TL;DR:
- SPF: Authorize every service that sends on your domain with one SPF TXT like v=spf1 include:... ~all. Keep the total DNS lookups at or below 10, per Cloudflare’s SPF overview and RFC 7208.
- DKIM: In your email platform, generate a key pair and publish the public key as TXT at selector._domainkey.yourdomain.com, then enable signing. Use 2048‑bit keys when supported. See Cloudflare’s DKIM guide and Google’s guidance on 2048‑bit DKIM keys.
- DMARC: Publish a TXT at _dmarc.yourdomain.com, start with p=none plus a reporting address, then move to quarantine or reject after you confirm all sources pass alignment.
If your SDRs see spam placement, it is usually a technical alignment problem you can fix in under an hour with the steps below. Gmail has required bulk senders to use SPF, DKIM, and DMARC since February 1, 2024. Outlook.com now enforces SPF, DKIM, and DMARC for high‑volume senders as of May 5, 2025, see Outlook’s new requirements for high‑volume senders. Fixing these records removes a common cause of spam placement and protects your domain health.
For a video walkthrough see part 3: SPF, DKIM, DMARC from our Deliverability Masterclass
Why SPF, DKIM, and DMARC are non‑negotiable for SDRs
- Inbox providers judge your sender reputation on technical authentication, spam complaint rate, and consistency. Gmail’s bulk sender rules (since Feb 1, 2024) require SPF and DKIM and a DMARC policy (p=none is acceptable). For direct email, the From domain must align with either the SPF or DKIM domain, and Gmail requires keeping spam rate under 0.3%.
- Outlook.com routes or rejects non‑compliant high‑volume mail that fails these checks. If you send at scale to Outlook users without SPF, DKIM, and DMARC, your mail can hit Junk or be rejected.
- Together, SPF, DKIM, and DMARC authenticate the sender and tell receivers how to handle failures. They are published as DNS TXT records and are the baseline for stopping spoofing and improving inbox placement.
Key takeaway: Publish a DMARC policy and ensure at least one of SPF or DKIM passes and aligns with the visible From domain. Publish DMARC to monitor first, then enforce. Keep Gmail spam rate under 0.3% in Postmaster Tools, see Google’s DMARC guide.
Prerequisites: what you need before you start
- DNS access for your sending domain. Ask IT, Marketing Ops, or your registrar admin for DNS write access. SPF, DKIM, and DMARC live in DNS as TXT records.
- Your sender values:
  - Google Workspace: you will use include:_spf.google.com for SPF and generate DKIM in Admin Console, see Google’s SPF setup guide.
  - Microsoft 365: use Microsoft’s SPF guidance and Microsoft’s DKIM selectors via Defender portal, see Microsoft 365 SPF configuration and Microsoft 365 DKIM configuration.
- Timing: After turning on SPF and DKIM, allow up to 48 hours before enabling DMARC so authentication can propagate.
Tip: Keep a simple change log. Note the exact TXT value, who published it, and the timestamp. If deliverability dips, you can roll back fast.
How to set up your SPF record
What SPF does
- SPF lists every server or service allowed to send for your domain. Receivers compare the connecting server against your list.
Default pattern
- Exactly one SPF record per hostname (domain or subdomain). Start with your primary sender include and add other services. End with ~all during rollout or -all once you are confident nothing is missing. Examples:
  - Google Workspace only: v=spf1 include:_spf.google.com ~all, see Google’s SPF setup guide.
  - Microsoft 365 only: v=spf1 include:spf.protection.outlook.com ~all, see Microsoft 365 SPF configuration.
  - GoDaddy Professional Email: v=spf1 include:secureserver.net -all. Microsoft 365 from GoDaddy may also use secureserver.net (check your Email & Office dashboard). Standard Microsoft 365 tenants (not via GoDaddy): v=spf1 include:spf.protection.outlook.com -all, see GoDaddy’s SPF record help.
Important limit
- SPF evaluation allows at most 10 DNS‑querying mechanisms across includes and lookups. Crossing that limit returns a PermError and can break DMARC alignment. Plan consolidation or use subdomains if you are near the limit.
Step‑by‑step in GoDaddy
- Sign in to Domains. Open DNS for your domain, see GoDaddy: add a TXT record.
- Add record. Type = TXT. Name = @. Value = your SPF string. Save. Most changes take effect within an hour, allow up to 48, see GoDaddy: add a TXT record.
Step‑by‑step in Cloudflare
Log in. Go to DNS > Records. Click Add record. Type = TXT. Name = @. Value = your SPF string. Save, see Cloudflare: create DNS records.
Step-by-step in Namecheap
Log in. Go to Domain List → Manage. Open Advanced DNS. In Host Records, click Add New Record. Type = TXT. Host = @. Value = your SPF string. TTL = Automatic. Click Save All Changes.
Acceptance check
- Use SPF lookup to verify syntax and lookup count. If you see “Too many DNS lookups,” reduce includes, consolidate senders, or segment senders to subdomains.
Warning: Never publish two SPF TXT records at the same hostname. Combine into one. Duplicate records cause failures.
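The 10-lookup budget and the duplicate-record warning above can both be checked mechanically before you publish. The sketch below is an added example, not code from the original guide: it walks constructed TXT data (the `ZONE` dict and every `.example` hostname are made up) instead of querying live DNS, and the function names are illustrative.

```python
import re

# Constructed TXT data standing in for DNS; every hostname here is made up.
ZONE = {
    "example.com": ["v=spf1 include:spf.esp.example include:crm.example mx ~all",
                    "site-verification=constructed-value"],
    "spf.esp.example": ["v=spf1 include:n1.esp.example include:n2.esp.example ~all"],
    "n1.esp.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "n2.esp.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "crm.example": ["v=spf1 a mx exists:%{i}.bl.crm.example ~all"],
    "heavy.example": ["v=spf1 include:example.com include:crm.example -all"],
    "dup.example": ["v=spf1 include:crm.example ~all", "v=spf1 mx ~all"],
}
LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per evaluation
MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?::([^/]+))?(?:/.*)?$", re.I)
REDIRECT = re.compile(r"^redirect=(.+)$", re.I)

def spf_records(host):
    """Return the TXT strings at host that are SPF records."""
    return [t for t in ZONE.get(host, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(host, seen=()):
    """Count DNS-querying terms reachable from host, following include/redirect."""
    if host in seen:
        raise ValueError(f"{host}: include loop")
    records = spf_records(host)
    if len(records) != 1:
        raise ValueError(f"{host}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        mech, redir = MECH.match(term), REDIRECT.match(term)
        if mech or redir:
            total += 1  # include, a, mx, ptr, exists and redirect each cost one
        target = redir.group(1) if redir else None
        if mech and mech.group(1).lower() == "include":
            target = mech.group(2)
        if target:
            total += count_lookups(target.lower(), seen + (host,))
    return total

def audit(host):
    """Return (status, detail) the way an SPF checker would report it."""
    try:
        n = count_lookups(host)
    except ValueError as exc:
        return "permerror", str(exc)
    ok = n <= LOOKUP_LIMIT
    return ("ok" if ok else "permerror"), f"{n} DNS lookups (limit {LOOKUP_LIMIT})"
```

`heavy.example` shows how the budget disappears: it has only two includes of its own, but the records behind them bring the total to 13.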
How to configure your DKIM record
What DKIM does
- Your sender signs outgoing mail with a private key. Receivers fetch your public key from DNS and verify that the message was not altered.
Google Workspace
- In Admin Console, go to Apps > Google Workspace > Gmail > Authenticate email.
- Generate new record. Choose 2048‑bit if your DNS host supports it. Copy the selector and TXT value.
- In DNS, add TXT at selector._domainkey. Paste the value. Save. Return to Admin Console and Start authentication.
Microsoft 365
- In the Defender portal, open Email authentication settings > DKIM.
- Retrieve the two selector CNAMEs for your domain. Publish both CNAME records in your DNS, then enable signing. Note that Microsoft uses CNAMEs that point to Microsoft’s DKIM hostnames.
Acceptance check
- Send a test to a Gmail account. Open the message and use “Show original.” You should see DKIM: PASS.
Tip: Prefer 2048‑bit keys when your DNS supports it. It is Google’s recommended standard for stronger security.
How to implement your DMARC policy
What DMARC does
- DMARC ties SPF and DKIM to your visible From domain and tells receivers what to do when checks fail: none, quarantine, or reject. You publish it as a TXT at _dmarc.yourdomain.com.
Start in monitor mode
Publish this baseline record to begin receiving aggregate reports without affecting delivery:
v=DMARC1; p=none; rua=mailto:[email protected]
Google recommends starting with p=none, then moving to quarantine or reject as you validate all legitimate streams.
Roll toward enforcement
- Once every legitimate sender passes alignment, raise to p=quarantine, then p=reject to block spoofing.
Add alignment and sampling if needed
- adkim=s and aspf=s enforce strict alignment. pct lets you phase in enforcement, see Cloudflare’s DMARC guide.
Step‑by‑step in GoDaddy
Add TXT record. Name = _dmarc. Value = your DMARC string. Save. Allow up to 48 hours, see GoDaddy: SPF, DKIM, DMARC setup.
Step‑by‑step in Cloudflare
DNS > Records > Add TXT. Name = _dmarc. Value = your DMARC policy. Save. Or use Cloudflare’s Email Security tools, see Cloudflare: create DNS records.
Step-by-step in Namecheap
Log in. Go to Domain List → Manage. Open Advanced DNS. In Host Records, click Add New Record. Type = TXT. Host = _dmarc. Value = your DMARC string (e.g., v=DMARC1; p=none; rua=mailto:[email protected]). TTL = Automatic. Click Save All Changes.
Acceptance check
- Use a DMARC checker and inspect Gmail “Show original” on a test message to confirm DMARC: PASS.
DMARC policy table
| Policy | What it does | When to use |
|---|---|---|
| p=none | Monitor only. No delivery action. Sends reports. | Day 1 to map all senders and fix misconfigs. |
| p=quarantine | Treat failures as suspicious. Often goes to spam. | After validation, as a safe intermediate. |
| p=reject | Block messages that fail alignment. | When you are confident all legitimate mail passes. |
How to validate your setup is working correctly
- Run lookups:
  - SPF, DKIM, and DMARC checks should return valid records with no errors. Try: SPF checker, DKIM checker, DMARC checker, and a general DNS TXT lookup.
- Send real tests:
  - Gmail: open “Show original.” Confirm SPF: PASS, DKIM: PASS, DMARC: PASS (you can also analyze the header).
  - Outlook addresses: confirm delivery and check headers for authentication results.
- Monitor at scale:
  - Gmail Postmaster Tools shows spam rate, domain reputation, and authentication pass rates. Keep spam rate below 0.3% and maintain high domain reputation.
  - Instantly Inbox Placement runs automated seed‑tests across providers and flags auth failures or spam placement so you can pause senders before damage spreads.
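The header check behind “Show original” can be scripted for test mailboxes by reading the Authentication-Results header that the receiving server adds. This is an added example, not code from the original guide; the message, the `mx.mailbox.example` server name and the function names are constructed. It only accepts headers stamped by the receiver you name, because a message can arrive carrying Authentication-Results lines written by someone else.

```python
import re
from email import message_from_string

# Constructed test message; hostnames, addresses and the signature stub are made up.
RAW = """\
Delivered-To: seed@mailbox.example
Authentication-Results: mx.mailbox.example;
       dkim=pass header.i=@example.com header.s=sel1 header.b=AbCdEf12;
       spf=pass (mx.mailbox.example: domain of bounce@example.com designates
       192.0.2.10 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: SDR <sdr@example.com>
Subject: authentication test

body
"""

def auth_results(raw_message, trusted_id):
    """Return {method: [{"result": ..., prop: value}]} from headers stamped by trusted_id."""
    out = {}
    for header in message_from_string(raw_message).get_all("Authentication-Results", []):
        # Unfold the header and drop parenthesised comments before splitting.
        flat = re.sub(r"\([^()]*\)", "", " ".join(header.split()))
        authserv_id, *clauses = flat.split(";")
        if (authserv_id.split() or [""])[0].lower() != trusted_id.lower():
            continue  # only the receiving server's own verdict is trustworthy
        for clause in clauses:
            m = re.match(r"\s*(\w+)=(\w+)", clause)
            if m:
                props = dict(re.findall(r"(\w+\.\w+)=(\S+)", clause))
                out.setdefault(m.group(1).lower(), []).append(
                    {"result": m.group(2).lower(), **props})
    return out

def failures(raw_message, trusted_id, required=("spf", "dkim", "dmarc")):
    """List the required methods that have no 'pass' result."""
    res = auth_results(raw_message, trusted_id)
    return [m for m in required
            if not any(r["result"] == "pass" for r in res.get(m, []))]

if __name__ == "__main__":
    print(failures(RAW, "mx.mailbox.example"))  # empty list when all three pass
```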
Common pitfalls and how to troubleshoot them
- SPF “Too many DNS lookups”
  Why it happens: Each include, a, mx, ptr, exists, or redirect counts toward the 10‑lookup limit in RFC 7208. Crossing the limit returns a PermError. Fix by removing unused includes, consolidating senders, or delegating heavy senders to subdomains with their own SPF.
- DKIM copy or key‑length errors
  Why it happens: A missing character in the p= value or using a key length your DNS does not support. Fix by pasting the exact key, using 2048‑bit when supported, and re‑publishing the TXT or CNAME selectors.
- DMARC blocks legitimate mail
  Why it happens: You enforced p=reject before all services aligned. Fix by rolling back to none or quarantine, authenticating every sender, then enforcing gradually with pct.
- Duplicate SPF TXT records
  Why it happens: Multiple SPF TXT records at the same hostname create invalid evaluation. Fix by combining into a single record.
- Missing alignment
  Why it happens: The visible From domain does not align with SPF’s return‑path or DKIM’s d=. Fix by aligning the From domain with at least one of SPF or DKIM per DMARC rules.
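The “DMARC blocks legitimate mail” and “Missing alignment” pitfalls both come down to how a receiver evaluates alignment under the adkim and aspf tags. The sketch below is an added example, not code from the original guide: the records, domains and function names are constructed, and treating the last two labels as the organizational domain is a simplifying assumption (real receivers use the Public Suffix List).

```python
# Constructed records; the reporting address and all domains are placeholders.
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Split a DMARC TXT value into {tag: value}; reject records without v/p."""
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Real receivers consult the Public Suffix List (matters for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' requires an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_pass, mailfrom_domain, dkim_pass, dkim_d):
    """Return (dmarc_result, requested_policy); the policy is None on a pass."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mailfrom_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", None
    return "fail", tags["p"]  # pct sampling is not modelled here

if __name__ == "__main__":
    # A vendor sends as example.com: SPF and DKIM pass, but only for the vendor's domain.
    print(evaluate(RELAXED, "example.com", True, "mail.vendor.example", True, "vendor.example"))
    # A bounce subdomain aligns under relaxed mode but not under aspf=s.
    print(evaluate(RELAXED, "example.com", True, "bounce.example.com", False, ""))
    print(evaluate(STRICT, "example.com", True, "bounce.example.com", False, ""))
```

The first case is the one that surprises teams: the headers show SPF: PASS and DKIM: PASS, yet DMARC fails because neither result is for the From domain.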
Success metrics to track after configuration
- Gmail spam rate below 0.3% in Postmaster Tools. This is a hard requirement for bulk senders.
- Authentication pass rate: close to 100% for SPF and DKIM on legitimate mail. DMARC pass rate rises as alignment improves. Track in Postmaster Tools and provider logs.
- Team policy metrics: keep hard bounces at or below 1% and sustain consistent daily send volumes. Use your outreach platform analytics to watch trends.
For even more tips on deliverability check out our breakdown on avoiding the spam box.
How Instantly helps SDR teams protect deliverability
- Automated Inbox Placement testing checks authentication status and real inbox vs spam placement across major providers, with automations to pause risky senders.
- Unlimited accounts and warmup let you spread volume safely once your domain is authenticated. Warmup remains available on Growth, HyperGrowth, and Light Speed plans.
Use this runbook to get authentication right, then use Instantly to validate inbox placement weekly and catch issues before they hurt quota. Start your free trial of Instantly to help you nail deliverability.
Frequently asked questions
Q1) Do I really need all three, or is SPF enough?
Yes, you need all three. Gmail requires SPF and DKIM for bulk senders, and DMARC on the domain. Outlook.com enforces all three for high‑volume senders.
Q2) How long do DNS changes take to apply?
Most providers update within an hour, but allow up to 48 hours worldwide, see GoDaddy: add a TXT record.
Q3) What is the SPF 10‑lookup rule in plain English?
When evaluating SPF, receivers can follow at most ten DNS‑querying steps. More than ten returns a permanent error and can make DMARC fail.
Q4) Should I use p=none or p=quarantine to start?
Start with p=none to monitor and map legitimate sources, then move to quarantine and reject after you confirm alignment.
Q5) How do I confirm everything is passing?
Send a message to a Gmail inbox and open “Show original.” Look for SPF: PASS, DKIM: PASS, DMARC: PASS.
Q6) Where do I watch my ongoing reputation?
Use Gmail Postmaster Tools. Keep spam rate below 0.3% and track domain reputation over time, see Google’s bulk sender guidelines.
