How do SPF, DKIM, and DMARC protect your email?
SPF, DKIM, and DMARC are three DNS records that together give your domain a verifiable sending identity, so receiving servers can tell real mail from spoofed mail and reject impersonation attempts. Configured correctly, they are the single most effective defense against domain spoofing and a major control against phishing and business email compromise.
Email is still a primary attack vector, especially for regulated sectors like healthcare, finance, education, and government, where attackers impersonate trusted domains to launch phishing and business email compromise (BEC) attacks. These three protocols make that impersonation far harder and improve the odds your legitimate mail reaches the inbox instead of the spam folder.
What is the SPF, DKIM, and DMARC setup checklist?
Set them up in this order, since DMARC depends on the other two:
- SPF (Sender Policy Framework). Publish a TXT record in your DNS that lists the IP addresses and services — Microsoft 365, Google Workspace, your marketing platform — authorized to send mail on your behalf. Receivers reject senders that are not on the list.
- DKIM (DomainKeys Identified Mail). Generate a cryptographic key pair in your email admin console and publish the public key in DNS. This lets receiving servers verify the message was signed by your domain and not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance). Publish a DMARC policy in DNS that tells receivers how to handle mail that fails SPF or DKIM — `none` (monitor only), `quarantine`, or `reject` — and where to send aggregate reports.
Keep SPF and DKIM stable and monitor DMARC aggregate reports for legitimate traffic before moving the policy to `quarantine` or `reject`. Tightening the policy too early can block legitimate mail from services you forgot to authorize.
These protocols are well documented in vendor-neutral guidance — for example, CISA’s recommendations on email authentication for protecting against spoofing and phishing.[1] Authentication is one layer; it pairs naturally with Microsoft 365 phishing protection and a tested business email compromise response plan for the cases that still get through.
Why Datapath for email authentication
At Datapath, our Accountability-as-a-Service™ model means we do not just publish your records and walk away. We manage DNS propagation, monitor authentication and DMARC reports, and keep your configuration aligned as you add or change sending services. That work lives inside our cybersecurity services and managed IT services, so email security is maintained, not set once and forgotten.
Struggling with deliverability or impersonation risk? Contact our team to review your domain’s security posture.
FAQ: SPF, DKIM, and DMARC setup
Why do I need all three protocols?
SPF and DKIM each prove part of the picture — who is allowed to send and whether the message was tampered with. DMARC ties them together with a policy receivers can act on, plus reporting that shows you who is sending mail using your domain.
Will this affect my email deliverability?
When configured correctly, these protocols improve deliverability by proving your mail is legitimate, which helps keep it out of spam folders. The risk comes from misconfiguration, which is why a phased rollout with monitoring matters.
How long does implementation take?
The DNS records themselves can be published quickly, but we recommend a phased approach over several weeks so you can monitor reports and confirm no legitimate sending service is being blocked before enforcing.
Does this apply to K-12 and government agencies?
Yes. Any organization can be impersonated, and public-sector and education domains are frequent targets. Email authentication is widely treated as a baseline security control for these sectors.
Can Datapath manage this for us?
Yes. We set up and then continuously monitor SPF, DKIM, and DMARC as part of our cybersecurity and managed IT services, including reviewing DMARC reports and updating records as your sending services change.
Sources
- CISA — Email Authentication / protecting against spoofing and phishing guidance [1]
Footnotes
[1] Cybersecurity and Infrastructure Security Agency, “Email Authentication,” https://www.cisa.gov/resources-tools/resources/email-authentication