TL;DR
Configure SPF, DKIM, and DMARC DNS records to prevent your emails from landing in spam. Add TXT records to your domain provider's DNS settings, one for each record type. Takes about 15β20 minutes.
Who Should Use This
New lemlist users experiencing deliverability issues
Anyone whose emails are landing in spam
Users setting up email for the first time on a custom domain
Teams that haven't configured DNS records yet
π‘ If you use Gmail (@gmail.com) or Outlook (@outlook.com) personal accounts: These are already configured. This guide is for custom domains (e.g., [email protected]).
Why This Matters
If your DNS records aren't configured correctly:
Your emails land in spam or get rejected entirely
Recipients' email providers don't trust your domain
Your deliverability tanks, killing campaign performance
Setting up SPF, DKIM, and DMARC:
β Prevents emails from going to spam
β Protects your domain from spoofing/phishing
β Builds trust with Gmail, Outlook, and other providers
β Improves open and reply rates
Key Concept: What Are DNS Records?
DNS (Domain Name System) records are settings that tell the internet how your domain works.
For email, DNS records tell providers like Gmail and Outlook:
Who is allowed to send emails from your domain (SPF)
Whether emails are actually from you (DKIM)
What to do if authentication fails (DMARC)
Without these, email providers assume your emails are spam.
The 3 Required DNS Records
You must set up SPF, DKIM, and DMARC for proper email deliverability.
1. SPF (Sender Policy Framework)
Tells email servers which services can send emails from your domain
Example: "Only Google Workspace can send emails from
@yourcompany.com"
2. DKIM (DomainKeys Identified Mail)
Adds a digital signature to your emails to confirm they're from you
Prevents email tampering in transit
3. DMARC (Domain-based Message Authentication, Reporting & Conformance)
Tells email providers what to do if SPF or DKIM fail
Options: monitor, quarantine (spam), or reject (block)
Step-by-Step: Set Up DNS Records
Step 1: Set up SPF
What SPF does: SPF tells email servers which services are allowed to send emails from your domain.
Example SPF record:
v=spf1 a mx include:_spf.yourprovider.com ~all
Replace _spf.yourprovider.com with your email provider:
Google Workspace:
_spf.google.comOutlook/Office 365:
spf.protection.outlook.comZoho:
zoho.com
How to add SPF:
Log in to your domain provider (e.g., GoDaddy, Namecheap, Cloudflare)
Go to DNS settings (usually under "DNS Management" or "Domain Settings")
Add a new TXT record:
Name/Host:
@(or leave blankβrepresents your root domain)Type:
TXTValue: Your full SPF string (e.g.,
v=spf1 include:_spf.google.com ~all)TTL:
3600(or use default)
Save changes
Verify: Use MXToolbox SPF Checker to confirm it's working
π‘ Important: Only include your actual email provider. Do NOT include lemlist. lemlist doesn't send emails directly, your provider does.
Step 2: Set up DKIM
What DKIM does: DKIM adds a digital signature to your emails to confirm they were really sent by you.
How to add DKIM:
Get your DKIM key from your email provider:
Google Workspace: Go to Admin Console β Apps β Gmail β Authenticate Email β Generate New Record
Outlook/Office 365: Go to Microsoft 365 Admin Center β Settings β Domains β Select domain β DNS Records
Zoho: Go to Zoho Mail Admin Console β Email Configuration β DKIM
Copy the DKIM key (it's a long string of characters)
Log in to your domain provider
Go to DNS settings
Add a new TXT record:
Name/Host: Usually
default._domainkey(your provider will specify)Type:
TXTValue: The DKIM key provided by your email provider
TTL:
3600(or default)
Save changes
Verify: Use DKIM Core Checker to confirm
β οΈ Note: DKIM keys are long. Make sure you copy the entire string without truncating it.
Step 3: Set up DMARC
What DMARC does: DMARC tells email providers what to do if SPF and DKIM fail.
Example DMARC record:
v=DMARC1; p=quarantine; rua=mailto:[email protected]
DMARC policy options:
p=noneβ Just monitor (no action taken)p=quarantineβ Send suspicious emails to spamp=rejectβ Block suspicious emails completely
π‘ Start with p=none to monitor first, then move to p=quarantine after a few weeks.
How to add DMARC:
Log in to your domain provider
Go to DNS settings
Add a new TXT record:
Name/Host:
_dmarcType:
TXTValue: Your DMARC rule (e.g.,
v=DMARC1; p=quarantine; rua=mailto:[email protected])TTL:
3600(or default)
Save changes
Verify: Use DMARC Inspector
How You'll Know It Worked
β SPF, DKIM, and DMARC pass validation when checked with online tools (MXToolbox, DKIM Core, DMARC Inspector)
β Test emails land in inbox, not spam (send test emails to Gmail, Outlook, etc.)
β Email headers show authentication passed (check email source/headers for "PASS" status)
β Deliverability improves within 24β48 hours after DNS propagation
Other DNS Records (Not Required for Email)
While not needed for deliverability, here's a quick overview:
A Record β Points your domain to a website IP address
AAAA Record β Same as A, but for IPv6
CNAME Record β Redirects one subdomain to another (used for custom tracking domains in lemlist)
NS Record β Shows who manages your DNS settings (auto-set by domain provider)
MX Record β Defines where incoming mail is delivered (needed to receive replies)
For lemlist, you need:
TXT records (SPF, DKIM, DMARC) β
MX record (to receive replies) β
CNAME record (for custom tracking domainβoptional) β
Troubleshooting
Issue: SPF validation fails
Root cause: Wrong SPF syntax or missing provider include.
Fix:
Verify you included your email provider's SPF record (e.g.,
include:_spf.google.com)Ensure syntax starts with
v=spf1and ends with~allorallCheck for typos in the provider domain
Use MXToolbox SPF Checker to debug
Issue: DKIM validation fails
Root cause: DKIM key not added correctly or DNS hasn't propagated yet.
Fix:
Double-check the DKIM key was copied in full (no truncation)
Verify the Name/Host field matches what your provider specified (e.g.,
default._domainkey)Wait 72 hours for DNS propagation
Use DKIM Core Checker to verify
Issue: DMARC validation fails
Root cause: DMARC record syntax error or wrong Name/Host field.
Fix:
Verify Name/Host is exactly
_dmarc(not@or blank)Check DMARC syntax: must start with
v=DMARC1;Ensure you included a valid email for
rua=mailto:...Use DMARC Inspector to debug
Issue: DNS changes aren't taking effect
Root cause: DNS propagation takes time.
Fix:
Wait 24β72 hours for DNS records to propagate globally
Clear your DNS cache locally:
ipconfig /flushdns(Windows) orsudo dscacheutil -flushcache(Mac)Check propagation status with DNS Checker
Issue: Emails still going to spam after DNS setup
Root cause: DNS is only one factor. Other issues may include domain reputation, email content, or sending volume.
Fix:
Verify SPF, DKIM, DMARC all pass using online checkers
Use Lemwarm to improve domain reputation
Review email content for spam triggers (all caps, excessive links, misleading subject lines)
Ensure sending volume is within safe limits (100 emails/day max)
Common Questions
Q: Do I need to include lemlist in my SPF record?
A: No. lemlist doesn't send emails directly. Only include your actual email provider (Google, Outlook, Zoho, etc.) in your SPF record.
Q: How long does DNS propagation take?
A: Usually 1β24 hours, sometimes up to 72 hours. You can check the propagation status with DNS Checker.
Q: Can I use the same SPF/DKIM/DMARC for multiple email addresses?
A: Yes, if they're all on the same domain (e.g., [email protected], [email protected]). These records apply to the entire domain.