Skip to content

SPF, DKIM, and DMARC

The three email authentication protocols (SPF, DKIM, and DMARC) tell receiving servers that your emails are legitimate. Without them, Gmail, Outlook, and Yahoo may send them to spam or reject them outright.


SPF (Sender Policy Framework) lists the servers authorized to send email from your domain. Receiving servers verify that the sender’s IP is on that list.

Add (or modify) the TXT record at the root of your domain:

_Name_: tuempresa.com (or @)
_Type_: TXT
_Value_: v=spf1 include:mailerdash.com ~all

If you already have an existing SPF record (for example from Google Workspace or another provider), do not create a second TXT — add the include to your existing record:

v=spf1 include:_spf.google.com include:mailerdash.com ~all

DKIM — cryptographic signature of content

Section titled “DKIM — cryptographic signature of content”

DKIM (DomainKeys Identified Mail) signs each email with a private key. The receiving server verifies the signature using the public key published in your DNS.

CNAME delegation (one-time setup, forever)

Section titled “CNAME delegation (one-time setup, forever)”

MailerDash uses CNAME delegation: you publish a CNAME once and the platform rotates the internal key without you ever having to touch your DNS again.

_Name_: <selector>._domainkey.tuempresa.com
_Type_: CNAME
_Value_: <the exact CNAME value shown in your dashboard>

When you verify your domain, the dashboard shows you the exact selector and CNAME value. Publish that record once and you’re done — key rotations are transparent to you.


DMARC (Domain-based Message Authentication, Reporting and Conformance) defines what the receiving server should do when an email fails SPF or DKIM, and sends you usage reports.

_Name_: _dmarc.tuempresa.com
_Type_: TXT
_Value_: v=DMARC1; p=none; rua=mailto:dmarc-reports@tuempresa.com
FieldDescription
p=noneMonitor without action — emails that fail still arrive. Ideal for getting started.
p=quarantineEmails that fail go to spam. Enable once you are confident in your configuration.
p=rejectEmails that fail are rejected. Maximum protection; enable after reviewing reports.
rua=mailto:...Address where you will receive daily XML reports from receiving servers.
  1. Weeks 1–2: publish p=none with rua to receive reports without any impact.
  2. Weeks 3–4: review the reports and confirm that your legitimate emails pass SPF and DKIM.
  3. Month 2: move up to p=quarantine.
  4. Month 3+: move up to p=reject if the reports show correct alignment.

Once the records are published, you can verify with online tools:

  • MXToolbox (mxtoolbox.com) — SPF, DKIM, and DMARC lookups
  • mail-tester.com — send a test email and receive a configuration score
  • Google Postmaster Tools — domain reputation monitoring for traffic to Gmail

RecordDNS NameTypeValue
SPFtuempresa.comTXTv=spf1 include:mailerdash.com ~all
DKIM<selector>._domainkey.tuempresa.comCNAMEthe exact target shown in your dashboard
DMARC_dmarc.tuempresa.comTXTv=DMARC1; p=none; rua=mailto:...

You get the exact selector and CNAME from the dashboard when you verify your domain, or by querying GET /v1/domains.


Next step: Verify your domain to complete registration on the platform.

API reference: Platform — Domains