What is DKIM/SPF/DMARC and how to set it?
Written by Jan Moravec
Updated over a week ago

DKIM, SPF and DMARC are email authentication methods that increase the deliverability of your emails and decrease the chance that they end up in spam. Gmail is currently tightening its security, which may frequently cause legitimate emails to be misclassified and hurt their deliverability. Setting up these authentication methods correctly will definitely help. Even if you are not experiencing any issues right now, we recommend going through these processes to prevent future problems.

More information about spam besides these tools can be found here

You can learn how to check the status of these tools on your domains in SignatureSatori here.


The recommended first step in tackling this task is setting up SPF (Sender Policy Framework). A shortened version of the setup process is below. The complete procedure, with all the details necessary even for uncommon cases, can be found here:

Step 1: Create your SPF record

If you use exclusively G Suite to send your emails, your SPF will be

v=spf1 include:_spf.google.com ~all

If any of these points apply to your situation:

  • You send mail from other servers, in addition to G Suite.

  • You use a third-party mail provider.

  • Your website uses a service that generates automatic emails, for example a "Contact us" form.

please consult this Google Support article that will guide you before you return for the next step.

Step 2: Enable SPF for your domain

  • Have the text line you obtained in the previous step ready.

  • Sign in to the management console for your domain host (your domain settings, available on the site of the company where you registered your website). You can look up your domain host at

  • Locate the page with DNS TXT records and add a new record like this:

Now save your progress and you're done. It may take a couple hours before SPF "kicks in".

If you use multiple domains, you will need to repeat the process for each of them.

Another specialized tool that can be used to complete the processes is

If you have outsourced the management of your domain, please share your request and this article with your contact person. They should be able to complete the process for you.
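A quick offline sanity check for the SPF value from Step 1 before you paste it into DNS. This is an added example, not part of the original article or of SignatureSatori; the function name audit_spf and the sample records are constructed here, and include:_spf.google.com is Google's published SPF include for its mail servers.

```python
import re

# Terms that each cost the receiver one DNS query (RFC 7208 allows 10 in total).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms that can actually authorize a sending host.
AUTHORIZING = LOOKUP_TERMS | {"ip4", "ip6"}


def audit_spf(record):
    """Return a list of problems found in an SPF TXT record value."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: value must start with v=spf1"]
    problems, names, all_qualifier = [], [], None
    for position, term in enumerate(terms[1:], start=1):
        match = re.match(r"([+\-~?]?)([a-z][a-z0-9]*)", term.lower())
        if not match:
            problems.append(f"unparseable term: {term}")
            continue
        # A missing qualifier means "+" (pass).
        qualifier, name = match.group(1) or "+", match.group(2)
        names.append(name)
        if name == "all":
            all_qualifier = qualifier
            if position != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
    if not AUTHORIZING.intersection(names):
        problems.append("no term authorizes any sender")
    if all_qualifier == "+":
        problems.append("'+all' lets any host on the internet pass SPF")
    elif all_qualifier is None and "redirect" not in names:
        problems.append("no 'all' or redirect: unlisted senders get a neutral result")
    # Counts only this record's own terms; nested includes add further lookups.
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; more than 10 causes a permerror")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real domain.
    for sample in ("v=spf1 include:_spf.google.com ~all",
                   "v=spf1 ~all",
                   "v=spf1 include:_spf.google.com +all"):
        print(sample, "->", audit_spf(sample) or "ok")
```

An empty list means the record is structurally sound; it does not confirm that every server you send from is listed.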


The next step is DKIM (DomainKeys Identified Mail). The process is described here:

Step 1: Generate the domain key for your domain

  • From the Admin console Home page, go to Apps and then G Suite and then Gmail.

  • Click Authenticate email.

  • Your primary domain is selected by default.

  • Click Generate new record and you’ll see these options: Select DKIM key bit length — If your domain host supports 2048-bit keys, we recommend using them as they’re more secure. If you previously used a 1024-bit key, there's no impact when you switch to a 2048-bit key. (You can learn the supported key size from your domain host.)

  • If your domain host doesn't support 2048-bit keys, change the key length to 1024.

  • Prefix selector—Domain keys include a text string called the prefix selector which you can modify when you generate the key. The default prefix selector for the Gmail domain key is google. Change the prefix only if your domain already uses a DKIM key with the prefix selector google.

  • Click Generate.

If you have multiple domains, you will have to generate the record for each of them.

Step 2: Add the public key to your domain's DNS records. Email servers can use this key to verify your messages' DKIM signatures.

  • Sign in to the management console for your domain host.

  • Locate the page where you update DNS records.

  • Add a TXT record:

  • In the first field, enter the text displayed in the Admin console under DNS Host name (TXT record name).

  • In the second field, enter the text string displayed in the Admin console under TXT record value.

  • Save your changes.

Note: Your domain provider may limit the length of TXT records. You can learn details about such a situation here.

Step 3: Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.

  • From the Admin console Home page, go to Apps and then G Suite and then Gmail.

  • Click Authenticate email.

  • Select the domain where you want to start email signing. The page shows the status of email signing for the selected domain.

  • Click Start authentication.


The final step is setting up DMARC (Domain-based Message Authentication, Reporting, and Conformance) as described here:

To turn on DMARC, update your domain settings with a DNS TXT record.

About TXT records

A TXT record is a DNS record that contains text information used by sources outside of your domain. You will need to update it at your domain host.
