_spf.mailchimp.com ~all
a. Start with the SPF version. This part defines the record as SPF
An SPF record should always start with the version number v=spf1 (version 1). This tag defines the record as SPF.
NOTE: There used to be a second version of SPF (called SenderID), but this was discontinued.
b. Follow with IP addresses
After including the v=spf1 SPF version tag, follow with any IP addresses that are authorized to send emails on your behalf.
Example: v=spf1 ip4:184.108.40.206 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
c. Add include tags
Next, you can add an include tag for every third-party organization that’s used to send emails on your behalf.
Example: include:_spf.klaviyo.com
You can put more than one include tag in your value.
Example: include:_spf.lemlist.com include:_spf.google.com
d. End your record with an ~all or -all tag
Once you’ve implemented all IP addresses and include tags, end your record with an ~all or -all tag.
The all tag is an important part of the SPF record as it indicates what policy should be applied when ISPs detect a server that’s not listed in your SPF record.
If an unauthorized server does send an email on behalf of your domain, action is taken according to the policy that has been published (e.g. reject the email or mark it as spam).
- -all Fail – servers not listed in the SPF record are not authorized to send emails (noncompliant emails will be rejected).
- ~all Softfail – If the email is received from a server that isn’t listed, the email will be marked as a soft fail (emails will be accepted but marked).
- +all We strongly recommend not using this option, as this tag allows any server to send emails from your domain.
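The checks from steps a to d can be run against a record before it is published. The following is an added example, not code from the original guide; lint_spf and lint_domain are hypothetical helper names, and the example goes slightly beyond the text by also flagging a bare all (which means +all), terms placed after all, and a domain that publishes more than one SPF record.

```python
import ipaddress

# lint_spf and lint_domain are hypothetical helper names, not from the guide.
def lint_spf(record):
    """Return findings for one SPF TXT value; an empty list means no issue found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings, all_seen = [], False
    for term in terms[1:]:
        if all_seen:
            findings.append(f"{term} comes after the all tag and is never evaluated")
            continue
        # A missing qualifier means "+", so a bare "all" is the same as "+all".
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, value = body.partition(":")
        name = name.lower()
        if name == "all":
            all_seen = True
            if qualifier == "+":
                findings.append(f"{term} lets any server send as this domain")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"{term} is not a valid address or CIDR range")
            else:
                if net.version != int(name[2]):
                    findings.append(f"{term} puts an IPv{net.version} address in {name}")
        elif name == "include" and not value:
            findings.append("include has no domain")
    if not all_seen:
        findings.append("record does not end with an all tag")
    return findings

def lint_domain(txt_values):
    """Lint all TXT values of one domain; only one of them may be an SPF record."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    findings = [f for v in spf for f in lint_spf(v)]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; receivers return permerror")
    return findings

if __name__ == "__main__":
    # Constructed sample: one provider per record instead of one merged record.
    for finding in lint_domain(["v=spf1 include:_spf.google.com ~all",
                                "v=spf1 include:_spf.klaviyo.com all"]):
        print(finding)
```

If a provider's instructions say to add a second SPF record, merge its include tag into the existing record instead.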
Step 3: Publish Your SPF Record
After defining your SPF record, it’s time to save your modification. By doing this, you publish your record into your DNS. It will take at least 24 hours to take effect.
How to Set Up DMARC Records
DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. It aligns with SPF and DKIM and links the sender’s email address and domain name using records published on the DNS.
A legitimate email sometimes fails the SPF or DKIM test. Despite this, mailbox providers allow it to enter if it appears to come from a credible source. This is because DMARC clarifies the action required in such situations.
DMARC is a DNS TXT record that directs a recipient’s server on how to deal with emails coming from your domain. The server can ‘Quarantine’, ‘Reject’, or ‘Allow’ a message as per your DMARC policy.
Make it a TXT Record, and @ under Name.
Creating a DMARC record is the same process as creating an SPF record. The value can look like this:
v=DMARC1; p=quarantine; pct=50; rua=mailto:firstname.lastname@example.org
DMARC tags specify aspects of a DMARC implementation, and some are more important or more widely used than others.
They’re divided into the following three categories:
- Required: These tags are mandatory and you can’t miss them. Every DMARC TXT record begins with the mandatory ‘v’ or version tag and the corresponding value of ‘DMARC1.’
- Optional but recommended: It isn’t necessary to add these tags, but they help generate reports.
- Optional: You can skip these tags.
A total of 11 tags can be applied to a DMARC policy.
Of those 11, the “v” and “p” tags are mandatory, and the DMARC rua tag is optional but recommended for receiving the reports.
- DMARC tags ‘v’ and ‘p’ are mandatory.
- ‘adkim’, ‘aspf’, ‘sp’, ‘fo’, ‘rf’, ‘pct’, and ‘ri’ are optional.
- DMARC ‘ruf’ tag and DMARC ‘rua’ tag are optional but recommended.
Using the correct tags and knowing their functionalities will help you get the most out of your DMARC journey.
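The tag rules above can be checked mechanically before the record is saved. The following is an added example, not code from the original guide; lint_dmarc and parse_dmarc are hypothetical helper names, the tag list is the 11 tags named above, and the allowed p values (none, quarantine, reject) and the 0 to 100 range for pct are taken from the DMARC specification rather than from this page.

```python
# parse_dmarc and lint_dmarc are hypothetical helper names, not from the guide.
KNOWN_TAGS = {"v", "p", "adkim", "aspf", "sp", "fo", "rf", "pct", "ri", "ruf", "rua"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return findings for one DMARC TXT value; an empty list means no issue found."""
    pairs = parse_dmarc(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["record must begin with v=DMARC1"]
    tags, findings = dict(pairs), []
    if len(tags) != len(pairs):
        findings.append("a tag appears more than once")
    for tag in tags:
        if tag not in KNOWN_TAGS:
            findings.append(f"unknown tag {tag}")
    if "p" not in tags:
        findings.append("mandatory p tag is missing")
    elif tags["p"].lower() not in POLICIES:
        findings.append(f"p={tags['p']} is not none, quarantine or reject")
    if "pct" in tags:
        pct = tags["pct"]
        if not pct.isdigit() or int(pct) > 100:
            findings.append(f"pct={pct} is not a whole number from 0 to 100")
        elif int(pct) < 100:
            findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{uri_tag} address {uri.strip()} lacks the mailto: prefix")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will be sent")
    return findings

if __name__ == "__main__":
    # The example value from this guide; the pct note is informational.
    value = "v=DMARC1; p=quarantine; pct=50; rua=mailto:firstname.lastname@example.org"
    print(lint_dmarc(value))
```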
After defining your DMARC record, it’s time to save your modification. By doing this, you publish your record into your DNS. This will take at least 24 hours to take effect.
How to Set Up DKIM Records
You only need to set a DKIM record up if your domain name and email address are hosted by different providers.
Example: Your domain name, “test.com,” is bought and hosted on Namecheap and you decided to create an email address “email@example.com” on Microsoft 365 or Gmail to get Google functionalities.
In this case, refer to this link. This guide will walk you through the DKIM setup process for Gmail and Microsoft Office with Namecheap.
NOTE: Remember that the process is the same regardless of the DNS provider you’re using. Updating any records on a DNS always takes at least 24 hours to take effect.