Implementation

From theory to DNS records

This chapter turns the previous ones into a practical setup. The goal is the same for any domain owner: configure SPF, DKIM, and DMARC correctly, protect your primary domain’s reputation, and verify everything works before tightening the rules.

A multi-domain strategy

Organizations often run several domains and more than one email provider, for example a business-mail provider like Google Workspace alongside a bulk-sending service like Mailjet or SendGrid. A sensible split:

  • Primary domain (for example example.co): business communications and transactional mail through your main provider.
  • Dedicated sending domain (for example example.com or a subdomain): mass sending (notifications, marketing) through the bulk service.
  • Spare domains: keep as a backup or redirect to the main domain.

Separating mass sending from your primary domain protects the primary domain’s reputation if a bulk campaign runs into trouble. Each domain needs its own properly configured SPF, DKIM, and DMARC records, even when they point at the same services.

SPF in practice

To authorize two providers on one domain, combine their includes:

example.com  TXT  "v=spf1 include:_spf.google.com include:spf.mailjet.com -all"
  • include:_spf.google.com authorizes Google Workspace.
  • include:spf.mailjet.com authorizes Mailjet.
  • -all is a strict policy that rejects unauthorized senders.

If a domain only sends through the bulk service, simplify it to v=spf1 include:spf.mailjet.com -all. Verify each record with dig TXT example.com or an online SPF validator.

DKIM in practice

DKIM keys are generated per provider, each with its own selector so the public keys do not collide:

selector._domainkey.example.com  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."

Typical flow with common providers:

  • Google Workspace: in the Admin console, go to Apps > Google Workspace > Gmail > Authenticate email, generate the record, add it to DNS, then start authentication.
  • Mailjet: in Account Settings > SPF & DKIM, select the domain, copy the record (often using a mailjet selector, so the record name is mailjet._domainkey.yourdomain.com), add it to DNS, and verify.

DMARC in practice

Start in monitoring mode so you can see what is happening without affecting delivery:

_dmarc.example.com  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]; pct=100;"

This monitors authentication, sends aggregate reports to your address, and applies to all traffic. For a multi-domain setup:

  1. Put identical monitoring records on all domains first.
  2. Analyze reports for two to four weeks to identify every legitimate sender.
  3. Tighten the main business domain toward quarantine then reject gradually.
  4. Move bulk-sending domains to stricter policies faster if all their sending is controlled through one service.
  5. Consider a DMARC report analysis tool to make the reports readable.

After editing DNS, allow time for propagation (up to 48 hours) before expecting changes to take effect.

Application and CRM senders

Systems that send mail on your behalf (an ERP like Odoo, a CRM, ticketing tools) need the same care:

  • Route them through an authenticated provider.
  • Set the “From” address to match an authenticated domain, and configure Reply-To correctly.
  • Consider a subdomain or separate domain for automated system mail.
  • Test deliverability of generated mail and watch bounce and complaint rates.

Troubleshooting common issues

  • SPF “too many DNS lookups.” SPF allows at most 10 DNS lookups. Stacking many includes can exceed it. Flatten the record by replacing nested includes with their IP addresses.
  • DKIM verification failures. Check that the correct selector is used and that the DNS record has no stray line breaks or spaces.
  • DMARC alignment issues. Ensure the “From” domain matches the domain used for DKIM signing or SPF authentication, which is especially important when sending through third parties.
  • Third-party senders that cannot authenticate against your root domain. Use subdomain delegation or a dedicated sending domain.

The rollout checklist

For each domain you send from:

  1. Publish an SPF record listing every legitimate sending source.
  2. Enable DKIM signing on each source and publish the matching keys.
  3. Publish a DMARC record at p=none with a reporting address.
  4. Read the reports and confirm your real mail aligns and passes.
  5. Tighten DMARC to quarantine, then reject.
  6. Layer in TLS everywhere, and S/MIME or PGP where secrecy is required.

Treat this as ongoing maintenance, not a one-time task. Sending sources change, providers come and go, and the DMARC reports are what keep you honest.

Previous