What Is SPF, DKIM & DMARC? (And How To Set Them Up)

If you are sending cold emails, then you need to add SPF, DKIM and DMARC records to your sender domains.

If you don’t, then your emails will land in spam.

Google recently announced that they will send emails to spam if they don’t have these records added.

In this article, I will explain what these records are, and how to set them up for cold email:

- What is SPF, DKIM and DMARC?
- How to set up SPF for Google Workspace
- How to set up DKIM for Google Workspace
- How to set up DMARC for Google Workspace
- How to verify that your records were added correctly

What is SPF, DKIM and DMARC?

SPF, DKIM and DMARC are methods of email authentication. They allow email service providers to know if the email being sent was actually sent from the domain that they claim to be coming from.

These three authentication methods are crucial for preventing phishing attacks, spam and other common email security risks.

SPF stands for “Sender Policy Framework”. SPF is a way for a domain to publicly list all of the servers that they send emails from. An SPF record lists all of the IP addresses of all of the email servers that are allowed to send emails for that particular domain. Mail servers (like Gmail) that receive an email message can check the SPF record to make sure that the IP address matches before passing that email to the recipient’s inbox.

DKIM stands for “DomainKeys Identified Mail”. DKIM is an email authentication method used to detect whether an email message has been changed between sender and recipient mail servers. DKIM authentication employs public-key cryptography, whereby an email is signed using the private key of the accountable party when it departs from a sending server. Subsequently, the recipient servers utilize a public key, which is available on the DKIM’s domain, to confirm the message's origin and to ensure that the segments of the message covered by the DKIM signature remain unaltered since the signing. After the recipient server successfully verifies the signature with the public key, the message is deemed authentic and passes the DKIM verification.

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. DMARC leverages existing standard authentication protocols, such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to assist administrators in identifying emails sent by cyberattackers who mimic a legitimate organization. This act, known as spoofing, is feasible because the "from" address of the attacker's email looks exactly like a legitimate domain. In essence, DMARC is crucial for the security of any organization and its clients. DMARC safeguards your brand by blocking unauthorized entities from sending emails using your domain.

How to set up SPF for Google Workspace

If you are using Google Workspace, then you can follow this guide to set up the SPF record on your domain.

In the past, if you bought your domain through Google Domains while setting up your Google Workspace account, then the SPF record would be automatically added to your domain’s DNS.

However, since Squarespace acquired Google Domains in 2023, this might not be the case anymore.

I recommend that you make sure that your domain has the SPF record added correctly (don't add it twice if it is already added).

Below is a video showing how to add the SPF record to your domain:

How to set up DKIM for Google Workspace

You can follow this guide to set up your DKIM with Google Workspace.

As explained above, the DKIM record used to be added automatically if you bought your domain through Google Domains while setting up your Google Workspace account.

However, since Squarespace acquired Google Domains in 2023, this may not be the case anymore.

You need to make sure that your domain has the DKIM record added correctly (and make sure you don't accidentally add it twice).

This article from Google shows you how to verify if you have set up your DKIM correctly. You can verify if your messages (emails) pass DKIM authentication following the steps in this article. This is my preferred method for verifying my DKIM authentication.

Below is a video showing how to add the DKIM record to your domain:

How to set up DMARC for Google Workspace

Important: You need to set up SPF and DKIM before you set up DMARC. After you set up SPF & DKIM, you should wait 48-hours before you set up DMARC. SPF & DKIM need to authenticate messages for 48-hours before you turn-on DMARC.

You should follow this guide to set up DMARC with Google Workspace.

When you are adding the DMARC record to your domain, I recommend that you set the following variables as described below:

p=quarantine
v=DMARC1

3 minutes and 10 seconds into this video discusses why setting up your DMARC record this way is important. Additionally, at 18 minutes and 45 seconds into the same video, they discuss further why you should set your DMARC to p=quarantine.

Google also discusses how setting your DMARC to p=quarantine can be beneficial for deliverability in this article.

You can then use this website to verify that your DMARC is set up correctly.

Below is a video showing how to add the DMARC record to your domain:

How to verify that your records were added correctly

Before you move further ahead with this guide, let’s make sure that you have correctly added your SPF, DKIM and DMARC records to your domain.

I recommend that you verify these records by following the method in the below Tweet:

Gold standard Gmail inboxing?

Open the email & click the three dots top right.

Click Show Original

You should see PASS for SPF/DKIM/DMARC pic.twitter.com/939zEFPzjQ

— Chris (@chris_byrne) November 24, 2023

The above method requires you to send an email from your email account to another email account (do not send yourself an email). Then, click "Show original". You will see "PASS" next to SPF, DKIM and DMARC if you have added the records correctly.

If it doesn't say "PASS" next to SPF, DKIM and DMARC, then you can fix them by going back to this guide and making sure that everything is set up as I explained above.

Below is a video showing how to check that your records were added correctly:

Frequently asked questions

Final thoughts

It is extremely important to add SPF, DKIM and DMARC records to your domain.

If you don’t, then your cold emails will go to spam.

To learn more about how you can land in the primary inbox, check out my article 13 Ways To Prevent Your Cold Emails From Going To Spam.

You should also check out my article 10 Cold Email Best Practices.