Skip to content
FormReceipt

Email deliverability

Using SPF, DKIM, and DMARC together

A practical order of operations and checks when enabling authentication for outbound mail.

Published: 2026-05-01Last reviewed: 2026-05-01

Recommended order

  1. Fix SPF so legitimate sending IPs and includes are correct.
  2. Enable DKIM signing with your provider and publish the TXT records they supply.
  3. Publish DMARC in p=none while monitoring aggregate reports.
  4. Tighten policy once legitimate streams authenticate cleanly.

Documentation

Refer to your DNS host’s UI for TXT publishing—refer to Cloudflare DNS records as a generic example of creating TXT entries.

More in this category

DKIM signing explained

DomainKeys Identified Mail: cryptographic signatures, selectors, and DNS TXT publishing.

DMARC explained

DMARC builds on SPF and DKIM, adds alignment rules, and enables aggregate and forensic reporting.

Google Workspace: SPF and DKIM

High-level steps to publish Google’s SPF include and DKIM keys for your primary domain.

Microsoft 365: enable DKIM

Enable DKIM for Microsoft 365 custom domains and publish CNAME records as instructed.

← Email deliverabilityKnowledge base home← Back to home

Cookie choices

We use a required session cookie for login and optional analytics cookies for marketing pages. Read cookie policy