How to set up your DKIM, SPF and DMARC?

Increase your chances to land in the primary tab by setting up your DKIM, SPF and DMARC records

Updated over a week ago

Heeey lemlister! 👋

DKIM, SPF, DMARC are crucial set-ups that will protect your reputation and boost your deliverability to increase your chances of replies.

That's why we highly recommend taking care of it as soon as possible 😊

Before we deep dive into it, please note that DKIM, SPF and DMARC records are part of your DNS settings that you can find in your domain provider (e.g. GoDaddy, Squarespace, Namecheap, etc.).

Which means it's all on your domain provider end, not lemlist.

But of course, we're here to help you out with it, since it will help you have the best results with your campaigns 🔥

What do DKIM, SPF and DMARC stand for?

DKIM (DomainKeys Identified Mail)

This is an email security standard designed to make sure messages aren't altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server.

DKIM signing (DomainKeys Identified Mail) is an email authentication method that assists in detecting forged sender addresses in email and helping senders associate a domain name with an email message, vouching for its authenticity in the process.

Sender Policy Framework (SPF)

This is an email authentication method designed to detect forged sender addresses during the delivery of the email.

SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email, which is used when the mail gets bounced. Only in combination with DMARC can it be used to detect the forging of the visible sender in emails, a technique often used in phishing and email spam.

SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

This is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.

Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.

For example, one email forwarding service delivers the mail, but rewrites the sender as "From: no-reply@<forwarding service>".

DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the "From:" field presented to end-users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.

DMARC is defined in the Internet Engineering Task Force's published document RFC 7489, dated March 2015, as "Informational".

Q: Why do you need DMARC, SPF and DKIM?

Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakages or privilege escalation exploits.

What isn’t as well known is why most enterprises need all three of these protocols to protect their email infrastructures. Like much in the IT world, the multiple solutions don’t all necessarily overlap. Actually, they are quite complementary to each other, and chances are good that the average business will need all three of them.

If you are using Google for your email, they have instructions about DKIM and how to generate your domain key. If you are using cPanel to manage your domain, they have suggestions on how to configure the various DNS records. Once you think you are done, you can use an online tool to validate that the appropriate DKIM signatures appear in your email headers.

Q: How to set them up?

⚠️ Note that all the examples below apply only if Google is both your domain provider and your mail provider.

So don't copy/paste the values without checking with your own provider first; they usually have their own FAQ on the subject. ⚠️

If you are missing some or all, each record will require you to create a new TXT record.

TXT records are a type of Domain Name System (DNS) record that contains text information for sources outside of your domain.

DKIM

1️⃣ Log in to Google Admin: admin.google.com

2️⃣ In the Admin console, go to Menu ➡️ Apps ➡️ Google Workspace ➡️ Gmail.

3️⃣ Generate a DKIM Key.

4️⃣ Create a DNS TXT Record with the DKIM key generated in the previous step.

For this, you will need to go to your domain provider. e.g. GoDaddy, Squarespace, Namecheap, etc.

5️⃣ After creating the DNS TXT record in your domain with the DKIM key, you can start authenticating from the same Gmail settings page in the Admin console.
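Step 5 only works once a receiving server can find your public key in DNS, under the name `<selector>._domainkey.<your domain>`, which it reads from the `s=` and `d=` tags of the DKIM-Signature header that Google adds to each message. The Python below is an added example (not lemlist's or Google's code) that derives that DNS name from a signature header and sanity-checks the TXT value you pasted into your domain provider. The header, the selector `google`, the domain `example.com` and the key bytes are all constructed placeholders, not real values.

```python
import base64
import re


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (the same syntax is used by the
    DKIM-Signature header and the DNS TXT record). Folding whitespace
    inside long values such as b= and p= is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(signature_header: str) -> str:
    """Return the TXT record name a receiver queries for the signer's
    public key: <s>._domainkey.<d>. Raises if required tags are missing."""
    tags = parse_tag_list(signature_header)
    for required in ("v", "a", "d", "s", "h", "bh", "b"):
        if required not in tags:
            raise ValueError(f"DKIM-Signature is missing the required tag {required}=")
    if tags["v"] != "1":
        raise ValueError("unsupported DKIM-Signature version")
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_dkim_record(txt_value: str) -> dict:
    """Sanity-check a published DKIM TXT value: version tag, key type and a
    decodable, non-empty p= (an empty p= means the key was revoked, and a
    value that will not base64-decode usually means a copy/paste mangled it)."""
    tags = parse_tag_list(txt_value)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("v= must be DKIM1 when present")
    key_b64 = tags.get("p")
    if not key_b64:
        raise ValueError("p= is empty: key revoked or record copied incompletely")
    key = base64.b64decode(key_b64, validate=True)
    return {"key_type": tags.get("k", "rsa"), "key_bytes": len(key)}


# Constructed sample header (not a real signature): selector 'google', domain example.com.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
    " h=from:to:subject:date; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)

# Constructed sample TXT value; the p= payload is placeholder text, not an RSA key.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()
SAMPLE_TXT = f"v=DKIM1; k=rsa; p={SAMPLE_KEY_B64}"

if __name__ == "__main__":
    print("query this TXT name:", dkim_dns_name(SAMPLE_SIGNATURE))
    print("published record looks like:", check_dkim_record(SAMPLE_TXT))
```

In practice you would paste the DKIM-Signature header from a message you sent yourself into `dkim_dns_name`, look up the printed name with your DNS tool of choice, and feed the returned TXT value to `check_dkim_record`; a `ValueError` on the second step almost always means the long `p=` value was truncated or split when it was entered at the domain provider.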

SPF

1️⃣ Sign in to your domain account on your domain host's site (not your Google Admin Console). This can be GoDaddy, Squarespace, Namecheap, etc.

2️⃣ Go to the page for updating your domain’s DNS records.

This page is usually called DNS Management, Name Server Management, or Advanced Settings.

3️⃣ Find your TXT records and check if your domain has an existing SPF record. The SPF record starts with “v=spf1…”.

4️⃣ If your domain already has an SPF record, please check with your IT and/or provider.

One domain cannot have more than one SPF record. Deleting the one that is already there is not always the best choice, since it might cause issues with other tools you're using.

Instead, you want to add more providers to your existing SPF record.

For example:

Let's say that you already have an SPF record that includes Salesforce at the moment.

It looks like this: v=spf1 include:_spf.salesforce.com ~all

Now you also want to include Google in this SPF record, since Google is your email provider.

You want to modify the existing SPF record so it now looks like this:

v=spf1 include:_spf.google.com include:_spf.salesforce.com ~all

5️⃣ Create a TXT record with these values:

  • Name/Host/Alias - Enter @ or leave blank. Other DNS records for your domain might indicate the correct entry.

  • Time to Live (TTL) - Enter 3600 or leave the default.

  • Value/Answer/Destination - Enter v=spf1 include:_spf.google.com ~all

Again, be careful: the example value above will work only if Google is your email provider.

If your email provider is not Google, please double-check the correct value with your email provider; we cannot confirm it on our end.

This can take up to 72 hours to take effect.
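The merge in step 4 is easy to get wrong by hand (two SPF records, the `~all` no longer last, or too many includes), so here is an added Python example, not lemlist's or Google's code, that performs it the way this page describes and refuses the two configurations receivers treat as a permanent error: more than one `v=spf1` record, and more than 10 DNS-lookup terms (RFC 7208 section 4.6.4). The Salesforce/Google record is the page's own example; the `s0.example`-style includes in the test are constructed.

```python
from __future__ import annotations

# SPF terms that cost a DNS lookup against the 10-lookup limit (RFC 7208, 4.6.4).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record: str) -> list[str]:
    """Split an SPF TXT value into its terms; raise if it is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: the value must start with v=spf1")
    return terms[1:]


def mechanism_name(term: str) -> str:
    """'include:_spf.google.com' -> 'include', '~all' -> 'all', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    stripped = term.lstrip("+-~?")
    return stripped.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()


def lookup_count(record: str) -> int:
    """Count the terms that trigger a DNS lookup when a receiver evaluates the record."""
    return sum(1 for term in parse_spf(record) if mechanism_name(term) in LOOKUP_MECHANISMS)


def merge_spf(existing: str, new_include: str) -> str:
    """Add include:<new_include> to an existing record, keeping the trailing
    'all' term last and its qualifier (~, -, ?) unchanged. Returns the record
    unchanged if the include is already present."""
    terms = parse_spf(existing)
    include_term = f"include:{new_include}"
    if any(t.lower() == include_term.lower() for t in terms):
        return existing
    body = [t for t in terms if mechanism_name(t) != "all"]
    tail = [t for t in terms if mechanism_name(t) == "all"]
    merged = " ".join(["v=spf1", include_term, *body, *tail])
    if lookup_count(merged) > 10:
        raise ValueError("merged record exceeds the 10 DNS-lookup limit; receivers would return permerror")
    return merged


def choose_spf_action(txt_records: list[str], new_include: str) -> str:
    """Given every TXT record published at the domain apex, return the single
    SPF value that should be there after adding the new provider."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) > 1:
        raise ValueError(f"{len(spf)} SPF records found; receivers treat this as permerror, fix that first")
    if not spf:
        return f"v=spf1 include:{new_include} ~all"
    return merge_spf(spf[0], new_include)


if __name__ == "__main__":
    # The page's own example: Salesforce already present, Google being added.
    print(merge_spf("v=spf1 include:_spf.salesforce.com ~all", "_spf.google.com"))
```

The lookup counter is the check to run before saving: every `include:` you add pulls in that provider's own lookups as well, so a record that counts as 4 here may still exceed 10 once receivers expand it. Treat a count near the limit as a reason to ask the provider for an `ip4:`/`ip6:` alternative rather than another include.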

DMARC

1️⃣ Go to your domain administrator's site. Find DNS Management or Settings.

2️⃣ Add this TXT record to your DNS:

  • Host Name: _dmarc

  • VALUE (with email): v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=90; sp=none

    OR

  • Minimum VALUE: v=DMARC1; p=none; rua=mailto:[email protected];

    OR

  • VALUE (without email): v=DMARC1; p=quarantine; pct=90; sp=none

    Please always replace our example emails with one that actually exists and belongs to you.

    The email version will send aggregate reports to whatever address you put in there.
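To see what the three record variants above actually ask receivers to do, here is an added Python example (not lemlist's code) that parses a DMARC TXT value, applies the pass rule the page describes (SPF or DKIM must pass and its domain must match the visible From: domain) and works out the delivery, quarantine or reject outcome including the `pct=90` sampling and the `sp=none` subdomain policy from the page's own record. The report address `dmarc-reports@example.com` and the domain `example.com` are constructed placeholders; the organizational-domain reduction keeps the last two labels, which is an assumption good enough for `example.com`-style domains but not for `co.uk`-style suffixes.

```python
from __future__ import annotations

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT value into a tag dict and validate the tags used on this page."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' of the minimum record
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for uri in tags.get("rua", "").split(","):
        if uri and not uri.strip().startswith("mailto:"):
            raise ValueError(f"rua= entries must be mailto: URIs, got {uri!r}")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumed simplification: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_passes(from_domain: str, spf_pass: bool, spf_domain: str,
                 dkim_pass: bool, dkim_domain: str) -> bool:
    """Relaxed alignment: a passing SPF (envelope) or DKIM (d=) domain must share
    the organizational domain of the visible From: header."""
    org = organizational_domain(from_domain)
    spf_aligned = spf_pass and organizational_domain(spf_domain) == org
    dkim_aligned = dkim_pass and organizational_domain(dkim_domain) == org
    return bool(spf_aligned or dkim_aligned)


def disposition(tags: dict[str, str], record_domain: str, from_domain: str,
                passed: bool, sample_bucket: int) -> str:
    """What the receiver does with the message. sample_bucket is 0-99: buckets
    below pct get the published policy, the rest get the next-less-severe one
    (RFC 7489 section 6.6.4). sp= applies when From: is a subdomain of the record's domain."""
    if passed:
        return "deliver"
    fd, rd = from_domain.lower(), record_domain.lower()
    policy = tags["p"]
    if "sp" in tags and fd != rd and fd.endswith("." + rd):
        policy = tags["sp"]
    if sample_bucket >= int(tags.get("pct", "100")):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # The page's "with email" record, with a constructed report address.
    rec = parse_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=90; sp=none")
    failed = dmarc_passes("example.com", spf_pass=True, spf_domain="bulk-mailer.example.net",
                          dkim_pass=False, dkim_domain="")
    print("spoofed mail from example.com:", disposition(rec, "example.com", "example.com", failed, 0))
    print("spoofed mail from news.example.com:", disposition(rec, "example.com", "news.example.com", failed, 0))
```

Two things the run makes visible: with `pct=90`, roughly one failing message in ten is still delivered (the sampling is meant for a gradual rollout, so raise it to 100 once the reports look clean), and `sp=none` means mail forged from any subdomain is delivered even though the apex is quarantined. The `p=none` minimum record never blocks anything; its value is the reports sent to `rua=`, which is why the page insists the address must be real.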

Enjoy ❤️

Did this answer your question?