Setting up SPF, DKIM, and DMARC is relatively simple from a DNS perspective. The records themselves aren't complicated; the real challenge is ensuring they're implemented correctly. Most deployment issues stem from incomplete sender inventories, skipping the monitoring phase, enforcing policies too quickly, or forgetting to update records when new email services are introduced. This guide focuses on the planning and rollout strategy behind successful email authentication, helping you protect your domain without disrupting legitimate email delivery.
Building a complete sender inventory is the most important step in the entire project. Before publishing or modifying any SPF, DKIM, or DMARC records, identify every service that sends email using your domain.
Most businesses remember their primary email platform, such as Microsoft 365 or Google Workspace. The problem is usually the forgotten senders, including:
CRM platforms (HubSpot, Salesforce, Zoho)
Email marketing tools (Mailchimp, Constant Contact, ActiveCampaign)
Accounting and invoicing software (QuickBooks, FreshBooks, Xero)
Helpdesk systems (Zendesk, Freshdesk, ConnectWise)
Scheduling tools (Calendly, Acuity Scheduling)
Website contact forms
E-signature platforms (DocuSign, PandaDoc)
Internal applications and automated notification systems
Don’t rely on memory.
Start with a DMARC record in monitor mode (p=none) and let the reports reveal every IP address sending email as your domain. Over 2–4 weeks, the data will show both legitimate services and unauthorized senders.
Deploy email authentication in this sequence:
1. SPF first: fastest to implement
2. DKIM second: requires provider configuration
3. DMARC last: depends on SPF and DKIM being in place
Review any existing SPF record, or create one if none exists, and:
Add all current sending services
Remove services you no longer use
Use the -all enforcement flag
Publish exactly one SPF TXT record per domain; a second record is a permanent error that makes SPF fail for every sender
Stay within SPF's limit of 10 DNS-querying terms (include, a, mx, ptr, exists, and the redirect modifier), counted across nested includes; exceeding it is also a permanent error
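The checks above are easy to get wrong by hand once a record nests several provider includes. The following is an added example, not code from the original article: an offline SPF linter that flags the terminal qualifier, duplicate records, the deprecated ptr mechanism, and the 10-lookup limit. DNS is simulated with a dictionary, and every domain name and record value in it is constructed sample data.

```python
"""Added example (not from the article): an offline SPF linter that checks
the things that most often break SPF in practice: the terminal qualifier,
duplicate records, deprecated ptr, and the 10-DNS-lookup limit of RFC 7208.
DNS is simulated with a dict; every name and record in it is constructed."""

# Constructed zone data: domain -> list of TXT strings found at that name.
DNS = {
    "example.com": ["v=spf1 include:_spf.google.com include:servers.mcsv.net "
                    "include:mail.zendesk.com a mx -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:35.190.247.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:4860:4000::/36 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:205.201.128.0/20 ?all"],
    "mail.zendesk.com": ["v=spf1 include:_spf.zendesk.com ~all"],
    "_spf.zendesk.com": ["v=spf1 ip4:192.161.144.0/20 ~all"],
    # Too many lookups, deprecated ptr, soft-fail terminal qualifier.
    "bloated.example": ["v=spf1 include:_spf.google.com include:mail.zendesk.com "
                        "include:servers.mcsv.net a mx ptr exists:%{i}.ok.example "
                        "include:_spf.zendesk.com ~all"],
    # Two SPF records at one name: permerror.
    "double.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"],
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def spf_records(domain):
    """All TXT strings at `domain` that start with v=spf1 (case-insensitive)."""
    return [t for t in DNS.get(domain.lower(), []) if t.lower().startswith("v=spf1")]

def count_lookups(domain, path=()):
    """Count DNS-querying terms, recursing into include: and redirect=.
    `path` breaks include loops; repeated includes are counted every time,
    because a real evaluator queries them every time."""
    if domain in path:
        return 0
    records = spf_records(domain)
    if len(records) != 1:
        return 0
    path += (domain,)
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")            # drop the qualifier
        if "=" in term.split(":")[0]:         # modifier: redirect=, exp=
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                total += 1 + count_lookups(target, path)
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()     # strip CIDR on a/24, mx/24
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(target, path)
    return total

def lint_spf(domain):
    """Return a list of findings; an empty list means the record is clean."""
    records = spf_records(domain)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records (permerror)"]
    findings = []
    terms = records[0].split()[1:]
    last = terms[-1] if terms else ""
    if last.lstrip("+-~?").lower() == "all":
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier != "-":
            findings.append(f"terminal all uses '{qualifier}' (use -all)")
    elif not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no terminal all mechanism; unlisted senders get neutral")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        findings.append("ptr mechanism is deprecated and slow; replace with ip4/ip6")
    lookups = count_lookups(domain)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

if __name__ == "__main__":
    for name in DNS:
        print(name, lint_spf(name) or "OK")
```

To use it against a live zone, replace the DNS dict with real TXT lookups (for example via dnspython); the counting logic stays the same. Note that the lookup count is dominated by what your providers put in their own include records, which is why a record that looks short can still exceed the limit.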
DKIM requires two actions:
Publish the DNS records provided by your email platform
Enable DKIM signing in the provider’s admin console
Common mistake
Many businesses publish the DNS records but forget to turn on DKIM signing. The records exist, but outgoing email is still unsigned, so DKIM cannot pass and DMARC has to rely on SPF alone. After enabling signing, send a test message and confirm it carries a DKIM-Signature header whose d= value is your domain and whose s= selector matches the record you published.
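The header check just described, and the domain alignment check from the monitoring phase, can be automated. The following is an added example, not the article's or any provider's code: it reads a raw message, lists each DKIM signature with whether its selector record is published and whether its d= domain aligns with the From: domain under relaxed or strict alignment, and checks alignment of the envelope sender. DNS is simulated with a dictionary; all messages, domains, selectors and key values are constructed, and the organizational-domain rule (last two labels) is a simplification of the Public Suffix List. It does not verify the signature cryptographically.

```python
"""Added example (not from the article): check an outgoing message for a
DKIM signature whose selector record is published and whose d= domain
aligns with the From: domain, the way DMARC will judge it. DNS answers are
simulated with a dict; all messages, domains, selectors and keys are
constructed sample data. The signature itself is not verified."""
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records: selector._domainkey.domain -> record value.
DNS_TXT = {
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY1",
    "m1._domainkey.mail.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY2",
    "k1._domainkey.mcsv.net": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY3",
}

def org_domain(name):
    """Organizational domain. Assumption: the last two labels; a real
    implementation consults the Public Suffix List (co.uk and the like)."""
    return ".".join(name.lower().split(".")[-2:])

def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' (relaxed,
    the default) only a shared organizational domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def parse_tags(header_value):
    """Parse a tag=value list such as DKIM-Signature; folding whitespace
    inside values (common in b=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = "".join(value.split())
    return tags

def check_message(raw, mail_from, mode="r"):
    """Report what DMARC will see: the From domain, each DKIM signature with
    its published/aligned status, and SPF alignment of the envelope sender
    (mail_from). SPF itself is not evaluated here."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    result = {"from_domain": from_domain, "signatures": [], "findings": []}
    for sig in msg.get_all("DKIM-Signature") or []:
        tags = parse_tags(sig)
        d, s = tags.get("d", ""), tags.get("s", "")
        published = f"{s}._domainkey.{d}".lower() in DNS_TXT
        is_aligned = aligned(d, from_domain, mode)
        result["signatures"].append({"d": d, "s": s, "published": published,
                                     "aligned": is_aligned})
        if not published:
            result["findings"].append(f"selector record {s}._domainkey.{d} not published")
        if not is_aligned:
            result["findings"].append(f"DKIM d={d} does not align with From domain {from_domain}")
    if not result["signatures"]:
        result["findings"].append("no DKIM-Signature header: signing is not enabled")
    spf_domain = mail_from.rpartition("@")[2].lower()
    result["aligned_dkim"] = any(x["published"] and x["aligned"] for x in result["signatures"])
    result["aligned_spf"] = aligned(spf_domain, from_domain, mode)
    if not result["aligned_spf"]:
        result["findings"].append(f"envelope sender {spf_domain} does not align with {from_domain}")
    return result

# Constructed sample messages; hash and signature values are placeholders.
MSG_PROVIDER = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=s1; h=from:to:subject; bh=CONSTRUCTEDBODYHASH; b=CONSTRUCTEDSIG
From: Accounts <billing@example.com>
To: customer@customer.example
Subject: Invoice

Please find the invoice attached.
"""
MSG_ESP = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mcsv.net; s=k1; h=from:subject;
 bh=CONSTRUCTEDBODYHASH; b=CONSTRUCTEDSIG
From: News <news@example.com>
Subject: Newsletter

Signed with the marketing platform's own domain, not ours.
"""
MSG_UNSIGNED = """\
From: Alerts <alerts@example.com>
Subject: Records published, signing never switched on

Body.
"""
MSG_SUBDOMAIN = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=m1; h=from;
 bh=CONSTRUCTEDBODYHASH; b=CONSTRUCTEDSIG
From: Alerts <alerts@example.com>
Subject: Signed by a subdomain

Body.
"""
```

The marketing-platform message is the case the monitoring phase usually surfaces: the signature verifies, but d= is the vendor's domain, so it does not count for DMARC until the vendor is configured to sign with your domain (and, for SPF, to use a bounce address under it). The subdomain message passes under relaxed alignment and fails under strict, which is why the alignment mode matters before enforcement.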
Start with a policy of p=none, and include an rua tag that points at a mailbox you actually monitor; without it, no aggregate reports are sent to you.
This allows you to collect reports without affecting email delivery. The reports show:
Which services pass SPF and DKIM
Which legitimate services are failing
Which unauthorized systems are spoofing your domain
Do not skip this step.
Run DMARC monitoring for at least two weeks. Four weeks is better because it captures monthly billing cycles, marketing campaigns, and other periodic workflows.
During this phase:
Fix failing legitimate senders
Add missing SPF includes
Enable DKIM where needed
Verify domain alignment
What DMARC reports look like
Most reports arrive as compressed XML attachments, one per reporting organization per day, from providers such as Google and Microsoft. They identify senders by source IP address rather than by service name, so expect to map addresses back to providers. They are difficult to read manually, so many organizations use a DMARC reporting platform to aggregate and visualize the data.
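As an added example (not code from the article, and the report below is constructed with a fictional reporter rather than a real provider's output), here is the triage the monitoring phase exists for: parse an aggregate report in the RFC 7489 XML format and sort every source into aligned, unaligned third party (authenticates for some other domain, so a legitimate vendor that still needs configuration), or unauthenticated (unknown sender or spoofing). It takes already-decompressed XML text.

```python
"""Added example (not from the article): parse a DMARC aggregate report
(RFC 7489 XML) and classify each sending source. SAMPLE_REPORT is
constructed data with a fictional reporter. Reports are third-party input;
for production parsing prefer defusedxml over the stdlib parser."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <email>dmarc@reporter.example</email>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1714521600</begin><end>1714607999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>35.190.247.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>205.201.128.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mcsv.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>mail.mcsv.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

def summarize(xml_text):
    """Return the published policy and one classified row per report record.
    policy_evaluated holds the aligned results DMARC used; auth_results
    holds the raw SPF/DKIM outcomes, which reveal unaligned vendors."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.iter("record"):
        row, auth = rec.find("row"), rec.find("auth_results")
        evaluated = row.find("policy_evaluated")
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        raw_passes = [f"{a.tag}:{a.findtext('domain')}" for a in auth
                      if a.findtext("result") == "pass"]
        if dkim_aligned or spf_aligned:
            category = "aligned"
        elif raw_passes:          # authenticates, but for someone else's domain
            category = "unaligned third party"
        else:
            category = "unauthenticated"
        rows.append({"source_ip": row.findtext("source_ip"),
                     "count": int(row.findtext("count")),
                     "header_from": rec.find("identifiers").findtext("header_from"),
                     "disposition": evaluated.findtext("disposition"),
                     "raw_passes": raw_passes, "category": category})
    return {"policy": policy, "rows": rows}

def totals_by_category(summary):
    totals = {}
    for r in summary["rows"]:
        totals[r["category"]] = totals.get(r["category"], 0) + r["count"]
    return totals

def by_ip(summary, ip):
    return next(r for r in summary["rows"] if r["source_ip"] == ip)

def ready_to_enforce(summary):
    """Enforcement is safe when no legitimate-looking sender is still unaligned;
    unauthenticated sources are what p=quarantine/p=reject are meant to stop."""
    return totals_by_category(summary).get("unaligned third party", 0) == 0

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for r in s["rows"]:
        print(r["source_ip"], r["count"], r["category"], r["raw_passes"])
    print("ready to enforce:", ready_to_enforce(s))
```

In the sample, the second source passes both SPF and DKIM for the marketing vendor's own domains but neither aligns with example.com; that is the "legitimate service failing" case to fix during monitoring, while the third source is the kind of traffic enforcement should block.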
Once monitoring looks clean, move to p=quarantine.
Failed messages will typically be sent to the recipient’s spam folder instead of being blocked outright. This provides a safety net if a legitimate sender was missed.
Run quarantine for 1–2 weeks and verify that no business-critical emails are being filtered. For a gentler ramp, the pct tag (for example pct=25) applies the policy to only that share of failing messages; under p=quarantine the rest are treated as p=none.
Finally, change the policy to p=reject.
At this stage:
Spoofed emails are blocked before delivery
Your domain gains stronger protection
Sender reputation typically improves
Receiving servers place more trust in authenticated mail
Best practice: Use strict alignment (adkim=s, aspf=s) with pct=100 for full enforcement. Strict alignment requires the DKIM d= domain and the envelope-sender domain to match the From domain exactly, so it breaks senders that use a subdomain (such as mail.example.com) unless each one is configured; the default relaxed alignment, which accepts any subdomain of the organizational domain, is sufficient for most organizations. Move to strict only after the reports confirm every legitimate sender aligns exactly. pct=100 is the default, so it only needs to be set explicitly if you used a lower value during the ramp.
Every domain needs its own SPF, DKIM, and DMARC records.
That includes:
Primary business domains
Secondary brands
Parked domains
Acquired company domains
For domains that do not send email, publish:
SPF
v=spf1 -all
DMARC
v=DMARC1; p=reject
This tells receiving servers that no email should ever originate from that domain. The subdomain policy (sp) defaults to the value of p, so subdomains of a parked domain are covered by the same record.
Email authentication is not a one-time project.
Review your records whenever you:
Add a new SaaS platform
Change email providers
Merge with another company
Modify DNS hosting
Launch new marketing systems
We recommend reviewing DMARC reports monthly, and no less often than quarterly, to catch new senders and unauthorized activity.
SPF, DKIM, and DMARC are some of the most effective defenses against email spoofing, phishing, and business email compromise. The DNS records are simple—the challenge is the rollout strategy.
Start with a complete sender inventory, monitor before enforcing, move through quarantine before reject, and treat email authentication as an ongoing maintenance process rather than a one-time setup.
If you want to see where your domain stands right now, run a free check at https://www.litechadvisors.com/email-security-service/. If you are planning a rollout and want to talk through the approach for your environment, book a free five-minute call at https://www.litechadvisors.com/contact-us/.