Nobody likes spam, and as a professional, the last thing you want is for your legitimate emails to end up in your client's junk folder. To prevent this, you need to prove to the internet that you are who you say you are.
This is done using two "digital ID cards" called SPF and DKIM. While they sound technical, they are simply entries you add to your domain settings to protect your reputation.
This guide explains what these records do and how to set them up to keep your emails safe and professional.
SPF (Sender Policy Framework) works like a bouncer at a club with a guest list. It tells the world which computers or services (like Google Workspace, Microsoft 365, or Mailchimp) are authorized to send email on behalf of your business domain.
When you send an email, the receiver's mail server checks this "guest list" (your SPF record). If the email comes from an approved server, it gets in. If it comes from an unlisted server, it might be marked as spam or rejected.
1. Identify Your Senders: Make a list of every service you use to send email, such as your main email provider and any marketing tools.
2. Create the Record: An SPF record is a single line of text that lists these services. For example, if you use Google, your record might look like v=spf1 include:_spf.google.com ~all.
3. Publish to DNS: You add this text to your domain’s DNS settings as a "TXT record".
A domain can only have one SPF record. If you have multiple services, you must combine them into a single line (e.g., include:google.com include:mailchimp.com) rather than creating separate records.
DKIM (DomainKeys Identified Mail) acts like a digital wax seal on an envelope. It adds a hidden digital signature to your emails that proves the message was truly sent by you and hasn't been tampered with during its journey to the recipient.
While SPF approves the delivery truck (the server), DKIM verifies the package (the message itself).
1. Get the Key: Log in to your email provider's admin panel (like Google Admin or Microsoft 365). They will generate a "public key" for you.
2. Publish to DNS: Copy this key and add it to your domain's DNS settings as a TXT record. Your provider will tell you exactly what to name it (this name is called a "selector").
3. Turn It On: Once the record is saved, go back to your email provider's settings and click the button to "Start Authenticating" or "Enable DKIM".
It is good practice to rotate your DKIM keys (generate new ones) periodically, such as once a year, to keep your security fresh.
Without these two records, bad actors can easily pretend to be you (spoofing). If they send spam using your domain name, your reputation takes a hit, and eventually, even your real emails will get blocked.
By setting up SPF and DKIM, you tell email providers like Gmail and Outlook that you are a responsible sender. This significantly improves your deliverability, ensuring your emails actually reach the inbox.
SPF has a technical limit of 10 lookups. This means you cannot include too many different vendors in your "guest list." If you exceed this limit, your SPF will break, and emails may be rejected.
DNS (Domain Name System) The settings panel where you manage your domain name. This is where you save your SPF and DKIM records.
TXT Record A type of DNS entry that allows you to store text information (like your SPF list or DKIM key) for the internet to read.
Selector A unique name given to your DKIM record so the receiver knows where to look for your digital key (e.g., "google._domainkey").
Propagation The time it takes (usually up to 48 hours) for your new settings to update across the internet.
Configuring SPF and DKIM is essential for any business. SPF creates an authorized "guest list" of senders, while DKIM adds a "wax seal" to prove authenticity.
Together, they prevent criminals from impersonating your brand and help ensure your legitimate emails stay out of the spam folder.
Once these are active, you are ready for the final layer of protection: DMARC.
Professional email creates separation between work and noise.