Email authentication isn't optional anymore. With inbox providers tightening security in 2026, missing SPF, DKIM, or DMARC records can land your campaigns in spam folders—or worse, get them rejected entirely.
This comprehensive setup guide walks you through implementing all three protocols step-by-step, ensuring your emails reach inboxes reliably while protecting your brand from impersonation attacks.
Understanding Email Authentication Protocols
Before diving into setup, let's clarify what each protocol does and why you need all three working together.
SPF (Sender Policy Framework)
SPF tells receiving servers which IP addresses can send emails from your domain. Think of it as a guest list for your domain's email sending.
- Prevents basic email spoofing
- Required by major inbox providers
- Easy to implement via DNS TXT record
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails using cryptographic keys. Recipients can verify the signature against your DNS records to confirm authenticity.
DKIM signatures remain valid even when emails are forwarded, making them more reliable than SPF alone.
DMARC (Domain-based Message Authentication)
DMARC is the policy layer that tells receiving servers what to do when a message fails authentication, meaning neither SPF nor DKIM passes in alignment with the From domain. It also provides valuable reporting on authentication results.
Step-by-Step SPF Setup Guide
Setting up SPF involves creating a DNS TXT record that lists authorized sending sources for your domain.
Creating Your SPF Record
Basic SPF record structure:
v=spf1 [mechanisms] [qualifier]
For Klaviyo users, your SPF record should include:
- Klaviyo's servers: include:_spf.klaviyo.com
- Your web host: Check with your hosting provider
- Any other email services: Google Workspace, Office 365, etc.
- Fail directive: ~all (soft fail) or -all (hard fail)
Example SPF record for Klaviyo + Google Workspace:
v=spf1 include:_spf.klaviyo.com include:_spf.google.com ~all
Adding SPF to Your DNS
- Log into your domain registrar or DNS provider
- Navigate to DNS management
- Add a new TXT record with these settings:
  - Name/Host: @ (root domain) or leave blank
  - Value: Your complete SPF record
  - TTL: 3600 (1 hour)
- Save and wait for propagation (up to 48 hours)
Complete DKIM and DMARC Implementation
DKIM Setup Process
DKIM setup varies by email service provider. For Klaviyo users:
- Navigate to your deliverability monitoring tools in OptiSend
- Generate DKIM keys in Klaviyo's account settings
- Add the provided CNAME records to your DNS
- Verify the setup in Klaviyo
The DKIM records typically look like:
klaviyo._domainkey.yourdomain.com CNAME klaviyo.yourdomain.com.dkim.klaviyo.com
DMARC Policy Configuration
Start with a monitoring-only DMARC policy to avoid disrupting legitimate emails:
| Policy | Action | Recommended For |
|---|---|---|
| p=none | Monitor only | Initial setup |
| p=quarantine | Send to spam | After analysis |
| p=reject | Block completely | Full protection |
Basic DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; sp=none; adkim=r; aspf=r;
Testing Your Setup
After implementing all three protocols:
- Use online tools: MXToolbox, DMARCian, or mail-tester.com
- Send test emails to different providers (Gmail, Outlook, Yahoo)
- Check authentication headers in received messages
- Monitor your OptiSend campaign dashboard for deliverability improvements
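The record values can also be linted offline before they are published. The Python sketch below is an added example, not code from this guide, Klaviyo or OptiSend. It checks the guide's sample SPF and DMARC values for three common failures: more than one v=spf1 record at the same name, more than the ten DNS-lookup terms RFC 7208 allows, and a DMARC policy still at p=none. The function names and the duplicate-record sample are constructed for illustration.

```python
# Added example: offline lint for the SPF and DMARC TXT values in this guide.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def term_name(term):
    """Mechanism or modifier name without qualifier, ':domain', '=domain' or '/cidr'."""
    return term.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0].lower()

def lint_spf(txt_values):
    """Check every TXT value published at the root name; return a list of findings."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero records: no SPF; two or more: receivers return permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    names, findings = [term_name(t) for t in terms], []
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > 10:  # RFC 7208 limit; exceeding it also yields permerror
        findings.append(f"{lookups} DNS-lookup terms, limit is 10")
    if "redirect" not in names and (not terms or terms[-1].lower() not in ("~all", "-all")):
        findings.append("record should end in ~all or -all")
    return findings

def parse_dmarc(record):
    """Split a DMARC value into a dict of tag -> value."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def lint_dmarc(record):
    """Return findings for one _dmarc TXT value."""
    tags, findings = parse_dmarc(record), []
    if not record.strip().startswith("v=DMARC1"):
        findings.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        findings.append("p=none is monitor only; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

GUIDE_SPF = "v=spf1 include:_spf.klaviyo.com include:_spf.google.com ~all"
GUIDE_DMARC = ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; "
               "ruf=mailto:dmarc@yourdomain.com; sp=none; adkim=r; aspf=r;")
# Constructed failure: a second SPF record added beside an existing one.
DUPLICATE_SPF = [GUIDE_SPF, "v=spf1 include:_spf.google.com ~all"]

if __name__ == "__main__":
    print("SPF:", lint_spf([GUIDE_SPF, "google-site-verification=constructed"]))
    print("duplicate SPF:", lint_spf(DUPLICATE_SPF))
    print("DMARC:", lint_dmarc(GUIDE_DMARC))
```

Pass `lint_spf` every TXT value at the root name, not just the new one, so that an SPF record left over from an earlier provider is caught.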
Proper email authentication can improve deliverability rates by 10-15% and significantly reduce the risk of domain spoofing attacks.