Heeey lemlister! 👋

DKIM, SPF, DMARC are crucial set-ups that will protect your reputation and boost your deliverability to increase your chances of replies.

That's why we highly recommend taking care of it as soon as possible 😊

Before we deep dive into it, please note that DKIM, SPF and DMARC records are part of your DNS settings that you can find in your domain provider (e.g. GoDaddy, Squarespace, Namecheap, etc.).

Which means it's all on your domain provider end, not lemlist.

But of course, we're here to help you out with it, since it will help you have the best results with your campaigns 🔥

What DKIM, SPF and DMARC stand for?

DKIM (DomainKeys Identified Mail)

This is an email security standard designed to make sure messages aren't altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server.

DKIM signing (DomainKeys Identified Mail) is an email authentication method that assists in detecting forged sender addresses in email and helping senders associate a domain name with an email message, vouching for its authenticity in the process.

Sender Policy Framework (SPF)

This is an email authentication method designed to detect forging sender addresses during the delivery of the email.

SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email, which is used when the mail gets bounced. Only in combination with DMARC can it be used to detect the forging of the visible sender in emails, a technique often used in phishing and email spam.

SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

This is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.

Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.

For example, one email forwarding service delivers the mail, but as "From: [email protected]<forwarding service>".

DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the "From:" field presented to end-users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.

DMARC is defined in the Internet Engineering Task Force's published document RFC 7489, dated March 2015, as "Informational".

Why do you need DMARC, SPF and DKIM?

Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakages or privilege escalation exploits.

What isn’t as well known is why most enterprises need all three of these protocols to protect their email infrastructures. Like much in the IT world, the multiple solutions don’t all necessarily overlap. Actually, they are quite complementary to each other, and chances are good that the average business will need all three of them.

If you are using Google for your email, they have instructions about DKIM and how to generate your domain key. If you are using cPanel to manage your domain, they have suggestions on how to configure the various DNS records. Once you think you are done, you can use and online tool to validate that the appropriate DKIM keys are happening in your email headers.

How to set them up?


1️⃣ Log in to Google Admin: admin.google.com

2️⃣ In the navigation menu on the left-hand side menu > Apps > GSuite > Gmail

3️⃣ Generate a DKIM Key

4️⃣ Create a DNS TXT Record with the DKIM key generated in the previous step.

For this, you will need to go to your domain provider. e.g. GoDaddy, Squarespace, Namecheap, etc.

5️⃣ After creating the DNS TXT record in your domain with the DKIM Key, you can start Authenticating.


1️⃣ Sign in to your domain account on your domain host's site (not your Google Admin Console). This can be GoDaddy, Squarespace, Namecheap, etc.

2️⃣ Go to the page for updating your domain’s DNS records.

DNS Management, Name Server Management, or Advanced Settings.

3️⃣ Find your TXT records and check if your domain has an existing SPF record. The SPF record starts with “v=spf1…”.

4️⃣ If your domain already has an SPF record, remove it.

5️⃣ Create a TXT record with these values:

  • Name/Host/Alias - Enter @ or leave blank

  • Other DNS records for your domain might indicate the correct entry.

  • Time to Live (TTL) - Enter 3600 or leave the default.

  • Value/Answer/Destination - Enter v=spf1 include:_spf.google.com ~all.

This can take up to 48 hours to take effect.


1️⃣ Go to your domain administrator’s site. Find DNS Management or Settings.

2️⃣ Add this TXT record to your DNS:

  • Host Name: _dmarc

  • VALUE (with email): v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=90; sp=none

  • The minimum is "v=DMARC1; p=none; rua=mailto:[email protected]" (you need to change the bold part)

    The email version will send reports to whatever email you put in there.
    This is totally optional. Here is the value without the email:
    VALUE (no email): v=DMARC1; p=quarantine; pct=90; sp=none

Enjoy ❤️

Did this answer your question?