
How to Set Up SPF, DKIM, and DMARC (Without Breaking Your Email)

Setting up SPF, DKIM, and DMARC is relatively simple from a DNS perspective. The records themselves aren't complicated; the real challenge is ensuring they're implemented correctly. Most deployment issues stem from incomplete sender inventories, skipping the monitoring phase, enforcing policies too quickly, or forgetting to update records when new email services are introduced. This guide focuses on the planning and rollout strategy behind successful email authentication, helping you protect your domain without disrupting legitimate email delivery.

Start With a Complete Sender Inventory

This is the most important step in the entire project. Before publishing or modifying any SPF, DKIM, or DMARC records, identify every service that sends email using your domain.

Most businesses remember their primary email platform, such as Microsoft 365 or Google Workspace. The problem is usually the forgotten senders, including:

  • CRM platforms (HubSpot, Salesforce, Zoho)

  • Email marketing tools (Mailchimp, Constant Contact, ActiveCampaign)

  • Accounting and invoicing software (QuickBooks, FreshBooks, Xero)

  • Helpdesk systems (Zendesk, Freshdesk, ConnectWise)

  • Scheduling tools (Calendly, Acuity Scheduling)

  • Website contact forms

  • E-signature platforms (DocuSign, PandaDoc)

  • Internal applications and automated notification systems

Pro Tip

Don’t rely on memory.

Start with a DMARC record in monitor mode (p=none) and let the reports reveal every IP address sending email as your domain. Over 2–4 weeks, the data will show both legitimate services and unauthorized senders.

The Correct Rollout Order

Deploy email authentication in this sequence:

1. SPF first: fastest to implement.

2. DKIM second: requires provider configuration.

3. DMARC third: depends on SPF and DKIM being in place.

Step 1: Configure SPF

Review any existing SPF record and:

  • Add all current sending services

  • Remove services you no longer use

  • Use the -all enforcement flag

  • Create a new SPF record if one does not exist

Step 2: Enable DKIM

DKIM requires two actions:

  • Publish the DNS records provided by your email platform

  • Enable DKIM signing in the provider’s admin console

Common mistake

Many businesses publish the DNS records but forget to turn on DKIM signing. The records exist, but outgoing email is still unsigned and fails DKIM checks.

Step 3: Publish DMARC in Monitor Mode

Start with a policy of p=none.

This allows you to collect reports without affecting email delivery. The reports show:

  • Which services pass SPF and DKIM

  • Which legitimate services are failing

  • Which unauthorized systems are spoofing your domain

The Monitoring Phase

Do not skip this step.

Run DMARC monitoring for at least two weeks. Four weeks is better because it captures monthly billing cycles, marketing campaigns, and other periodic workflows.

During this phase:

  • Fix failing legitimate senders

  • Add missing SPF includes

  • Enable DKIM where needed

  • Verify domain alignment

What DMARC reports look like

Most reports arrive as XML files from providers such as Google and Microsoft. They can be difficult to read manually, so many organizations use a DMARC reporting platform to aggregate and visualize the data.
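As an added example (not code from the original article), here is a small Python script that reads one aggregate (rua) report and rolls it up per source IP, which is the view you need during the monitoring phase. The report it parses is a constructed sample in the standard aggregate-report XML shape, not a real report.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report in the RFC 7489 XML shape,
# trimmed to the elements the summary reads. Not a real report.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarise_report(xml_text):
    """Return {source_ip: {"count": n, "pass": n, "fail": n}} for one report.

    <policy_evaluated> holds the receiver's *aligned* DKIM and SPF verdicts;
    a message passes DMARC when either of them is "pass".
    """
    summary = defaultdict(lambda: {"count": 0, "pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        n = int(row.findtext("count", "0"))
        pe = row.find("policy_evaluated")
        verdicts = (pe.findtext("dkim", "fail"), pe.findtext("spf", "fail"))
        summary[ip]["count"] += n
        summary[ip]["pass" if "pass" in verdicts else "fail"] += n
    return dict(summary)


def failing_sources(xml_text):
    """IPs with no passing mail: legitimate senders missing from SPF / unsigned,
    or systems spoofing the domain. Both need a look during monitoring."""
    return sorted(ip for ip, s in summarise_report(xml_text).items() if s["pass"] == 0)
```

The second source (DKIM pass, SPF fail) is the typical forwarded or partially configured sender that still passes DMARC; the third is the one to investigate before moving to quarantine.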

Move to Quarantine First

Once monitoring looks clean, move to p=quarantine.

Failed messages will typically be sent to the recipient’s spam folder instead of being blocked outright. This provides a safety net if a legitimate sender was missed.

Run quarantine for 1–2 weeks and verify that no business-critical emails are being filtered.

Then Move to Full Enforcement

Finally, change the policy to p=reject.

At this stage:

  • Spoofed emails are blocked before delivery

  • Your domain gains stronger protection

  • Sender reputation typically improves

  • Receiving servers place more trust in authenticated mail

Best practice: Use strict alignment (adkim=s, aspf=s) with pct=100 for full enforcement.

What About Multiple Domains?

Every domain needs its own SPF, DKIM, and DMARC records.

That includes:

  • Primary business domains

  • Secondary brands

  • Parked domains

  • Acquired company domains

For domains that do not send email, publish:

SPF:

v=spf1 -all

DMARC:

v=DMARC1; p=reject

This tells receiving servers that no email should ever originate from that domain.
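As an added example (not code from the original article), the following Python checker takes a domain's SPF and DMARC record text and reports which rollout stage it is in (monitor, quarantine, enforce) along with the gaps the article calls out: a missing -all, relaxed alignment or a partial pct at full enforcement, and the bare records expected for a non-sending domain. The record strings it is fed are constructed samples; it does not perform DNS lookups.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf, dmarc):
    """Return (stage, warnings) for one domain's records.

    stage is "missing", "monitor", "quarantine" or "enforce".
    spf / dmarc may be None when the domain publishes no such record.
    """
    warnings = []
    sends_mail = False
    if not spf:
        warnings.append("no SPF record")
    else:
        terms = spf.split()
        if terms[0].lower() != "v=spf1":
            warnings.append("SPF record does not start with v=spf1")
        if terms[-1] != "-all":
            warnings.append("SPF does not end with -all (hard fail)")
        # 'v=spf1 -all' lists no senders at all: a non-sending domain.
        sends_mail = bool(terms[1:-1])
    if not dmarc:
        return "missing", warnings + ["no DMARC record"]
    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":
        warnings.append("DMARC record must start with v=DMARC1")
    policy = tags.get("p", "none")
    stage = {"none": "monitor", "quarantine": "quarantine",
             "reject": "enforce"}.get(policy, "monitor")
    if stage == "enforce" and sends_mail:
        # Full-enforcement target: strict alignment applied to all mail.
        if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
            warnings.append("alignment is relaxed; set adkim=s and aspf=s")
        if tags.get("pct", "100") != "100":
            warnings.append("pct=%s applies the policy to only part of the mail"
                            % tags["pct"])
    return stage, warnings
```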

Ongoing Maintenance Matters

Email authentication is not a one-time project.

Review your records whenever you:

  • Add a new SaaS platform

  • Change email providers

  • Merge with another company

  • Modify DNS hosting

  • Launch new marketing systems

We recommend reviewing DMARC reports monthly, and at minimum quarterly, to catch new senders and unauthorized activity.

SPF, DKIM, and DMARC are some of the most effective defenses against email spoofing, phishing, and business email compromise. The DNS records are simple—the challenge is the rollout strategy.

Start with a complete sender inventory, monitor before enforcing, move through quarantine before reject, and treat email authentication as an ongoing maintenance process rather than a one-time setup.

Free Email Security Check

If you want to see where your domain stands right now, run a free check at https://www.litechadvisors.com/email-security-service/. If you are planning a rollout and want to talk through the approach for your environment, book a free five-minute call at https://www.litechadvisors.com/contact-us/.