Email is an essential tool for businesses, and most of us rely on it daily for communication. However, as the number of email users has grown, so has the problem of spam, phishing, and email fraud. These types of attacks can cause significant harm, including loss of reputation, financial loss, and data breaches. To prevent such attacks, businesses must take proactive steps to secure their email system, and one of the ways to do that is by setting up an SPF record.

What is SPF?

SPF stands for Sender Policy Framework. It is an email authentication protocol that allows you to specify which servers are authorized to send emails on behalf of your domain. SPF works by adding a DNS record to your domain’s DNS configuration, which lists the IP addresses of your email servers. This record tells other email servers that any emails sent from your domain that do not come from authorized IP addresses should be rejected.

Setting up an SPF record is an essential step to prevent unauthorized users from sending emails using your domain name. For example, spammers or attackers may use your domain name to send spam or phishing emails, which can cause harm to your reputation, lead to blacklisting, and compromise the security of your customers and employees.

How to set up an SPF record?

Setting up an SPF record is a straightforward process, and it involves the following steps:

Step 1: Determine your email servers

The first step is to determine which servers are authorized to send emails on behalf of your domain. These servers can include your mail server, any third-party email service provider you use, or any other server that sends emails using your domain name.

Step 2: Create an SPF record

Once you have identified your authorized email servers, you can create an SPF record. An SPF record is a TXT record in your domain’s DNS configuration. You can use a simple syntax to create your SPF record, such as:

v=spf1 ip4:<IP address> -all

In this example, the “v=spf1” indicates that this is an SPF record, and “ip4:<IP address>” indicates the IP address of the authorized email server. The “-all” at the end indicates that any emails that do not come from authorized IP addresses should be rejected.

Step 3: Publish your SPF record

After creating your SPF record, you need to publish it in your domain’s DNS configuration. You can do this by logging in to your DNS provider’s website and adding a new TXT record with your SPF record. Alternatively, you can ask your IT team or hosting provider to do this for you.

Step 4: Test your SPF record

Once you have published your SPF record, it is essential to test it to ensure that it is working correctly. You can use online SPF record checkers, such as the one provided by MXToolbox, to test your SPF record. These tools will tell you whether your SPF record is valid and whether it is configured correctly.

Tips for creating an accurate SPF record

Here are some tips for creating a strong SPF record:

  • Include all authorized email servers: Make sure your SPF record lists every server authorized to send emails on behalf of your domain. This can include your mail server, third-party email service providers, or any other server that sends emails using your domain name.
  • Use the “-all” mechanism: The “-all” mechanism at the end of your SPF record tells other email servers to reject any emails that do not come from authorized IP addresses. This is a critical step to prevent unauthorized users from sending emails using your domain name.
  • Use the “include” mechanism: The “include” mechanism allows you to include SPF records from other domains. This can be useful if you use a third-party email service provider to send emails on behalf of your domain. You can include their SPF record in your SPF record to ensure that emails sent from their servers are also authenticated.
  • Use the “~all” mechanism for testing: The “~all” mechanism tells other email servers to mark any emails that do not come from the authorized IP addresses as “soft failures.” This means that these emails will still be delivered, but they will be marked as potentially suspicious. You can use this mechanism during testing to ensure that your SPF record is working correctly without immediately rejecting emails.
  • Keep your SPF record up to date: As your email infrastructure changes, make sure to update your SPF record to reflect these changes. This can include adding new email servers or removing old ones.
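
The record syntax from Step 2 and the difference between “-all” and “~all” described in the tips can be checked offline. The following is an added example, not code from the original page: it evaluates only the ip4, ip6 and all terms, and the sample records and addresses are constructed from documentation ranges.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208). A term without a prefix means "+".
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all subset of an SPF record for one connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, value = body.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]       # first match wins, so "all" goes last
        if name.lower() not in ("ip4", "ip6"):
            raise NotImplementedError(f"{name} needs DNS and is not handled here")
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"              # malformed address makes the record unusable
        if ip.version == network.version and ip in network:
            return RESULTS[qualifier]
    return "neutral"                        # nothing matched and no "all" term

# Constructed sample records using documentation address ranges.
STRICT = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"
TESTING = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ~all"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(ip, check_spf(STRICT, ip), check_spf(TESTING, ip))
```
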

SPF Flattening and its advantages 

The DNS lookup limit is a restriction imposed by email servers that limits the number of DNS lookups that can be performed when verifying an email’s SPF record. This limit is typically set at 10 DNS lookups, and if evaluating the record exceeds this limit, the email server may reject the email as potentially fraudulent.

SPF flattening is a technique used to reduce the number of DNS lookups required to verify an email’s SPF record. It works by combining multiple SPF records into a single record, which can reduce the number of DNS lookups required to authenticate an email.

Here’s an example of how SPF flattening can help:

Let’s say your company uses several third-party services to send emails, such as marketing automation software, a helpdesk system, and a CRM tool. Each of these services either adds to the IP address list in your SPF record or publishes its own SPF record, and if you were to include all of them in your domain’s SPF record, it would exceed the 10 DNS lookup limit.

By using SPF flattening, you can combine all of these redundant IPs into a single include. This means that when an email server performs a DNS lookup to verify your SPF record, it only needs to perform a single lookup or a few lookups, rather than multiple lookups for each of the individual SPF records and IP addresses.
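
The lookup count and the effect of flattening can be measured before a record is published. The following is an added example, not code from the original page: the zone is a constructed stand-in for DNS, all domain names and address ranges are placeholders, and only include: terms are flattened.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more DNS-querying terms give permerror
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone (placeholder names): domain -> published SPF TXT record.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example "
                   "include:_spf.helpdesk.example include:_spf.crm.example -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example "
                           "include:_c.mailer.example include:_d.mailer.example ~all",
    "_spf.helpdesk.example": "v=spf1 include:_a.helpdesk.example include:_b.helpdesk.example ~all",
    "_spf.crm.example": "v=spf1 include:_a.crm.example ~all",
}
LEAVES = {"_a.mailer.example": "192.0.2.0/28", "_b.mailer.example": "192.0.2.16/28",
          "_c.mailer.example": "192.0.2.32/28", "_d.mailer.example": "192.0.2.48/28",
          "_a.helpdesk.example": "198.51.100.0/25", "_b.helpdesk.example": "198.51.100.128/25",
          "_a.crm.example": "203.0.113.0/24"}
ZONE.update({name: f"v=spf1 ip4:{net} ~all" for name, net in LEAVES.items()})

def terms(record):
    """Yield (raw term, mechanism or modifier name, value) for each term after v=spf1."""
    for raw in record.split()[1:]:
        parts = re.split(r"[:=]", raw.lstrip("+-~?"), maxsplit=1)
        yield raw, parts[0].split("/")[0].lower(), parts[1] if len(parts) > 1 else ""

def count_lookups(record, zone):
    """Count the DNS-querying terms a receiver evaluates, following includes."""
    total = 0
    for _, name, value in terms(record):
        total += name in DNS_TERMS
        if name in ("include", "redirect"):
            total += count_lookups(zone[value], zone)
    return total

def flatten(record, zone):
    """Replace each include: with the ip4/ip6 ranges beneath it (nested a/mx would need DNS)."""
    out = []
    for raw, name, value in terms(record):
        if name == "include":
            nested = flatten(zone[value], zone).split()[1:]
            out += [t for t in nested if t.startswith(("ip4:", "ip6:"))]
        else:
            out.append(raw)
    return " ".join(["v=spf1"] + list(dict.fromkeys(out)))

if __name__ == "__main__":
    print(count_lookups(ZONE["example.com"], ZONE), "lookups, limit is", LOOKUP_LIMIT)
    print(flatten(ZONE["example.com"], ZONE))
```

A flattened record is a snapshot: it has to be regenerated whenever a provider changes its sending ranges, otherwise legitimate mail from the new addresses starts failing SPF.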


Setting up an SPF record is a crucial step in securing your email system and preventing email fraud. By creating an SPF record and publishing it in your domain’s DNS configuration, you can ensure that emails sent from your domain are authenticated and prevent unauthorized users from sending emails using your domain name. Following the tips outlined above, you can create a strong SPF record and keep your email system secure.

Hackers have adopted sophisticated ways to spoof emails and attempt cybercrime using your company’s name. SPF, DKIM, and DMARC help keep these efforts from succeeding by evaluating the authenticity of email senders. Financial, SaaS, and e-commerce are among the top 3 industries targeted by phishers, with compromised percentages of 23.6%, 20.5%, and 14.6% respectively.

Here, we focus on explaining SPF, DKIM, and DMARC: the foundational elements of email authentication.

What are SPF, DKIM, and DMARC?

Together, SPF, DKIM, and DMARC prevent unauthorized entities from using your domain to send fraudulent emails to your prospects, clients, employees, third-party vendors, stakeholders, etc. SPF and DKIM help demonstrate legitimacy, while DMARC instructs the receiver’s email server on what to do with emails failing authenticity checks. Let’s discuss SPF, DKIM, and DMARC in detail.


Sender Policy Framework, or SPF, is a method by which domain owners list all the servers allowed to send emails using their domain. This is done by creating a TXT SPF record that is published to DNS. If a sending IP is not on the list, authentication fails, and the email is either completely rejected by the recipient’s mailbox or marked as spam. If you already have an SPF record, use our SPF record checker to ensure it’s error-free.

However, SPF has a few limitations: it breaks when a message is forwarded, and threat actors can still spoof the display name or the From address.


DomainKeys Identified Mail, or DKIM, lets domain owners automatically sign emails sent from their domain. This works like signing bank checks to validate their authenticity. A DKIM signature is a digital signature based on public-key cryptography.

It works by storing a public key in a DKIM record, which the receiving mail server can look up. The matching private key is stored secretly by the sender, who signs the email header with it. Receiving mail servers verify the signature using the publicly accessible public key.


Domain-based Message Authentication, Reporting and Conformance (DMARC) instructs the receiver’s server what to do with emails failing SPF, DKIM, or both. This is done by selecting one of three policies: none, quarantine, or reject. Under the ‘none’ policy, no action is taken against messages failing validation checks. ‘Quarantine’ means unauthenticated emails will land in the spam folder, and the ‘reject’ policy completely bars such emails from the receiver’s mailbox.

DMARC policies are set in a DMARC record which also stores instructions to send reports to domain administrators about all the emails passing or failing validation checks. If you have already implemented a DMARC policy, use our free DMARC record lookup tool to fish for possible errors.

Where are SPF, DKIM, and DMARC Records Stored?

SPF, DKIM, and DMARC records are stored in the publicly accessible Domain Name System, or DNS. It is like a phonebook listing domain names and their corresponding IP addresses. So, whenever you enter a domain name in your browser, DNS takes you to the corresponding IP address. It’s not practically possible for humans to memorize the IP addresses of all the websites, and that’s where DNS comes in handy.

SPF, DKIM, and DMARC checks depend on this concept, as their records are stored as DNS TXT records. TXT records are used for many purposes because they can contain arbitrary text.

The Importance of SPF, DKIM, and DMARC

Email authentication is important for protecting your brand against cyberattacks attempted using phishing and impersonation techniques. Email authentication relies on the SPF, DKIM, and DMARC standards. Here’s why you need to implement them:

  • They ensure your domain name can’t be forged and misused.
  • They help you prevent phishing, spamming, ransomware attacks, etc. planned and attempted in your business’s name.
  • They improve your domain’s email deliverability rate. A poor email deliverability rate impacts internal communication, marketing and PR campaigns, customer retention rate, etc.

How to Set Up SPF, DKIM and DMARC?

Follow these instructions to set up SPF, DKIM, and DMARC to protect your domain and email conversations.

  1. Set up SPF for your domain.
  2. Set up DKIM for your domain.
  3. Set up a mailbox to receive reports for monitoring and evaluation.
  4. Use the main hosting sign-in details and check if there’s an existing DMARC record.
  5. Reset DMARC policy.

General SPF Set Up

  1. Login to the Sender Console.
  2. Select Settings.
  3. Select Domains.
  4. The following screen will appear.
  5. Click on Check SPF/DKIM records.

Wait 72 hours for the changed settings to be implemented. Once done, you can use our SPF record lookup tool to ensure an error-free record.

General DKIM Set Up

You can easily set up DKIM by generating a DKIM record using PowerDMARC’s free DKIM record generator. You just have to enter your domain name in the box and click on the Generate DKIM record button. You will get a pair of private and public DKIM keys. Publish the public key on your domain’s DNS and you are done.

General DMARC Set Up

Use our free DMARC generator and create a new DMARC record.

  1. Choose your DMARC policy.
  2. Click on Generate.
  3. Copy the TXT record to the clipboard and paste it into your DNS to activate the protocol.


Wrapping Up

Once you have set up DKIM, SPF, and DMARC, start monitoring the reports to notice suspicious activities. Remember, together these authentication protocols reduce the risk of spamming and phishing, but they don’t shield against all email-based cybercrimes. Thus, it’s important to invest in employee education and awareness as well.