Table of contents
Example H2
Example H3
Example H4
Experience
Agent Frank

Get a uniquely crafted email delivered in your inbox in seconds

It's being carefully crafted by AI
Please check your mailbox
Something went wrong. Please try again
Learn more
Get insights delivered straight into your inbox every week!
Blog
DNS Setup

How to Align SPF, DKIM, and DMARC

By
Manav Singh
October 16, 2025
5 min read
Share on

Email authentication ensures your messages reach inboxes instead of spam folders. To achieve this, you need to align SPF, DKIM, and DMARC - three protocols that verify email legitimacy and protect against spoofing. Misalignment can cause even valid emails to fail authentication, hurting your deliverability and reputation.

Here’s what you need to know:

  • SPF: Authorizes which servers can send emails for your domain.
  • DKIM: Verifies email integrity with a digital signature.
  • DMARC: Enforces alignment between "From" domains and SPF/DKIM, and sets policies for failed emails.

Quick Steps:

  1. SPF: List all email-sending services in your DNS SPF record. Avoid exceeding the 10 DNS lookup limit.
  2. DKIM: Generate keys, publish the public key in DNS, and ensure it matches your "From" domain.
  3. DMARC: Start with a monitoring policy (p=none) and analyze reports to fix issues before enforcing stricter rules like quarantine or reject.

Key Tip: Use relaxed alignment initially to account for subdomains and forwarded emails. Gradually tighten policies as you resolve failures.

Properly aligned email authentication boosts deliverability and safeguards your domain. Missteps like exceeding SPF limits or ignoring DMARC reports can cause problems, so monitor regularly and adjust as needed.

What Are SPF, DKIM, and DMARC

Think of email authentication as a three-part security system for your domain. Each protocol checks a different aspect of your email's legitimacy, working together to guard against spoofing and ensure your legitimate emails make it to the inbox.

  • SPF checks if the server sending your email is authorized to do so.
  • DKIM adds a cryptographic signature to confirm the message hasn't been altered.
  • DMARC acts as the overseer, ensuring SPF and DKIM align with the "From" domain and letting you decide what happens when emails fail these checks.

The challenge isn't just setting up these protocols individually - it’s making sure they all work together seamlessly and point to the same domain. Let’s break down how each one works and their roles in protecting your emails.

SPF Basics and How It Works

SPF (Sender Policy Framework) allows you to specify which servers or IP addresses are authorized to send emails from your domain. When an email is received, the server checks your SPF record in the DNS to confirm the sender's authenticity.

Here’s an example of an SPF record:

v=spf1 ip4:192.168.1.100 include:_spf.google.com ~all

  • The ip4:192.168.1.100 authorizes a specific IP address.
  • The include:_spf.google.com allows emails sent via Google Workspace.
  • The ~all tells servers to flag emails from unauthorized sources as suspicious but not reject them outright.

It's worth noting that SPF has a few limitations. First, you can only have one SPF record per domain. Second, each record is limited to 10 DNS lookups. This can become tricky if you use several email services or platforms that require their own SPF entries.

SPF works by comparing the sending server’s IP address to your SPF record. If the IP matches, the email passes SPF. Otherwise, it fails. However, SPF only checks the "envelope from" address (the Return-Path), not the visible "From" address that recipients see in their inbox.

DKIM Explained and Why You Need It

DKIM (DomainKeys Identified Mail) adds an extra layer of security by attaching a digital signature to your emails. This signature verifies that the email came from your domain and wasn’t altered during transit.

Here’s how it works: your server signs outgoing emails with a private key, and the corresponding public key is published in your DNS records. When the email is received, the server uses the public key to confirm the signature matches, ensuring the message's integrity.

A typical DKIM DNS record looks like this:

k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

  • k=rsa specifies the encryption algorithm.
  • The string after p= contains the public key.

Unlike SPF, DKIM allows for multiple signatures in a single email, each with its own selector (e.g., selector1._domainkey.yourdomain.com). This is especially helpful for businesses using multiple email platforms.

One major advantage of DKIM is its resilience to email forwarding. Since the signature travels with the email, it remains intact even if the message is forwarded through various servers.

