SPF, DKIM, and DMARC
The three email authentication protocols (SPF, DKIM, and DMARC) tell receiving servers that your emails are legitimate. Without them, Gmail, Outlook, and Yahoo may send them to spam or reject them outright.
SPF — who can send on your behalf
Section titled “SPF — who can send on your behalf”SPF (Sender Policy Framework) lists the servers authorized to send email from your domain. Receiving servers verify that the sender’s IP is on that list.
Record to publish
Section titled “Record to publish”Add (or modify) the TXT record at the root of your domain:
_Name_: tuempresa.com (or @)_Type_: TXT_Value_: v=spf1 include:mailerdash.com ~allIf you already have an existing SPF record (for example from Google Workspace or another provider), do not create a second TXT — add the include to your existing record:
v=spf1 include:_spf.google.com include:mailerdash.com ~allDKIM — cryptographic signature of content
Section titled “DKIM — cryptographic signature of content”DKIM (DomainKeys Identified Mail) signs each email with a private key. The receiving server verifies the signature using the public key published in your DNS.
CNAME delegation (one-time setup, forever)
Section titled “CNAME delegation (one-time setup, forever)”MailerDash uses CNAME delegation: you publish a CNAME once and the platform rotates the internal key without you ever having to touch your DNS again.
_Name_: <selector>._domainkey.tuempresa.com_Type_: CNAME_Value_: <the exact CNAME value shown in your dashboard>When you verify your domain, the dashboard shows you the exact selector and CNAME value. Publish that record once and you’re done — key rotations are transparent to you.
DMARC — alignment policy
Section titled “DMARC — alignment policy”DMARC (Domain-based Message Authentication, Reporting and Conformance) defines what the receiving server should do when an email fails SPF or DKIM, and sends you usage reports.
Recommended record to start
Section titled “Recommended record to start”_Name_: _dmarc.tuempresa.com_Type_: TXT_Value_: v=DMARC1; p=none; rua=mailto:dmarc-reports@tuempresa.com| Field | Description |
|---|---|
p=none | Monitor without action — emails that fail still arrive. Ideal for getting started. |
p=quarantine | Emails that fail go to spam. Enable once you are confident in your configuration. |
p=reject | Emails that fail are rejected. Maximum protection; enable after reviewing reports. |
rua=mailto:... | Address where you will receive daily XML reports from receiving servers. |
Recommended progression
Section titled “Recommended progression”- Weeks 1–2: publish
p=nonewithruato receive reports without any impact. - Weeks 3–4: review the reports and confirm that your legitimate emails pass SPF and DKIM.
- Month 2: move up to
p=quarantine. - Month 3+: move up to
p=rejectif the reports show correct alignment.
Verify your configuration
Section titled “Verify your configuration”Once the records are published, you can verify with online tools:
- MXToolbox (mxtoolbox.com) — SPF, DKIM, and DMARC lookups
- mail-tester.com — send a test email and receive a configuration score
- Google Postmaster Tools — domain reputation monitoring for traffic to Gmail
Summary of records to publish
Section titled “Summary of records to publish”| Record | DNS Name | Type | Value |
|---|---|---|---|
| SPF | tuempresa.com | TXT | v=spf1 include:mailerdash.com ~all |
| DKIM | <selector>._domainkey.tuempresa.com | CNAME | the exact target shown in your dashboard |
| DMARC | _dmarc.tuempresa.com | TXT | v=DMARC1; p=none; rua=mailto:... |
You get the exact selector and CNAME from the dashboard when you verify your domain, or by querying GET /v1/domains.
Next step: Verify your domain to complete registration on the platform.
API reference: Platform — Domains