Calling Brisbane home since 2016 Get in Touch
Company Home About Pricing Case Studies Blog Guides Contact
AI Consulting
Company
HomeAboutPricingCase StudiesBlogGuidesContact
Get in Touch
Back to Guides
Email Marketing intermediate 45-60 minutes

How to Set Up SPF, DKIM, and DMARC for Email Deliverability

Learn how to configure technical email settings to prevent your messages from hitting the spam folder and protect your brand's reputation.

Sarah 28 January 2026

# How to Set Up SPF, DKIM, and DMARC for Maximum Deliverability

In the world of Australian business, your reputation is everything. If your emails are landing in your customers' spam folders—or worse, being used by scammers to spoof your identity—your brand's credibility takes a massive hit. Setting up SPF, DKIM, and DMARC is the digital equivalent of putting a registered seal on your envelopes, proving to mail servers like Gmail and Outlook that you are exactly who you say you are.

By the end of this guide, you will have implemented the three pillars of email authentication, ensuring your newsletters, invoices, and quotes actually reach your clients' inboxes.

---

Prerequisites: What You’ll Need Before Starting

Before we dive in, ensure you have the following ready:
  • Access to your Domain Registrar: You need the login details for where your website domain is hosted (e.g., GoDaddy, VentraIP, Crazy Domains, or Cloudflare).
  • Access to your Email Service Provider (ESP): This is where you send emails from, such as Google Workspace (Gmail), Microsoft 365, or an email marketing tool like Mailchimp or Klaviyo.
  • A list of your sending tools: Take note of every service that sends emails on your behalf (your CRM, accounting software like Xero, or your website’s contact forms).

---

Step 1: Identify Your DNS Management Area

Log in to your domain registrar. You are looking for a section labelled "DNS Management," "Name Server Management," or "Advanced DNS Settings." What you should see: A table containing columns like "Type," "Host/Name," "Value/Points To," and "TTL." This is the "phone book" for your domain, and this is where we will be adding our records.

Step 2: Understand and Create Your SPF Record

SPF (Sender Policy Framework) is a text record that lists all the IP addresses and services authorised to send email on your domain's behalf. The Rule: You can only have one SPF record per domain. If you have multiple, they will all fail.
  • If you use Google Workspace: Your value is usually v=spf1 include:_spf.google.com ~all
  • If you use Microsoft 365: Your value is usually v=spf1 include:spf.protection.outlook.com -all

If you use both an email provider and a tool like Xero, you combine them: v=spf1 include:_spf.google.com include:xero.com ~all

Step 3: Add the SPF Record to Your DNS

In your DNS settings, click "Add New Record."
  • Type: TXT
  • Host/Name: @ (or leave blank, depending on your provider)
  • Value: [Paste your SPF string from Step 2]
  • TTL: 3600 or Default

Step 4: Generate Your DKIM Keys

DKIM (DomainKeys Identified Mail) adds a digital signature to your emails. Unlike SPF, you can have multiple DKIM records (one for each service you use).
  • For Google Workspace: Go to the Admin Console > Apps > Google Workspace > Gmail > Authenticate Email. Click "Generate new record."
  • For Microsoft 365: Go to the Microsoft 365 Defender portal > Policies & rules > Threat policies > DKIM.
What you should see: A long string of random characters and a "selector" (often something like google or selector1).

Step 5: Add the DKIM Record to Your DNS

Go back to your DNS Management area and add another record:
  • Type: TXT
  • Host/Name: [The selector provided].__domainkey
  • Value: [The long string of characters provided]

Pro Tip: If your registrar doesn't allow long strings, you may need to contact their support, though most modern Australian registrars handle DKIM strings easily.

Step 6: Activate DKIM Signing

Crucially, once the DNS record is saved, you must go back to your Email Provider (Google or Microsoft) and click "Start Authentication" or "Enable." It may take 20 minutes for the provider to "see" the DNS change you just made.

Step 7: Create Your DMARC Record

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do if SPF or DKIM fails.

For beginners, we start with a "Monitoring" policy. This ensures you don't accidentally block your own emails while you're setting things up.

The recommended starter record: v=DMARC1; p=none; rua=mailto:yourname@yourdomain.com.au
  • p=none means "just monitor, don't block anything yet."
  • rua is where the reports will be sent.

Step 8: Add the DMARC Record to Your DNS

  • Type: TXT
  • Host/Name: _dmarc
  • Value: v=DMARC1; p=none; rua=mailto:yourname@yourdomain.com.au

Step 9: Verify Your Setup

You can't just set and forget. Use a free tool like MXToolbox or DMARC Advisor to verify your records. Enter your domain name, and the tool will show green ticks if your SPF, DKIM, and DMARC are correctly formatted and visible to the world.

---

Common Mistakes to Avoid

  • Multiple SPF Records: Never have two TXT records starting with v=spf1. Merge them into one.
  • Typos: DNS records are extremely sensitive. A missing semicolon or a space in the wrong place will break your email.
  • The "p=reject" Trap: Do not set your DMARC policy to p=reject immediately. If you've forgotten to authorise a service (like your website's contact form), your emails will be deleted before they reach the recipient.

Troubleshooting

  • "Record not found": DNS changes can take up to 48 hours to propagate globally, though in Australia, it usually takes about 1-2 hours. Be patient.
  • "SPF PermError": This usually means you have more than 10 "lookups" in your SPF record. If you use too many third-party tools, you may need to use a "Subdomain" for your marketing emails (e.g., news.yourbusiness.com.au).
  • Emails still going to spam: Authentication is only half the battle. Check your email content for "spammy" keywords or overly large images, and ensure you aren't sending to unverified lists.

---

Next Steps

  • Monitor your DMARC reports: You will start receiving XML files in your inbox. These are hard to read, so use a service like Postmark's free DMARC monitor to visualise them.
  • Move to enforcement: Once you are confident all your legitimate mail is passing (usually after 4-8 weeks), change your DMARC record from p=none to p=quarantine (sends failures to spam) and eventually p=reject (blocks failures entirely).

If this feels a bit too technical or you're worried about breaking your business communications, the team at Local Marketing Group can handle the technical heavy lifting for you. Feel free to reach out to us at https://lmgroup.au/contact for a domain health check.

Email MarketingDNSCyber SecurityDeliverability

Related Guides

intermediate 45-60 minutes

How to Calculate True Email ROI & Deliverability Costs

Read Guide
intermediate 30-45 minutes

How to Test Email Rendering Across Clients and Devices

Read Guide
intermediate 45-60 minutes

How to Build an Email Preference Centre to Stop Unsubscribes

Read Guide

Need Help With This?

Our team can help you implement this and more. Book a free consultation.

Book Free Consultation