If your email keeps landing in spam — or someone is spoofing your domain to scam your customers — these three DNS records are the fix. Together, they prove to receiving mail servers that a message is really from you. Here is what each does and the order to set them up.
SPF — who is allowed to send as you
SPF is a TXT record that lists the servers and services allowed to send email for your domain — for Microsoft 365, that includes include:spf.protection.outlook.com. When a message arrives, the receiver checks whether the sending server is on your list. One SPF record per domain, and be sure it includes every service that sends on your behalf (your email host, marketing tools, invoicing apps).
DKIM — a tamper-proof signature
DKIM adds a cryptographic signature to every message you send. Your email provider signs with a private key, and a public key published in your DNS lets receivers confirm the message wasn't altered and genuinely came from your domain. You turn it on in your email provider, then publish the keys it gives you.
DMARC — the policy that ties it together
DMARC is a TXT record at _dmarc.yourdomain.com that tells receivers what to do when a message fails SPF and DKIM — do nothing (p=none), send it to spam (quarantine), or reject it outright (reject) — and where to email you reports. Start at p=none to watch what's happening before you tighten.
The order to roll them out
- Publish your SPF record.
- Enable DKIM in your email provider and publish its keys.
- Add DMARC at
p=noneand read the reports for a week or two. - Once you're confident legitimate mail passes, move DMARC to
quarantine, thenreject.
This is the highest-value hour you can spend on email. Done right, all three together stop your mail from getting spam-foldered and stop criminals from spoofing your domain to your own customers. New to DNS records? Start with DNS records explained, or have us set it up.