DNS configurations
Before launching your email marketing, it is essential to set basic configurations (SPF, DKIM, DMARC) to ensure messages reach recipients' inboxes and do not end up in the SPAM folder.
- DNS (Domain Name System) is the system that translates website domain names into numerical IP addresses.
- SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — critical DNS records that authenticate your emails. Without them your emails may be blocked entirely or routed to Spam folders.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) defines how email providers should handle suspicious messages.
SPF Configuration
SPF is a DNS record that lists IP addresses authorized to send emails on behalf of a specific domain. This technology verifies the authenticity of the sender’s domain (from-domain). To enable SPF, a special TXT record should be added to the sender’s domain, defining which hosts are allowed to send messages.
In addition to listing IP addresses, the include directive can be used to inherit rules from another domain. This is particularly useful when multiple domains share the same email sending infrastructure, or when sender IP addresses change periodically.
It is recommended to include records for different protocol versions. In the example below, the configuration allows hosts from the domain spf.example.com and the IP address A.B.C.D. The ip4 directive can be used to specify both individual IP addresses and entire subnets.
| Domain | Record Type | Content |
| example.com | TXT | v=spf1 ip4:A.B.C.D include:spf.example.com -all |
| example.com | TXT | spf2.0/pra ip4:A.B.C.D. include:spf.example.com -all |
| example.com | SPF | spf2.0/pra ip4:A.B.C.D. include:spf.example.com -all |
Where:
- v=spf1 — SPF version;
- include:spf.example.com — authorizes emails sent via the specified domain (spf.example.com);
- –all — blocks all senders not listed above. Other possible prefixes:
- + — accepts messages;
- ~ — accepts but marks as suspicious;
- ? — neutral prefix, does not explicitly allow or block the IP address.
To generate the record promptly and accurately, you can use a special SPF record generator.
DKIM Configuration
DKIM is a DNS-based authentication method that verifies the sender’s domain integrity and ensures that emails have been sent from it. It is a standard email security method used to detect forged messages. The technology adds a digital signature linked to the sender's domain (from-domain), which is automatically validated by the recipient’s mail server.
A private key is used to create the signature. This key is installed and kept securely on the sender’s side and not shared with third parties. The public key is published as a special TXT record on the sender's subdomain.
The subdomain is to be chosen based on a selector being used, which is determined independently by the sender. It is recommended to use a unique selector for each key so that different senders can use individual keys.
Example of a typical DKIM record:
| Domain | Record Type | Content example |
| default._domainkey.example.com | TXT | v=DKIM1; k=rsa; p=<your public key> |
| _domainkey.example.com | TXT | o=-; |
Where:
- default — the selector. Multiple records with different selectors can be specified, each containing its own unique key.
- v — DKIM version, always set to v=DKIM1 (standard value).
- k — key type, always k=rsa.
- p — public key, which can be generated in your email service platform.
DMARC Configuration
DMARC is a set of rules for email authentication. This technology is designed to protect users from fraudulent activities and ensure email deliverability. A key aspect is defining how to handle messages that fail SPF and DKIM checks:
- none — monitoring mode. Emails are delivered normally, but reports are generated;
- quarantine — suspicious emails are routed to Spam folder;
- reject — emails that fail authentication are blocked entirely.
It is recommended to set policies that reject emails from untrusted IP addresses or those with invalid signatures.
| Domain | Record Type | Content example |
| _dmarc.example.com | TXT | v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com |
Where:
- v=DMARC1 — DMARC version;
- p= — policy for handling failed messages;
- rua= — email address for receiving daily reports.
BIMI Configuration
BIMI (Brand Indicators for Message Identification) is a technology that works alongside SPF, DKIM, and DMARC to display a company’s logo (brand image) next to the email subject in the recipient’s inbox. Email providers use this to further verify the sender authenticity visually, increasing brand trust and recognition.
To use this technology, specify the path to the SVG file. The image must meet specific requirements (e.g., square format, no extra layers). For BIMI SVG file requirements, please read detailed recommendations from Google.
Add the following record in your domain settings:
| Domain | Record Type | Example Content |
| default._bimi.example.com | TXT | v=BIMI1; l=https://site.logo.svg |
Where:
- v — protocol version;
- l — path to the logo in SVG format.
You can also use a BIMI record generator at https://bimigroup.org/bimi-generator/.
Example of a Typical From-Domain Configuration
Considering all the above settings, your from-domain should have a set of records similar to the following:
| Subdomain | Type | Record | Comments |
| SPF | spf2.0/pra include:spf.example.com ip4:A.B.C.D -all | This record type is considered outdated. If you encounter problems adding it to DNS, it is recommended to skip this step. However, it may help to ensure additional compatibility. | |
| TXT | spf2.0/pra include:spf.example.com ip4:A.B.C.D -all | If the domain is already used for sending emails, ensure all current IP addresses are included in the SPF record. | |
| TXT | v=spf1 include:spf.example.com ip4:A.B.C.D -all | ||
| _dmarc | TXT | v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; sp=reject | Specify the email of the person responsible for mailings. |
| _domainkey | TXT | o=-; | |
| _policy._domainkey | TXT | o=-; | |
| default._domainkey | TXT | v=DKIM1; k=rsa; p=MIGfMAOG...... |
After configuring all protocols, it is recommended to wait for some time for the changes to take effect. Then perform testing to ensure everything works correctly and emails are delivered across different email services.