SPF/DKIM/DMARC Setup for Website Email Domain

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
SPF/DKIM/DMARC Setup for Website Email Domain
Simple
from 4 hours to 2 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

Setting Up SPF, DKIM and DMARC for Domain

Without SPF, DKIM and DMARC, emails end up in spam or are rejected — especially after February 2024, when Google and Yahoo made authentication checks mandatory for senders of more than 5,000 emails per day. Setup takes 1–2 hours but requires understanding the mechanism.

SPF — Sender Policy Framework

An SPF record lists the servers allowed to send emails on behalf of the domain. Checked by the IP of the sending server.

DNS TXT record for example.com:

v=spf1 include:sendgrid.net include:amazonses.com ip4:203.0.113.10 ~all

Syntax of mechanisms:

  • include:domain — include SPF policy of another domain (for ESP)
  • ip4:x.x.x.x — allow specific IP (own SMTP)
  • ~all — softfail (suspicious, but don't block)
  • -all — hardfail (block everything else)

Important: Maximum 10 DNS lookups. include: triggers a lookup for each domain — exceeding this breaks SPF.

DKIM — DomainKeys Identified Mail

DKIM adds a digital signature to each email. Recipient verifies the signature against the public key in DNS.

Generating key pair (for own SMTP/Postfix):

openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

DNS TXT record:

default._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=<base64-public-key>"

For ESP (Resend, SendGrid, Mailgun) — they generate the pair and give you ready DNS records via dashboard.

DMARC — Domain-based Message Authentication

DMARC defines policy for emails that fail SPF/DKIM:

_dmarc.example.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=r; aspf=r"

Parameters:

  • p=none — monitor only, don't block
  • p=quarantine — move to spam
  • p=reject — reject
  • rua — address for aggregate reports (daily, XML)
  • pct=100 — apply policy to 100% of emails

Implementation strategy:

# Step 1 — monitoring
p=none; rua=mailto:[email protected]

# Step 2 — after 2 weeks, ensuring legitimate emails pass
p=quarantine; pct=10; rua=mailto:[email protected]

# Step 3 — final policy
p=reject; pct=100; rua=mailto:[email protected]

BIMI — Brand Indicators for Message Identification

Logo in Gmail/Apple Mail inbox — additional setup after DMARC p=quarantine/reject:

default._bimi.example.com  TXT  "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/bimi.pem"

Logo must be in SVG Tiny 1.2 format. Apple Mail requires VMC certificate from DigiCert/Entrust.

Checking Settings

  • MXToolboxmxtoolbox.com/spf.aspx, /dkim.aspx, /dmarc.aspx
  • mail-tester.com — send test email, get score
  • Google Postmaster Tools — monitor domain reputation and IP in Gmail
  • DMARC analytics — Valimail, Dmarcian, Postmark DMARC

Common Issues

SPF PermError (too many DNS lookups): Use SPF Flattening — replace include: with specific IPs via third-party services (AutoSPF, EasyDMARC).

DKIM verify failed: Check that ESP is configured to sign with correct selector and CNAME records added to DNS.

DMARC not working: SPF and DKIM must pass alignment — domain in From: must match envelope-from (SPF) or d= in DKIM signature.

Timeline

SPF + DKIM + DMARC setup + verification — 1 day. With gradual transition to p=reject and monitoring — 1–2 weeks observation.