DMARC and Email Security

Once SPF and DKIM are in place, DMARC steps in to enforce alignment and policies. DMARC ensures that at least one of these protocols matches the "From" domain - the address visible to recipients - and provides you with control over what happens to emails that fail these checks.

A basic DMARC record might look like this:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

  • p=quarantine tells servers to send suspicious emails to the spam folder.
  • rua=mailto:dmarc@yourdomain.com specifies where reports should be sent.
  • pct=100 applies the policy to all your email traffic.

DMARC offers three policy options:

  • none: Monitor authentication results without taking action.
  • quarantine: Flag failed emails as spam.
  • reject: Block emails that don’t pass authentication.

Most organizations start with a "none" policy to monitor email activity without affecting deliverability. The reporting feature is particularly useful, providing detailed insights into which emails pass or fail authentication. This helps you identify legitimate senders to authorize and spot potential spoofing attempts.

DMARC alignment is where many organizations face challenges. For the protocol to work, SPF or DKIM must match the "From" domain. There are two alignment modes:

  • Relaxed: Allows subdomains to align.
  • Strict: Requires an exact domain match.

Understanding these alignment rules is key to securing your domain while ensuring your emails continue to reach their intended recipients.

How to Set Up and Align SPF, DKIM, and DMARC

To authenticate your emails and maintain your sender reputation, it's crucial to align SPF, DKIM, and DMARC. This process ensures that the visible 'From' domain matches authenticated sources. Here's how to do it step by step.

Setting Up SPF Records

Start by identifying all the services that send emails on behalf of your domain. Then, create an SPF record listing each authorized source. For example, if you're using Google Workspace and Mailchimp, your SPF record might look like this:

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.10 ~all

Keep in mind that SPF records are limited to 10 DNS lookups. If you're nearing this limit, try consolidating services or replacing include statements with specific IP addresses. Tools like MXToolbox can help you count DNS lookups and ensure you're within the limit. If you exceed the limit, SPF flattening services can simplify your record.

To verify your SPF record, use the command dig TXT yourdomain.com. Typos or formatting issues are common culprits behind non-functional SPF records, so double-check everything.

Once your SPF is set up, you're ready to move on to DKIM for added security.

Configuring DKIM Email Signing

DKIM works by signing outgoing emails with a digital signature. Start by generating a 2048-bit DKIM key pair. Most email providers, like Google Workspace, make this process straightforward. For instance, in Google Workspace, go to Apps > Google Workspace > Gmail > Authenticate Email to create your DKIM key.

You'll need to publish the public key in your DNS records. A typical DKIM record might look like this:

google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

For DMARC alignment, ensure the DKIM signature domain matches your 'From' domain. For example, if your emails are sent from "noreply@yourdomain.com", the DKIM signature must align with "yourdomain.com" or a related subdomain.

To confirm DKIM is working, send a test email to a Gmail account. Open the message source and look for the "DKIM-Signature" header. This verifies that your emails are being signed correctly.

With DKIM enabled, you can move on to setting up DMARC to enforce policies and monitor authentication.

Creating and Monitoring DMARC Policies

Start with a monitoring-only DMARC policy. Your initial DMARC record might look like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; adkim=r; aspf=r

The adkim=r and aspf=r settings allow relaxed alignment, meaning subdomains are included. This is a good starting point. Once you've resolved any authentication issues, you can switch to strict alignment (adkim=s; aspf=s).

Set up a dedicated email address to receive DMARC reports, as these daily XML files can be quite large. Tools like Postmark's DMARC Digests or dmarcian can help you interpret these reports in a readable format.

Monitor your DMARC reports for at least two weeks. Use this time to identify any legitimate email sources that fail authentication and adjust your SPF record or DKIM configuration as needed. Pay close attention to forwarded emails, which may fail SPF but should pass DKIM.

Once you're confident in your setup, gradually enforce stricter policies. Start with p=quarantine and apply it to 25% of your email traffic (pct=25). Monitor delivery issues, then increase the percentage over time. Eventually, move to p=reject for full protection.

