Email deliverability is now a DNS job as much as a mail server job. If SPF, DKIM, and DMARC are missing or wrong, perfectly legitimate mail can land in spam or get rejected.
What each record does
SPF says which servers are allowed to send mail for your domain.
DKIM signs outgoing messages so receivers can verify they were not changed.
DMARC tells receivers what to do when SPF or DKIM fails and gives you reports.
You need all three.
SPF: keep it short
Example:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Rules:
- Only one SPF record per domain
- Keep DNS lookups under the SPF limit of 10
- Include every service that sends as your domain
- Use -all only when you are confident the list is complete
Common senders include Google Workspace, Microsoft 365, Mailchimp, SendGrid, Postmark, CRM platforms, helpdesk tools, and website SMTP plugins.
DKIM: copy the provider record exactly
Your mail provider gives you a selector and a TXT or CNAME record:
selector1._domainkey.example.com
Do not invent this value. Copy it from the sending platform. If you use multiple platforms, each can have its own selector.
DMARC: roll out gradually
Start with monitoring:
v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s
After you have reports and know legitimate senders are aligned, move to quarantine:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
Then enforce:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Do not jump straight to p=reject on a domain with unknown senders.
Alignment matters
DMARC passes when either SPF or DKIM aligns with the visible From domain. A message can pass SPF technically but fail DMARC if it was sent through a provider’s bounce domain without alignment.
For marketing tools, make sure custom DKIM is enabled. For WordPress, send through a proper SMTP provider rather than the local server.
Check your DNS
Use:
dig TXT example.com
dig TXT selector1._domainkey.example.com
dig TXT _dmarc.example.com
Then test with external tools such as MXToolbox, Google Postmaster Tools, or your mail provider’s built-in verifier.
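The TXT strings those dig queries return can also be checked offline. The following is an added example, not part of the original article. It flags duplicate SPF records, counts SPF DNS lookups against the limit of 10 (each include, a, mx, ptr, exists and redirect term costs one lookup, including terms reached through an include), and reports a DMARC record that is missing, still at p=none, or has no rua address. The zone contents, domain names and function names are constructed for illustration.

```python
import re

# Constructed sample zone (name -> TXT strings), standing in for dig output.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:bulk.example -all"],
    "_spf.mail.example": ["v=spf1 include:a.mail.example mx ~all"],
    "a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "bulk.example": ["v=spf1 a mx ip4:203.0.113.7 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "two.example": ["v=spf1 -all", "v=spf1 include:bulk.example ~all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(zone, name):
    """TXT strings at `name` whose first token is v=spf1."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=()):
    """Count DNS-querying SPF terms, following include/redirect targets."""
    recs = spf_records(zone, name)
    if name in path or len(recs) != 1:  # loop, or nothing unambiguous to follow
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        # Drop the qualifier, then split the mechanism name from its argument.
        parts = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)
        if parts[0] in LOOKUP_TERMS:
            total += 1
        if parts[0] in ("include", "redirect") and len(parts) == 2:
            total += count_lookups(zone, parts[1], path + (name,))
    return total

def lint(zone, domain):
    """Return a list of findings for the SPF and DMARC records of `domain`."""
    findings = []
    recs = spf_records(zone, domain)
    if len(recs) != 1:
        findings.append(f"spf: expected 1 record, found {len(recs)}")
    elif (n := count_lookups(zone, domain)) > 10:
        findings.append(f"spf: {n} DNS lookups, limit is 10")
    dmarc = [t for t in zone.get(f"_dmarc.{domain}", []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return findings + [f"dmarc: expected 1 record, found {len(dmarc)}"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    if tags.get("p") == "none":
        findings.append("dmarc: p=none, monitoring only")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, no reports will arrive")
    return findings
```

Call lint(ZONE, "example.com") to get the findings for one domain; to use it on real data, fill the dictionary with the TXT strings dig returns for the domain, each include target, and the _dmarc name.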
Common mistakes
- Two SPF records on the same domain
- Old providers left in SPF forever
- Website contact forms sending directly from the web server
- DKIM selector pasted at the wrong hostname
- DMARC reports sent to an unmonitored mailbox
- Using p=reject before auditing all senders
Minimum setup for WordPress sites
For a small business WordPress site:
- Use Google Workspace, Microsoft 365, Postmark, SMTP2GO, or another real sender.
- Configure FluentSMTP or an equivalent SMTP plugin.
- Add SPF for that sender.
- Add DKIM from that sender.
- Publish DMARC at p=none.
- Review reports, then tighten policy.
This is more reliable than sending mail from the web server, especially on shared hosting or VPS providers where IP reputation is mixed.