SPF, DKIM, and DMARC Setup: A Complete Technical Guide | DexcyJet Blog

SPF, DKIM, and DMARC Setup: A Complete Technical Guide

Learn how to set up SPF, DKIM, and DMARC DNS records correctly, verify them with command-line tools, and understand what each protocol actually does for your sender reputation.

Aakash Rao

Founding Engineer · January 15, 2026 · 7 min read

SPF, DKIM, and DMARC are three DNS-based email authentication standards that together tell receiving mail servers: “this email genuinely came from who it says it did.” Without them, your campaigns are far more likely to land in spam — or get rejected outright. Since February 2024, Google and Yahoo both require all bulk senders to have all three configured.

This guide walks through what each one does, how to set them up, how to verify your records, and the RFC references behind each standard. It’s written for engineers and technical marketers who want to understand the mechanisms, not just copy-paste DNS records.

SPF: Sender Policy Framework

RFC 7208 defines SPF. The mechanism is simple: you publish a DNS TXT record on your domain that lists the IP addresses (directly, or via include: references to other domains' records) that are authorised to send email on your behalf. When a receiving server gets an email whose envelope sender (MAIL FROM) is you@yourdomain.com, it looks up your SPF record and checks whether the connecting IP is on the list.

SPF record structure

An SPF record is a TXT record on your root domain (yourdomain.com) or subdomain (mail.yourdomain.com). It looks like this:

v=spf1 include:amazonses.com include:mailgun.org ip4:203.0.113.10 ~all

Breaking this down:

  • v=spf1 — version identifier. Always this.
  • include:amazonses.com — authorise all IPs listed in Amazon SES’s own SPF record
  • include:mailgun.org — same for Mailgun
  • ip4:203.0.113.10 — explicitly authorise a single IP (your own SMTP server, for example)
  • ~all — softfail: emails from IPs not on this list will be marked suspicious but not rejected. Use -all (hardfail) once you’re confident your record is complete.

SPF lookup limit

SPF evaluates a maximum of 10 DNS lookups per check (RFC 7208 §4.6.4). Each include: directive counts as one lookup, as do the a, mx, ptr and exists mechanisms and the redirect= modifier, and lookups inside nested includes count towards the same total. Exceeding 10 lookups causes a permerror, which is treated as a failure. If you use multiple sending services, use an SPF flattening service or consolidate via a single gateway.
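The record walk and the lookup count described above, as an added example (not code from the page or from DexcyJet). It evaluates a sending IP against an SPF record the way a receiver does, recursing into include: terms and counting every lookup-causing term against the ten-lookup limit. DNS is replaced by the constructed FAKE_DNS table, so the module runs offline; the records in it are illustrative and are not the real records of the domains named.

```python
"""SPF evaluator with lookup counting (added example, not the page's or DexcyJet's code)."""
import ipaddress

# Constructed stand-in for DNS TXT answers (assumption: illustrative records only).
FAKE_DNS = {
    "yourdomain.com": "v=spf1 include:amazonses.com include:mailgun.org "
                      "ip4:203.0.113.10 ~all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 include:ses-east.example ~all",
    "ses-east.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "mailgun.org": "v=spf1 ip4:203.0.113.64/26 ip6:2001:db8::/32 ~all",
    # Constructed record with eleven include: terms to show the limit being hit.
    "toomany.example": "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all",
}
FAKE_DNS.update({f"svc{i}.example": "v=spf1 ip4:10.0.0.1 -all" for i in range(11)})

MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 §4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SPFPermError(Exception):
    """Permanent error: missing or malformed record, or too many lookups."""


def lookup_spf(domain):
    """Return the terms of the domain's SPF record (without the v=spf1 tag)."""
    record = FAKE_DNS.get(domain.lower())
    if record is None:
        raise SPFPermError(f"no SPF record for {domain}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SPFPermError(f"{domain}: record does not start with v=spf1")
    return terms[1:]


def check_host(ip, domain, counter=None):
    """Return (result, lookups_used) for `ip` sending as `domain`.

    `counter` is a shared dict so that nested include: chains add to one total.
    """
    if counter is None:
        counter = {"n": 0}
    addr = ipaddress.ip_address(ip)
    redirect_to = None
    for term in lookup_spf(domain):
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect=_spf.example
            name, value = term.split("=", 1)
        else:                                # mechanism, e.g. ip4:203.0.113.10
            name, _, value = term.partition(":")
        name = name.lower()
        if name in LOOKUP_TERMS:
            counter["n"] += 1
            if counter["n"] > MAX_LOOKUPS:
                raise SPFPermError(f"more than {MAX_LOOKUPS} DNS lookups (permerror)")
        if name == "redirect":               # applied only if no mechanism matches
            redirect_to = value
            continue
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A mismatched address family never matches (IPv6 sender vs ip4 term).
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include: matches only when the included record itself yields "pass".
            sub_result, _ = check_host(ip, value, counter)
            matched = sub_result == "pass"
        else:
            # a, mx, ptr and exists need live DNS; treated as non-matching here.
            matched = False
        if matched:
            return QUALIFIERS[qualifier], counter["n"]
    if redirect_to:
        return check_host(ip, redirect_to, counter)
    return "neutral", counter["n"]


if __name__ == "__main__":
    for sender in ("203.0.113.10", "192.0.2.5", "203.0.113.100", "10.9.9.9"):
        print(sender, check_host(sender, "yourdomain.com"))
    try:
        check_host("10.0.0.2", "toomany.example")
    except SPFPermError as err:
        print("toomany.example:", err)
```

Running it shows why flattening matters: yourdomain.com already spends three lookups on two includes because amazonses.com (in this constructed table) nests a further include, and the toomany.example record hits a permerror on its eleventh include even though every one of them is well-formed.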

DexcyJet’s SPF configuration

When you add a sending domain in DexcyJet, the onboarding flow shows you the exact DNS records to add. For SPF, you’ll include DexcyJet’s sending infrastructure:

v=spf1 include:spf.dexcyjet.com ~all

Verifying SPF

# Check your SPF record (the TXT data is printed as quoted strings)
dig TXT yourdomain.com | grep spf1

# Or fetch a public validator's report (the response is an HTML page;
# open the same URL in a browser to read it):
curl "https://dmarcian.com/spf-survey/?domain=yourdomain.com"

DKIM: DomainKeys Identified Mail

RFC 6376 defines DKIM. Where SPF checks the sending IP, DKIM uses public-key cryptography to sign the email headers and body. The receiving server verifies the signature against a public key you’ve published in DNS.

How it works

  1. Your sending server (DexcyJet’s infrastructure, or your own SMTP relay) signs each outgoing email with your private DKIM key, adding a DKIM-Signature header.
  2. The recipient’s server looks up your public DKIM key at <selector>._domainkey.<yourdomain.com> in DNS.
  3. It verifies the signature. If valid, the email is confirmed to have been sent by someone with access to your private key, and the headers/body have not been modified in transit.

DKIM DNS record format

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

  • v=DKIM1 — version
  • k=rsa — key type. Use a 2048-bit RSA key; 1024-bit keys are still accepted by many verifiers but are considered too weak for new deployments.
  • p= — base64-encoded public key (the DER-encoded SubjectPublicKeyInfo, i.e. the PEM body with its header, footer and line breaks removed)

The DNS record name is: <selector>._domainkey.yourdomain.com

A “selector” is just a label you choose (e.g., jet2026, dexcyjet1) so you can rotate keys without downtime.

Generating a DKIM keypair

# Generate a 2048-bit RSA key pair
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

# Extract the public key value for DNS (DER form, base64-encoded, no newlines)
openssl rsa -in dkim_private.pem -pubout -outform DER | base64 | tr -d '\n'

# For a 2048-bit key this value is longer than the 255-character limit of a
# single TXT string; most DNS providers split it into several quoted strings
# automatically, otherwise split it yourself ("MIIBIj..." "...IDAQAB").

DexcyJet generates and manages DKIM keys for you — you don’t touch the private key. The dashboard shows the DNS record to publish, and will verify propagation before activating the domain for sending.

Verifying DKIM

# Replace jet2026 and yourdomain.com with your own selector and domain
dig TXT jet2026._domainkey.yourdomain.com

# Then send a test email to a mailbox you control and inspect its raw headers:
# look for dkim=pass in the Authentication-Results header the receiver added

Use mail-tester.com or mxtoolbox.com for a complete header analysis.
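The two verifier steps above that need no cryptography library, as an added example (not code from the page or from DexcyJet): parsing the DKIM-Signature header into its tags to derive the <selector>._domainkey.<domain> name the receiver queries, and recomputing the bh= body hash after the "relaxed" body canonicalization of RFC 6376 §3.4.4, which is how a verifier notices that the body was modified in transit. Checking the b= signature itself needs the RSA public key from DNS and is left out. The message body and header below are constructed; the b= value is a placeholder, not a real signature.

```python
"""DKIM body-hash check and DNS name derivation (added example, not the page's or DexcyJet's code)."""
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Turn 'tag=value; tag=value' into a dict, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def relaxed_body(body):
    """RFC 6376 §3.4.4: collapse WSP runs to one space, strip trailing WSP,
    drop trailing empty lines and terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, algorithm="sha256"):
    """Base64 digest of the canonicalized body: the value a signer puts in bh=."""
    digest = hashlib.new(algorithm, relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(header_value, body):
    """True when bh= matches the body as received; any content change fails."""
    tags = parse_dkim_signature(header_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if body_canon != "relaxed":
        raise ValueError("only relaxed body canonicalization is implemented here")
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]   # "sha256" or "sha1"
    return tags.get("bh") == body_hash(body, algorithm)


# Constructed message: whitespace noise that relaxed canonicalization removes.
SAMPLE_BODY = "Hello   world,\r\n\r\nYour report is attached.  \r\n\r\n\r\n"

# Constructed header; bh= is computed from SAMPLE_BODY, b= is a placeholder.
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=jet2026;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER_NOT_A_REAL_SIGNATURE"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_DKIM_HEADER)
    print("lookup", dkim_dns_name(tags))
    print("intact body:", verify_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY))
    print("tampered body:", verify_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY.replace("attached", "detached")))
```

Relaxed canonicalization is why a message that passes through a relay which reflows trailing whitespace or adds blank lines still verifies, while a change to the words themselves does not.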

DMARC: Domain-based Message Authentication, Reporting and Conformance

RFC 7489 defines DMARC. It builds on SPF and DKIM by letting you tell receiving servers what to do when authentication fails, and where to send reports about what’s happening to your domain’s email.

DMARC alignment

DMARC introduces the concept of alignment: the domain in the From: header (the human-readable sender) must match the authenticated domain from SPF or DKIM.

  • SPF alignment: the MAIL FROM domain (envelope sender) must match the From: header domain.
  • DKIM alignment: the d= domain in the DKIM-Signature header must match the From: header domain.

Only one of SPF or DKIM needs to align for DMARC to pass.

DMARC record format

Published as a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; adkim=r; aspf=r; pct=100

Key tags:

Tag            Meaning
p=none         Monitor only — no action on failure
p=quarantine   Send failing emails to spam
p=reject       Reject failing emails outright
rua=           Aggregate report destination (daily summaries)
ruf=           Forensic report destination (per-failure reports)
pct=           Percentage of messages to apply the policy to (useful when ramping up)
adkim=r        Relaxed DKIM alignment (subdomain matching OK)
aspf=r         Relaxed SPF alignment
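The alignment rules and the record tags from the two sections above, as an added example (not code from the page or from DexcyJet). It parses a _dmarc TXT record, fills in the RFC 7489 defaults (adkim=r, aspf=r, pct=100, sp defaults to p), and applies the rule that a message passes when either the SPF-authenticated MAIL FROM domain or the DKIM d= domain aligns with the From: domain. Relaxed mode compares organizational domains; strict mode requires an exact match. The organizational domain is approximated with a small constructed public-suffix set rather than the real Public Suffix List, and pct= sampling is not applied.

```python
"""DMARC record parser and alignment evaluator (added example, not the page's or DexcyJet's code)."""

# Constructed subset of the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain):
    """Public suffix plus one label, e.g. bounce.yourdomain.com -> yourdomain.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # fallback when no suffix is known


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict and apply RFC 7489 §6.3 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p=
    return tags


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): identical."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_evaluate(record, record_domain, from_domain, spf=None, dkim=None):
    """Apply a DMARC record to one message's authentication results.

    record_domain: the domain the record was published under (the From domain
    or its organizational domain).
    spf / dkim: (authenticated domain, result) as the verifier reported them,
    i.e. the MAIL FROM domain for SPF and the d= domain for DKIM, or None.
    Returns (dmarc_result, policy_to_apply).
    """
    tags = parse_dmarc(record)
    spf_ok = spf is not None and spf[1] == "pass" and aligned(from_domain, spf[0], tags["aspf"])
    dkim_ok = dkim is not None and dkim[1] == "pass" and aligned(from_domain, dkim[0], tags["adkim"])
    if spf_ok or dkim_ok:                  # only one identifier needs to align
        return "pass", "none"
    # p= governs the record's own domain, sp= its subdomains.
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
    return "fail", policy


if __name__ == "__main__":
    record = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; "
              "sp=none; adkim=r; aspf=r; pct=100")
    # Typical third-party sender: MAIL FROM is the provider's domain, so SPF does
    # not align, but a DKIM signature with d=yourdomain.com still passes DMARC.
    print(dmarc_evaluate(record, "yourdomain.com", "yourdomain.com",
                         spf=("amazonses.com", "pass"), dkim=("yourdomain.com", "pass")))
    print(dmarc_evaluate(record, "yourdomain.com", "yourdomain.com",
                         spf=("amazonses.com", "pass"), dkim=("yourdomain.com", "fail")))
```

The second call in the usage shows the common failure: SPF passed for the provider's own bounce domain, but nothing aligned with yourdomain.com, so p=quarantine applies.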

Rollout strategy

Don’t start at p=reject. You will break legitimate email flows you don’t know about yet.

  1. Week 1–2: p=none; rua=mailto:your@address.com — monitor. Collect aggregate reports.
  2. Week 3–4: Analyse reports. Fix any SPF/DKIM alignment issues for your other sending services (CRM, support desk, notification services).
  3. Month 2: Move to p=quarantine; pct=10 — apply to 10% of traffic.
  4. Month 3: p=quarantine; pct=100.
  5. Month 4+: p=reject; pct=100 — full enforcement.

Reading DMARC reports

DMARC aggregate reports (RUA) are XML files. Parse them with a tool like dmarcian or Postmark’s DMARC Digests. Look for:

  • Unknown sending sources you didn’t authorise (sign of spoofing or forgotten services)
  • Alignment failures from legitimate services (fix their SPF/DKIM)
  • Volume from your main sending domain (verify it’s passing at high rates)
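The three checks in the list above, run over an aggregate report with the standard library, as an added example (not code from the page, from DexcyJet, or from any report tool). It reads the RFC 7489 Appendix C XML layout and sorts each <record> into passing volume, alignment failures from sources you recognise, and unknown sources. The report and the KNOWN_NETWORKS allowlist are constructed; a real report arrives as a gzip or zip attachment to the rua= mailbox and is decompressed first.

```python
"""Minimal DMARC aggregate (RUA) report analyzer (added example, not the page's or DexcyJet's code)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed report in the RFC 7489 Appendix C layout (three sources, one day).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1767225600</begin><end>1767312000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>192-0-2-77.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed allowlist: networks you know legitimately send for the domain.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]


def analyze_report(xml_text, known_networks=KNOWN_NETWORKS):
    """Bucket every <record> of an aggregate report and compute the pass rate."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "total": 0, "passing": 0,
               "alignment_failures": [], "unknown_sources": []}
    for rec in root.findall("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results, which is what DMARC scores.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        summary["total"] += count
        if dkim == "pass" or spf == "pass":
            summary["passing"] += count
        elif any(ip in net for net in known_networks):
            # A known service authenticated (raw SPF pass) but for its own domain,
            # so nothing aligned: that service's SPF/DKIM needs fixing.
            raw_spf_domain = rec.findtext("auth_results/spf/domain")
            summary["alignment_failures"].append((str(ip), count, raw_spf_domain))
        else:
            summary["unknown_sources"].append((str(ip), count))
    summary["pass_rate"] = summary["passing"] / summary["total"] if summary["total"] else 0.0
    return summary


if __name__ == "__main__":
    result = analyze_report(SAMPLE_REPORT)
    print(f"{result['domain']}: {result['pass_rate']:.1%} aligned")
    print("fix these services:", result["alignment_failures"])
    print("investigate these sources:", result["unknown_sources"])
```

The distinction between the raw result under auth_results and the aligned result under policy_evaluated is the one most people miss when reading these reports by hand: the constructed second record passed SPF for crm-vendor.example, yet counts as a DMARC failure because that domain does not align with yourdomain.com.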

The Complete DNS Setup Checklist

For a domain yourdomain.com using DexcyJet as your sending platform:

Record type   Hostname                             Value
TXT           yourdomain.com                       v=spf1 include:spf.dexcyjet.com ~all
TXT           jet2026._domainkey.yourdomain.com    v=DKIM1; k=rsa; p=<public_key>
TXT           _dmarc.yourdomain.com                v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
CNAME         tracking.yourdomain.com              tracking.jet.dexcy.in (click/open tracking)
CNAME         unsubscribe.yourdomain.com           unsubscribe.jet.dexcy.in (one-click unsubscribe)

The tracking and unsubscribe CNAMEs are required for RFC 8058 one-click unsubscribe, which Google and Yahoo now require for bulk senders.

Verifying Everything

# Full verification sequence
dig TXT yourdomain.com                              # SPF
dig TXT jet2026._domainkey.yourdomain.com           # DKIM
dig TXT _dmarc.yourdomain.com                       # DMARC

# Send a test email to check@receiver.caiwiki.io
# Check the resulting report at https://www.mail-tester.com/

Once all three are in place and verified, DexcyJet’s domain validation will show green across the board. You can then activate the domain for sending. See our features page for how DexcyJet handles multi-domain setups with per-domain DKIM keys and automatic record validation.

For the deliverability picture beyond DNS authentication, read our post on improving email deliverability — authentication is necessary but not sufficient.
