How to set up SPF, DKIM, and DMARC
January 30, 2025
TL;DR
Configure SPF, DKIM, and DMARC DNS records to prevent your emails from landing in spam. Add TXT records to your domain provider's DNS settings, one for each record type. These configurations, combined with lemwarm's warm-up process, will significantly improve your deliverability. Takes about 15–20 minutes.
Additionally, focus on email content optimization, recipient list hygiene, and proper sending practices to further improve deliverability.

Who Should Use This
  • New lemwarm users experiencing deliverability issues
  • Anyone whose emails are landing in spam
  • Users setting up email for the first time on a custom domain
  • Teams that haven't configured DNS records yet
💡 If you use Gmail (@gmail.com) or Outlook (@outlook.com) personal accounts: These are already configured. This guide is for custom domains (e.g., you@yourcompany.com).

Why This Matters
If your DNS records aren't configured correctly:
  • Your emails land in spam or get rejected entirely
  • Recipients' email providers don't trust your domain
  • Your deliverability tanks, undermining the work lemwarm is doing to build your sender reputation
Setting up SPF, DKIM, and DMARC:
  • ✅ Prevents emails from going to spam
  • ✅ Protects your domain from spoofing/phishing
  • ✅ Builds trust with Gmail, Outlook, and other providers
  • ✅ Maximizes the effectiveness of lemwarm's warm-up process
  • ✅ Improves open and reply rates

Key Concept: What Are DNS Records?
DNS (Domain Name System) records are settings that tell the internet how your domain works.
For email, DNS records tell providers like Gmail and Outlook:
  • Who is allowed to send emails from your domain (SPF)
  • Whether emails are actually from you (DKIM)
  • What to do if authentication fails (DMARC)
Without these, email providers assume your emails are spam — and lemwarm can't fully protect a domain that isn't properly authenticated.

The 3 Required DNS Records
You must set up SPF, DKIM, and DMARC for proper email deliverability.
1. SPF (Sender Policy Framework)
  • Tells email servers which services can send emails from your domain
  • Example: "Only Google Workspace can send emails from @yourcompany.com"
2. DKIM (DomainKeys Identified Mail)
  • Adds a digital signature to your emails to confirm they're from you
  • Prevents email tampering in transit
3. DMARC (Domain-based Message Authentication, Reporting & Conformance)
  • Tells email providers what to do if SPF or DKIM fail
  • Core recommendation: set DMARC to at least p=quarantine — never p=none
  • Options: quarantine (spam) or reject (block)

Set Up DNS Records at Your Provider
The steps below show you what records to create. If you need a walkthrough of where to add them in your specific domain provider, jump to the guide for your provider:

Step-by-Step: Set Up DNS Records
Step 1: Set up SPF
What SPF does: SPF tells email servers which services are allowed to send emails from your domain.
Example SPF record:
v=spf1 a mx include:_spf.yourprovider.com ~all
Replace _spf.yourprovider.com with your email provider:
  • Google Workspace: _spf.google.com
  • Outlook/Office 365: spf.protection.outlook.com
  • Zoho: zoho.com
How to add SPF:
  1. Log in to your domain provider (e.g., GoDaddy, Namecheap, Cloudflare)
  2. Go to DNS settings (usually under "DNS Management" or "Domain Settings")
  3. Add a new TXT record:
    • Name/Host: @ (or leave blank—represents your root domain)
    • Type: TXT
    • Value: Your full SPF string (e.g., v=spf1 include:_spf.google.com ~all)
    • TTL: 3600 (or use default)
  4. Save changes
  5. Verify: Use MXToolbox SPF Checker to confirm it's working
💡 Important: Only include your actual email provider. Do NOT include lemwarm. lemwarm doesn't send emails directly — your provider does.

Step 2: Set up DKIM
What DKIM does: DKIM adds a digital signature to your emails to confirm they were really sent by you.
How to add DKIM:
  1. Get your DKIM key from your email provider:
    • Google Workspace: Go to Admin Console → Apps → Gmail → Authenticate Email → Generate New Record
    • Outlook/Office 365: Go to Microsoft 365 Admin Center → Settings → Domains → Select domain → DNS Records
    • Zoho: Go to Zoho Mail Admin Console → Email Configuration → DKIM
  2. Copy the DKIM key (it's a long string of characters)
  3. Log in to your domain provider
  4. Go to DNS settings
  5. Add a new TXT record:
    • Name/Host: Usually default._domainkey (your provider will specify)
    • Type: TXT
    • Value: The DKIM key provided by your email provider
    • TTL: 3600 (or default)
  6. Save changes
  7. Verify: Use DKIM Core Checker to confirm
⚠ Note: DKIM keys are long. Make sure you copy the entire string without truncating it.

Step 3: Set up DMARC
Core recommendation: Always set DMARC to at least p=quarantine — never p=none.
What DMARC does: DMARC tells email providers what to do if SPF and/or DKIM fail.
Why never p=none:
  • Many people set DMARC to none just to comply with rules without understanding how DMARC actually works.
  • Many anti-spam systems treat p=none the same as having no DMARC at all — because telling a system "do nothing" is essentially the same as not having a policy.
Quarantine vs. Reject — what they do:
  • Quarantine = tells the receiving server: keep the message, re-analyze it later — maybe it will be fine after further checks.
  • Reject = tells the receiving server: reject the message during delivery, and the sender will decide what to do with it (often a bounce).
  • In both cases, the email does not reach the lead's inbox, so on paper there is no difference in score impact.
When to use p=reject:
  • Reject is appropriate only when you have a postmaster (or tooling) handling incoming DMARC reports.
  • When you set DMARC to reject, you also define an email address for incoming DMARC report requests (e.g., dmarc-policy@yourdomain.com).
  • Every time someone rejects an email based on the DMARC policy, a report is sent to that address.
  • These reports are very complex: they arrive in XML format inside archive files — complicated to use on their own without a postmaster tool.
  • If you don't want to manage/postmaster your DMARC reports, don't use reject — you'll be overwhelmed with report emails.
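The XML reports described above can be reduced to a per-sender summary with a short script. This is an added example, not lemwarm's or any provider's tooling: it assumes the standard aggregate-report layout (record/row elements carrying source_ip, count and policy_evaluated), the function names are hypothetical, and the sample report is constructed.

```python
import gzip, io, zipfile
import xml.etree.ElementTree as ET
from collections import Counter

MAX_XML = 10 * 1024 * 1024  # cap decompressed size: report attachments are untrusted input

def extract_xml(blob):
    """Return report XML from a .zip or .gz attachment (raw XML passes through)."""
    data = blob
    if blob[:2] == b"PK":                        # zip archive
        with zipfile.ZipFile(io.BytesIO(blob)) as z, z.open(z.infolist()[0]) as f:
            data = f.read(MAX_XML + 1)
    elif blob[:2] == b"\x1f\x8b":                # gzip stream
        data = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_XML + 1)
    if len(data) > MAX_XML:
        raise ValueError("report exceeds size cap")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("report contains a DTD; refusing to parse")
    return data

def summarize(blob):
    """Total message counts per (source_ip, dkim, spf, disposition)."""
    root = ET.fromstring(extract_xml(blob))
    for el in root.iter():                       # some reporters add an XML namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    totals = Counter()
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        if ev is not None:
            key = (row.findtext("source_ip"), ev.findtext("dkim"),
                   ev.findtext("spf"), ev.findtext("disposition"))
            totals[key] += int(row.findtext("count", "0"))
    return totals

def dmarc_failures(totals):
    """Message counts per source IP where neither DKIM nor SPF passed."""
    failed = Counter()
    for (ip, dkim, spf, _), n in totals.items():
        if dkim != "pass" and spf != "pass":
            failed[ip] += n
    return dict(failed)

# Constructed sample report (documentation IPs), gzip-compressed like a real attachment.
_ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
        "<disposition>{}</disposition><dkim>{}</dkim><spf>{}</spf></policy_evaluated></row></record>")
SAMPLE_GZ = gzip.compress(("<feedback>" + _ROW.format("192.0.2.10", 42, "none", "pass", "pass")
    + _ROW.format("198.51.100.7", 3, "quarantine", "fail", "fail") + "</feedback>").encode())

if __name__ == "__main__":
    print(dmarc_failures(summarize(SAMPLE_GZ)))
```

A source that shows up in the failure list is either a legitimate service missing from your SPF/DKIM setup or someone else sending as your domain.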
Example DMARC record (recommended baseline):
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
How to add DMARC:
  1. Log in to your domain provider
  2. Go to DNS settings
  3. Add a new TXT record:
    • Name/Host: _dmarc
    • Type: TXT
    • Value: Your DMARC rule (e.g., v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com)
    • TTL: 3600 (or default)
  4. Save changes
  5. Verify: Use DMARC Inspector
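The syntax rules from the SPF and DMARC steps can be checked offline before a value is pasted into the DNS provider. This is an added example, not part of lemwarm or any provider's tooling: the function names are hypothetical, and the 10-lookup limit comes from RFC 7208 rather than from this guide.

```python
import re

LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")  # each costs a DNS query

def lint_spf(txt):
    """Return problems found in one SPF TXT value; an empty list means clean."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["must start with v=spf1"]
    problems = []
    body = [t.lower() for t in terms[1:]]
    last = body[-1] if body else ""
    if last in ("all", "+all"):
        problems.append("bare all means +all: every sender is authorized")
    elif last not in ("~all", "-all"):
        problems.append("must end with ~all or -all")
    names = [re.split(r"[:=/]", t.lstrip("+-~?"))[0] for t in body]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; RFC 7208 allows 10")
    return problems

def lint_dmarc(txt):
    """Return problems found in one _dmarc TXT value; an empty list means clean."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or re.sub(r"\s", "", parts[0]) != "v=DMARC1":
        return ["must start with v=DMARC1;"]
    tags = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    problems = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        problems.append("p=none: this guide asks for at least p=quarantine")
    elif policy not in ("quarantine", "reject"):
        problems.append("p must be quarantine or reject")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("no rua=mailto: address for reports")
    for uri in uris:
        if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+\.[^@\s,!]+(![0-9]+[kmgt]?)?", uri, re.I):
            problems.append(f"bad rua URI: {uri}")
    return problems

if __name__ == "__main__":
    # First record is this guide's SPF example; the second is a constructed bad value.
    print(lint_spf("v=spf1 a mx include:_spf.yourprovider.com ~all"))
    print(lint_dmarc("v=DMARC1; p=none; rua=dmarc@yourdomain.com"))
```

These checks cover only the text of the record; whether it is published at the right name (@ for SPF, _dmarc for DMARC) still has to be confirmed with the online checkers.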

How You'll Know It Worked
✓ SPF, DKIM, and DMARC pass validation when checked with online tools (MXToolbox, DKIM Core, DMARC Inspector)
✓ Test emails land in inbox, not spam (send test emails to Gmail, Outlook, etc.)
✓ Email headers show authentication passed (check email source/headers for "PASS" status)
✓ Deliverability improves within 24–48 hours after DNS propagation
✓ lemwarm's warm-up results improve — a properly authenticated domain lets lemwarm build your sender reputation faster

Other DNS Records (Not Required for Email)
While not needed for deliverability, here's a quick overview:
A Record – Points your domain to a website IP address
AAAA Record – Same as A, but for IPv6
CNAME Record – Redirects one subdomain to another
NS Record – Shows who manages your DNS settings (auto-set by domain provider)
MX Record – Defines where incoming mail is delivered (needed to receive replies)

Troubleshooting
Issue: SPF validation fails
Root cause: Wrong SPF syntax or missing provider include.
Fix:
  • Verify you included your email provider's SPF record (e.g., include:_spf.google.com)
  • Ensure syntax starts with v=spf1 and ends with ~all or -all (a bare all is read as +all, which authorizes every sender)
  • Check for typos in the provider domain
Issue: DKIM validation fails
Root cause: DKIM key not added correctly or DNS hasn't propagated yet.
Fix:
  • Double-check the DKIM key was copied in full (no truncation)
  • Verify the Name/Host field matches what your provider specified (e.g., default._domainkey)
  • Wait 72 hours for DNS propagation
  • Use DKIM Core Checker to verify
Issue: DMARC validation fails
Root cause: DMARC record syntax error or wrong Name/Host field.
Fix:
  • Verify Name/Host is exactly _dmarc (not @ or blank)
  • Check DMARC syntax: must start with v=DMARC1;
  • Ensure you included a valid email for rua=mailto:...
  • Use DMARC Inspector to debug
Issue: DNS changes aren't taking effect
Root cause: DNS propagation takes time.
Fix:
  • Wait 24–72 hours for DNS records to propagate globally
  • Clear your DNS cache locally: ipconfig /flushdns (Windows) or sudo dscacheutil -flushcache (Mac)
  • Check propagation status with DNS Checker
Issue: Emails still going to spam after DNS setup
Root cause: DNS is only one factor. Other issues may include domain reputation, email content, or sending volume.
Fix:
  • Verify SPF, DKIM, DMARC all pass using online checkers
  • Run lemwarm continuously to maintain a spam-free sender score of 80+ and allow a proper warm-up period of 3–5 weeks for building credibility
  • Review email content for spam triggers (all caps, excessive links, misleading subject lines)
  • Keep your sending volume conservative, especially with new mailboxes. For optimal results, do not go over 40 emails/day for a new mailbox account (< 1 year). If you keep lemwarm running alongside your campaigns, you should generally be around 60–70 emails/day.
  • Use professional subject lines, limit spam-trigger words (e.g., "FREE"), and maintain simple email formatting
  • Regularly validate email lists to ensure they contain active, engaged recipients
  • Include an unsubscribe link to comply with GDPR/CAN-SPAM regulations, minimizing complaints

Common Questions
Q: Do I need to include lemwarm in my SPF record?
A: No. lemwarm doesn't send emails directly. Only include your actual email provider (Google, Outlook, Zoho, etc.) in your SPF record.
Q: How long does DNS propagation take?
A: Usually 1–24 hours, sometimes up to 72 hours. You can check the propagation status with DNS Checker.
Q: Can I use the same SPF/DKIM/DMARC for multiple email addresses?
A: Yes, if they're all on the same domain (e.g., john@company.com, sarah@company.com). These records apply to the entire domain.
Q: Do I need to set up DNS records before starting lemwarm?
A: Yes. DNS authentication is a prerequisite for effective warm-up. lemwarm works by building your sender reputation through real email interactions — but if SPF, DKIM, or DMARC are missing, those emails are far more likely to land in spam, which undermines the warm-up process.