# How to Use Email Authentication to Prevent Spoofing
In the digital age, your business’s reputation is your most valuable asset. If cybercriminals spoof your email address to send scams to your customers, it doesn't just damage your brand—it destroys the trust you’ve worked hard to build with your Brisbane community. Email authentication acts like a digital wax seal, proving to your recipient's inbox that the email really came from you and not a malicious impersonator.
Setting up these protocols is no longer optional. As of 2024, major providers like Google and Yahoo require proper authentication for anyone sending bulk mail. This guide will walk you through securing your domain to ensure your marketing reaches the inbox and keeps the scammers out.
Prerequisites: What You’ll Need
Before we dive in, ensure you have the following ready:
- Domain Registrar Access: You need the login details for where your domain is hosted (e.g., VentraIP, GoDaddy, or Crazy Domains).
- Email Service Provider (ESP) Details: Access to your email platform (e.g., Google Workspace, Microsoft 365, Mailchimp, or ActiveCampaign).
- A list of your sending tools: Any software that sends email on your behalf (invoicing software like Xero, CRM, etc.).
---
Step 1: Understand the Three Pillars of Authentication
Before touching any settings, you need to know what you are installing. Think of them as three layers of security:
- SPF (Sender Policy Framework): A list of IP addresses authorised to send mail for your domain.
- DKIM (DomainKeys Identified Mail): A digital signature that ensures the email content hasn't been tampered with.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Instructions for the receiving server on what to do if SPF or DKIM fails.
Step 2: Audit Your Sending Sources
Make a list of every service that sends email using your @yourbusiness.com.au address. Common ones for Australian SMEs include:
- Google Workspace or Outlook
- Xero or MYOB for invoicing
- Mailchimp for newsletters
- Your website's contact forms
Step 3: Access Your DNS Management Console
Log in to your domain registrar. Look for a section labelled "DNS Management," "Name Server Management," or "Advanced DNS."
Screenshot Description: You should see a table with columns like Type (A, MX, TXT, CNAME), Host/Name, and Value/Points To.
Step 4: Create or Update Your SPF Record
Check if you already have a TXT record starting with v=spf1. You should only ever have one SPF record. If you have one, you will edit it. If not, create a new TXT record.
- Host/Name: @ (or leave blank depending on the registrar)
- Value: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Step 5: Generate Your DKIM Keys
Go to the admin settings of your primary email provider (e.g., Google Workspace Admin Console). Search for "DKIM setup."
- Click "Generate new record."
- Select the prefix (usually 'google' or 'selector1').
- Copy the long string of text provided.
Step 6: Add the DKIM Record to Your DNS
Go back to your DNS settings and add a new TXT record.
- Host/Name: google._domainkey (or whatever your provider gave you)
- Value: Paste the long string of code from Step 5.
Step 7: Verify DKIM within your Email Provider
Return to your Email Provider’s admin panel and click "Start Authentication" or "Verify." It may take up to 48 hours for the internet to "see" this change, but in Australia, it often updates within the hour.
Step 8: Prepare Your DMARC Policy
Now we tell the world what to do if an email fails the tests above. For beginners, we start with a "Monitoring" policy. This doesn't block anything yet; it just sends you reports.
Step 9: Add the DMARC Record
In your DNS settings, create a final TXT record:
- Host/Name: _dmarc
- Value: v=DMARC1; p=none; rua=mailto:admin@yourbusiness.com.au
p=none tells servers: "If it fails, let it through anyway, but tell me about it."
Step 10: Monitor Your Reports
You will start receiving XML files via email. These are hard to read. Use a free tool like Postmark’s DMARC Monitor to visualise who is sending mail as you. If you see your own services (like Xero) failing, you need to fix their SPF/DKIM settings.
Step 11: Move to a "Quarantine" Policy
Once you are confident that all your legitimate emails are passing authentication (usually after 4-8 weeks of monitoring), update your DMARC record to:
v=DMARC1; p=quarantine;
This moves failing emails (spoofers) into the recipient's Spam folder.
Step 12: Reach "Reject" Status
The gold standard. Update your record to p=reject. This completely blocks any unauthorised email from being delivered, effectively ending spoofing of your domain.
---
Pro Tips for Australian Business Owners
- Mind the SPF Include Limit: If you have too many "includes" in your SPF (more than 10), it will break. If you use many tools, look into SPF flattening services.
- Check Your ABN/Contact Details: Ensure your domain registration details are up to date. Occasionally, DNS changes can be flagged if ownership is in question.
- Use a Dedicated Subdomain: For high-volume marketing, consider sending from news.yourbusiness.com.au to protect your primary domain's reputation.
Common Mistakes to Avoid
- Multiple SPF Records: This is the #1 mistake. If you have two SPF TXT records, they will both be ignored by receiving servers. Always merge them into one.
- Typos in DNS: A single missing semicolon in a DMARC record can invalidate the whole thing.
- Forgetting the Underscore: DMARC and DKIM records require underscores (_dmarc, _domainkey). Don't leave them out!
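The mistakes listed above, and the include limit from the Pro Tips, can be checked mechanically before you save a DNS change. This Python linter is an added example, not part of the original guide; the `zone` dictionary shape and the function names are assumptions made for illustration, and the records are constructed from the values used in this guide.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookups(record):
    """Count top-level SPF terms that trigger a DNS lookup (the limit is 10).
    Lookups made inside each include also count, so the real total can be higher."""
    count = 0
    for term in record.split()[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"))[0].lower()
        count += name in LOOKUP_TERMS
    return count

def lint(zone, domain):
    """zone maps a full host name to its list of TXT strings (hypothetical input shape)."""
    findings = []
    spf = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected one SPF record, found {len(spf)}")
    elif spf_lookups(spf[0]) > 10:
        findings.append("SPF record exceeds 10 DNS lookups")
    dmarc = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"expected one DMARC record at _dmarc, found {len(dmarc)}")
        return findings
    tags = {}
    for part in filter(None, (p.strip() for p in dmarc[0].split(";"))):
        key, _, value = part.partition("=")
        # Heuristic: a second "tag=" inside one value means a semicolon was dropped.
        if re.search(r"\s[a-z]+=", value):
            findings.append(f"missing semicolon in '{part}'")
        tags[key.strip()] = value.split()[0] if value.split() else ""
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        findings.append("DMARC p= must be none, quarantine or reject")
    return findings

# Constructed records: GOOD mirrors this guide's values, BAD contains two listed mistakes.
GOOD = {
    "yourbusiness.com.au": ["v=spf1 include:_spf.google.com include:servers.mcsv.net ~all"],
    "_dmarc.yourbusiness.com.au": ["v=DMARC1; p=none; rua=mailto:admin@yourbusiness.com.au"],
}
BAD = {
    "yourbusiness.com.au": ["v=spf1 include:_spf.google.com ~all",
                            "v=spf1 include:servers.mcsv.net ~all"],
    "_dmarc.yourbusiness.com.au": ["v=DMARC1; p=none rua=mailto:admin@yourbusiness.com.au"],
}

if __name__ == "__main__":
    for label, zone in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(zone, "yourbusiness.com.au") or "no findings")
```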
Troubleshooting
- "Changes aren't showing up": DNS propagation can take time. Use a tool like mxtoolbox.com to check if your new records are live.
- "My emails are going to spam after setup": This usually means your SPF record is missing a service you use (like a CRM). Check your DMARC reports to identify the missing source.
- "I can't find TXT records": Some older Australian registrars have limited interfaces. You may need to email their support desk to add these records for you.
Next Steps
Securing your domain is a massive step in professionalising your local marketing. Now that your emails are authenticated, you can focus on growing your list and crafting content that converts.
If you find the technical side of DNS records a bit daunting, or you’re worried about accidentally taking your email offline, we can help. Contact the team at Local Marketing Group for a technical audit of your email setup at https://lmgroup.au/contact.