Publish SPF, DKIM & DMARC — on your provider.
Concrete, correct walkthroughs for adding the three records that get your mail authenticated, on the DNS host your domain actually lives on. Each guide uses the same safe rollout: publish the records, start DMARC at p=none, read the reports, then tighten to quarantine and reject.
New to the standards themselves? Start with the email authentication reference — what SPF, DKIM, DMARC, ARC, MTA-STS, DANE, and BIMI each do — then come back here to set them up.
Pick your DNS provider.
Cloudflare
Set up SPF, DKIM, and DMARC for a domain whose DNS is managed in Cloudflare.
Sign in at dash.cloudflare.com, pick your domain, and open the DNS → Records tab. All three records are added here with the 'Add record' button.
GoDaddy
Set up SPF, DKIM, and DMARC for a domain whose DNS is managed in GoDaddy.
Sign in at godaddy.com, open your Products, find the domain, and choose DNS → Manage DNS (or 'Manage Zones'). Records are added with the 'Add' / 'Add New Record' button.
On a different host? The steps translate closely — every provider adds the same three TXT records (SPF at the root, DKIM at a selector, DMARC at _dmarc). Use whichever guide is closest and match the field names in your provider's DNS editor.
The order, at a glance.
- 1. Publish SPF — One TXT record listing every service that sends for your domain. Confirm there is exactly one SPF record.
- 2. Turn on DKIM — Publish the public-key record for your sending service's selector so every message is signed.
- 3. Start DMARC at p=none — Publish _dmarc with p=none and an rua address, then read the aggregate reports to find every legitimate sender.
- 4. Move DMARC to quarantine, then reject — Once your real mail all aligns on SPF or DKIM, tighten the policy in stages. Don't jump straight to reject.
- 5. Consider ARC, MTA-STS/DANE, then BIMI — ARC helps forwarded mail keep its earned trust; MTA-STS or DANE harden the transport; BIMI shows your logo once DMARC is enforcing.