Domain Authentication
Set up SPF, DKIM, and DMARC to ensure your emails land in the inbox
Why Domain Authentication Matters
When you send emails through SentinMail, recipient mail servers (Gmail, Outlook, Yahoo, etc.) check whether your domain actually authorized the sending server. Without proper authentication, your emails are far more likely to land in spam or be rejected entirely.
Domain authentication does three things:
- Improves deliverability — authenticated emails are trusted by inbox providers and reach the inbox instead of the spam folder
- Prevents spoofing — stops bad actors from sending emails that pretend to come from your domain
- Builds sender reputation — over time, properly authenticated domains earn a positive reputation that further boosts deliverability
Domain authentication is not optional for serious email sending. Major providers like Gmail and Yahoo now require SPF and DKIM authentication, and emails without it may be silently dropped.
There are three DNS records you need to set up: SPF, DKIM, and DMARC. Each one handles a different aspect of authentication. This guide walks you through all three.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which servers are allowed to send email on behalf of your domain. It works by publishing a DNS TXT record that lists your authorized senders.
How SPF Works
When someone receives an email from you@yourdomain.com, their mail server looks up the SPF record for yourdomain.com. If the sending server's IP address is listed in the SPF record, the email passes the SPF check. If not, it fails.
Adding Your SPF Record
Identify your sending sources
Log in to your DNS provider
Add a TXT record
Create a new DNS TXT record with these values:
| Field | Value |
|---|---|
| Type | TXT |
| Host / Name | @ (or leave blank, depending on your provider) |
| Value | Your SPF string (see provider-specific examples below) |
| TTL | 3600 (or "1 hour") |
Wait for propagation
You can only have one SPF record per domain. If you already have an SPF record, do not create a second one. Instead, merge the new include: statements into your existing record. Multiple SPF records will cause authentication failures.
SPF Record Examples
If you are starting from scratch and only use one provider:
1v=spf1 include:_spf.google.com ~allIf you use multiple providers, combine them into one record:
1v=spf1 include:_spf.google.com include:amazonses.com include:sendgrid.net ~allThe ~all at the end means "soft fail" for any server not listed, which is the recommended starting point. Once you are confident your SPF record is complete, you can change it to -all (hard fail) for stricter enforcement.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. The receiving server verifies this signature against a public key published in your DNS. This proves the email was not tampered with in transit and genuinely came from your domain.
How DKIM Works
Your SMTP provider signs each outgoing email with a private key. The corresponding public key is published as a DNS TXT record on your domain. When a recipient's mail server receives the email, it fetches the public key from DNS and verifies the signature.
Setting Up DKIM
Get your DKIM key from your provider
Add a CNAME or TXT record
Most providers ask you to create a CNAME record, while some give you a TXT record. The record name typically follows this pattern:
1```Verify in your provider's dashboard
DMARC (Domain-based Message Authentication)
DMARC ties SPF and DKIM together and tells receiving mail servers what to do when an email fails authentication. It also lets you receive reports about authentication results so you can monitor your domain's email health.
How DMARC Works
DMARC checks that the domain in the "From" header aligns with the domain that passed SPF or DKIM. Even if SPF and DKIM both pass, DMARC can still fail if the domains do not match. DMARC also defines a policy: should failing emails be delivered, quarantined, or rejected?
Adding Your DMARC Record
Create the DNS record
Add a TXT record with the following values:
| Field | Value |
|---|---|
| Type | TXT |
| Host / Name | _dmarc |
| Value | Your DMARC policy string (see below) |
| TTL | 3600 |
Start with a monitoring-only policy
Begin with p=none so you receive reports without affecting delivery. This lets you identify issues before enforcing a stricter policy.
1```dns2v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1;3```Replace dmarc-reports@yourdomain.com with an email address where you want to receive aggregate reports.
Gradually tighten the policy
After monitoring for 2-4 weeks and confirming all legitimate email is passing, move to quarantine and eventually reject:
- Quarantine — failing emails go to spam:
dns v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; fo=1; - Reject — failing emails are blocked entirely:
dns v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; fo=1;
DMARC reports are sent as XML files. Free tools like DMARC Analyzer or Postmark's DMARC Tool can parse these reports into human-readable dashboards.
