The Three Records You Need
Every sending domain needs three DNS records configured:
| Record | Purpose | Without It |
|---|---|---|
| SPF | Declares who can send email for your domain | Emails flagged as potentially forged |
| DKIM | Cryptographically signs emails | Can't verify email wasn't tampered with |
| DMARC | Tells receivers what to do with failed checks | No policy = uncertain handling |
SPF (Sender Policy Framework)
What it does: Lists servers authorized to send email for your domain.
Example record:
```
v=spf1 include:spf.protection.outlook.com -all
```
Key points:
- Only ONE SPF record per domain
- Use `include:` to authorize third parties
- End with `-all` (fail unauthorized) or `~all` (softfail)
DKIM (DomainKeys Identified Mail)
What it does: Adds a digital signature to every email you send.
How it works:
- Your email server signs outgoing emails with a private key
- Public key published in DNS
- Receiving server verifies signature matches
Example record:
```
selector1._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqG...
```
Key points:
- Set up automatically by email provider
- Multiple DKIM records are fine (different selectors)
- Longer keys (2048-bit) are more secure
DMARC (Domain-based Message Authentication)
What it does: Tells receiving servers what to do when SPF or DKIM fail.
Example record:
```
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
```
Policy options:
- `p=none` - Monitor only (start here)
- `p=quarantine` - Send failures to spam
- `p=reject` - Block failures entirely
Key points:
- Start with `p=none` to monitor
- Review reports before increasing enforcement
- Include `rua=` for aggregate reports
What We Handle
During setup, we configure all DNS records for your domains:
- SPF pointing to Microsoft 365
- DKIM with proper selectors
- DMARC in monitoring mode initially
You don't need to touch DNS settings - we handle it all.
How to Check Your Records
Use our DNS Validation tool to verify:
- All three records exist
- Records are properly formatted
- No conflicts or errors
Common Mistakes
- Multiple SPF records - Only one allowed; combine if needed
- Missing DKIM - Often requires action in email admin panel
- DMARC too strict too fast - Start with `p=none`
- Wrong include statements - Must match your email provider
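The mistakes listed above can be caught with a small linter over the TXT strings already fetched from DNS. This is an added example, not the DNS Validation tool's code; the function names, the sample records and the truncated DKIM key are constructed for illustration.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM/DMARC style) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_domain(apex_txt, dkim_txt, dmarc_txt, expected_include):
    """Return findings for one domain. Each argument is the list of TXT
    strings found at the apex, <selector>._domainkey and _dmarc names."""
    findings = []
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF: no record")
    elif len(spf) > 1:
        findings.append("SPF: multiple records, combine into one")
    else:
        terms = spf[0].lower().split()[1:]
        if "include:" + expected_include.lower() not in terms:
            findings.append("SPF: missing include:" + expected_include)
        if not terms or terms[-1] not in ("-all", "~all"):
            findings.append("SPF: does not end with -all or ~all")
    # An empty p= tag marks a revoked key, so it counts as missing.
    if not any(parse_tags(r).get("p") for r in dkim_txt):
        findings.append("DKIM: no public key at selector")
    dmarc = [parse_tags(r) for r in dmarc_txt if r.strip().startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: expected exactly one record")
    else:
        if dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= policy")
        if not dmarc[0].get("rua"):
            findings.append("DMARC: no rua= address for aggregate reports")
    return findings

# Constructed sample records, not real DNS data (DKIM key is a truncated stand-in).
GOOD = {
    "apex_txt": ["v=spf1 include:spf.protection.outlook.com -all"],
    "dkim_txt": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqG"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"],
}
BAD = {
    "apex_txt": ["v=spf1 include:spf.protection.outlook.com -all",
                 "v=spf1 include:mail.example.net ~all"],
    "dkim_txt": [],
    "dmarc_txt": ["v=DMARC1; p=quarantine"],
}

if __name__ == "__main__":
    for name, records in (("good", GOOD), ("bad", BAD)):
        print(name, lint_domain(expected_include="spf.protection.outlook.com", **records))
```

The linter checks presence and syntax only; it does not verify the DKIM signature or key length.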
Key Takeaway
SPF, DKIM, and DMARC are the foundation of email authentication. Missing or misconfigured records = emails go to spam. We configure these automatically during setup.
