Fix email authentication in order: (1) publish SPF listing every sender, (2) enable DKIM and add each provider's DNS key, (3) add DMARC at p=none with reporting, (4) review reports and escalate to p=reject. Use the dedicated fix guides for each record type for platform-specific steps.
Email authentication is a three-layer stack — SPF authorises senders, DKIM signs messages, DMARC enforces policy and reports abuse. This guide is your roadmap: what to fix first, how the pieces fit, and when you are done. For step-by-step platform instructions, follow the individual SPF, DKIM and DMARC fix guides.
Check your website
See how your site handles how to fix email authentication (spf, dkim & dmarc together) — free, no account needed.
Business impact
Incomplete email authentication means phishing in your brand, invoices in spam folders, and failed compliance checks from enterprise customers. Getting all three layers right is one of the highest-ROI trust improvements a domain owner can make — and it is increasingly mandatory for bulk email.
Why this happens
Scanners flag missing SPF and DMARC because they are quick DNS checks on the scanned domain. DKIM requires knowing your selectors, so gaps often surface during deeper review. The rollout order matters: SPF and DKIM must pass with alignment before DMARC enforcement blocks anything. Typical timeline: SPF in day one, DKIM within a week (one provider at a time), DMARC at p=none immediately after, enforce after 2–4 weeks of clean reports.
How to confirm the issue
Audit checklist:
- SPF TXT on apex —
v=spf1present, one record, all senders included. - DKIM — test email shows
dkim=passfor each provider. - DMARC —
_dmarcTXT withv=DMARC1, policy appropriate for your stage.
With Plexa Trust: scan your domain. Clear "SPF Record Missing" and "DMARC Record Missing", then use the individual fix guides for anything still failing.
Step-by-step fix
Inventory every system that sends email as your domain (workspace, marketing, CRM, ecommerce, support).
Fix SPF first — one apex TXT record with all includes (see fix-spf-records guide).
Enable DKIM at each provider and publish every selector's DNS key (see fix-dkim guide).
Add DMARC at p=none with an rua reporting address (see fix-dmarc guide).
Send test messages; confirm spf=pass, dkim=pass, dmarc=pass in headers.
Review DMARC reports for 2–4 weeks; fix any failing senders.
Escalate DMARC to p=quarantine, then p=reject when reports are clean.
Re-scan with Plexa Trust to confirm findings are cleared.
Platform-specific fixes
Small business (Google Workspace only)
SPF: v=spf1 include:_spf.google.com ~all
DKIM: enable in Google Admin → Authenticate email.
DMARC: _dmarc TXT with p=none, then tighten after a month.
Microsoft 365 + marketing tool
SPF: include:spf.protection.outlook.com plus marketing include (e.g. include:servers.mcsv.net for Mailchimp).
DKIM: enable in Defender for M365; add marketing platform DKIM separately.
DMARC: start p=none; verify both senders pass in reports before enforcing.
Ecommerce (Shopify + Klaviyo/Mailchimp)
List Shopify transactional, Klaviyo campaigns, and any support desk.
Merge all SPF includes; add each platform's DKIM records.
DMARC reports will show which platform fails — fix before p=reject.
Self-hosted / custom SMTP
SPF: add ip4:your-server-ip or include your SMTP provider.
DKIM: configure OpenDKIM or your provider's signing; publish the public key.
DMARC: essential here — without a major provider handling it, you own the full stack.
How to verify the fix
Document every sender and its SPF include / DKIM selector in one internal runbook.
Never skip straight to DMARC p=reject — you will block legitimate mail.
Re-scan after each layer is added, not only at the end.
Use a DMARC report service if XML reports are hard to parse manually.
Common mistakes
Fixing only SPF and assuming you are done — DKIM and DMARC are required for full protection.
Adding DMARC before SPF/DKIM work — causes deliverability surprises.
Forgetting a new SaaS tool that starts sending mail months later.
Leaving p=none indefinitely — monitoring without enforcement.
Frequently asked questions
What order should I fix SPF, DKIM and DMARC?
SPF first, then DKIM for each sender, then DMARC at p=none. Enforce only after reports show consistent passes.
Is SPF enough for Google and Yahoo bulk sender rules?
No. They require SPF, DKIM and DMARC with alignment for bulk senders. All three are needed.
How do I find all my senders?
Check your stack: email host, CRM, marketing, ecommerce, ticketing, calendar invites. DMARC reports at p=none also reveal unknown senders.
What does dmarc=pass require?
Either SPF or DKIM must pass AND align with the From domain, and the DMARC policy must be satisfied.
Can I use one guide instead of three?
This guide is the overview. Use fix-spf-records, fix-dkim and fix-dmarc for detailed platform steps on each record.
How long does full setup take?
Basic setup: a few hours. Safe enforcement: 2–4 weeks of monitoring DMARC reports first.
Does this affect my website scan score?
Yes. Plexa Trust checks SPF and DMARC on your domain. Fixing them improves your email security findings.
What is "good enough" for most businesses?
SPF + DKIM passing for all senders, DMARC at p=quarantine or p=reject with rua reporting — and a process to update DNS when you add new senders.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan