arrobaMail
Tutorial · Intermediate

Configuring SPF, DKIM, and DMARC step by step

A practical guide to authenticating your sending domain in arrobaMail: what each record does, how to publish them in your DNS, how to verify them, and how to harden DMARC.

By Equipo editorial de arrobaMailPublished June 14, 202620 min8 steps

Authenticating your domain is what tells Gmail, Outlook, and Yahoo that emails going out "in your name" are actually yours. Since 2024, the major mailbox providers require it from anyone sending at volume: without SPF, DKIM, and DMARC, your reach gets cut down. It doesn't guarantee the inbox — nothing does — but it's the baseline without which nothing else even gets evaluated in your favor.

It sounds technical, but it's really three text records you publish once. And if you don't manage your domain's DNS yourself, don't worry — we'll show you what it is and what values to hand your hosting provider so they can do it for you. This guide walks you through all three records, verification, and hardening afterward.

Just getting started? Verify your sender first — it takes 5 minutes and you're already able to send: Verify your sender in 5 minutes. This guide is the next step: authenticating the domain to push your deliverability to its ceiling. It's the most technical part, but you only do it once (or you hand it off to your provider).

Before you start

  • Your own domain (e.g. yourdomain.com), not a free mailbox.
  • Access to your domain's DNS panel (wherever you registered it, or your hosting provider).
  • The SPF and DKIM values arrobaMail gives you for your account.

The 8 steps

  1. 1

    Understand what each record does

    SPF authorizes servers; DKIM signs the message; DMARC sets the rule and reports.

  2. 2

    Verify your sender mailbox

    Certify the email address you'll send from inside arrobaMail.

  3. 3

    Open your domain's DNS panel

    This is where you'll publish the records; usually with your registrar or hosting provider.

  4. 4

    Publish the SPF record

    A TXT record declaring which servers are allowed to send on your behalf.

  5. 5

    Publish the DKIM record

    A TXT (or CNAME) record with the public key that signs your sends.

  6. 6

    Publish the DMARC record in monitoring mode

    Start with p=none to observe without blocking anything.

  7. 7

    Verify propagation

    Confirm all three records are correctly published and resolving.

  8. 8

    Read the reports and harden the policy

    With real data in hand, move DMARC up to quarantine and then reject.

1. Understand what each record does

Before touching anything, it helps to know each one's job — that way, if something breaks, you know where to look:

  • SPF (Sender Policy Framework). A public list of "who's authorized to send emails using my domain." If a message arrives from a server that's not on the list, it's suspicious.
  • DKIM (DomainKeys Identified Mail). A digital signature on every email. It guarantees two things: that the message came from an authorized sender, and that nobody tampered with it along the way.
  • DMARC. The rule that ties the two together: it tells the mailbox what to do if an email fails SPF or DKIM (let it through, send it to spam, or reject it), and it also sends you reports on who's sending in your name.

The easy way to remember it: SPF authorizes, DKIM signs, DMARC sets the rule and lets you know.

2. Verify your sender mailbox

Inside arrobaMail, certify the email address you'll be sending from first (the "sender verification"). It's a quick step — a confirmation code or link sent to that mailbox — and it's independent of DNS, but it's your starting point: arrobaMail will show you, right next to that mailbox, the exact SPF and DKIM values you need to publish for your account. Write them down or keep that screen open — you'll need them in the next steps.

3. Open your domain's DNS panel

Records get published in your domain's DNS, not inside arrobaMail. DNS is usually managed wherever you bought the domain (your registrar) or through your hosting provider/Cloudflare. Look for a section called "DNS," "DNS Zone," or "DNS Records."

Tip · What's DNS?

Think of DNS as your domain's directory

DNS is where records get set that tell the internet how to handle your domain and your email. You manage it wherever you bought the domain, or with your hosting provider — not inside arrobaMail.

Not the one who manages it, or not sure how to log in? You don't have to do it yourself: copy the values arrobaMail gives you and ask your hosting provider or whoever manages your domain to make the change. For them, it's a two-minute job.

