TXT Records: SPF, DKIM, and DMARC Explained


TXT records are free-form DNS records that store text values. While they have many uses — domain ownership verification, site authentication — their most critical role today is **email authentication**. Three standards work together to prevent email spoofing and improve deliverability: SPF, DKIM, and DMARC. Without all three, your domain's outgoing email is vulnerable to impersonation, and legitimate messages may be flagged as spam by Gmail, Outlook, and other providers.

## What Is SPF?

**SPF (Sender Policy Framework)** is a TXT record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from `example.com` (the envelope sender, or MAIL FROM, domain), it checks the SPF record to see if the sending server is on the approved list.

### SPF Record Format

```
v=spf1 include:_spf.google.com ~all
```

Breaking this down:

- `v=spf1` — declares this is an SPF record
- `include:_spf.google.com` — authorizes all servers in Google's SPF record
- `~all` — softfail for everything else (mark as suspicious, but deliver)

Common endings:

| Suffix | Meaning | Use Case |
|--------|---------|----------|
| `+all` | Pass all (dangerous) | Never use |
| `~all` | Softfail | Default for new setups |
| `-all` | Hard fail | Strict — reject unlisted servers |
| `?all` | Neutral | Testing only |

### Common SPF Mechanisms

```
v=spf1 ip4:203.0.113.10 include:sendgrid.net include:_spf.google.com -all
```

- `ip4:203.0.113.10` — authorize a specific IPv4 address
- `ip6:2001:db8::1` — authorize an IPv6 address
- `include:domain.com` — include another domain's SPF record
- `a:mail.example.com` — authorize the A record of a hostname
- `mx` — authorize the servers listed in your MX records

**SPF 10-lookup limit:** Each `include:` triggers a DNS lookup (as do `a`, `mx`, `ptr`, `exists`, and `redirect`), and lookups made inside included records count toward the same total. SPF enforces a maximum of 10 lookups. Exceeding this causes a `permerror` and authentication failure.
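To see how nested includes consume the lookup budget, here is an added example (not code from the page or from any SPF library) that walks a constructed in-memory set of SPF records, counts lookup-incurring terms recursively, and reports the trailing `all` qualifier. `FAKE_DNS`, every domain in it, and the helper names are assumptions for illustration.

```python
# Constructed in-memory stand-in for DNS (domain -> SPF TXT record). Swap in real
# TXT lookups (e.g. dnspython) to audit a live domain. None of these are real records.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:mail.example.net include:_spf.bulk.example -all",
    "mail.example.net": "v=spf1 a mx include:relay.example.net ~all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.bulk.example": "v=spf1 include:a.bulk.example include:b.bulk.example ~all",
    "a.bulk.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.bulk.example": "v=spf1 mx -all",
    "open.example": "v=spf1 +all",
    "toomany.example": "v=spf1 " + " ".join(["include:relay.example.net"] * 11) + " -all",
}

# Terms that cost a DNS lookup under the RFC 7208 limit (ip4, ip6 and all are free).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def count_spf_lookups(domain, resolve=FAKE_DNS.get, seen=frozenset()):
    """Return (lookups, all_qualifier), recursing into include:/redirect= targets.
    Raises ValueError('permerror: ...') on a missing record, an include loop, or
    more than MAX_LOOKUPS lookups. Macros and CIDR suffixes on a/mx are not handled."""
    if domain in seen:
        raise ValueError(f"permerror: include loop at {domain}")
    record = resolve(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"permerror: no SPF record for {domain}")
    lookups, all_qual = 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        body = term.lstrip("+-~?")
        name, _, arg = body.partition(":" if ":" in body else "=")
        if name == "all":
            all_qual = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name in ("include", "redirect"):  # nested records count too
                lookups += count_spf_lookups(arg, resolve, seen | {domain})[0]
        if lookups > MAX_LOOKUPS:
            raise ValueError(f"permerror: more than {MAX_LOOKUPS} DNS lookups")
    return lookups, all_qual


def spf_findings(domain, resolve=FAKE_DNS.get):
    # What a deployer checks before publishing: lookup budget and the all term.
    try:
        lookups, all_qual = count_spf_lookups(domain, resolve)
    except ValueError as err:
        return [str(err)]
    findings = [f"{lookups}/{MAX_LOOKUPS} DNS lookups used"]
    if all_qual == "+":
        findings.append("+all: any host may send as this domain")
    return findings
```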
Flatten multiple includes using tools like dmarcian or MxToolbox if you hit the limit.

### Where to Add the SPF Record

| Name | Type | Value |
|------|------|-------|
| `@` | TXT | `v=spf1 include:_spf.google.com ~all` |

Only one SPF record per domain is allowed. If you have multiple sending services, combine them into one record.

## What Is DKIM?

**DKIM (DomainKeys Identified Mail)** adds a cryptographic signature to every outgoing message. The receiving server verifies the signature using a public key published in your DNS. This proves the signed headers and body were not tampered with in transit and that the message genuinely originated from an authorized source.

### How DKIM Works

1. Your mail server signs each outgoing message with a private key
2. The signature is added to the email header as `DKIM-Signature: ...`
3. The receiving server looks up your public key in DNS
4. It verifies the signature matches the message content

The DNS record that publishes the public key is a TXT record at a special subdomain: `selector._domainkey.yourdomain.com`.

### DKIM Record Format

```
mail._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
```

- `mail` is the **selector** — a label chosen by your email provider
- `_domainkey` is a fixed suffix required by the DKIM standard
- `v=DKIM1` declares the record version
- `k=rsa` specifies the key algorithm
- `p=...` is the base64-encoded public key (your provider gives you this value)

### Getting Your DKIM Record

You do not generate DKIM keys manually. Your email provider generates the key pair and gives you the TXT record value to add to DNS. In Google Workspace, find it under Apps > Google Workspace > Gmail > Authenticate email. In Microsoft 365, look in Settings > Domains or the Defender portal.

Copy the exact value they provide. DKIM public keys are long — over 200 characters is normal.
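Because a single DNS TXT string holds at most 255 bytes, a long `p=` value is published as several quoted strings that the verifier joins back together. As an added example (not code from the page or from any provider), this builds the `selector._domainkey` record, splits it, and parses it back while catching the usual paste errors; the key material is constructed for the demo and is not a real key, and all function names are assumptions.

```python
import base64
import binascii

MAX_TXT_STRING = 255  # DNS stores TXT data as strings of at most 255 bytes each

# Constructed stand-in for a provider-issued key: 300 bytes beginning with the DER
# SEQUENCE tag (0x30) so the structural check below passes. Not a usable RSA key.
CONSTRUCTED_KEY_B64 = base64.b64encode(b"\x30" + b"\x00" * 299).decode()


def build_dkim_txt(selector, domain, public_key_b64):
    """Return the record name and the list of <=255-byte strings carrying the
    value, split exactly as it must be published when the key is long."""
    name = f"{selector}._domainkey.{domain}."
    value = f"v=DKIM1; k=rsa; p={public_key_b64}"
    strings = [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]
    return name, strings


def zone_line(name, strings):
    # Render the record in the quoted-string form shown in this article.
    return f"{name} TXT " + " ".join(f'"{s}"' for s in strings)


def parse_dkim_txt(strings):
    """Concatenate the strings as a verifier does, then parse and sanity-check the
    tag=value list. Raises ValueError on the common misconfigurations."""
    tags = {}
    for part in "".join(strings).split(";"):
        key, sep, val = part.strip().partition("=")  # base64 padding '=' stays in val
        if sep:
            tags[key] = val
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported version or key type")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error as err:  # typical when the second string was dropped
        raise ValueError("p= is not valid base64: record truncated?") from err
    if not der:
        raise ValueError("empty p=: key revoked or value not pasted")
    if der[0] != 0x30:
        raise ValueError("p= does not decode to a DER SubjectPublicKeyInfo")
    tags["key_bytes"] = len(der)
    return tags
```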
Some DNS providers enforce the 255-character limit that DNS places on each TXT string; keys longer than this must be split into multiple quoted strings, which the receiving server concatenates back together:

```
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSI..." "b3DQEBAQUADgYDAN..."
```

## What Is DMARC?

**DMARC (Domain-based Message Authentication, Reporting, and Conformance)** ties SPF and DKIM together. It tells receiving mail servers what to do when a message fails both checks (neither SPF nor DKIM passes for a domain aligned with the visible `From:` address), and gives you visibility into who is sending email using your domain.

### DMARC Record Format

```
v=DMARC1; p=none; rua=mailto:[email protected]
```

| Tag | Meaning | Values |
|-----|---------|--------|
| `v=DMARC1` | Version | Required, always this value |
| `p=` | Policy | `none`, `quarantine`, `reject` |
| `rua=` | Aggregate report address | Email for daily reports |
| `ruf=` | Forensic report address | Email for per-failure reports |
| `pct=` | Percentage to apply policy to | `100` (default) |
| `sp=` | Subdomain policy | `none`, `quarantine`, `reject` |

### DMARC Policy Progression

Start with `p=none` (monitoring only) and move to stricter policies as you confirm all legitimate senders are authenticated:

1. **`p=none`** — collect reports, take no action. Deploy first, review reports for 2–4 weeks.
2. **`p=quarantine`** — move failing messages to spam. Catches most abuse.
3. **`p=reject`** — block failing messages entirely. Maximum protection.

### Where to Add DMARC

| Name | Type | Value |
|------|------|-------|
| `_dmarc` | TXT | `v=DMARC1; p=none; rua=mailto:[email protected]` |

The `_dmarc` prefix is required by the standard. Note that this is a subdomain — it goes at `_dmarc.example.com`, not at the root.

## Putting It All Together

A complete email authentication DNS setup looks like this:

```
; SPF
example.com. TXT "v=spf1 include:_spf.google.com ~all"

; DKIM
mail._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIIBI..."

; DMARC
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
```

## Testing Your Setup

Verify all three records:

```bash
# SPF
dig example.com TXT | grep spf

# DKIM
dig mail._domainkey.example.com TXT

# DMARC
dig _dmarc.example.com TXT
```

Send a test email to [mail-tester.com](https://www.mail-tester.com) or use Google's Admin Toolbox to confirm SPF, DKIM, and DMARC all pass. A perfect score on mail-tester.com indicates your email authentication is correctly configured.

## Next Steps

- MX Records: Setting Up Email for Your Domain — set up MX records for email delivery
- DNS Troubleshooting Guide — diagnose common DNS and authentication failures
- Setting Up DNS for Your Domain — full DNS setup walkthrough for new domains