{"id":674,"date":"2026-04-09T09:46:58","date_gmt":"2026-04-09T09:46:58","guid":{"rendered":"https:\/\/www.hashetools.com\/blog\/?p=674"},"modified":"2026-04-09T09:49:08","modified_gmt":"2026-04-09T09:49:08","slug":"spf-dkim-dmarc-bimi-setup-guide","status":"publish","type":"post","link":"https:\/\/www.hashetools.com\/blog\/spf-dkim-dmarc-bimi-setup-guide\/","title":{"rendered":"SPF, DKIM, DMARC & BIMI: Complete 2026 Setup Guide"},"content":{"rendered":"

Google, Yahoo, and Microsoft now enforce email authentication for bulk senders. 83.9% of domains still have no DMARC record, making them prime targets for spoofing, phishing, and spam. This step-by-step guide covers every protocol you need: SPF, DKIM, DMARC, and BIMI.<\/p>\n

What is Email Authentication?<\/h2>\n

Every time you send an email, receiving mail servers ask a simple question: Is this message really from who it claims to be? Without authentication, anyone can forge your domain in the From: field; this is how most phishing and business email compromise (BEC) attacks work.<\/p>\n

Four DNS-based protocols work together to answer that question definitively:<\/p>\n\n\n\n\n\n\n\n\n
Protocol<\/b><\/th>\nWhat It Does<\/b><\/th>\nWhere It Checks<\/b><\/th>\nEnforced By<\/b><\/th>\n<\/tr>\n<\/thead>\n
SPF<\/td>\nLists authorized sending IPs for your domain<\/td>\nReturn-Path \/ envelope<\/td>\nReceiving mail server<\/td>\n<\/tr>\n
DKIM<\/td>\nCryptographically signs every outgoing message<\/td>\nDKIM-Signature header<\/td>\nReceiving mail server<\/td>\n<\/tr>\n
DMARC<\/td>\nTies SPF\/DKIM to visible From: domain + reports<\/td>\nFrom: header alignment<\/td>\nInbox providers (Gmail, etc.)<\/td>\n<\/tr>\n
BIMI<\/td>\nDisplays your brand logo in the inbox<\/td>\nBIMI DNS record + VMC<\/td>\nGmail, Yahoo, Apple Mail<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Think of these as a security stack<\/b>: SPF and DKIM authenticate the message, DMARC enforces a policy when they fail, and BIMI is the trust signal that rewards you for doing it right.<\/p>\n

2026 Enforcement Update: <\/b>Google & Yahoo require SPF + DKIM + DMARC for all senders of 5,000+ emails\/day. Microsoft enforced similar rules from early 2025. Non-compliant messages are rejected at the SMTP level, not just filtered to spam.<\/p>\n

SPF: Sender Policy Framework<\/h2>\n

What is SPF?<\/h3>\n

SPF is a DNS TXT record that publishes a list of IP addresses<\/a> and servers authorized to send email on behalf of your domain. When a message arrives, the receiving server checks the sender’s IP against your SPF record. If the IP isn’t on the list, SPF fails.<\/p>\n

Important limitation: <\/b>SPF only checks the Return-Path \/ envelope sender, not the visible From: address your recipient sees. That’s why SPF alone doesn’t prevent spoofing. You need DMARC for full alignment.<\/p>\n

How to Write an SPF Record<\/h3>\n

SPF records are DNS TXT records published on your root domain. Here’s the anatomy:<\/p>\n\n\n\n\n
DNS TXT record: @\u00a0 (your root domain)<\/b><\/td>\n<\/tr>\n
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Mechanism<\/b><\/th>\nExample<\/b><\/th>\nMeaning<\/b><\/th>\n<\/tr>\n<\/thead>\n
v=spf1<\/td>\nv=spf1<\/td>\nRequired, declares this is an SPF record<\/td>\n<\/tr>\n
include:<\/td>\ninclude:_spf.google.com<\/td>\nAuthorizes all IPs listed in that domain’s SPF record<\/td>\n<\/tr>\n
ip4:<\/td>\nip4:203.0.113.10<\/td>\nAuthorizes a specific IPv4 address or CIDR range<\/td>\n<\/tr>\n
ip6:<\/td>\nip6:2001:db8::\/32<\/td>\nAuthorizes a specific IPv6 address or range<\/td>\n<\/tr>\n
a<\/td>\na:mail.example.com<\/td>\nAuthorizes the A record IP of the given domain<\/td>\n<\/tr>\n
mx<\/td>\nmx<\/td>\nAuthorizes the MX record IPs of your domain<\/td>\n<\/tr>\n
-all<\/td>\n-all<\/td>\nFAIL, reject all senders not listed (recommended)<\/td>\n<\/tr>\n
~all<\/td>\n~all<\/td>\nSOFTFAIL, mark suspicious but deliver (use while testing)<\/td>\n<\/tr>\n
?all<\/td>\n?all<\/td>\nNEUTRAL, no policy (avoid in production)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

SPF Setup Step-by-Step<\/h3>\n
    \n
  1. Log in to your DNS provider (Cloudflare, GoDaddy, Route 53, Namecheap, etc.)<\/li>\n
  2. Create a new TXT record on your root domain (@)<\/li>\n
  3. Set the value to: v=spf1 [your sending sources] -all<\/li>\n
  4. List every service that sends email as your domain (your mail server, email marketing platform, CRM, support desk, etc.)<\/li>\n
  5. Save and wait for DNS propagation (up to 48 hours)<\/li>\n
  6. Verify using the HasheTools SPF Lookup tool<\/li>\n<\/ol>\n

    The 10-Lookup Limit: <\/b>SPF records may not trigger more than 10 DNS lookups during evaluation. Each ‘include:’ counts as one lookup, and those includes often have their own includes. If you exceed 10, SPF fails with a PermError. Use SPF flattening tools to consolidate if needed.<\/p>\n

    Read Also:<\/b> DNS Records for ns1.dns-parking.com<\/a><\/p>\n

    Common SPF Record Examples<\/h3>\n

    Google Workspace users:<\/b><\/p>\n\n\n\n\n
    DNS TXT: @<\/b><\/td>\n<\/tr>\n
    v=spf1 include:_spf.google.com ~all<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Microsoft 365 users:<\/b><\/p>\n\n\n\n\n
    DNS TXT: @<\/b><\/td>\n<\/tr>\n
    v=spf1 include:spf.protection.outlook.com ~all<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Google Workspace + Mailchimp + custom mail server:<\/b><\/p>\n\n\n\n\n
    DNS TXT: @<\/b><\/td>\n<\/tr>\n
    v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.10 -all<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    DKIM: DomainKeys Identified Mail<\/h2>\n

    What is DKIM?<\/h3>\n

    DKIM<\/a> adds a cryptographic digital signature to every outgoing email. The signature is added to the DKIM-Signature header and is verified by the receiving server using a public key stored in your DNS.<\/p>\n

    Unlike SPF, DKIM proves that the message content hasn’t been tampered with in transit. Even if an email passes through a mail relay or forwarding service, the DKIM signature remains valid, making it more resilient than SPF for complex mail flows.<\/p>\n

    How DKIM Works<\/h3>\n