Missing SPF/DMARC: Protecting Your Emails
Why SPF and DMARC matter, and how to add them to your DNS in minutes.
Without SPF and DMARC records, anyone can send emails that appear to come from your domain. This means phishing attacks impersonating your brand, emails landing in spam, and damaged reputation. These DNS records are your domain's email authentication system.
What SPF and DMARC Do
SPF (Sender Policy Framework) tells receiving mail servers which servers are allowed to send email on behalf of your domain. The receiving server looks up the SPF record of the domain in the envelope sender (the MAIL FROM / Return-Path address, which is not necessarily the From: address the user sees) and checks whether the connecting server is on the list. If it isn't, the message fails SPF and is likely forged.
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM. It requires that the domain which passed SPF or DKIM aligns with the domain in the From: header the recipient actually sees (so a spoofer cannot pass SPF for their own domain while displaying yours), and it tells receiving servers what to do with emails that fail: monitor, quarantine, or reject them. Note that an SPF softfail (~all) counts as a failure for DMARC. DMARC also sends you reports about who's sending email using your domain.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message, with the public key published in DNS under a selector (for example google._domainkey.example.com), proving that the headers and body weren't altered in transit and that the signing domain really sent it. Most email providers generate the key and give you the DNS record to publish.
Check If You Already Have Them
Check SPF:
dig TXT example.com +short | grep -i 'v=spf1'
You should see something like:
"v=spf1 include:_spf.google.com ~all"
If nothing is returned, you have no SPF record.
Check DMARC:
dig TXT _dmarc.example.com +short
You should see something like:
"v=DMARC1; p=none; rua=mailto:dmarc@example.com"
Check DKIM (for Google Workspace):
dig TXT google._domainkey.example.com +short
Adding SPF for Common Email Providers
SPF is a single TXT record on your root domain. You can only have one SPF record — if you use multiple email services, combine them into one.
Google Workspace
v=spf1 include:_spf.google.com ~all
Microsoft 365
v=spf1 include:spf.protection.outlook.com ~all
OVH Email
v=spf1 include:mx.ovh.com ~all
Multiple Providers (e.g., Google Workspace + Mailchimp)
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Warning: Never create multiple SPF records. If you have two TXT records starting with v=spf1, both are invalid. Combine everything into one record.
Understanding the SPF ending:
- ~all (softfail) — Emails from unlisted servers are suspicious but delivered. Recommended starting point.
- -all (hardfail) — Emails from unlisted servers are rejected. Use once you're confident in your SPF record.
- ?all (neutral) — No opinion. Provides no real protection.
Adding DMARC
DMARC is a TXT record on _dmarc.yourdomain.com. Start with a monitoring-only policy:
Step 1: Start with p=none (monitoring only)
Record type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com; fo=1;
This doesn't block anything. It just sends you reports showing who's sending email as your domain. Leave this for 2-4 weeks to understand your email flows.
Step 2: Move to p=quarantine
After reviewing reports and confirming all legitimate senders are covered by SPF and DKIM:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100;
Emails failing authentication go to spam instead of the inbox. pct=100 applies the policy to every failing message (it is also the default); a lower value such as pct=10 quarantines only that percentage of failures, which lets you roll the policy out gradually.
Step 3: Move to p=reject
Once you're confident:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100;
Emails failing authentication are completely rejected.
Tip: The rua parameter tells receiving servers where to send aggregate reports (ruf asks for per-message failure reports, which most large providers no longer send). Use a dedicated email address for these: they come in XML format, usually as compressed attachments, and arrive in volume. Services like dmarcian.com or postmarkapp.com/dmarc can parse them into readable dashboards.
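The three DMARC records above differ only in their tags, and the rua reports they request all share one XML schema. The following is an added example written for this article (it is not code from the page or from SiteWatch): it parses a DMARC record into its tags with the defaults filled in, then rolls up a constructed aggregate report by source IP so you can see which senders pass and which need fixing before moving past p=none. The IPs, report ID and bounce domain are made up for illustration.

```python
"""Parse a DMARC record and summarize an aggregate (rua) report.

Added example for this article, not code from the page or from SiteWatch.
The record and the XML report below are constructed; real rua reports arrive
as gzip or zip attachments containing XML in the same schema (RFC 7489
Appendix C), so the parser applies unchanged once they are unpacked.
"""
import xml.etree.ElementTree as ET


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=...; rua=...' into a dict, checking the essentials."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    # rua is a comma-separated list of mailto: URIs; anything else is ignored
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",")
                   if u.strip().startswith("mailto:")]
    return tags


def summarize_report(xml_text):
    """Roll up one aggregate report by source IP: volume, passes, failures."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {"domain": published.findtext("domain"),
               "p": published.findtext("p"), "sources": {}}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results: an SPF pass for some
        # other domain in the envelope sender shows up here as fail.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = summary["sources"].setdefault(ip, {
            "count": 0, "pass": 0, "fail": 0,
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": rec.findtext("row/policy_evaluated/disposition")})
        entry["count"] += count
        if dkim == "pass" or spf == "pass":  # DMARC passes on either one
            entry["pass"] += count
        else:
            entry["fail"] += count
    return summary


def failing_sources(summary):
    """IPs whose every message failed: a forgotten sender or a spoofer."""
    return sorted(ip for ip, e in summary["sources"].items()
                  if e["fail"] == e["count"])


# Constructed aggregate report. 192.0.2.10 is the legitimate mail provider;
# 198.51.100.23 passes SPF only for its own bounce domain, which does not
# align with example.com, so DMARC counts it as a failure.
REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

if __name__ == "__main__":
    print(parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;"))
    report = summarize_report(REPORT)
    for ip, entry in report["sources"].items():
        print(ip, entry)
    print("investigate:", failing_sources(report))
```

The second source in the constructed report is the case that bites people when they move to p=quarantine: a newsletter or CRM platform whose SPF passes for its own bounce domain but which is not signing with a DKIM key for example.com. It shows up in failing_sources() while p=none is still in place, which is exactly the list to work through before tightening the policy.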
Adding DNS Records at Your Registrar
The exact steps vary, but the process is the same everywhere:
- Log in to your DNS provider (registrar or DNS host)
- Go to the DNS zone management for your domain
- Add a TXT record
Example for SPF:
Type: TXT
Host: @ (or leave blank, depending on registrar)
Value: v=spf1 include:_spf.google.com ~all
TTL: 3600
Example for DMARC:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;
TTL: 3600
Common Mistakes
Multiple SPF records: The most common mistake. If you add a second SPF record instead of combining, both become invalid (receivers return permerror and treat the domain as having no usable SPF). Always check first:
dig TXT example.com +short | grep -c 'v=spf1'
If this returns 2 or more, you have a problem.
SPF too many lookups: SPF allows at most 10 DNS-querying terms per evaluation. include:, a, mx, ptr, exists and redirect= each count, and the terms inside every included record count too, so a handful of include: entries from providers that themselves include others can exceed the limit without it being visible in your own record. If you go over 10, the entire SPF record fails with permerror. Use an SPF flattening tool if needed.
DMARC on the wrong subdomain: DMARC must be on _dmarc.example.com, not example.com. It's a common typo to forget the _dmarc prefix.
Jumping straight to p=reject: If you enforce rejection before identifying all legitimate senders, you'll block your own emails (newsletter platforms, CRM tools, transactional email services).
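The SPF rules above (one v=spf1 record per domain, the 10-lookup limit, the meaning of the all qualifier) are easy to check mechanically. The following is an added example written for this article, not code from the page or from SiteWatch: it takes TXT answers in the form `dig TXT example.com +short` prints them, finds the SPF records, flags duplicates, counts the lookup-costing terms in the record itself, classifies the all qualifier, and merges several records into the single record you are allowed to publish. It makes no DNS queries, so it does not follow nested include: records; the lookup count it reports is therefore a lower bound on what a receiver sees. The sample TXT answers are constructed.

```python
"""Audit the SPF TXT records of one domain, offline.

Added example for this article, not code from the page or from SiteWatch.
The TXT answers below are constructed to look like `dig TXT example.com +short`
output. No DNS queries are made, so nested include: records are not followed;
only lookup terms visible in the record itself are counted, which is a lower
bound on the real total a receiver would see.
"""
import re

LOOKUP_LIMIT = 10  # RFC 7208: more than 10 DNS-querying terms is a permerror
# Terms that cost a DNS lookup. ip4:, ip6: and all are free.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def find_spf_records(txt_records):
    """Return the SPF records among a domain's TXT answers, unquoted."""
    spf = []
    for raw in txt_records:
        # dig prints long records as several quoted chunks: "abc" "def"
        rec = re.sub(r'"\s*"', "", raw.strip().strip('"'))
        if rec.lower().startswith("v=spf1"):
            spf.append(rec)
    return spf


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) triples."""
    terms = []
    for token in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if "=" in token:  # modifier, e.g. redirect=_spf.example.net
            name, value = token.split("=", 1)
        elif ":" in token:  # mechanism with an argument, e.g. include:x
            name, value = token.split(":", 1)
        else:  # bare mechanism: a, mx, all
            name, value = token, None
        terms.append((qualifier, name.lower(), value))
    return terms


def audit_spf(txt_records):
    """Return findings: record count, lookup count, 'all' qualifier, errors."""
    spf = find_spf_records(txt_records)
    findings = {"records": len(spf), "lookups": 0, "all": None,
                "errors": [], "warnings": []}
    if not spf:
        findings["errors"].append("no SPF record")
        return findings
    if len(spf) > 1:
        findings["errors"].append(
            "multiple SPF records: receivers treat this as permerror")
    terms = parse_spf(spf[0])
    findings["lookups"] = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if findings["lookups"] > LOOKUP_LIMIT:
        findings["errors"].append(
            f"{findings['lookups']} lookup terms exceed the limit of {LOOKUP_LIMIT}")
    all_q = [q for q, name, _ in terms if name == "all"]
    if not all_q:
        findings["warnings"].append("no 'all' term: unlisted senders get neutral")
    else:
        findings["all"] = all_q[0]
        if all_q[0] in "+?":
            findings["warnings"].append(f"'{all_q[0]}all' gives no protection")
    return findings


def combine_spf(records, all_qualifier="~"):
    """Merge several SPF records into the single record a domain may publish."""
    merged = []
    for rec in records:
        for token in rec.split()[1:]:
            if token.lstrip("+-~?").lower() == "all":
                continue  # exactly one 'all', appended at the end
            if token not in merged:
                merged.append(token)
    return " ".join(["v=spf1", *merged, f"{all_qualifier}all"])


# Constructed dig +short answers for two hypothetical domains.
GOOD = ['"v=spf1 include:_spf.google.com include:servers.mcsv.net ~all"',
        '"google-site-verification=0123456789abcdef"']
DOUBLE = ['"v=spf1 include:_spf.google.com ~all"',
          '"v=spf1 include:servers.mcsv.net ~all"']

if __name__ == "__main__":
    print(audit_spf(GOOD))
    print(audit_spf(DOUBLE))
    print("fixed:", combine_spf(find_spf_records(DOUBLE)))
```

Run against DOUBLE, the audit reports the duplicate-record error and combine_spf() produces the single merged record from the Multiple Providers example above. To get the true lookup total you would resolve each include: and redirect= target and recurse with the same parse_spf(); that needs network access and is left out here.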
Testing With Online Tools
After adding records, verify everything works:
- MXToolbox (mxtoolbox.com/spf.aspx) — Validates SPF syntax and checks for common errors
- Mail-tester (mail-tester.com) — Send a test email and get a deliverability score
- Google Admin Toolbox (toolbox.googleapps.com/apps/checkmx/) — Comprehensive MX, SPF, DKIM, DMARC check
- DMARC Analyzer (dmarcanalyzer.com) — Parse and visualize DMARC reports
# Quick command-line verification after adding records
dig TXT example.com +short
dig TXT _dmarc.example.com +short
dig MX example.com +short
How SiteWatch Helps
SiteWatch scans DNS records for all your client domains and flags missing or misconfigured email authentication:
- Detects missing SPF and DMARC across your entire portfolio
- Alerts on configuration errors like multiple SPF records or invalid syntax
- Monitors for changes that might break email delivery after a DNS update
- Portfolio view shows email authentication status for every client at a glance
Email authentication isn't glamorous, but one phishing attack using your client's domain can destroy trust overnight.