SPF/DKIM/DMARC Wizard

What is this

This is an all-in-one, end-to-end SPF/DKIM/DMARC deployment wizard that guides you through the whole process of setting up SPF, DKIM, and DMARC for your organization, securing your email through email authentication.

Why you need this

There was no end-to-end SPF/DKIM/DMARC wizard to help people implement DMARC, DKIM, and SPF. People had to go through tons of materials from different sources in order to achieve an effective DMARC implementation.

But it doesn't have to be like that. Using this SPF/DKIM/DMARC wizard, you can go from zero to full email authentication much faster and with less pain.

Article

This wizard can be used in tandem with the article The Definitive Guide to SPF, DKIM, and DMARC, which explains essential concepts in modern email authentication.


First we need to know the email domain you need to set up SPF, DKIM, and DMARC on.

For example, if your organization sends emails from an address such as contact@example.com, enter example.com below.

Enter domain to set up SPF, DKIM, and DMARC on, e.g., example.com
After you've entered the domain, click the Next button to go to the SPF wizard to set up SPF.

Create SPF record

Publish SPF record

Create DKIM record

If you are using a 3rd-party email delivery service, creating a DKIM record is easy enough: simply use their service to create the private/public keypair which will be kept with their service. I am going to show you exactly how to do this in SendGrid now:

  • log in to SendGrid's dashboard;

  • go to Settings/Sender Authentication/Authenticate Your Domain, choose your DNS host and click the Next button.

  • enter the domain you want to authenticate (we are using example.com), and click the Next button.

  • now SendGrid has created 2 DKIM records for you, using selectors s1 and s2 respectively, as highlighted below:

There is no private key/public key management on your end - SendGrid manages all this for you! All you have to do is to publish these 2 DKIM records for your domain in DNS.

Publish DKIM record

Publishing a DKIM record is just creating a CNAME record on (selector)._domainkey.example.com. I will show you how to do this in GoDaddy step by step:

  • Log in to GoDaddy. Click the domain in question, then click the DNS button.

  • If the DKIM record doesn't exist on the domain, click the Add button under the Records section.

  • Otherwise edit it instead. To check if the DKIM record already exists, look for any CNAME record that looks like (selector)._domainkey.

  • Select CNAME for the Type drop-down menu. Enter s1._domainkey for the Host field, where s1 is the selector. Enter the POINTS TO value you obtain from the "Create DKIM record" step, for the Points to field. Then click the Save button.

Create DMARC record

DMARC Record Generator

Use DMARC Record Generator to create a DMARC record.

To learn how to implement SPF/DKIM/DMARC, check out this definitive, step-by-step guide:
How to Implement SPF/DKIM/DMARC to Prevent Email Spoofing/Phishing



Help on DMARC generator

What is a DMARC record?

A DMARC record is a TXT record published to the DNS for your domain, under _dmarc.yourdomain.com, where “yourdomain.com” is replaced with your actual domain (or subdomain). It tells the email receiver what to do when an email message fails DMARC authentication, and also where to send reports on email delivery statistics.

Publish DMARC record

Log in to your DNS management console and choose the domain you need to publish the DMARC record on, for example, mycompany.com.

Create a TXT entry on mycompany.com with these settings:

    Type: TXT
    Host: _dmarc
    TXT Value: (DMARC record created in the previous step)
    TTL: 1 hour
    

For example, here is what it looks like in GoDaddy's DNS management console:

To publish a DMARC record in CloudFlare:

Check all records

Now that you have published all the DNS records, it's time to check that SPF, DKIM, and DMARC are all set up correctly.

To check if the whole deployment is correct, send an email from your domain to check@dmarcly.com.

You will get a report on the deployments shortly.

Keep in mind that DNS propagation takes up to 1 hour. If you think your settings are correct but find some issues in the report, wait a while and check again.