General DNS setup: SPF, DKIM and DMARC
Written by Chris Traczyk
Updated over a week ago

In this article you can learn what DNS records are and how to set them up properly for your mailbox and DNS provider.

What are DNS records and what do they actually do?

Before we get into the technicalities, let’s take a step back and explain what DNS is. It stands for “Domain Name System”: the Internet's system for converting alphabetic names into numeric IP addresses. DNS also lets you define important information about a domain or hostname, particularly its current IP address. These definitions are the DNS records (settings).

Make sure to correctly set up the below domain records to improve deliverability. You (or your IT admin) can do so in the settings section of your domain.

Each time you send an email, multiple aspects of your email setup are tested. Based on the outcome of these tests, the decision is made whether your email should be delivered to the recipient or rejected (bounced).

Based on our recent research, SPF and DKIM records are the most important records that you should set up to keep your deliverability on track. We noticed that adding both of these can increase open rates significantly. A DMARC record is also highly recommended.

SPF

It’s a TXT record that lists all authorized host names/IP addresses that are permitted to send emails on behalf of your domain.

DKIM

It’s an email authentication method that allows the receiver to check if an email that came from a specific domain was authorized by the domain’s owner.

DMARC

It’s based upon the results of SPF and/or DKIM, which means that at least one of these has to be in place for DMARC to work. It controls what happens if a message fails authentication tests. It's a very important record that can help with maintaining good deliverability, especially if Google is your domain's provider.

CNAME

It’s a DNS record that specifies that one domain name is an alias of another domain name. In the case of Growbots, the CNAME record is used to create a custom tracking domain for your account. Check this article for more specific instructions on setting up CNAME and why it’s important.

If you're lacking the SPF record and/or the DKIM record, you'll see a notification in the Settings > Integrations part of the app, looking like the ones below:

It means you need to take the steps below to add the remaining DNS records mentioned in the notification.

Please note that our app does not inform you about the lack of DMARC and CNAME records, but we strongly recommend setting them up as well!

NOTE: Keep in mind that if you created a separate domain specifically for outbound, it's very important to set up a URL forwarding to your company's website. It's highly recommended, because it makes your domain more credible, which can improve deliverability.

Find your mailbox and DNS provider

DNS provider: Before you start, please make sure that you know the DNS provider for your domain. You can check it here. Just enter your domain and scroll down to the Domain Information. The provider shown there is usually your DNS provider, where you edit and manage your DNS settings.

Mailbox provider: You configure your DNS records in your DNS provider’s admin console; however, the next steps may differ depending on your email provider. The most popular mailbox providers are Google and Microsoft 365.

Here you can check the DNS setup rules for the most popular domain providers:

DNS setup if you use Google as mailbox:

In a new browser tab or window, sign in to your DNS hosting provider. Next, find where you manage your DNS settings (for example, Zone File Settings, Manage Domains, Domain Manager, DNS Manager). After logging in, please make sure to follow the instructions according to your DNS provider.

SPF:

Add the following TXT record in your DNS settings (not your mailbox settings):

  • Record type: TXT

  • Record name: you should be able to leave it blank or put in: @

  • Record value: v=spf1 include:_spf.google.com ~all

Check if it’s working correctly:

Proceed here and insert your domain name. If it says ‘pass’, it means that everything is set up correctly. Growbots will display a notification if there’s anything wrong with your SPF!

DKIM:

  1. From the Admin console homepage, go to Apps > Google Workspace > Gmail.

  2. Click Authenticate email.

  3. Your primary domain is selected by default. Click on your primary domain name and select another domain where you’ll be using DKIM.

  4. Click on Generate new record and the following options will be displayed:

    • Select DKIM key bit length: if your domain host doesn't support 2048-bit keys, change the key length to 1024.

    • Prefix selector: the default prefix selector for the Gmail domain key is google. We recommend keeping it as it is.

    • Click Generate.

  5. Now log in to your DNS provider and go to the DNS management tab:

    • Add a new TXT record including the data generated in your Google Admin page in the previous step:

    • In the Name field, enter the text displayed in the Google Admin console under ‘DNS Host name’.

    • In the Value field, enter the text string displayed in the Google Admin console under ‘TXT record value’.

    • Save your changes.

      NOTE: If you recently set up Google Workspace or Gmail, you might see this error: "We are unable to process your request at this time. Please try again later. (Error #1000)." After you turn on Gmail, you must wait 24–72 hours before you can generate a DKIM key.

  6. Turn on DKIM signing in Google Admin Console to start adding a DKIM signature to all your outgoing messages:

    • From the Admin console homepage, go to Apps > Google Workspace > Gmail.

    • Click Authenticate email.

    • Select the domain where you want to start email signing. The page displays the status of email signing for the selected domain.

    • Click Start authentication. When the DKIM setup is complete, "Authenticating email" displays.

How to check if it’s set up correctly?

Proceed here and insert your domain name and set the selector to “google”. If it displays ‘pass’, it means that everything is set up correctly. Growbots will also notify you if there’s anything wrong with your DKIM.

Note: it's possible that you already have a DKIM record set up, but you're using a custom selector which our app does not detect. In that case the app will still show the notification about DKIM not being set up. If you're sure you have it set up, you can ignore this notification.

DMARC:

  1. Go to your domain provider settings page.

  2. Add the following DNS record:

  • Record type: TXT

  • TXT record name: _dmarc

  • TXT record value: v=DMARC1; p=none; pct=90; sp=none

How to check if it’s set up correctly?

Proceed here and include your domain name. If it shows “pass”, it means that everything is set up correctly.

Here's a video showing how to set up the DNS records for Gmail and Cloudflare (the process is very similar for other domain providers):

DNS setup if you use Microsoft 365/Outlook as mailbox:

In a new browser tab or window, sign in to your DNS hosting provider. Next, find where you manage your DNS settings (for example, Zone File Settings, Manage Domains, Domain Manager, DNS Manager). After logging in, please make sure to follow the instructions according to your DNS provider.

SPF:

Add the following TXT record in your DNS settings (not your mailbox settings):

  • Record type: TXT

  • Record name: you should be able to leave it blank or put in: @

  • Record value: v=spf1 include:spf.protection.outlook.com -all

How to check if it’s set up correctly?

Click here and insert your domain name. If it says ‘pass’, it means that everything is set up correctly. Growbots will also show you a notification if there’s anything wrong with your SPF!

DKIM:

1. Publish two CNAME records for your custom domain in DNS:

  • Host name: selector1._domainkey

  • Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>

  • TTL: 3600

  • Host name: selector2._domainkey

  • Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>

  • TTL: 3600

Where you need to replace:

  • <domainGUID> with your actual domainGUID, which you can find in the MX records for your custom domain. It appears before mail.protection.outlook.com. You will find your MX records in your DNS settings.

    For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:
    contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

  • <initialDomain> with the domain that you used when you signed up for Microsoft 365.

    The initialDomain always ends with onmicrosoft.com. If you’re not sure what your initialDomain is, just go to Email & Collaboration > Policies & Rules > Threat policies page > Rules section > DKIM. Or, to go directly to the DKIM page, use https://security.microsoft.com/dkimv2

2. Enable DKIM signing for your custom domain:

  1. Open the Microsoft 365 Defender portal using your account.

  2. Go to Email & Collaboration > Policies & Rules > Threat policies page > Rules section > DKIM. Or, to go directly to the DKIM page, use https://security.microsoft.com/dkimv2.

  3. On the DKIM page, select the domain by clicking on the name.

  4. In the details flyout that appears, change the Sign messages for this domain with DKIM signatures setting to Enabled. When you're finished, click Rotate DKIM keys.

NOTE: Microsoft changes its instructions for enabling DKIM signing quite frequently, so if the above instructions don't match your account settings, please take a look at their help page to find the latest instructions.
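
The CNAME values from step 1 can be derived and checked mechanically. The following is an added example, not Growbots or Microsoft code: the function names are hypothetical, the MX line is the one quoted above, and the initialDomain `contoso.onmicrosoft.com` and the "published" records are constructed for illustration.

```python
MX_SUFFIX = ".mail.protection.outlook.com"

def expected_dkim_cnames(mx_line, initial_domain):
    """Derive both DKIM CNAME records from a zone-file MX line."""
    fields = mx_line.split()
    if len(fields) != 6 or [f.upper() for f in fields[2:4]] != ["IN", "MX"]:
        raise ValueError("expected: <name> <ttl> IN MX <preference> <target>")
    target = fields[5].rstrip(".").lower()
    if not target.endswith(MX_SUFFIX):
        raise ValueError("MX target is not under mail.protection.outlook.com")
    guid = target[: -len(MX_SUFFIX)]  # e.g. contoso-com
    initial = initial_domain.rstrip(".").lower()
    if not initial.endswith(".onmicrosoft.com"):
        raise ValueError("initialDomain must end with onmicrosoft.com")
    return {
        f"selector{n}._domainkey": f"selector{n}-{guid}._domainkey.{initial}"
        for n in (1, 2)
    }

def check_published(published, mx_line, initial_domain):
    """Compare published CNAMEs {host: target} with the expected pair."""
    problems = []
    for host, want in expected_dkim_cnames(mx_line, initial_domain).items():
        got = published.get(host, "").rstrip(".").lower()
        if not got:
            problems.append(f"{host}: CNAME missing")
        elif got != want:
            problems.append(f"{host}: points to {got}, expected {want}")
    return problems

# MX record from this article; the initialDomain and the published records
# below are constructed for the example.
MX = "contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com"
INITIAL = "contoso.onmicrosoft.com"
PUBLISHED = {
    "selector1._domainkey": "selector1-contoso-com._domainkey.contoso.onmicrosoft.com.",
    # Constructed mistake: the custom domain pasted in place of the domainGUID.
    "selector2._domainkey": "selector2-contoso.com._domainkey.contoso.onmicrosoft.com",
}

if __name__ == "__main__":
    print(expected_dkim_cnames(MX, INITIAL))
    print(check_published(PUBLISHED, MX, INITIAL))
```

Until both selectors resolve to the expected targets, Microsoft 365 cannot sign with your custom domain, so run the comparison before enabling DKIM signing in step 2.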

How to check if it’s set up correctly?

Proceed here and include your domain name along with the selector. If it displays “pass”, it means that everything is set up correctly. Growbots will also notify you if there’s something wrong with your DKIM.

DMARC:

  1. Go to your domain provider settings page.

  2. Add the following DNS record:

  • Record type: TXT

  • TXT record name: _dmarc

  • TXT record value: v=DMARC1; p=none; pct=90; sp=none

How to check if it’s set up correctly?

Click here and include your domain name. If it says ‘pass’, it means that everything is working properly.

Here's a video showing how to set up the DNS records for Outlook and GoDaddy (the process is very similar for other domain providers):

DNS setup for other providers

How to configure your domain with other domain providers?

  1. Find out who your domain provider is.

  2. Locate your domain management page.

  3. Go to the DNS records section.

  4. Add SPF, DKIM, DMARC and CNAME records according to the instructions below:

SPF:

  1. Create your SPF: For other mailbox providers, the fastest way to find out what your SPF record should look like is to search the Internet. The general rule is:
    a. Start with v=spf1 and add the IP addresses that are authorized to send emails. For example, v=spf1 ip4:1.2.3.4 ip4:2.3.4.5
    b. If you use a third party to send messages on your behalf, you have to add an “include” part to your SPF record (for example, include:thirdparty.com).
    c. End your record with an “~all” or “-all” part.

Here’s an example of a correct SPF:

v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all

  2. Publish your SPF: This step varies depending on your domain provider. The general instruction is:

  1. Go to the domain settings.

  2. Add a TXT record with the SPF that you created.

You can always ask your domain administrator for help with publishing!

How to check if it’s set up correctly?

Click here and insert your domain name. If it says ‘pass’, it means that everything is set up correctly. Growbots will also show you a notification if there’s anything wrong with your SPF!
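
The SPF rules above (start with v=spf1, list the authorized senders, end with an “all” part, publish one TXT record) can be checked on the record text before you publish it. This is an added example, not Growbots code: `lint_spf` and the sample labels are hypothetical names, the misconfigured samples are constructed, and it inspects record text only without making DNS queries.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT records ([] means clean)."""
    spf = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # More than one v=spf1 record is a permanent error for receivers.
        return [f"{len(spf)} SPF records published; merge them into one"]
    terms = [t.lower() for t in spf[0][1:]]
    # Strip the qualifier (+ - ~ ?) and any argument to get the term name.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    problems = []
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; the limit is 10")
    if "all" not in names:
        if "redirect" not in names:
            problems.append("no 'all' term; unlisted senders get 'neutral'")
        return problems
    pos = names.index("all")
    if any("=" not in t for t in terms[pos + 1:]):
        problems.append("mechanisms after 'all' are never evaluated")
    if terms[pos] in ("all", "+all"):
        problems.append("'+all' authorizes every sender")
    elif terms[pos] == "?all":
        problems.append("'?all' is neutral; unlisted senders are not failed")
    return problems

# Records taken from this article, plus constructed misconfigurations.
SAMPLES = {
    "google": ["v=spf1 include:_spf.google.com ~all"],
    "microsoft": ["v=spf1 include:spf.protection.outlook.com -all"],
    "generic": ["v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all",
                "site-verification=constructed-token"],
    "both mailboxes": ["v=spf1 include:_spf.google.com ~all",
                       "v=spf1 include:spf.protection.outlook.com -all"],
    "no all": ["v=spf1 ip4:1.2.3.4 ip4:2.3.4.5"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label}: {lint_spf(records) or 'OK'}")
```

The “both mailboxes” case is the one to watch when a domain sends through two providers: the senders must be combined into a single record, for example one v=spf1 record carrying both include parts.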

DKIM:

Below, you'll find the guides to the most common email service providers (ESP):

For other providers (if no specific instructions were provided):

  1. Generate DKIM: there are third-party tools that you can use to generate the DKIM record, for example, Sparkpost. Recommended selector: “dkim”.

  2. Publish: You can do so by adding a TXT (or CNAME, for some providers) record with the generated DKIM to your DNS settings.

Example: If you use Gmail as mailbox provider and GoDaddy as DNS provider:

  1. Generate the domain key for your domain in Google Admin Console

  2. Publish the DKIM record in the Domain Control Center in GoDaddy:

  • Click the Add button in the Records section. You will see a form where you can enter the settings for your DKIM record.

  • Make sure the record type is TXT, Host is set to s1._domainkey where s1 is the DKIM selector, and Points to is set to the TXT record generated above.

  • Click the Save button. The record has been added!

Turn on DKIM signing to start adding a DKIM signature to all your outgoing messages in the Google Admin Console by clicking on “Start Authentication”.

How to check if it’s set up correctly?

Click here and insert your domain name and selector. If you see ‘pass’, it means that everything is set up correctly. Growbots will also notify you if there’s anything wrong with your DKIM.

Note: it's possible that you already have a DKIM record set up, but you're using a custom selector which our app does not detect. In that case the app will still show the notification about DKIM not being set up. If you're sure you have it set up, you can ignore this notification.

DMARC:

It’s based upon the results of SPF and/or DKIM, so at least one of those has to be in place for the email domain.

How to set it up?

Add a TXT record in your domain settings with the name “_dmarc” and the value “v=DMARC1; p=none; pct=90; sp=none”.

How to check if it’s set up correctly?

Click here and insert your domain name. If it shows “pass”, it means that everything is set up correctly.
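
To see what the DMARC record above tells receivers to do with mail that fails authentication, the tags can be read one by one. This is an added example, not part of the original article or Growbots' tooling: the function names are hypothetical, and the enforcing record with its report mailbox is constructed for comparison.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Split a DMARC TXT value into a {tag: value} dict, validating v= and p=."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def review_dmarc(record):
    """Summarise what a receiver does with mail that fails DMARC, plus gaps."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp= defaults to p=
    pct = int(tags.get("pct", 100))              # pct= defaults to 100
    notes = []
    if policy == "none":
        notes.append("p=none is monitoring only: failing mail is still delivered")
        if pct < 100:
            notes.append(f"pct={pct} has no effect while p=none")
    elif pct < 100:
        notes.append(f"{policy} is applied to only {pct}% of failing mail")
    if POLICIES.index(sub_policy) < POLICIES.index(policy):
        notes.append(f"sp={sub_policy} leaves subdomains weaker than the domain")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports will be received")
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct, "notes": notes}

# The record recommended in this article, and a constructed enforcing record
# (the report mailbox is a placeholder).
ARTICLE_RECORD = "v=DMARC1; p=none; pct=90; sp=none"
ENFORCING_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for rec in (ARTICLE_RECORD, ENFORCING_RECORD):
        print(rec, "->", review_dmarc(rec))
```

The article's record passes a syntax check but asks receivers to take no action on failing mail; adding a rua= address lets you collect reports while in that mode before moving to quarantine or reject.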