DMARC Alignment Options

Once you've configured your DMARC policy, it's time to fine-tune alignment and use reports to uncover potential issues. DMARC alignment ensures that the visible "From" domain matches the domains authenticated by SPF and DKIM protocols. The level of alignment you choose affects both your email security and deliverability.

Strict vs. Relaxed Alignment

The alignment mode you select determines how closely DMARC checks match domains. With relaxed alignment, subdomains and organizational domains can pass authentication. In contrast, strict alignment requires an exact match between domains.

For SPF in relaxed mode, the Return-Path domain can be a subdomain of your organizational domain. For example, if your email originates from "newsletter@marketing.yourcompany.com" and your SPF record is for "yourcompany.com", it will pass under relaxed alignment. Strict alignment, however, requires the From domain and SPF domain to match exactly.

Similarly, for DKIM, relaxed alignment allows emails from "support@company.com" signed by "mail.company.com" to pass. Strict alignment, on the other hand, demands that the signing domain matches the From domain perfectly.

Aspect Relaxed Alignment Strict Alignment
Domain Matching Subdomains and organizational domains are valid Exact domain match is required
SPF Example newsletter@marketing.company.com passes with company.com SPF Must match exactly: newsletter@company.com with company.com SPF
DKIM Example support@company.com signed by mail.company.com passes support@company.com must be signed by company.com
Security Level Moderate – fits diverse setups High – strict domain verification
Deliverability Risk Lower – fewer legitimate emails fail Higher – some legitimate emails may fail
Best For Complex setups, third-party services Standardized, tightly controlled setups
DMARC Tags aspf=r; adkim=r aspf=s; adkim=s

Starting with relaxed alignment is often recommended, especially if your email setup involves multiple services or third-party providers. While strict alignment provides stronger security, it also increases the chance of legitimate emails failing DMARC checks, leading to them being flagged as spam or rejected.

Forwarded emails can complicate alignment. Forwarding services often alter the Return-Path, causing SPF failures. Additionally, DKIM signatures may break if the message content is modified. Relaxed alignment is generally more forgiving in these cases.

Reading DMARC Reports for Alignment Problems

After setting your alignment modes, monitoring DMARC reports is key to maintaining accuracy. These daily XML reports provide detailed insights into authentication results.

Each report includes "rows" that display the source IP, email volume, and most importantly, the "auth_results" section. This section reveals SPF and DKIM results, along with their alignment status.

Look for emails with "align=fail" for either SPF or DKIM. These failures often point to issues like:

  • Third-party services sending emails without proper configuration
  • Forwarded emails breaking authentication
  • Misconfigured DNS records

Pay attention to the disposition codes (none, quarantine, or reject) in your reports. If legitimate emails are being quarantined or rejected, you may need to adjust your alignment settings or address authentication problems.

Tools like Postmark's DMARC Digests or dmarcian can simplify these XML reports, converting them into a more readable format. These tools also highlight alignment issues and offer suggestions for fixes. It's a good idea to monitor your reports for at least two weeks after making changes to ensure the adjustments work as intended without causing new problems.

Focus on fixing major failure sources first. A few forwarded emails failing alignment is less concerning than your primary email service consistently failing authentication. Address the most critical issues before tightening your policy or switching to strict alignment.

Scaling Cold Email Outreach

As your email campaigns scale up to hundreds or even thousands of messages daily, managing email authentication like SPF, DKIM, and DMARC becomes a lot more challenging. At this level, you'll need dedicated infrastructure, multiple IP addresses, and automated systems to handle DNS configurations across a growing number of domains.

Traditional email providers often impose strict sending limits and lack the fine-tuned controls necessary for high-volume campaigns. This makes it clear that large-scale cold email outreach requires more advanced solutions than conventional systems can offer.

To address these challenges, Infraforge simplifies the process by automating DNS setup and configuring SPF, DKIM, and DMARC records as new domains are added. Instead of manually updating DNS records and waiting for propagation, Infraforge automatically generates and verifies the required authentication records before your domains become active.

