Malware | High priority

Set up email authentication for your domain (SPF, DKIM, DMARC)

Add SPF, DKIM, and DMARC records to your domain's DNS settings. These prevent attackers from sending emails that appear to come from your business — protecting your clients, suppliers, and reputation.

Why this matters

Without SPF, DKIM, and DMARC records, anyone can send emails that appear to come from your business domain — impersonating you to your clients, suppliers, and staff. This is called email spoofing and is the foundation of many business email compromise attacks. Adding these three DNS records is a permanent, high-impact security improvement that takes an hour or two to complete.

How to do it

  1. Log in to the DNS management panel at your domain provider (for example, Hostinger, GoDaddy, or Cloudflare). This is where you manage your DNS records.
  2. Create an SPF record: add a TXT record at your root domain with the value `v=spf1 include:[your email provider] ~all` — your email provider's documentation will give you the exact include value to use.
  3. Create a DKIM record: your email provider (Google Workspace, Microsoft 365, or Zoho) will generate a DKIM key for you — copy the TXT record value they provide and add it at the selector they specify (e.g. `google._domainkey`).
  4. Create a DMARC record: add a TXT record at `_dmarc.yourdomain.co.uk` with the value `v=DMARC1; p=none; rua=mailto:you@yourdomain.co.uk` to begin in monitoring mode.
  5. Verify all three records are working using MXToolbox at mxtoolbox.com — enter your domain and check the SPF, DKIM, and DMARC results.
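
An added example (not from the original page or from any provider's tooling): a small Python linter that checks the SPF and DMARC values from steps 2 and 4 for common mistakes before you publish them. The include value `_spf.mailprovider.example` and the `example.co.uk` address are constructed placeholders.

```python
# Added example: lint SPF and DMARC TXT values before publishing them.
# All domain names and record values below are constructed samples.

def lint_spf(txt_records):
    """Check all TXT strings at the root domain; return a list of problems."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no v=spf1 record found"]
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        return ["multiple v=spf1 records: merge them into one"]
    issues = []
    if "[" in spf[0]:
        issues.append("template placeholder was not replaced")
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if not any(t.startswith("redirect=") for t in terms):
            issues.append("no 'all' term: unlisted senders are not failed")
    elif alls[0] in ("all", "+all"):
        issues.append("'+all' authorises every sender on the internet")
    elif any("=" not in t for t in terms[terms.index(alls[0]) + 1:]):
        issues.append("mechanisms after 'all' are never evaluated")
    return issues

def lint_dmarc(txt):
    """Check the TXT string at _dmarc.<domain>; return a list of problems."""
    pairs = [p.strip().split("=", 1) for p in txt.split(";") if p.strip()]
    if any(len(p) != 2 for p in pairs):
        return ["malformed tag (expected name=value)"]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["record must start with v=DMARC1"]
    fields, issues = dict(tags), []
    policy = fields.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= must be none, quarantine or reject")
    elif policy == "none":
        issues.append("p=none is monitoring only: no action is requested")
    uris = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not uris:
        issues.append("no rua= address: aggregate reports will not arrive")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        issues.append("rua= entry is not a mailto: URI")
    return issues

if __name__ == "__main__":
    root_txt = ["v=spf1 include:_spf.mailprovider.example ~all"]  # constructed
    print("SPF:", lint_spf(root_txt) or "ok")
    print("DMARC:", lint_dmarc("v=DMARC1; p=none; rua=mailto:you@example.co.uk"))
```

The linter only inspects the record strings you pass in; the live lookup in step 5 is still what confirms the values DNS actually serves.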

Cyber Essentials framework

This task falls under the Malware control — one of five areas assessed in the UK's Cyber Essentials scheme. Completing it counts toward your Cyber Essentials alignment.
