DNS Setup for Email: SPF, DKIM, DMARC Explained
Last updated: February 2026 | 12 min read
Proper DNS configuration is the foundation of email deliverability. This guide explains each record type, provides examples, and shows you how to configure them correctly for Google Workspace and Microsoft 365.
DNS Records Overview
DNS (Domain Name System) records tell the internet how to handle your domain. For email, you need four types of records:
| Record | Purpose | Type |
|---|---|---|
| MX | Routes incoming email to your mail servers | MX |
| SPF | Authorizes servers that can send email for your domain | TXT |
| DKIM | Adds a digital signature to verify email authenticity | TXT |
| DMARC | Tells receivers what to do when authentication fails | TXT |
MX Records
MX (Mail Exchange) records tell other servers where to send email destined for your domain. They point to your email provider's mail servers.
Google Workspace MX Records
| Priority | Mail server |
|---|---|
| 1 | ASPMX.L.GOOGLE.COM |
| 5 | ALT1.ASPMX.L.GOOGLE.COM |
| 5 | ALT2.ASPMX.L.GOOGLE.COM |
| 10 | ALT3.ASPMX.L.GOOGLE.COM |
| 10 | ALT4.ASPMX.L.GOOGLE.COM |
Microsoft 365 MX Records
Priority 0: yourdomain-com.mail.protection.outlook.com
Note: Replace "yourdomain-com" with your domain name (hyphens instead of dots).
SPF Records
SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. Receiving servers check SPF to verify the sender.
SPF Syntax
SPF records are TXT records that start with "v=spf1" and include mechanisms:
| Mechanism | Meaning |
|---|---|
| include: | Include another domain's SPF |
| ip4: | Authorize specific IPv4 addresses |
| a: | Authorize the domain's A record IP |
| ~all | Soft fail for unauthorized senders |
| -all | Hard fail for unauthorized senders |
Google Workspace SPF
v=spf1 include:_spf.google.com ~all
Microsoft 365 SPF
v=spf1 include:spf.protection.outlook.com ~all
Warning: You can only have ONE SPF record per domain. If you need multiple includes, combine them in a single record:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
DKIM Records
DKIM (DomainKeys Identified Mail) adds a digital signature to your emails. The receiving server uses your public key (stored in DNS) to verify the signature.
DKIM Record Structure
DKIM records are TXT records at a specific subdomain: selector._domainkey.yourdomain.com
Google Workspace DKIM
Google uses the selector "google" by default. The record looks like:
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN... (generated in Google Admin)
Microsoft 365 DKIM
Microsoft uses CNAME records for DKIM:
selector1._domainkey CNAME selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey CNAME selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
DMARC Records
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers how to handle emails that fail SPF or DKIM checks.
DMARC Record Structure
DMARC records are TXT records at _dmarc.yourdomain.com
DMARC Tags
| Tag | Meaning |
|---|---|
| v=DMARC1 | Version (required) |
| p= | Policy: none, quarantine, or reject |
| rua= | Aggregate report email address |
| ruf= | Forensic report email address |
| pct= | Percentage of messages to apply policy to |
Recommended DMARC for Cold Email
Start with a monitoring policy, then move to enforcement:
# Start here (monitoring only)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
# After verifying setup works
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
# Full enforcement (advanced)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Verification and Testing
After configuring DNS records, verify them using our free tools:
DNS Propagation
DNS changes can take up to 48 hours to propagate globally, though most changes are visible within 15-30 minutes. During this time, results may be inconsistent depending on which DNS server you query.
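The one-SPF-record rule and the DMARC policy tags described above can be checked offline against TXT values copied from your DNS zone. The following is an added example, not code from this guide or any provider; the function names `spf_records`, `merge_spf` and `lint` are hypothetical, the sample records are constructed, and keeping the strictest "all" term when merging is an assumption.

```python
# Added example: hypothetical helper names, constructed sample records.
RANK = {"+all": 0, "all": 0, "?all": 1, "~all": 2, "-all": 3}  # weakest to strictest

def spf_records(txt_records):
    """Pick the SPF records out of every TXT record published at the domain."""
    return [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]

def merge_spf(txt_records):
    """Fold several SPF records into the single record a domain may publish."""
    mechanisms, final = [], None
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            if term.lower() in RANK:
                # Assumption: on conflict keep the strictest "all" term.
                if final is None or RANK[term.lower()] > RANK[final]:
                    final = term.lower()
            elif term not in mechanisms:
                mechanisms.append(term)
    return " ".join(["v=spf1", *mechanisms] + ([final] if final else []))

def lint(apex_txt, dmarc_txt):
    """Return findings for the TXT sets at the domain and at _dmarc.<domain>."""
    findings = []
    spf = spf_records(apex_txt)
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    elif spf[0].split()[-1].lower() not in ("~all", "-all"):
        findings.append("SPF: record does not end in ~all or -all")
    dmarc = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return findings + [f"DMARC: expected exactly 1 record, found {len(dmarc)}"]
    pairs = (part.partition("=") for part in dmarc[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if v}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '(missing)'} is not a valid policy")
    elif policy == "none":
        findings.append("DMARC: p=none is monitoring only, not enforcement")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address for aggregate reports")
    return findings

# Constructed sample: two SPF records published by mistake, DMARC still at p=none.
APEX_TXT = ["google-site-verification=PLACEHOLDER",
            "v=spf1 include:_spf.google.com ~all", "v=spf1 include:sendgrid.net ~all"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"]

if __name__ == "__main__":
    print(*lint(APEX_TXT, DMARC_TXT), "merged SPF: " + merge_spf(APEX_TXT), sep="\n")
```

Run on the sample, it reports the duplicate SPF records and the monitoring-only DMARC policy, and prints the combined SPF record that should replace the two separate ones.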