Email Authentication Checklist
📥 Download PDF
Print or save as PDF for offline use
Email Authentication Checklist
SPF, DKIM & DMARC Implementation Guide
Phase 1: Audit Your Current State
List all services that send email for your domain
- Marketing platforms (Mailchimp, HubSpot, Klaviyo)
- Transactional email (SendGrid, Postmark, Amazon SES)
- CRM systems (Salesforce, HubSpot)
- Support desk (Zendesk, Freshdesk)
- Your own mail servers
Check existing DNS records for SPF, DKIM, DMARC
Test current email authentication with online tools
Document all sending IP addresses
Phase 2: Implement SPF
Create SPF record with all legitimate sending sources
- Format:
v=spf1 include:... include:... -all - Use the SPF Generator
Verify you are under 10 DNS lookups
Start with
~all (softfail) for testingAdd SPF record to DNS as TXT record
Wait for DNS propagation (24-48 hours)
Test with SPF checker tool
Move to
-all (hardfail) after verificationPhase 3: Implement DKIM
Enable DKIM in each email service
- Google Workspace: Admin Console → Gmail → Authenticate email
- Microsoft 365: Defender portal → Email authentication
- Marketing platforms: Check domain authentication settings
Use 2048-bit keys (not 1024-bit)
Add DKIM DNS records for each service
Wait for DNS propagation
Test with DKIM checker tool
Verify signatures are passing
Phase 4: Implement DMARC (Monitor)
Create DMARC record with p=none
- Format:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Add DMARC record to DNS at
_dmarc.yourdomain.com
Set up reporting address or DMARC monitoring service
Monitor for 2-4 weeks
Review aggregate reports for failures
Fix any SPF/DKIM issues revealed by reports
Phase 5: Enforce DMARC
Verify all legitimate sources pass authentication
Move to p=quarantine
- Consider gradual rollout: pct=10, then 25, 50, 100
Monitor reports for 2-4 weeks
Address any remaining issues
Progress to
p=reject for maximum protectionContinue monitoring reports
Ongoing Maintenance
Monitor DMARC reports regularly
Update SPF when adding new email services
Rotate DKIM keys periodically (every 6-12 months)
Monitor spam complaint rates (keep under 0.1%)
Review Google Postmaster Tools (if bulk sender)
Quick Reference: DNS Record Locations
SPF: @ or yourdomain.com (TXT record)
DKIM: selector._domainkey.yourdomain.com (TXT or CNAME)
DMARC: _dmarc.yourdomain.com (TXT record)