How to Configure SPF, DKIM, and DMARC for Your Sending Domain
Strong email authentication is essential for inbox placement. This guide shows how to set up SPF, DKIM, and DMARC for your sending domain on a VPS.
1) SPF
Add a TXT record at your root domain:
Type: TXT
Name: @
Value: v=spf1 a mx ip4:[YOUR.SERVER.IP] ~all
TTL: 3600
Replace [YOUR.SERVER.IP] with your VPS IP. Use -all once you confirm everything works to harden your policy.
2) DKIM
- Generate a 2048-bit DKIM key pair (via your MTA or OpenDKIM).
- Create a TXT record:
Type: TXT
Name: selector1._domainkey
Value: v=DKIM1; k=rsa; p=[YOUR_PUBLIC_KEY]
TTL: 3600
- Enable DKIM signing in your MTA and test by sending to a Gmail inbox, then check “Show original”.
3) DMARC
Add a TXT record at _dmarc.yourdomain.com:
Type: TXT
Name: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s; pct=100
TTL: 3600
After monitoring, consider p=reject to fully enforce alignment.
Testing & Tips
- Use DNS lookups to verify: dig TXT yourdomain.com, dig TXT _dmarc.yourdomain.com.
- Keep selector names consistent (e.g., selector1).
- Ensure your From domain aligns with the DKIM domain and SPF envelope domain.
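The record values and the alignment tip above can be checked offline before you publish them. The Python code below is an added example, not part of the original guide: it reads the SPF all qualifier, parses the DMARC tags, and tests From-domain alignment under the adkim/aspf modes. The function names, the 192.0.2.10 address and the sample domains are assumptions, and relaxed mode uses a naive two-label organizational domain instead of the Public Suffix List.

```python
# Added example (not from the original guide): offline audit of SPF/DMARC values.
# Record strings and domains are constructed; 192.0.2.10 is a documentation IP.
SPF = "v=spf1 a mx ip4:192.0.2.10 ~all"
DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s; pct=100"

def parse_tags(record):
    """Split a DMARC-style 'k=v; k=v' tag list into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Return the qualifier of the 'all' mechanism ('+', '-', '~', '?') or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return None

def org_domain(domain):
    # Assumption: last-two-labels heuristic; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def audit(spf, dmarc, from_domain, dkim_d, envelope_domain):
    """List what still separates these records from full enforcement."""
    findings = []
    q = spf_all_qualifier(spf)
    if q != "-":
        findings.append(f"SPF all qualifier is {q!r}, not '-' (hard fail)")
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC record missing v=DMARC1")
    if tags.get("p") != "reject":
        findings.append(f"DMARC policy is p={tags.get('p')}, not reject")
    if not aligned(from_domain, dkim_d, tags.get("adkim", "r")):  # default is relaxed
        findings.append("DKIM d= domain not aligned with From domain")
    if not aligned(from_domain, envelope_domain, tags.get("aspf", "r")):
        findings.append("SPF envelope domain not aligned with From domain")
    return findings
```

Calling audit(SPF, DMARC, "yourdomain.com", "yourdomain.com", "bounce.yourdomain.com") returns three findings: the ~all qualifier, the quarantine policy, and an SPF alignment failure, because aspf=s requires the envelope domain to match the From domain exactly and a subdomain does not.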
FAQ
- Q: Should I use ~all or -all in SPF?
A: Start with ~all for monitoring and switch to -all after validation.
- Q: What DMARC policy is best?
A: Begin with p=none or quarantine, then move to reject once alignment is stable.