Email Authentication with TXT Records
TXT records are versatile DNS records that store text data. In the context of email, they are primarily used for SPF, DKIM, and DMARC authentication, which help prevent email spoofing and improve deliverability.
What Is SPF?
Sender Policy Framework (SPF) specifies which mail servers are authorised to send email on behalf of your domain. Receiving servers check SPF records to verify the sender is legitimate.
Adding an SPF Record
- In your DNS management panel, add a new TXT record.
- Set the Name to @.
- Set the Value to your SPF policy. Common examples:
  - SillyHost only: v=spf1 a mx ~all
  - SillyHost + Google Workspace: v=spf1 a mx include:_spf.google.com ~all
  - SillyHost + Microsoft 365: v=spf1 a mx include:spf.protection.outlook.com ~all
- Save the record.
What Is DKIM?
DomainKeys Identified Mail (DKIM) adds a digital signature to outgoing emails, allowing the recipient's server to verify that the message was not altered in transit and genuinely came from your domain.
Adding a DKIM Record
- Obtain your DKIM public key from your email provider (found in the admin panel of Google Workspace, Microsoft 365, or your server's mail configuration).
- Add a new TXT record.
- Set the Name to the DKIM selector provided (e.g., default._domainkey or google._domainkey).
- Set the Value to the DKIM public key string (e.g., v=DKIM1; k=rsa; p=MIGfMA0GCS...).
- Save the record.
What Is DMARC?
DMARC builds on SPF and DKIM to tell receiving servers what to do when authentication fails. A basic DMARC record looks like:
- Name: _dmarc
- Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
Best Practices
- Always configure all three (SPF, DKIM, and DMARC) for maximum email deliverability.
- Only have one SPF record per domain. If you use multiple email services, combine them into a single SPF record using include: statements.
- Start DMARC with p=none to monitor before enforcing.
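
The checks in the best-practices list above, as an added example that is not SillyHost's own tooling: a small Python linter that flags more than one SPF record at @ (and proposes the merged record) and reports a DMARC policy that is still at p=none. The function names and the sample zone are constructed for illustration, and keeping the strictest all qualifier when merging is an assumption.

```python
# Added example: lint TXT records for the SPF/DMARC practices above.
QUALIFIERS = "+-~?"
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}  # weakest to strictest

def merge_spf(policies):
    """Combine several SPF policies into one record with a single 'all'."""
    terms, all_q = [], None
    for policy in policies:
        for term in policy.split()[1:]:          # skip the v=spf1 tag
            if term.lstrip(QUALIFIERS).lower() == "all":
                q = term[0] if term[0] in QUALIFIERS else "+"
                # Assumption: keep the strictest 'all' seen in any input.
                if all_q is None or STRICTNESS[q] > STRICTNESS[all_q]:
                    all_q = q
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, (all_q or "~") + "all"])

def audit(zone):
    """zone maps a record name to its TXT values; returns a list of findings."""
    findings = []
    spf = [v for v in zone.get("@", []) if v.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF: no record at @")
    elif len(spf) > 1:
        findings.append(f"SPF: {len(spf)} records at @, merge into: {merge_spf(spf)}")
    elif spf[0].split()[-1].lower() in ("all", "+all"):
        findings.append("SPF: ends in +all, which authorises every sender")
    dmarc = [v for v in zone.get("_dmarc", []) if v.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected 1 record at _dmarc, found {len(dmarc)}")
        return findings
    pairs = (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid p= tag ({policy!r})")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, enforcement not yet enabled")
    return findings

# Constructed sample zone: two SPF records at @, DMARC still in monitoring.
SAMPLE_ZONE = {
    "@": ["v=spf1 a mx ~all", "v=spf1 include:_spf.google.com ~all"],
    "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ZONE)))
```

Feed it the TXT values exported from your DNS panel, keyed by record name, to check a real zone.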