Get started

Verify SPF, DKIM & DMARC

These three records are how mailbox providers decide whether to trust your mail. Here's what each one does, the values BlacklistGuard uses, and how to fix the common mistakes.

SPF

Sender Policy Framework lists which servers are allowed to send for your domain. Adding our include authorizes BlacklistGuard's infrastructure.

v=spf1 include:blacklistguard.com ~all
A domain may have only one SPF record. If you already publish SPF (for Google Workspace, Microsoft 365, etc.), don't add a second one — merge our include:blacklistguard.com into your existing record, before the ~all.

The ~all (softfail) suffix is a safe default while you set things up. Once you're confident every legitimate source is listed, you can tighten it to -all (hardfail).

DKIM

DomainKeys Identified Mail adds a cryptographic signature to every message, letting receivers verify it wasn't altered in transit. BlacklistGuard generates the key pair for you (selector default) — you publish the public key as a TXT record and we sign with the private half.

Host:  default._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=<public key>

Copy the full value from the console exactly. Don't add line breaks or quotes — some DNS providers split long TXT values automatically, which is fine, but don't introduce spaces inside the key.

DMARC

Domain-based Message Authentication, Reporting & Conformance ties SPF and DKIM together and tells receivers what to do when a message fails authentication — and where to send reports.

Host:  _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com

Roll out the policy gradually:

  • p=none — monitor only. Collect reports without affecting delivery. Start here.
  • p=quarantine — failing mail goes to spam. Move here once your reports look clean.
  • p=reject — failing mail is rejected outright. The end goal for full protection.

Verifying

After publishing, use Verify DNS on the sending domain. Ownership must pass for the domain to be usable; SPF, DKIM, and DMARC are reported alongside. DNS can take a few minutes to propagate — occasionally up to 48 hours.

Troubleshooting

  • Records not found yet — propagation lag. Wait a few minutes and re-check.
  • Two SPF records — invalidates SPF. Merge them into one.
  • Host got the domain appended twice (e.g. _dmarc.yourdomain.com.yourdomain.com) — most providers append the domain automatically. Enter just the subdomain part (_dmarc) if your provider does this.
  • DKIM value altered — paste it exactly; don't wrap, quote, or add spaces inside the key.
  • Cloudflare — set these records to DNS only (grey cloud), not proxied.

Gmail & Yahoo bulk-sender rules

If you send to many recipients, Gmail and Yahoo require:

  • SPF and DKIM set up and aligned with your From domain.
  • A DMARC record published (p=none is enough to satisfy the requirement).
  • A spam-complaint rate kept well under 0.3% (aim for under 0.1%).
  • A working one-click unsubscribe in marketing mail.

Completing the records on this page covers the authentication half of those requirements.

← Previous
Set up a sending domain
Next →
All documentation