Why Your Emails Land in Spam (And How to Fix It)

If you're sending business emails and they keep ending up in spam - or worse, you're getting reports that someone is impersonating your domain - the root cause is almost always the same: SPF, DKIM, and DMARC are missing or misconfigured.

Here's the uncomfortable truth: without all three protocols properly set up, your emails are far more likely to be flagged as suspicious, sent to spam, or blocked entirely. Whether you're using Google Workspace (Gmail) or Microsoft 365 (Outlook), this guide will walk you through every single step. No IT background required.

What Are SPF, DKIM, and DMARC? (Plain English)

Think of your email domain as a physical office building. Before an email can be trusted, three checks need to happen:

| Protocol | The Analogy | What It Actually Does |
| --- | --- | --- |
| SPF | Front desk check-in | Lists the mail servers authorized to send email from your domain |
| DKIM | A signed, tamper-proof envelope | Adds a cryptographic signature to every email so receivers know it hasn't been altered |
| DMARC | The security supervisor | Tells receiving servers what to do when SPF or DKIM fail - deliver, quarantine, or reject |

All three need to work together. Any one alone is not enough - SPF without DKIM means your emails can be intercepted and modified; DKIM without DMARC means there's no enforcement if authentication fails.

Why Google and Yahoo Now Require These

In early 2024, Google and Yahoo updated their rules - any domain sending more than 5,000 emails per day must have all three configured. But even smaller senders are increasingly affected, as inbox providers now use these signals for all filtering decisions. Having them is no longer optional for any business that relies on email.

A Note for Complete Beginners: What Is DNS?

DNS (Domain Name System) is essentially the address book of the internet. It's where all the settings for your domain name live - including the records that tell email servers how to handle your email.

When this guide says "add a record to your DNS," it means logging in to wherever you registered or manage your domain name. This is usually one of these providers:

💡 Not sure who your DNS provider is? Go to whois.domaintools.com, enter your domain name, and look for "Registrar" or "Name Servers" - that tells you where your DNS is managed.

Once you're inside your DNS provider, look for a section called "DNS," "DNS Management," "DNS Records," or "Advanced DNS." The exact label varies by provider but the concept is always the same.

Before You Start: What You'll Need

Regardless of whether you use Gmail or Microsoft 365, you need two things open in your browser before you begin:

  1. Your email platform's admin panel - links provided in each section below
  2. Your domain's DNS settings - the provider where your domain is registered (see above)
💡 Pro tip: Open both in separate browser tabs before you start. You'll be copying values from one and pasting into the other.

PART 1: Gmail / Google Workspace Setup

How to Log In to Google Workspace Admin Console

The Google Workspace Admin Console is where you control all settings for your business Gmail account. It is separate from your regular Gmail inbox - most people don't know it exists.

Direct link: admin.google.com

  1. Open a browser and go to admin.google.com
  2. Sign in with your Google Workspace admin email and password - this is the email address that was set up when your company first created Google Workspace (usually something like [email protected] or [email protected])
  3. You'll land on the Admin Console dashboard - a control panel for your entire organization's Google Workspace
⚠️ Can't log in? You need to be the account owner or an admin. If someone else set up Google Workspace for your company (an IT person, agency, or web developer), ask them for admin credentials or to add you as an admin.
⚠️ Don't have Google Workspace yet? You need a paid Google Workspace account (not a free Gmail) to send email from a custom domain like [email protected]. Sign up at workspace.google.com. Plans start from $6/month per user.

Step 1 - Set Up SPF for Google Workspace

SPF tells every mail server on the internet: "Google's servers are the only ones allowed to send email from this domain." It's the simplest record to add and the best place to start.

1.1 - Check if You Already Have an SPF Record

Before adding anything, check whether an SPF record already exists for your domain. Having two SPF records breaks email authentication entirely - this is the #1 most common mistake people make.

  1. Open a new browser tab and go to mxtoolbox.com/spf.aspx
  2. Type your domain name (e.g., yourcompany.com) in the search box
  3. Click SPF Record Lookup

Read the result:

  • If the result shows "No Record Found" → you don't have an SPF record yet. Follow Step 1.2
  • If the result shows a record starting with v=spf1 → a record already exists. Follow Step 1.3 instead - do not create a new one

1.2 - Create a New SPF Record (If No Record Exists)

  1. Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.)
  2. Navigate to DNS Records / DNS Management for your domain
  3. Click Add Record (or Add New Record - the button label varies by provider)
  4. Fill in the following fields exactly:

| Field | What to Enter |
| --- | --- |
| Type | TXT |
| Host / Name | @ ← this symbol means "the root domain itself" |
| Value / Content | v=spf1 include:_spf.google.com ~all |
| TTL | 3600 (or leave as "Automatic" / "Default") |

  5. Click Save
💡 What does ~all mean? The ~all at the end means "soft fail" - if an email comes from a server not on this list, mark it as suspicious but still deliver it. This is the safest setting when you're first getting started.

1.3 - Edit an Existing SPF Record (If a Record Already Exists)

If MXToolbox showed you already have a v=spf1 record, do not create a new one. Instead:

  1. Find the existing TXT record in your DNS provider that starts with v=spf1
  2. Click Edit on that record
  3. Find the ~all or -all at the very end of the value
  4. Insert include:_spf.google.com anywhere before that final ~all or -all

Before:

v=spf1 include:mailgun.org ~all

After:

v=spf1 include:mailgun.org include:_spf.google.com ~all

  5. Click Save
🛑 Using SalesStack, Mailchimp, HubSpot, or another email tool? Each of those also needs to be in your SPF record. Your SalesStack account settings page shows you the exact include string to use. Add all of them into the same single TXT record.

Step 2 - Set Up DKIM for Google Workspace

DKIM requires three steps done in the right order: first generate a key inside Google Admin Console, then publish it in your DNS, then come back and activate it.

2.1 - Go to the DKIM Settings in Google Admin Console

  1. Open admin.google.com in your browser and sign in
  2. In the left sidebar, click Apps
  3. Click Google Workspace
  4. Click Gmail
  5. The Gmail settings page opens. Scroll down until you see "Authenticate email" - click it

2.2 - Generate Your DKIM Key

  1. On the "Authenticate email" page, use the domain dropdown to select your domain (e.g., yourcompany.com)
  2. Click Generate New Record
  3. A dialog box appears with two options:

| Setting | What to Choose | Why |
| --- | --- | --- |
| DKIM key bit length | 2048-bit | More secure - always use this unless your DNS provider doesn't support it |
| Prefix selector | Leave as google | This is the name that identifies your DKIM key |

  4. Click Generate

2.3 - Copy the DKIM Values Google Gives You

After generating, you'll see two values on screen. You need both of these:

  • DNS Hostname: Will look like google._domainkey - this goes in the "Host/Name" field in DNS
  • TXT Record Value: A very long string starting with v=DKIM1; k=rsa; p=... - this goes in the "Value" field in DNS
💡 Don't click "Start Authentication" yet. That comes AFTER you've added the record to DNS.

2.4 - Add the DKIM Record to Your DNS

  1. Go back to your DNS provider tab
  2. Click Add Record
  3. Fill in the fields:

| Field | What to Enter |
| --- | --- |
| Type | TXT |
| Host / Name | google._domainkey (copy exactly from Google Admin) |
| Value / Content | The long v=DKIM1; k=rsa; p=... string (copy exactly from Google Admin) |
| TTL | 3600 |

  4. Click Save
  5. ⏳ Wait 15–30 minutes before continuing. DNS changes take time to spread across the internet.

2.5 - Activate DKIM in Google Admin Console

This is the step most people forget. Publishing the DNS record alone is not enough - you must go back and tell Google to start using it.

  1. Return to admin.google.com → Apps → Google Workspace → Gmail → Authenticate email
  2. Click Start Authentication
  3. Click Save
  4. The status should now change to "Authenticating email with DKIM" shown in green

✅ DKIM is now live.

Step 3 - Set Up DMARC for Google Workspace

DMARC is the simplest of the three to add - it's a single DNS record, and there's no Google Admin Console step involved.

3.1 - Add Your DMARC Record

  1. Go to your DNS provider and click Add Record
  2. Fill in:

| Field | What to Enter |
| --- | --- |
| Type | TXT |
| Host / Name | _dmarc ← must include the underscore |
| Value / Content | v=DMARC1; p=none; rua=mailto:[email protected]; pct=100 |
| TTL | 3600 |

🔴 Replace [email protected] with a real email address you actually check. This is where you'll receive weekly reports about your email authentication health.
  3. Click Save

3.2 - Understanding Your DMARC Record

Here's what each part of v=DMARC1; p=none; rua=mailto:[email protected]; pct=100 means in plain English:

| Tag | Example Value | What It Means |
| --- | --- | --- |
| v=DMARC1 | Fixed | Tells servers this is a DMARC record |
| p= | none / quarantine / reject | Your enforcement policy (see table below) |
| rua= | mailto:[email protected] | Where to send weekly aggregate reports |
| pct= | 100 | Apply this policy to 100% of emails |

3.3 - The DMARC Policy Ladder (Start Slow, Enforce Later)

Never start at p=reject. You could accidentally block your own legitimate emails. Work through these three stages:

| Stage | Policy | What Happens | How Long to Stay Here |
| --- | --- | --- | --- |
| 1 - Monitor | p=none | All emails deliver normally; reports sent to you | 2–4 weeks |
| 2 - Quarantine | p=quarantine | Failing emails go to spam folder | 2–4 weeks |
| 3 - Enforce | p=reject | Failing emails are completely blocked | Permanent goal |

To move from p=none to p=quarantine: Go back to your DNS provider, find the _dmarc TXT record, click Edit, and change the word none to quarantine. Save. That's it.

PART 2: Microsoft 365 / Outlook Setup

How to Log In to Microsoft 365 Admin Portals

Microsoft 365 setup involves two different admin portals - one for general settings and one specifically for email security. Here are the direct links:

| Portal | What It's For | Direct Link |
| --- | --- | --- |
| Microsoft 365 Admin Center | General account, users, domains | admin.microsoft.com |
| Microsoft 365 Defender Portal | Email security, DKIM setup | security.microsoft.com |

To log in:

  1. Open admin.microsoft.com in your browser
  2. Enter your Microsoft 365 admin email - typically [email protected] or [email protected]
  3. Enter your password and complete any two-factor authentication prompt
⚠️ Can't log in? You need a Global Admin or Exchange Admin role. If someone else manages your Microsoft 365 account (an IT person or agency), ask them to add your account as an admin or complete these steps for you.
⚠️ Don't have Microsoft 365 yet? You need a paid Microsoft 365 Business plan to send email from a custom domain. Plans start from around $6/user/month. Sign up at microsoft.com/microsoft-365/business. Alternatively, reach out to your SalesStack account manager, who can arrange discounts on these plans.

Step 4 - Set Up SPF for Microsoft 365

SPF for Microsoft 365 is configured entirely in your DNS provider - no Microsoft admin portal needed.

4.1 - Check for an Existing SPF Record First

Same as before - go to mxtoolbox.com/spf.aspx, enter your domain, and check.

  • No record found → Follow Step 4.2
  • Record exists → Follow Step 4.3

4.2 - Create a New SPF Record

Log in to your DNS provider, click Add Record, and fill in:

| Field | What to Enter |
| --- | --- |
| Type | TXT |
| Host / Name | @ |
| Value / Content | v=spf1 include:spf.protection.outlook.com -all |
| TTL | 3600 |

Click Save.

💡 Note the difference: Google recommends ~all (soft fail). Microsoft recommends -all (hard fail). Both are valid - Microsoft's is slightly stricter.

4.3 - Edit an Existing SPF Record

Find the v=spf1 TXT record in your DNS provider, click Edit, and add Microsoft's include before the final all:

v=spf1 [your existing includes] include:spf.protection.outlook.com -all
⚠️ Watch the DNS lookup limit. SPF has a hard limit of 10 DNS lookups. If you use SalesStack, Mailchimp, HubSpot, and Microsoft 365 together - count your include: statements. Each one uses at least 1 lookup. Exceeding 10 silently breaks SPF.

Step 5 - Set Up DKIM for Microsoft 365

Microsoft 365 DKIM uses CNAME records (not TXT records like Google). The process has three phases: generate in Defender → publish in DNS → enable in Defender.

5.1 - Navigate to DKIM in Microsoft Defender Portal

  1. Open security.microsoft.com in your browser
  2. In the left sidebar, click Email & Collaboration
  3. Click Policies & Rules
  4. Click Threat Policies
  5. Scroll down to the Rules section and click Email Authentication Settings
  6. Click the DKIM tab at the top of the page

5.2 - Generate Your DKIM Keys

  1. In the DKIM tab, you'll see a list of your domains - click on your domain name
  2. A panel slides out from the right. Click Create DKIM Keys
  3. Microsoft will display two CNAME records. They'll look something like this (yours will be different):

selector1._domainkey → selector1-yourcompany-com._domainkey.yourcompany.onmicrosoft.com
selector2._domainkey → selector2-yourcompany-com._domainkey.yourcompany.onmicrosoft.com

🔑 Critical: These values are completely unique to your domain and Microsoft tenant. Never copy CNAME values from this article or any other guide. Always copy them directly from the Defender portal.

5.3 - Add Both CNAME Records to Your DNS

Go to your DNS provider. You'll add two separate CNAME records - one for each selector.

Record 1:

| Field | What to Enter |
| --- | --- |
| Type | CNAME |
| Host / Name | selector1._domainkey |
| Value / Content | (paste from Microsoft Defender) |
| TTL | 3600 |

Record 2:

| Field | What to Enter |
| --- | --- |
| Type | CNAME |
| Host / Name | selector2._domainkey |
| Value / Content | (paste from Microsoft Defender) |
| TTL | 3600 |

Click Save. Wait at least 15–30 minutes for DNS to propagate.

5.4 - Enable DKIM in Microsoft Defender

Just like Google, publishing the DNS records alone is not enough. You must go back and flip the switch.

  1. Return to security.microsoft.com → Email & Collaboration → Policies & Rules → Threat Policies → Email Authentication Settings → DKIM
  2. Click your domain
  3. In the right-side panel, find the toggle for "Sign messages for this domain with DKIM signatures"
  4. Click to switch it to Enabled
  5. The status should change to Enabled with a green checkmark ✅
💡 Why are there two selectors? Microsoft uses two CNAME records (selector1 and selector2) so it can rotate between them over time for added security - like changing the locks periodically. Both must be in DNS for this to work.

Step 6 - Set Up DMARC for Microsoft 365

Microsoft does not set up DMARC for you automatically - this must be done manually in DNS. The process is identical to Google's DMARC setup.

Go to your DNS provider, click Add Record, and enter:

| Field | What to Enter |
| --- | --- |
| Type | TXT |
| Host / Name | _dmarc ← underscore is mandatory |
| Value / Content | v=DMARC1; p=none; rua=mailto:[email protected]; pct=100 |
| TTL | 3600 |

Click Save. Follow the same three-stage policy ladder (none → quarantine → reject) from Part 1, Step 3.3.

PART 3: Testing Your Setup

Wait at least 30–60 minutes after saving your last DNS change before testing. DNS changes need time to spread across the internet. For some providers, it can take up to 48 hours (though 1–2 hours is typical).

Option A: Test With SalesStack (Easiest - No Technical Knowledge Needed)

SalesStack includes a built-in Email Deliverability Checker that scans your domain and gives you a plain-English health report - no technical knowledge required.

  1. Log in to your SalesStack account at salesstack.com
  2. Navigate to Settings → Email Accounts
  3. Connect your Email Account
  4. SalesStack displays a traffic-light status for each record and gives you a score out of 10: 3 points each for SPF, DMARC and DKIM, and 1 for a BIMI record.
  • 🟢 Green = record is set up correctly
  • 🟡 Amber = record exists but has issues
  • 🔴 Red = record is missing or broken

If anything shows amber or red, SalesStack tells you exactly what's wrong and what to fix - no guesswork required.

Option B: Test With MXToolbox (Free, Industry Standard)

MXToolbox is a free tool used by IT professionals worldwide to check DNS and email authentication records.

Check Your SPF

  1. Go to mxtoolbox.com/spf.aspx
  2. Enter your domain → click SPF Record Lookup
  3. ✅ Healthy result: Your v=spf1 record appears with all includes listed and no red error rows

Check Your DKIM

  1. Go to mxtoolbox.com/dkim.aspx
  2. Enter your domain
  3. In the Selector field, enter:
    • google → if you're on Google Workspace
    • selector1 → if you're on Microsoft 365
  4. ✅ Healthy result: You see a long public key and no errors

Check Your DMARC

  1. Go to mxtoolbox.com/dmarc.aspx
  2. Enter your domain → click DMARC Lookup
  3. ✅ Healthy result: You see your v=DMARC1 record and the current policy level

Option C: Google's Free Checker (Google Workspace Only)

Google provides its own diagnostic tool that checks everything at once:

  1. Go to toolbox.googleapps.com/apps/checkmx/
  2. Enter your domain
  3. Google checks MX, SPF, DKIM, and DMARC simultaneously and flags anything wrong

Troubleshooting: The 7 Most Common Mistakes

These are the errors that trip up almost everyone - including experienced IT teams:

  1. Two SPF records on one domain - The single most common mistake. You can only have ONE v=spf1 TXT record per domain. Having two breaks SPF permanently and silently. Always edit the existing one, never create a second
  2. Missing the underscore in _dmarc - The host must be _dmarc with an underscore. Without it, the record is invisible and your DMARC policy never applies
  3. Forgetting to click "Start Authentication" in Google Admin - Publishing the DKIM DNS record alone is not enough. You must go back to Admin Console and activate it
  4. Forgetting to click "Enable" in Microsoft Defender - Same issue on the Microsoft side. DNS records alone don't activate DKIM - the toggle in Defender must be switched on
  5. Going straight to p=reject on DMARC - Start at p=none for 2–4 weeks. Jumping straight to reject can block your own newsletters, support emails, or CRM emails
  6. Exceeding the SPF 10 DNS lookup limit - Each include: statement uses at least 1 of your 10 allowed lookups. If you stack too many email services, SPF silently stops working. Count your includes carefully
  7. Copying DKIM values from a guide instead of the portal - Microsoft's DKIM CNAME values are unique to your specific account. Never copy them from an example - always generate and copy them from your own Defender portal
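
Added example (not from the original guide or any vendor): a Python check for mistakes 1 and 6 above, duplicate `v=spf1` records and the 10-lookup limit, counting lookups through nested includes as RFC 7208 does. The zone data is constructed; only the two provider include names come from this guide, and every `*.example` name and all record bodies are invented.

```python
import re

LOOKUP_LIMIT = 10
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a DNS lookup
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?(?:/.*)?$")

# Constructed TXT data standing in for live DNS answers. Record bodies are
# invented for illustration and do not reflect what any provider publishes.
ZONE = {
    "yourcompany.com": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
        "include:spf.vendor-a.example include:spf.vendor-b.example ~all",
        "site-verification=constructed",
    ],
    "_spf.google.com": ["v=spf1 include:n1.example include:n2.example include:n3.example ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "spf.vendor-a.example": ["v=spf1 include:n1.example mx a:mail.vendor-a.example -all"],
    "spf.vendor-b.example": ["v=spf1 include:n2.example ~all"],
    "n1.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "n2.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "n3.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "twice.example": ["v=spf1 include:_spf.google.com ~all",
                      "v=spf1 include:spf.vendor-a.example ~all"],
}


def spf_records(txt_values):
    """Return only the TXT strings that are SPF records."""
    return [t for t in txt_values if t.lower().split(" ")[0] == "v=spf1"]


def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms in a domain's SPF record, following includes."""
    records = spf_records(zone.get(domain, []))
    if len(records) != 1 or domain in path:  # missing, duplicated, or an include loop
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        m = TERM.match(term)
        if not m or m.group(1) not in COUNTED:
            continue  # ip4, ip6, all and exp cost nothing
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total


def audit_spf(domain, zone):
    """Report duplicate SPF records and the total lookup count for a domain."""
    records = spf_records(zone.get(domain, []))
    problems = []
    if not records:
        problems.append("no SPF record")
    elif len(records) > 1:
        problems.append(f"{len(records)} SPF records published; merge into one")
    lookups = count_lookups(domain, zone) if len(records) == 1 else 0
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return {"records": len(records), "lookups": lookups, "problems": problems}


if __name__ == "__main__":
    for name in ("yourcompany.com", "twice.example"):
        print(name, audit_spf(name, ZONE))
```

The constructed root record shows only four `include:` statements, yet the nested records bring the total over the limit, which is why counting visible includes alone is not enough.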

Quick Reference: All DNS Records at a Glance

Google Workspace (Gmail)

| Record | Type | Host | Value |
| --- | --- | --- | --- |
| SPF | TXT | @ | v=spf1 include:_spf.google.com ~all |
| DKIM | TXT | google._domainkey | (Generate in Google Admin → Authenticate Email → copy from there) |
| DMARC | TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected]; pct=100 |

Microsoft 365 (Outlook)

| Record | Type | Host | Value |
| --- | --- | --- | --- |
| SPF | TXT | @ | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | CNAME | selector1._domainkey | (Generate in Microsoft Defender → DKIM → copy from there) |
| DKIM | CNAME | selector2._domainkey | (Generate in Microsoft Defender → DKIM → copy from there) |
| DMARC | TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected]; pct=100 |

Frequently Asked Questions

Do I need all three - SPF, DKIM, and DMARC?

Yes. Each one protects against a different attack vector. SPF prevents server impersonation, DKIM prevents content tampering, and DMARC provides the enforcement layer that completes the system. Using only one or two leaves gaps.

What's the difference between ~all and -all in SPF?

~all (tilde = soft fail) means suspicious emails are flagged but still delivered. -all (dash = hard fail) means emails from unlisted servers are rejected outright. Google recommends ~all as a starting point; Microsoft recommends -all.

What are the DMARC reports that get sent to my rua email address?

These are XML files that tell you which servers sent email using your domain, and whether SPF and DKIM passed or failed for each one. They’re sent weekly by major email providers. They look technical, but tools like SalesStack parse them automatically into readable reports.
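
Added example (not from the original guide or from SalesStack): a Python summary of one aggregate report, listing the sending IPs that fail DMARC so they can be reviewed before moving up the policy ladder in Step 3.3. The report is constructed in the RFC 7489 Appendix C layout with documentation-range IPs; it assumes the file is already decompressed and uses no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

LADDER = ["none", "quarantine", "reject"]  # the three stages of the policy ladder

# Constructed aggregate report; receiver name, report id and IPs are invented.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>yourcompany.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize(report_xml: bytes) -> dict:
    """Tally DMARC pass/fail per sending IP from one aggregate report."""
    # Reports arrive from third parties: refuse DTDs so entity tricks never reach the parser.
    if b"<!DOCTYPE" in report_xml or b"<!ENTITY" in report_xml:
        raise ValueError("report contains a DTD; refusing to parse")
    root = ET.fromstring(report_xml)
    passing, failing = Counter(), Counter()
    for row in root.iterfind("record/row"):
        verdict = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        ok = "pass" in (verdict.findtext("dkim"), verdict.findtext("spf"))
        bucket = passing if ok else failing
        bucket[row.findtext("source_ip")] += int(row.findtext("count"))
    policy = root.findtext("policy_published/p")
    total = sum(passing.values()) + sum(failing.values())
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": policy,
        "total": total,
        "failing": dict(failing),  # mail affected once the policy is tightened
        "fail_rate": round(sum(failing.values()) / total, 3) if total else 0.0,
        "next_policy": LADDER[min(LADDER.index(policy) + 1, len(LADDER) - 1)],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Every IP under `failing` is mail that would go to spam or be blocked at `next_policy`, so each one should be identified as either a forgotten legitimate sender or an impersonator before the `_dmarc` record is edited.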

How long does DNS propagation take?

Between 15 minutes and 48 hours. In practice, most changes appear within 1–2 hours. If your checks still show no record after 2 hours, double-check you saved the record correctly.

Can I have SPF set up for both Google Workspace AND Microsoft 365 on the same domain?

Yes – but in one single TXT record. Merge both: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

I set up DKIM but it still shows "Email not being signed" in Google Admin.

Almost always means you forgot to click Start Authentication after publishing the DNS record. Go back to Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Start Authentication.

I enabled DKIM in Defender but MXToolbox shows no DKIM record.

Wait another 30–60 minutes. If it still doesn’t appear, go back to your DNS provider and verify both CNAME records are saved correctly – check for typos in the hostname or value.

How often should I rotate DKIM keys?

At minimum once per year. Microsoft 365 supports key rotation directly from the Defender portal via the “Rotate DKIM Keys” button. Google allows you to generate new keys and re-publish through the same Admin Console process.