A Step-by-Step Guide to Ensure Email Deliverability
Are your business emails landing in spam or getting rejected? Proper email configuration settings are crucial for ensuring email deliverability, protecting your domain from spoofing, and maintaining your business’s reputation. This guide provides specific instructions to configure your email settings, helping you optimize your email performance with ease.
The Importance of Securing Your Email System
In today’s digital world, email security is crucial for protecting your business from phishing, spam, and other malicious attacks. SPF, DKIM, and DMARC are three essential tools that work together to help verify the legitimacy of your emails and ensure that your domain isn’t misused. Each has a unique role, but when combined, they provide a powerful defense against email fraud and help protect your business from spam, spoofing, and phishing attacks.
However, they are only part of a comprehensive email security strategy — additional layers like advanced threat protection, user training, and monitoring are also essential to fully safeguard your communications.
The info on this page will address how to protect your email reputation through the use of proper SPF, DKIM, and DMARC settings.
What are SPF, DKIM, and DMARC?
SPF (Sender Policy Framework): Tells the World Who’s Allowed to Send Email From Your Domain
SPF is a security measure that allows you to specify which mail servers (like Google Workspace or Microsoft 365) are authorized to send emails on behalf of your domain. It helps prevent spammers from impersonating your domain by verifying the sending server’s IP address. Think of it like a guest list for your email domain. If someone tries to spoof your email accounts, SPF can help block those fake messages.
🚨 Risks of a Misconfigured SPF Record
⚠️Legitimate Emails May Be Rejected or Marked as Spam
If your SPF record doesn’t include all the services you use to send email (like Google Workspace, Mailchimp, or your CRM), receiving mail servers might reject or flag your messages as suspicious. This can cause:
- Emails going straight to recipients’ spam folders
- Bounced emails, especially when emailing clients or partners
- Reduced email deliverability and professional credibility
⚠️Your Domain Becomes Vulnerable to Spoofing
If your SPF record is too loose (e.g., uses +all or doesn’t restrict unauthorized senders), spammers can forge emails to appear as if they’re coming from your domain. This can lead to:
- Phishing attacks using your domain name
- Brand damage and loss of trust
- Potential blacklisting of your domain
⚠️Failed SPF Lookups
SPF has a limit of 10 DNS lookups. If your SPF record includes too many “include:” mechanisms or nested lookups, it can exceed the limit and fail validation. This leads to:
- Emails failing SPF checks even if they’re legitimate
- Confusing errors that are hard to troubleshoot
⚠️Broken Email Forwarding
Improper SPF setup can cause forwarded emails to fail SPF checks, especially if you’re not also using DKIM or DMARC. This can result in:
- Important messages not being delivered to forwarded addresses
- Inconsistent email behavior for recipients using forwarding services
DKIM (DomainKeys Identified Mail): Adds a Digital Signature to Your Emails
DKIM works by adding a digital signature to every outgoing message. This signature proves the email came from your domain and hasn’t been tampered with in transit. It helps improve your email deliverability and builds trust with email providers like Gmail and Outlook.
🚨 Risks of a Misconfigured DKIM Record
⚠️Email Integrity Can’t Be Verified
DKIM adds a digital signature to your emails. If the DKIM record is missing or incorrect, receiving servers can’t verify that the email was:
- Sent by you
- Untampered with during delivery
⚠️DKIM Failures Undermine DMARC Enforcement
If you’re using DMARC (see more info below), and your DKIM fails:
- Your email might not pass DMARC alignment, even if SPF passes
- This can lead to quarantined or rejected emails, depending on your DMARC policy
⚠️Signed Emails Get Flagged as Suspicious
When DKIM is enabled but misconfigured (for example, with a bad private/public key pair or DNS error):
- Email recipients may see warnings like “message failed authentication” or “message signed but verification failed”
- This makes your emails look phishy, even if they’re legitimate
⚠️Decreased Deliverability for HTML/Marketing Emails
Marketing platforms and bulk email services often rely on DKIM to build a good sender reputation. If your DKIM is misconfigured:
- Your marketing campaigns may land in spam folders
- Open rates can drop and your domain reputation suffers
⚠️Lost Protection Against Header Injection Attacks
DKIM helps ensure that key email headers (like From, Subject, etc.) haven’t been altered in transit. Without working DKIM:
- Attackers could modify these headers
- You lose that non-repudiation protection DKIM offers
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds on SPF and DKIM by telling receiving mail servers what to do when emails fail authentication checks (either SPF or DKIM). It helps ensure that only legitimate emails are delivered, while fraudulent messages are blocked or flagged. Here’s how it works:
- Monitor and Report: DMARC can send you reports about failed email authentication attempts, so you can track who’s sending emails on behalf of your domain.
- Enforce Policies: You can set DMARC to either quarantine suspicious emails (send them to spam) or reject them entirely (block them from being delivered).
🚨 Risks of Not Including a DMARC Policy
⚠️Domain Spoofing
Without a DMARC policy, anyone can send email pretending to be from your domain. For example, a scammer sends fake invoices or phishing emails using yourdomain.com. Recipients think it’s legit — because your domain has no protections in place. These spoofed emails can:
- Trick customers, partners, or vendors into sharing sensitive information.
- Damage your brand’s credibility and trust.
⚠️Email Deliverability Problems
Even legitimate emails from your domain may end up in recipients’ spam folders if you don’t publish a DMARC record.
- Many email providers now check DMARC to decide whether to trust a message.
- Without DMARC, you’re more likely to get flagged as suspicious.
⚠️Reduced Security from SPF and DKIM Alone
SPF and DKIM help authenticate your email, but:
- They don’t tell receiving servers what to do with failed messages.
- DMARC adds enforcement — it tells recipients to reject, quarantine, or monitor suspicious emails.
No DMARC = No enforcement = No real protection.
🕵️ Risks of Not Monitoring DMARC Reports
Even if you have a DMARC policy in place, not reviewing the reports is like setting up a security camera but never watching the footage.
⚠️Missing Signs of Abuse
- You won’t see if someone is spoofing your domain.
- You can’t tell if third-party services (like marketing platforms) are failing SPF/DKIM checks.
⚠️Accidentally Blocking Legit Email
- Without monitoring, you might reject legitimate messages from services you use (e.g., payroll systems, CRMs).
- Reports help you fine-tune your SPF and DKIM records before enforcing stricter DMARC policies.
⚠️Slow Response to Threats
- DMARC reports are often the first signal that something is wrong.
- If you’re not watching them, you won’t react in time to prevent damage.
Bottom Line:
While SPF says who is allowed to send mail for your domain, DKIM proves that the message wasn’t forged or altered. A broken DKIM record means your emails lose authenticity — and without that, trust (and delivery) goes out the window. DMARC ties both SPF and DKIM together, defining actions for emails that fail authentication and providing reporting.
Without SPF, DKIM and DMARC, your legitimate business emails are more likely to end up in spam folders. Or worse, someone could impersonate your company in a phishing scam. Setting these up is a simple way to improve your security and your professional image.
Scan your email domain with our tool below. If we find any issues, you can choose to fix it yourself following our guide below or schedule a consultation where we can walk you through it.
Check Your Email Deliverability Score
Follow these detailed steps to fix your settings and get your business email system back on track.
How to Configure SPF, DKIM, and DMARC
🔧 Prerequisites
Before you start:
- You must have admin access to Microsoft 365 or Google Workspace.
- Your domain must already be added and verified in Microsoft 365 or Google Workspace.
- You must have access to your DNS account (GoDaddy, Cloudflare, Namecheap, etc.).
- You should be familiar with updating DNS records.
Step 1: Configure or Fix SPF
Setting up an SPF (Sender Policy Framework) record helps mail servers verify that Microsoft 365 is authorized to send emails on behalf of your domain. This improves deliverability and helps prevent spoofing.
Configure SPF for Microsoft 365
➡️Log In to Your DNS Hosting Provider
Go to the website where your domain’s DNS settings are managed (e.g., GoDaddy, Namecheap, Cloudflare, etc.) and log in to your account.
➡️Find Your Domain’s DNS Settings
Navigate to the DNS Management or DNS Zone File area for your domain.
➡️Check for an Existing SPF Record
Look for an existing TXT record that starts with v=spf1.
- If one already exists, you’ll need to edit it to include Microsoft 365.
- If no SPF record is present, you’ll create a new TXT record.
➡️Add or Update the SPF Record
✅ If You’re Adding a New SPF Record
Create a TXT record with the following settings:
- Type: TXT
- Name/Host: @ (or leave blank if required)
- Value: v=spf1 include:spf.protection.outlook.com -all
- TTL: 3600 (or leave the default)
🔁 If You’re Updating an Existing SPF Record
Make sure to add Microsoft 365’s include statement without duplicating the v=spf1 part. For example, to include 365 email and Zendesk as approved senders, the SPF record would look like this:
v=spf1 include:mail.zendesk.com include:spf.protection.outlook.com -all
🔍 The Difference Between ~all and -all
| SPF Syntax | What It Means | Behavior |
|---|---|---|
| ~all | Soft Fail | “Not authorized, but don’t be too harsh.” Most receiving servers accept the email but may mark it as spam. |
| -all | Hard Fail | “Not authorized. Reject this message.” The receiving server is instructed to reject the email outright if the sending email server is not listed in the SPF record. |
⚠️ Important: Only one SPF record should exist per domain. If you use multiple services to send email (like CRMs or helpdesk tools), combine all includes into a single SPF record.
➡️Save Changes
Click Save, Apply, or Update (depending on your DNS host) to apply the changes.
🎉 Done!
Your domain is now protected with SPF for Microsoft 365. This helps ensure that your business emails are trusted, authenticated, and less likely to land in spam.
Configure SPF for Google Workspace
➡️Log In to Your DNS Hosting Provider
Go to the website where your domain’s DNS settings are managed (e.g., GoDaddy, Namecheap, Cloudflare, etc.) and log in to your account.
➡️Find Your Domain’s DNS Settings
Navigate to the DNS Management or DNS Zone File area for your domain.
➡️Check for an Existing SPF Record
Look for an existing TXT record that starts with v=spf1.
- If one already exists, you’ll need to edit it to include Google Workspace.
- If no SPF record is present, you’ll create a new TXT record.
➡️Add or Update the SPF Record
✅ If You’re Adding a New SPF Record:
Create a TXT record with the following settings:
- Type: TXT
- Name/Host: @ (or leave blank if required)
- Value: v=spf1 include:_spf.google.com -all
- TTL: 3600 (or leave the default)
🔁 If You’re Updating an Existing SPF Record:
Make sure to add the Google Workspace include statement without duplicating the v=spf1 part. For example, to include Google email and Zendesk as approved senders, the SPF record would look like this:
v=spf1 include:mail.zendesk.com include:_spf.google.com -all
🔍 The Difference Between ~all and -all
| SPF Syntax | What It Means | Behavior |
|---|---|---|
| ~all | Soft Fail | “Not authorized, but don’t be too harsh.” Most receiving servers accept the email but may mark it as spam. |
| -all | Hard Fail | “Not authorized. Reject this message.” The receiving server is instructed to reject the email outright if the sending email server is not listed in the SPF record. |
⚠️ Important: Only one SPF record should exist per domain. Combine all services into a single SPF record to avoid configuration errors.
➡️Save Changes
Click Save, Apply, or Update (depending on your DNS host) to apply the changes.
🎉 Done!
Your domain is now protected with SPF for Google Workspace. This helps ensure that your business emails are trusted, authenticated, and less likely to land in spam.
Verify Your SPF Settings
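The checks that the SPF warnings above call for (a single SPF record per domain, no `+all`, and no more than 10 DNS lookups across nested includes) can be automated. The following is an added example, not code from this guide's author; it runs offline against a constructed `SAMPLE_ZONE` of placeholder `.example` domains, and the function names and finding codes are assumptions of the example.

```python
import re

LOOKUP_LIMIT = 10  # maximum DNS-querying terms in one SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS answers. Every name is a
# placeholder under .example; a real check would query a resolver instead.
SAMPLE_ZONE = {
    "good.example": ["v=spf1 include:_spf.mailer.example include:_spf.crm.example -all"],
    "heavy.example": ["v=spf1 include:_spf.mailer.example include:_spf.crm.example "
                      "include:_spf.desk.example include:_spf.pay.example -all"],
    "loose.example": ["v=spf1 include:_spf.crm.example +all"],
    "dupe.example": ["v=spf1 include:_spf.crm.example -all", "v=spf1 ip4:192.0.2.1 ~all"],
    "_spf.mailer.example": ["v=spf1 include:_a.mailer.example include:_b.mailer.example ~all"],
    "_a.mailer.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a mx ip4:203.0.113.0/24 ~all"],
    "_spf.desk.example": ["v=spf1 a mx exists:%{i}.desk.example ~all"],
    "_spf.pay.example": ["v=spf1 include:_a.mailer.example mx ~all"],
}

# qualifier, mechanism or modifier name, optional domain argument
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:=]([^/\s]+))?", re.I)


def spf_records(domain, zone):
    """Return the TXT strings published for `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, _path=()):
    """Count DNS-querying terms reachable from the SPF record of `domain`."""
    records = spf_records(domain, zone)
    if domain in _path or len(records) != 1:  # include loop, or no usable record
        return 0
    total = 0
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        if not m or m.group(2).lower() not in LOOKUP_TERMS:
            continue
        total += 1  # the term itself costs one lookup
        if m.group(2).lower() in ("include", "redirect") and m.group(3):
            total += count_lookups(m.group(3).lower(), zone, _path + (domain,))
    return total


def lint_spf(domain, zone):
    """Return finding codes for the SPF setup of `domain` (empty list = clean)."""
    records = spf_records(domain, zone)
    if not records:
        return ["no-spf-record"]
    if len(records) > 1:
        return ["multiple-spf-records"]  # receivers treat this as a permanent error
    findings = []
    terms = [m for m in map(TERM.match, records[0].split()[1:]) if m]
    all_quals = [m.group(1) or "+" for m in terms if m.group(2).lower() == "all"]
    if all_quals and all_quals[0] == "+":
        findings.append("all-passes-everyone")  # "+all" or a bare "all"
    elif not all_quals and all(m.group(2).lower() != "redirect" for m in terms):
        findings.append("no-all-mechanism")
    if count_lookups(domain, zone) > LOOKUP_LIMIT:
        findings.append("over-10-dns-lookups")
    return findings
```

The lookup count follows nested includes, which is why `heavy.example` exceeds the limit even though its own record lists only four includes.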
Step 2: Configure or Fix DKIM
Configure DKIM for Microsoft 365
➡️ Sign in to Microsoft 365 Admin Center
- Go to admin.microsoft.com
- Sign in using your Global Administrator credentials.
➡️ Open the DKIM Settings
- In the left menu, click Security. You may have to click the “Show all” option to see the link for the security admin center.
- Then choose Email & collaboration > Policies & rules > Threat policies > Rules > Email Authentication Settings.
- Under Email Authentication Settings, click on DKIM.
💡 Tip: If you don’t see the DKIM option, you can also access it directly at https://security.microsoft.com/authentication?viewid=DKIM
➡️ Select Your Domain
- On the DKIM page, you’ll see a list of your custom domains.
- Click on the domain you want to configure.
➡️ Add CNAME Records to Your DNS (If Required)
If this is your first time setting up DKIM, Microsoft will provide two CNAME records to add to your DNS.
Format (example records):
- Host name: selector1._domainkey
  Points to: selector1-<yourdomain>._domainkey.<yourtenant>.onmicrosoft.com
- Host name: selector2._domainkey
  Points to: selector2-<yourdomain>._domainkey.<yourtenant>.onmicrosoft.com
Replace <yourdomain> and <yourtenant> with the values provided by Microsoft.
Once you have the 2 CNAME records that need to be added:
- Log into your DNS provider (e.g., GoDaddy, Cloudflare, Namecheap, etc.)
- Copy the first CNAME host name and record value that Microsoft provides.
- Add a new CNAME record:
  - Name (or Host): selector1._domainkey
  - Type: CNAME
  - Value: selector1-<yourdomain>._domainkey.<yourtenant>.onmicrosoft.com
  - TTL: Set to 3600 seconds (or default)
- Repeat for the second CNAME record.
- Save the records.
💡 Tip: It may take some time (up to 48 hours) for DNS changes to propagate.
➡️ Enable DKIM Signing
- Return to the DKIM settings page in Microsoft 365.
- Select your domain.
- Click Enable under “Sign messages for this domain with DKIM signatures.”
Once the CNAME records are verified, the toggle should activate successfully.
🎉 Done!
Your domain is now protected with DKIM. Microsoft 365 will automatically sign outgoing messages from that domain, improving email deliverability and security.
Configure DKIM for Google Workspace
➡️ Log into Google Admin Console
- Go to admin.google.com
- Log in using your Google Workspace admin credentials.
➡️Open the DKIM Settings
- From the Admin Console dashboard, click on Apps
- Navigate to Google Workspace > Gmail
- Scroll down and select Authenticate email (DKIM)
➡️ Choose Your Domain
- From the DKIM settings page, click the dropdown next to “Select a domain to authenticate.”
- Choose the domain you want to configure DKIM for.
➡️ Generate the DKIM Record
- Click Generate New Record
- Choose a DKIM key bit length (2048 is recommended)
- Leave the prefix selector as google (or choose a custom one if needed)
➡️ Add the DKIM TXT Record to Your DNS
- Copy the TXT record name and TXT record value that Google provides.
- Log into your DNS provider (e.g., GoDaddy, Cloudflare, Namecheap, etc.)
- Add a new TXT record:
  - Name (or Host): google._domainkey.yourdomain.com
  - Type: TXT
  - Value: Paste the long DKIM string from the Google Admin Console
  - TTL: Set to 3600 seconds (or default)
💡 Tip: It may take some time (up to 48 hours) for DNS changes to propagate.
➡️ Activate DKIM Signing in Google Admin
- Return to the DKIM settings page in Google Admin
- Once DNS propagation is complete, click Start authentication
Google will begin signing outgoing messages with DKIM.
🎉Done!
You’ve now successfully set up DKIM for your Google Workspace domain. This helps improve email security and makes it less likely your emails will be flagged as spam.
Verify Your DKIM Settings
Step 3: Configure or Fix DMARC
➡️ Log In to Your DNS Hosting Provider
Go to the platform where you manage your domain’s DNS settings (like GoDaddy, Cloudflare, Namecheap, etc.), and log into your account.
➡️ Access Your Domain’s DNS Settings
Navigate to the section labeled something like:
- DNS Management
- DNS Zone Editor
- Advanced DNS Settings
➡️Create a New TXT Record for DMARC
Add a new TXT record with the following details:
- Type: TXT
- Host/Name: _dmarc
- Value (Basic Example): v=DMARC1; p=quarantine; rua=mailto:[email protected]; sp=quarantine; aspf=r;
- TTL: 3600 (or leave the default)
➡️Customize the DMARC Policy (Optional but Recommended)
Here’s a breakdown of what you can customize in your DMARC record:
| Tag | Purpose |
|---|---|
| v=DMARC1 | Version (must be included) |
| p= | Policy for failed emails: none, quarantine, or reject |
| rua= | Email address where aggregate reports are sent |
| ruf= | (Optional) Email address for forensic/failure reports |
| aspf=r | Alignment mode for SPF (r = relaxed, s = strict) |
| sp= | Subdomain policy (optional, same values as p=) |
➡️Choose the Right DMARC Policy
- p=none – Monitor only (no enforcement). Great for testing.
- p=quarantine – Send suspicious messages to spam.
- p=reject – Block emails that fail DMARC.
💡 Best Practice
- Start with a DMARC policy of p=none to gather data without impacting email flow.
- Review reports regularly (weekly or monthly).
- Gradually move to quarantine or reject once you’re confident all legitimate senders are passing SPF and DKIM.
➡️ Save Your Changes
Click Save or Apply to publish the record. It may take up to 24–48 hours for DNS changes to propagate.
➡️ Monitor Your DMARC Reports (This is Critical)
Check the mailbox you set in rua= to review email authentication reports from other mail servers. These reports reveal critical insights that help you understand who’s sending mail on your behalf and whether it’s legitimate. If you choose to monitor them manually, here’s what to watch for:
- Unauthorized Senders: IP addresses or domains sending emails not aligned with your SPF or DKIM settings, revealing potential spoofing attempts.
- Authentication Failures: Emails failing SPF, DKIM, or both, indicating misconfigurations or outdated settings.
- Volume Spikes: Sudden increases in email activity, which could signal abuse or a need to adjust your policy.
- Disposition Outcomes: How receiving servers handle unauthenticated emails (e.g., delivered, quarantined, rejected). These are key things to monitor before tightening your p= setting.
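A minimal way to review these reports, as an added example that is not from this guide's author: it parses one aggregate (rua) report in the RFC 7489 XML layout and groups message counts by DMARC outcome, failing source, and disposition. `SAMPLE_REPORT` is constructed and the function names are assumptions; real reports usually arrive compressed (.zip or .gz) and may use an XML namespace, neither of which this example handles.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report in the RFC 7489 layout. IPs come from the
# documentation ranges; example.com and receiver.example are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
      <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count><policy_evaluated>
      <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>40</count><policy_evaluated>
      <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_report(xml_text):
    """Return (published policy, list of row dicts) for one aggregate report."""
    # Reports arrive by mail from third parties: refuse DTDs and entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        ev = "row/policy_evaluated/"
        results = {k: rec.findtext(ev + k, "").strip().lower() for k in ("dkim", "spf")}
        rows.append({
            "source_ip": rec.findtext("row/source_ip", "").strip(),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext(ev + "disposition", "").strip().lower(),
            # DMARC passes when at least one aligned mechanism passes.
            "passed": [k for k, v in results.items() if v == "pass"],
        })
    return root.findtext("policy_published/p", "").strip().lower(), rows


def review(xml_text):
    """Summarise a report into the items to check before tightening p=."""
    policy, rows = parse_report(xml_text)
    out = {"policy": policy, "volume": Counter(), "failing_sources": [],
           "one_mechanism_only": [], "dispositions": Counter()}
    for r in rows:
        out["volume"]["pass" if r["passed"] else "fail"] += r["count"]
        out["dispositions"][r["disposition"]] += r["count"]
        if not r["passed"]:      # spoofing, or a legitimate sender not yet set up
            out["failing_sources"].append((r["source_ip"], r["count"]))
        elif len(r["passed"]) == 1:  # passes DMARC, but SPF or DKIM needs fixing
            out["one_mechanism_only"].append((r["source_ip"], r["passed"][0]))
    return out
```

In the sample, the 40 messages from 203.0.113.99 fail both checks but were still delivered under `p=none`; that source needs to be identified as either a legitimate sender to authorize or a spoofer before moving to quarantine or reject.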
Manually reviewing these reports can be time-consuming and complex.
That’s why we offer a DMARC Monitoring and Protection Service. We analyze your reports, flag threats, and fix any issues, ensuring your email stays secure and deliverable without the hassle. Schedule a consultation to learn more about how this service works to protect your business.
🎉 That’s It!
You’ve now added a DMARC record to your domain! This helps protect your brand, improve email deliverability, and reduce the risk of phishing using your domain.
Verify Your DMARC Settings
🙋 Need Help?
If you need assistance configuring any of these email security features, contact our team — we’re here to help protect your business.
Troubleshooting Tips
- SPF Still Failing?: Double-check for typos or extra includes causing lookup limits.
- DKIM Not Signing?: Confirm the CNAME records match exactly and DKIM is enabled in the admin center.
- Not Sure?: Schedule a consultation with us.
💬SPF, DKIM, and DMARC: Frequently Asked Questions (FAQs)
Do I need to fix SPF, DKIM, and DMARC for every Microsoft 365 or Google Workspace domain?
Yes, each custom domain requires its own setup.
Do I need all three—SPF, DKIM, and DMARC?
Yes. SPF and DKIM validate different parts of an email. DMARC ties them together and enforces a policy. Using all three gives you the best protection against spoofing, phishing, and deliverability issues.
How long does it take for changes to work?
DNS updates typically propagate within 24 hours, often sooner.
What if I use other email services with Microsoft 365 or Google Workspace?
Add their SPF includes and ensure DKIM is configured separately for those services.
Will these settings stop all spam from my domain?
They won’t stop incoming spam, but they do prevent spoofing of your domain, improve email deliverability, and build trust with recipients. They’re essential for any business sending professional email.
How do I know if my SPF, DKIM, or DMARC are working?
Use the tools on this page to verify your settings are correct.
Boost Your Email Success Now
Ready to stop worrying about lost emails? Scan your domain for DMARC, DKIM, and SPF compliance today and unlock the full potential of your business email system.
Need help? Call us today at 502-200-1169 or use the contact form to get in touch.