There you'll be able to add records of type TXT and CNAME. If you've never touched this before, don't panic — adding a record is like adding a row to a table. Just don't delete existing records you don't recognize.

Tip: DNS changes aren't instant. They usually propagate within minutes, but can take up to several hours. Be patient: if you just published, wait before assuming something's broken.

4. Publish the SPF record

SPF is a TXT record at your domain's root. arrobaMail gives you the exact value; it looks something like this:

v=spf1 include:_spf.arrobamail.com ~all

Key points:

  • Only one SPF record per domain. If you already have one (say, from Google Workspace), don't create a second one — add arrobaMail's include inside the one that already exists. Having two SPF records invalidates both.
  • The ending matters. ~all (softfail) is standard while you're confirming everything works. Never use +all — it authorizes anyone to send in your name.
  • Want to understand each part? We break it down in SPF in detail.

5. Publish the DKIM record

DKIM is the public key that lets receivers verify your sends' signature. arrobaMail gives you the value and the selector (the record's "label"; on arrobaMail it's usually fm). Depending on your case, you'll publish it as a TXT at fm._domainkey.yourdomain.com or as a CNAME, exactly as the platform indicates.

Copy the value exactly as given, without adding or removing spaces or line breaks — it's a long key and a single extra character breaks it. If your DNS panel splits long values across several lines, don't worry — that's just visual; what matters is pasting the exact content.

More detail and troubleshooting in DKIM in detail.

6. Publish the DMARC record in monitoring mode

DMARC is a TXT record at _dmarc.yourdomain.com. To start, publish it in monitoring mode (p=none): it observes and reports without blocking anything, so you don't risk cutting off legitimate sends while you confirm SPF and DKIM are working. A typical starting value:

v=DMARC1; p=none; rua=mailto:[email protected]
  • p=none → doesn't block; only reports.
  • rua=mailto: → the mailbox where you'll receive aggregate reports (create it if it doesn't exist).

Leave it at p=none for at least a week or two to gather data before hardening. We go deeper in DMARC in detail.

7. Verify propagation

With all three published, confirm they landed correctly. The fastest way is to run the domain reputation diagnostic: it shows you the status of SPF, DKIM, and DMARC in seconds, without asking for any data, and flags in yellow or red whatever still needs adjusting.

If something isn't showing up yet, give propagation more time and check again. Common issues at this stage: two SPF records coexisting, an extra space in the DKIM value, or DMARC published at the wrong host (it has to be _dmarc).

8. Read the reports and harden the policy

After a few days at p=none, you'll start receiving DMARC reports. They'll show you which servers are sending in your name and whether they pass authentication or not. Once you see your own legitimate sends (arrobaMail and any other tool you use) passing correctly, you can harden the policy in two steps:

  1. Move to p=quarantine: emails that fail authentication go to spam instead of the inbox.
  2. Once you're confident, move up to p=reject: they get rejected outright. It's the level that protects your domain most against impersonation.

Don't jump straight to reject without going through the monitoring stage — if a legitimate service of yours wasn't set up correctly, you'd cut it off without ever finding out.

Common mistakes to avoid

  • Two SPF records. It's the most common and silent mistake: it invalidates authentication entirely. Unify everything into one.
  • Using +all in SPF. It's equivalent to having no SPF at all — it authorizes anyone.
  • Pasting the DKIM value with an extra space or split in two. It's a long string: copy and paste it exactly as arrobaMail gives it to you, without adding spaces or breaking it across lines. A single changed character invalidates it.
  • Jumping straight to p=reject. Without prior monitoring, you can cut off your own sends.
  • Panicking about propagation. Wait a few hours before declaring something broken.

Next steps

With your domain authenticated, your campaigns start off on the best possible footing. Now:

  1. Create and send your first campaign knowing you're standing on solid ground.
  2. To see the full deliverability picture (reputation, warmup, Health Score), check out the deliverability section.

Got a question about a specific record? Run the free diagnostic and see what it flags.

Get started with arrobaMail
in under 5 minutes.

Free plan, AI generations included, no credit card required — and real support from a real team.

Try it free now
WhatsAppOur team replies