With pre-warmed domains and mailboxes, you can skip the usual warm-up period, ensuring your authentication records are already trusted by major email providers from day one. On top of that, Infraforge offers features like SSL and domain masking to maintain consistent branding while leveraging multiple domains for sending.

The Masterbox feature takes it further by providing a centralized dashboard to monitor all your domains and IP addresses. This allows you to quickly spot and resolve authentication issues - like SPF failures or DKIM signature mismatches - before they impact your deliverability. By automating these tasks, Infraforge ensures your email authentication is always aligned for optimal performance.

Using Infraforge for Automated Setup

Infraforge

When managing multiple domains and IP addresses, manually handling email authentication records quickly becomes overwhelming. Infraforge eliminates this headache by offering automated DNS setup and dedicated email infrastructure tailored for cold outreach campaigns.

The platform takes care of the technical complexities by automatically setting up SPF, DKIM, and DMARC records whenever you add a new domain. This means no more waiting for DNS propagation or manually editing records - Infraforge handles it all, verifying the setup to ensure everything is ready before your campaigns go live.

Another standout feature is pre-warmed domains and mailboxes, which allow you to bypass the usual ramp-up period for new email accounts. This ensures that major providers recognize your domains as trustworthy from the start. Plus, Infraforge’s SSL and domain masking tools help you maintain a polished, consistent brand image while using multiple sending domains.

With the Masterbox dashboard, you gain a real-time view of all your domains and IPs, making it easy to identify and fix issues like SPF misconfigurations or DKIM errors. This centralized approach ensures your campaigns stay on track without interruptions caused by deliverability problems.

Multi-IP Setup and API Integration

Infraforge also supports multi-IP provisioning, which spreads your email volume across dedicated IP addresses. Each IP is configured with reverse DNS and authentication records, ensuring smooth delivery. For teams needing flexibility, Infraforge’s API allows you to scale programmatically, automating the provisioning of new domains, IPs, and authentication settings as your campaigns grow.

This API is particularly useful for agencies or businesses managing campaigns for multiple clients. Instead of spending hours on manual setups, you can quickly add new domains and configure their authentication settings with just a few clicks. The API even integrates seamlessly with Salesforge and other Forge Stack tools, streamlining workflows from lead generation to email delivery. This ensures consistent authentication across your entire infrastructure, reducing the risk of deliverability issues caused by misaligned records.

For businesses juggling campaigns for multiple clients, Infraforge's workspace feature offers isolated environments where each client’s domains and IPs are kept separate. This separation is key to maintaining proper DMARC policies, especially when clients have different security requirements.

Lastly, Infraforge simplifies large-scale management with its bulk DNS update capabilities. Instead of manually updating SPF or DKIM records across dozens of registrars, you can push changes to all your domains through a single interface. By combining multi-IP support with API-driven scaling, Infraforge meets the demands of even the most complex outreach campaigns.

Common Setup Mistakes to Avoid

After setting up your SPF, DKIM, and DMARC records, it's easy to make mistakes that can undo all your hard work. Even experienced administrators sometimes misconfigure these protocols, leading to issues like bounce-backs, spam folder placement, or even leaving your domain vulnerable to spoofing. Here are some common pitfalls to watch out for when configuring email authentication:

SPF Record Lookup Limits

One of the most frequent SPF missteps is exceeding the 10 DNS lookup limit. Every "include:" in your SPF record adds to this count. If you go over the limit, email servers may stop processing your SPF record entirely, causing authentication to fail.

To avoid this, consider SPF flattening, which involves replacing "include:" statements with the actual IP addresses or ranges they point to. Another option is to consolidate services - centralizing your email infrastructure on platforms like Infraforge can simplify SPF management by automating and optimizing configurations across multiple domains and IPs.

DKIM Key Configuration Errors

DKIM often fails due to mismatched selectors or outdated keys. Make sure your DKIM selector matches the key published in your DNS records, and rotate your keys every 6–12 months to keep them secure. Problems can arise when switching email providers or updating configurations without syncing the changes in your DNS.

Also, ensure your DKIM signature aligns with your "From" domain. Even if your DKIM signature is valid, a misalignment can lead to DMARC failures, which can hurt your email deliverability.

