// setup guides · DNS

Publish SPF, DKIM & DMARC — on your provider.

Concrete, correct walkthroughs for adding the three records that get your mail authenticated, on the DNS host your domain actually lives on. Each guide uses the same safe rollout: publish the records, start DMARC at p=none, read the reports, then tighten to quarantine and reject.

New to the standards themselves? Start with the email authentication reference — what SPF, DKIM, DMARC, ARC, MTA-STS, DANE, and BIMI each do — then come back here to set them up.

Pick your DNS provider.

On a different host? The steps translate closely — every provider adds the same three TXT records (SPF at the root, DKIM at a selector, DMARC at _dmarc). Use whichever guide is closest and match the field names in your provider's DNS editor.

The order, at a glance.

  1. 1. Publish SPFOne TXT record listing every service that sends for your domain. Confirm there is exactly one SPF record.
  2. 2. Turn on DKIMPublish the public-key record for your sending service's selector so every message is signed.
  3. 3. Start DMARC at p=nonePublish _dmarc with p=none and an rua address, then read the aggregate reports to find every legitimate sender.
  4. 4. Move DMARC to quarantine, then rejectOnce your real mail all aligns on SPF or DKIM, tighten the policy in stages. Don't jump straight to reject.
  5. 5. Consider ARC, MTA-STS/DANE, then BIMIARC helps forwarded mail keep its earned trust; MTA-STS or DANE harden the transport; BIMI shows your logo once DMARC is enforcing.
radmail@inbox:~$ radmail deliverability --setup