
How to Set Up DMARC, SPF, and DKIM — Business Guide

25.03.2026 · 3 min read · Nullbreach Team
Tags: Email Security, DMARC, SPF, DKIM, DNS

Why Email Authentication Matters

Email is the #1 attack vector for businesses. Without proper authentication, anyone can send emails that appear to come from your domain — enabling phishing, CEO fraud, and brand impersonation.

Three technologies work together to protect your email:

  - SPF — defines which servers may send email for your domain
  - DKIM — adds a cryptographic signature to prove email integrity
  - DMARC — tells receiving servers what to do with emails that fail SPF/DKIM checks

Without all three, your domain is vulnerable to spoofing. Our scans show that over 60% of German SMBs lack proper email authentication.

Step 1: Set Up SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists the IP addresses and services authorized to send email for your domain.

How to Create an SPF Record

  1. Identify all services that send email for your domain:
     - Your mail server (e.g., Microsoft 365, Google Workspace, Zoho)
     - Marketing tools (Mailchimp, HubSpot, etc.)
     - Transactional email (SendGrid, Amazon SES, etc.)
     - CRM systems, helpdesk tools, etc.
  2. Create the TXT record in your DNS:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Key components:

  - v=spf1 — SPF version identifier
  - include: — authorizes a service's sending IPs
  - ip4:203.0.113.0/24 — authorizes a specific IP range
  - -all — reject all other senders (strict)
  - ~all — soft fail for others (monitoring mode)

SPF Best Practices

Step 2: Set Up DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your outgoing emails, allowing recipients to verify the email hasn't been tampered with.

How DKIM Works

  1. Your mail server signs outgoing emails with a private key
  2. The corresponding public key is published as a DNS TXT record
  3. Receiving servers verify the signature against the public key

Setting Up DKIM

Most email providers handle key generation for you:

Google Workspace:

  1. Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  2. Generate new record → Select 2048-bit key
  3. Add the provided TXT record to your DNS
  4. Start authentication

Microsoft 365:

  1. Microsoft 365 Defender → Email & collaboration → Policies → DKIM
  2. Select your domain → Enable
  3. Add the two CNAME records to your DNS

General format of a DKIM DNS record:

selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANB..."

DKIM Best Practices

Step 3: Set Up DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together and tells receiving servers how to handle authentication failures.

The DMARC Record

Add a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100

DMARC Policies

Policy          Meaning                           When to Use
p=none          Monitor only, don't block         Start here — collect data
p=quarantine    Send failures to spam             After 2-4 weeks of clean data
p=reject        Block failing emails completely   Final goal — maximum protection

DMARC Rollout Strategy

Week 1-2: Monitor

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Collect reports, identify legitimate senders failing authentication.

Week 3-4: Quarantine

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

Start quarantining 25% of failures, gradually increase to 100%.

Month 2+: Reject

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Full protection — all unauthenticated emails are rejected.

Verification: Test Your Setup

After configuring all three:

  1. Send a test email to mail-tester.com — aim for 10/10
  2. Check your domain with Nullbreach's free scan → shows SPF, DKIM, DMARC status
  3. Review DMARC reports weekly for the first month
  4. Monitor for deliverability issues — check if legitimate emails are being rejected


Common Mistakes to Avoid

  1. Setting DMARC to reject immediately — always start with none and monitor
  2. Forgetting a sending service — causes legitimate emails to fail
  3. Exceeding SPF lookup limits — maximum 10 DNS lookups
  4. Not monitoring DMARC reports — you won't know if something breaks
  5. Using 1024-bit DKIM keys — use 2048-bit minimum
  6. Not updating records when changing providers — review after every migration
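To make the SPF and DMARC checks above concrete, here is a small offline audit script added to this guide (it is not Nullbreach's scanner). It takes record strings as input rather than querying DNS, counts only the top-level SPF lookup mechanisms (nested includes add their own), and flags the weak settings listed under Common Mistakes.

```python
# Offline audit of SPF and DMARC TXT record strings; no DNS queries are made.

# Mechanisms/modifiers that each consume one of the 10 DNS lookups SPF allows (RFC 7208)
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def audit_spf(record: str) -> dict:
    """Parse one SPF record and flag lookup-limit and 'all' qualifier problems."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "issues": ["record does not start with v=spf1"]}
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        # mechanism name without its qualifier, argument or modifier value
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1  # top-level count only; nested includes add their own lookups
        elif name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    issues = []
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10")
    if all_qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders are not restricted")
    elif all_qualifier == "+":
        issues.append("'+all' authorizes every sender")
    elif all_qualifier == "~":
        issues.append("'~all' only soft-fails unlisted senders (monitoring, not enforcement)")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "issues": issues}


def audit_dmarc(record: str) -> dict:
    """Parse one DMARC record into its tags and flag weak or incomplete settings."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False, "issues": ["record does not start with v=DMARC1"]}
    issues, policy = [], tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy in ("quarantine", "reject") and pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    return {"valid": True, "policy": policy, "pct": pct, "issues": issues}
```

Run it against the records you actually publish (constructed examples in the guide use yourdomain.com); a clean result is an empty issues list, and a pct below 100 on quarantine or reject is expected only while the rollout is still in progress.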

Ongoing Monitoring

Email authentication isn't set-and-forget. You need to:

  - Monitor DMARC reports for anomalies
  - Update SPF when adding new email services
  - Rotate DKIM keys annually
  - Watch for configuration drift

Nullbreach continuously monitors your DNS email security configuration and alerts you when SPF, DKIM, or DMARC records are missing, misconfigured, or weakened.