Ignoring DMARC Reports

One of the biggest mistakes you can make is neglecting DMARC aggregate reports. These reports are a goldmine of information, showing who is sending emails on behalf of your domain, identifying authentication failures, and flagging unauthorized spoofing attempts.

DMARC reports are sent daily and provide critical insights into your email authentication setup. Whether you use specialized tools or manually review the XML reports, analyzing these reports regularly is essential to catch issues early and maintain strong email security.

Final Thoughts on Email Authentication

Email authentication forms the backbone of successful email delivery. When SPF, DKIM, and DMARC are correctly configured and working together, they create a robust defense that not only safeguards your domain reputation but also ensures your legitimate emails land in the right inboxes.

The secret to effective email authentication lies in proper alignment. Since DMARC depends on either SPF or DKIM to pass alignment checks, understanding the nuances between strict and relaxed alignment is crucial. Many organizations find it helpful to start with relaxed alignment and transition to strict alignment as their systems and processes mature. Regularly verifying this alignment through routine checks is just as important.

Monitoring plays a critical role here. DMARC reports provide valuable insights into your email authentication performance and can help uncover potential security issues. By reviewing these reports consistently, you can quickly address misalignments and resolve authentication failures before they impact your email campaigns.

For businesses scaling their email operations, tools like Infraforge can simplify the process. These platforms automate DNS configurations and record setups while offering real-time monitoring, significantly reducing the risk of manual errors. As your email infrastructure grows, adopting automation and maintaining a cycle of continuous review becomes increasingly important.

Whether you're adding new domains, switching email providers, or expanding your outreach efforts, your email authentication setup must evolve alongside these changes. Regular updates and thorough testing before implementation are essential to ensure everything runs smoothly.

When done right, email authentication boosts deliverability, enhances security, and strengthens your sender reputation. Investing the time and effort into getting it right will pay off, leading to more effective and reliable email campaigns over time.

FAQs

What mistakes should I avoid when setting up SPF, DKIM, and DMARC for email authentication?

To get email authentication right, steer clear of these common pitfalls when setting up SPF, DKIM, and DMARC:

  • Policy misalignment: Make sure your SPF and DKIM records are in sync with your DMARC policy to ensure emails are authenticated properly.
  • Multiple SPF records: Stick to just one SPF record per domain. Having more than one can lead to validation issues.
  • Too many DNS lookups: Keep SPF lookups within the 10-query limit to avoid failures during validation.
  • Incorrect DKIM key configuration: Use a key length of at least 1024 bits and double-check your DNS entries for accuracy.
  • Ignoring subdomain protection: Don’t forget to set policies for subdomains to block unauthorized use.

When implementing DMARC, resist jumping straight to a strict "reject" policy. Begin with "none" or "quarantine" to monitor reports and confirm that SPF and DKIM are properly configured. Gradually tightening your policy will boost both email security and deliverability.

How does Infraforge make it easier to manage email authentication across multiple domains and IPs?

Infraforge simplifies email authentication by automating the configuration of SPF, DKIM, and DMARC records across multiple domains. This removes the hassle of manual setup, ensuring your email authentication is both accurate and consistent.

On top of that, Infraforge includes tools like dedicated IP management and multi-IP provisioning. These features make it easier to manage large-scale email campaigns while keeping deliverability rates high. It’s a practical solution for businesses juggling multiple email systems, saving time and cutting down on complexity.

Why should you regularly monitor DMARC reports, and how do they improve email deliverability?

Regularly keeping an eye on DMARC reports plays a big role in safeguarding your domain and ensuring your emails actually land where they’re supposed to - your recipients’ inboxes. These reports shed light on how your emails are being authenticated and can help you spot any shady activity, like spoofing or phishing, that might be targeting your domain.

By digging into these reports, you can uncover authentication problems, tighten up your email policies, and keep your domain’s reputation solid. A secure domain not only helps cut down on spam and rejection rates but also ensures your genuine emails consistently get delivered. Staying proactive with DMARC reports is a smart way to protect your email communications and improve how well they perform.

Related Blog Posts