Skip to main content
Relaymetry

How to set up SPF, DKIM, and DMARC (by email provider)

To authenticate mail from your domain you publish four DNS records — an SPF TXT, a DKIM key, a DMARC policy at _dmarc, and MX records for inbound mail. Your email provider gives you the exact values and generates the DKIM key; your DNS host is where you publish them. Pick your provider below for the precise records and steps.

Email authentication proves that a message really came from your domain. Without it, mailbox providers like Gmail, Yahoo, and Microsoft increasingly send your mail to spam or reject it outright. Setting it up means publishing four DNS records — and the exact values depend on who sends your mail and who hosts your DNS.

The four records you publish

SPF is a TXT record that lists the servers allowed to send mail for your domain, such as v=spf1 include:_spf.google.com ~all. A receiver checks the connecting server against it. See what a TXT record is for the format, and check yours with the SPF checker.

DKIM attaches a cryptographic signature to every message. You publish a public key in DNS — as a TXT record or, on some providers, a CNAME — and your provider signs outgoing mail with the matching private key. The record lives at selector._domainkey.yourdomain.com. Verify a published key with the DKIM checker, or build one with the DKIM record generator.

DMARC is a TXT record at _dmarc.yourdomain.com, such as v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. It ties SPF and DKIM to the visible From address and tells receivers what to do when neither aligns — monitor, quarantine, or reject. Read the DMARC record you have, and start at p=none while you watch the reports.

MX records route inbound mail to your provider's servers. They are not authentication, but they are part of the same setup and your provider gives you the exact hosts. Check them with the MX lookup.

If you want the mechanics of how these three checks combine, read email authentication explained. The rest of these guides are about doing it on a specific provider.

Choose your provider

The records above are the same everywhere, but where you enable DKIM and the exact values you publish differ. Pick your mailbox provider — and, if it is different, your DNS host:

  • Google Workspace — generate the DKIM key in the Admin console and publish one google._domainkey TXT record.
  • Microsoft 365 — enable DKIM in the Defender portal and publish two selector CNAMEs.
  • Gmail — what applies for a @gmail.com address versus a custom domain on Google.
  • Namecheap — where to add the records your mailbox provider gave you in the Advanced DNS panel.
  • GoDaddy — the same, in the GoDaddy DNS manager.

Your mailbox provider (who sends your mail) and your DNS host (who answers DNS for your domain) can be two different companies. You get the record values from the first and publish them at the second.

Check before and after

Before you change anything, and again after DNS propagates, run a free check from the Relaymetry home page: enter your domain and it reads your live SPF, DKIM, DMARC, and MX records in one pass and flags what is missing or misconfigured. DNS changes can take up to a day to propagate, so if a record does not show up immediately, wait and check again rather than re-adding it.

Related guides

Frequently asked questions

Which DNS records do I need for email authentication?

Four records authenticate mail from your domain: an SPF TXT record that lists who may send for you, a DKIM record (TXT or CNAME) that carries your signing key, a DMARC TXT record at _dmarc that tells receivers what to do on failure, and MX records that route inbound mail. All four live in your domain's DNS, and their exact values depend on your email provider.

Do I set these up at my email provider or my DNS host?

Both. Your email provider — Google Workspace, Microsoft 365, and so on — tells you the exact records and generates the DKIM key, while your DNS host or registrar — Namecheap, GoDaddy, Cloudflare — is where you publish them. This guide covers both sides, one page per provider.

What is the difference between SPF, DKIM, and DMARC?

SPF authorizes which servers may send for your domain, DKIM cryptographically signs each message, and DMARC ties both to the visible From address and tells receivers what to do when neither aligns. The mechanics are the same for every provider; only the record values differ.

How do I check whether my records are set up correctly?

Run a free check from the Relaymetry home page: enter your domain and it reads your live SPF, DKIM, DMARC, and MX records and flags what is missing or misconfigured, so you can confirm each record before and after you change it.

Does email-authentication setup differ by provider?

The four records are the same, but where you enable DKIM and the exact values differ. Google Workspace generates one google._domainkey TXT record; Microsoft 365 uses two selector CNAMEs; registrars such as Namecheap and GoDaddy are only where you paste the records your mailbox provider gives you.

More in this cluster

References

Browse all guides →