How to set up SPF and DKIM records for your domain
If your emails land in spam — or get rejected outright — there's a good chance you're missing two DNS records: SPF and DKIM. They're the two pieces of proof that an email claiming to come from your domain is actually authorised by you. Gmail, Outlook and Yahoo now effectively require them. Here's what they do and how to add them.
Why SPF and DKIM matter
Email was designed in an era of trust, so by default anyone can send a message claiming to be you@yourbusiness.com. SPF and DKIM close that hole. Without them:
- Your legitimate emails are far more likely to be filtered as spam.
- Scammers can spoof your domain to phish your customers.
- Major providers may reject your mail entirely — bulk senders to Gmail and Yahoo are now required to authenticate.
What is SPF?
SPF (Sender Policy Framework) is a single DNS TXT record that lists which servers are allowed to send email for your domain. When a receiving server gets your message, it checks the sending server against that list.
An SPF record looks like this:
v=spf1 include:_spf.google.com ~all
- v=spf1 — declares this is an SPF record.
- include:_spf.google.com — authorises Google Workspace to send for you (replace with your provider's value).
- ~all — soft-fail anything not listed (mark as suspicious). -all is stricter (hard reject).
A domain gets exactly one SPF record, so put all of your include: entries in that single record — don't create two.
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message you send. Your mail provider holds a private key and signs outgoing mail; you publish the matching public key in DNS. The receiving server uses it to confirm the message really came from you and wasn't altered in transit.
DKIM is published as a TXT record on a special selector subdomain. Your provider gives you both the name and the value — for example:
Name: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSq... (long public key)
You don't generate this yourself — you copy it from your email provider's admin console.
DMARC ties it together
DMARC is the third record, and it tells receiving servers what to do when SPF or DKIM fails — and where to send reports. It's how you go from "authenticated" to actually protected against spoofing. A starter record:
Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.com
- p=none — monitor only; don't act yet. Start here to gather reports safely.
- p=quarantine — send failures to spam. Move here once you're confident.
- p=reject — reject failures outright. The strongest protection.
Start with p=none, watch the reports for a couple of weeks, and only then tighten the policy.
How to set them up
All three are DNS TXT records added in your domain's DNS zone — at your registrar (OVH, Gandi, Cloudflare, GoDaddy, etc.), the same place you manage your A records.
- Get the values from your email provider. Google Workspace, Microsoft 365, and most providers have a one-click setup or a help page with the exact records.
- Open your DNS zone editor at your registrar.
- Add the SPF record — a TXT record on @ with your v=spf1 … value.
- Add the DKIM record — a TXT record on the selector name your provider gave you (e.g. google._domainkey).
- Add the DMARC record — a TXT record on _dmarc.
- Save and wait for DNS propagation (minutes to a few hours).
Verify it works
- Send an email to a Gmail account, open it, and use "Show original" — you should see SPF: PASS and DKIM: PASS.
- Use a free checker (MXToolbox, dmarcian, or your provider's built-in tool) to confirm all three records resolve.
- Watch your DMARC rua reports for a couple of weeks before tightening the policy.
Troubleshooting
- SPF fails — you likely have two SPF records, or forgot to include a sender. Merge into one record with all your include: entries.
- DKIM fails — the public key was pasted with a line break or got truncated. Copy the whole value as one string.
- Still in spam after passing — authentication is necessary but not sufficient; sending reputation, content, and list quality matter too.
- Nothing resolves — give DNS time to propagate, and double-check the record names (@, the selector, _dmarc).
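As an added example (not part of the original article, and not a tool from any provider), here is a small Python checker for the "Verify it works" and "Troubleshooting" steps above: it inspects the TXT values for @, the DKIM selector and _dmarc and flags the classic mistakes (two SPF records, a DKIM key pasted with a line break, a malformed DMARC policy). The zone data is a constructed sample, not a live DNS lookup.

```python
import re

# Constructed sample of what a zone might return for the three names.
# The apex deliberately has two SPF records and the DKIM key a pasted newline.
SAMPLE_ZONE = {
    "@": ["v=spf1 include:_spf.google.com ~all",
          "v=spf1 include:spf.protection.outlook.com -all"],
    "google._domainkey": ["v=DKIM1; k=rsa; p=MIGfMA0GCSq\nGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
    "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.com"],
}

def _tags(record):
    """Parse 'k=v; k2=v2' style DKIM/DMARC records into a dict."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def check_spf(txt_records):
    """Problems with the SPF record(s) at the zone apex; [] means PASS."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record found"]
    problems = []
    if len(spf) > 1:   # more than one SPF record is a permanent error for receivers
        problems.append("more than one SPF record; merge all include: entries into one")
    if not re.fullmatch(r"[~\-?+]?all", spf[0].split()[-1]):
        problems.append("record does not end with an all mechanism (~all or -all)")
    return problems

def check_dkim(txt_records):
    """Problems with the DKIM public key record on the selector subdomain."""
    if not txt_records:
        return ["no DKIM record at selector"]
    tags, problems = _tags(txt_records[0]), []
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    key = tags.get("p", "")
    if not key:
        problems.append("empty p= tag (public key missing or revoked)")
    elif re.search(r"\s", key):   # a line break in the pasted key breaks verification
        problems.append("public key contains whitespace or a line break; paste it as one string")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", key):
        problems.append("public key is not valid base64 (truncated or mangled?)")
    return problems

def check_dmarc(txt_records):
    """Problems with the DMARC record at _dmarc."""
    rec = next((r for r in txt_records if r.startswith("v=DMARC1")), None)
    if rec is None:
        return ["no DMARC record at _dmarc"]
    tags, problems = _tags(rec), []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address; you will get no aggregate reports")
    return problems

def audit(zone, selector="google._domainkey"):
    """Run all three checks; an empty list for a record means PASS."""
    return {"SPF": check_spf(zone.get("@", [])),
            "DKIM": check_dkim(zone.get(selector, [])),
            "DMARC": check_dmarc(zone.get("_dmarc", []))}

if __name__ == "__main__":
    for name, probs in audit(SAMPLE_ZONE).items():
        print(name, "PASS" if not probs else "FAIL: " + "; ".join(probs))
```

To check a real domain, replace SAMPLE_ZONE with the TXT values you read back from your DNS provider or a lookup tool.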