Provider-Specific Guides
Each email provider has slightly different steps for setting up domain authentication. Select your provider below for specific instructions.
Verifying Your Setup
After adding your DNS records, use these free tools to confirm everything is working:
Check DNS records with MXToolbox
Go to MXToolbox and run these lookups:
- SPF check: Enter
yourdomain.comand select "SPF Record Lookup" - DKIM check: Enter
selector._domainkey.yourdomain.comand select "DKIM Lookup" (replaceselectorwith your actual DKIM selector) - DMARC check: Enter
yourdomain.comand select "DMARC Lookup"
Each lookup should return your records without errors.
Send a test email to mail-tester.com
Go to mail-tester.com, copy the test email address shown, and send an email to it from SentinMail. The tool will score your email out of 10 and flag any authentication issues.
Check email headers
Send a test email to a Gmail address, open the email, and click the three-dot menu then Show original. Look for these lines in the headers:
1```2SPF: PASS3DKIM: PASS4DMARC: PASS5```All three should show PASS. If any show FAIL or SOFTFAIL, revisit the corresponding DNS record.
Common Issues and Troubleshooting
Multiple SPF Records
Having more than one SPF TXT record on your domain will cause SPF to fail entirely. If you use multiple sending services, combine them into a single record:
1v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~allThe SPF specification has a limit of 10 DNS lookups. Each include: statement counts as one lookup, and nested includes count too. If you exceed this limit, SPF will return a permerror and fail. Use MXToolbox's SPF lookup to check your lookup count.
DKIM Alignment Failures
DKIM alignment fails when the domain in the DKIM signature (d= tag) does not match the domain in the email's "From" header. This commonly happens when:
- You send from
hello@yourdomain.combut your DKIM is signed with your provider's domain instead of yours - You have not completed the domain authentication process in your provider's dashboard
The fix is to complete domain authentication in your provider's settings so DKIM signs with your domain, not theirs.
SPF Alignment Failures
SPF alignment fails when the MAIL FROM domain (envelope sender) does not match the "From" header domain. This is common with Amazon SES unless you set up a custom MAIL FROM domain. Check the provider-specific guide above for instructions.
DNS Propagation Delays
DNS changes are not instant. If you just added records:
- Wait at least 1-2 hours before testing
- Some DNS providers can take up to 48 hours to propagate
- Use whatsmydns.net to check if your record has propagated globally
- Clear your local DNS cache if you are testing from the same machine
"SPF Record Not Found" After Adding It
Common causes:
- The record was added to the wrong domain or subdomain
- The host/name field contains the full domain (e.g.,
yourdomain.com) when the provider only expects@or a blank value - There is a typo in the record — double-check that it starts with
v=spf1
DMARC Reports Show Failures You Do Not Recognize
If your DMARC reports show emails failing from IP addresses you do not recognize, it could be:
- A legitimate service you forgot to include in your SPF record (e.g., a CRM, helpdesk, or marketing tool)
- Someone spoofing your domain (which is exactly what DMARC is designed to catch)
Review the source IPs in the reports and add any legitimate services to your SPF record. Unknown sources can be safely ignored — your DMARC policy will handle them.
Authentication Checklist
Use this checklist to make sure you have covered everything:
- SPF record added — a single TXT record at
@with all sending sources included - SPF lookup count is under 10 — verified with MXToolbox
- DKIM configured — public key added to DNS with the correct selector, verified in your provider's dashboard
- DMARC record added — TXT record at
_dmarcwith at leastp=noneto start - DMARC reporting email set —
rua=mailto:points to a mailbox you monitor - Test email sent — checked with mail-tester.com and scored 9/10 or higher
- Email headers verified — SPF, DKIM, and DMARC all show PASS in Gmail's "Show original"
- Monitoring scheduled — plan to review DMARC reports weekly and tighten policy to
p=quarantineorp=rejectwithin a month