Complete Email Authentication Checklist: Your Step-by-Step Guide

Use this comprehensive checklist to ensure your domain has proper email authentication configured. Follow each step to maximize deliverability and protect your domain from spoofing.

Pre-Setup Assessment

Domain Information

• List all domains sending email
• Identify primary sending domain
• Document all subdomains used for email
• Note current email service providers
• List all third-party services sending email

Current State Audit

• Check if SPF record exists
• Check if DKIM is configured
• Check if DMARC record exists
• Review current authentication status
• Document any existing issues

SPF Configuration Checklist

Step 1: Inventory Sending Sources

• Email provider (Google Workspace, Microsoft 365, etc.)
• Marketing platform (Mailchimp, SendGrid, etc.)
• Transactional email service
• CRM system (Salesforce, HubSpot, etc.)
• Help desk system (Zendesk, etc.)
• Internal mail servers
• Other third-party services

Step 2: Gather SPF Includes

• Google Workspace: include:_spf.google.com
• Microsoft 365: include:spf.protection.outlook.com
• SendGrid: include:sendgrid.net
• Mailchimp: include:servers.mcsv.net
• Amazon SES: include:amazonses.com
• Other services: Document all includes

Step 3: Build SPF Record

• Start with v=spf1
• Add all include statements
• Add IP addresses if needed
• End with -all (fail) for production
• Verify record is on single line

Step 4: Check DNS Lookup Count

• Count all includes, a, mx mechanisms
• Ensure count is under 10
• Optimize if over limit
• Document lookup count

Step 5: Publish SPF Record

• Add TXT record to DNS
• Host: @ or root domain
• Value: Complete SPF record
• TTL: 3600 or default
• Verify only one SPF record exists

Step 6: Verify SPF Setup

• Use MXToolbox SPF checker
• Verify record is detected
• Check lookup count
• Test from different locations
• Document verification results

DKIM Configuration Checklist

Step 1: Choose Selector

• Decide on selector name (e.g., default, google)
• Document selector purpose
• Plan for multiple selectors if needed

Step 2: Generate Keys

Option A: Email Provider Generates

• Google Workspace: Generate in Admin Console
• Microsoft 365: Enable DKIM in Security Center
• Other providers: Follow their process

Option B: Generate Your Own

• Generate 2048-bit RSA key pair
• Extract public key
• Store private key securely

Step 3: Create DNS Record

• Record type: TXT
• Host: {selector}._domainkey
• Value: v=DKIM1; k=rsa; p={public-key}
• TTL: 3600 or default
• Verify key length (1024-bit minimum, 2048-bit recommended)

Step 4: Configure Mail Server

• Enable DKIM signing
• Configure selector
• Set signing domain
• Test signing functionality
• Verify private key matches public key

Step 5: Verify DKIM Setup

• Send test email
• Check email headers for DKIM-Signature
• Verify signature is valid
• Use online DKIM checker
• Document verification results

DMARC Configuration Checklist

Step 1: Prerequisites

• SPF is configured and working
• DKIM is configured and working
• Both SPF and DKIM are signing correctly
• Test emails show authentication passing

Step 2: Get Report Address

• Sign up for MailSentinel (or other service)
• Get unique report address
• Document report address
• Verify report address is accessible

Step 3: Create DMARC Record

Starting Policy (Monitoring):

• Version: v=DMARC1
• Policy: p=none
• Report address: rua=mailto:your-address@reports.mailsentinel.io
• Optional: Forensic reports ruf=mailto:...
• Alignment: adkim=r; aspf=r (relaxed, default)

Example:

v=DMARC1; p=none; rua=mailto:your-id@reports.mailsentinel.io

Step 4: Publish DMARC Record

• Record type: TXT
• Host: _dmarc
• Value: Complete DMARC record
• TTL: 3600 or default
• Verify only one DMARC record exists

Step 5: Verify DMARC Setup

• Use DMARC lookup tool
• Verify record is detected
• Check policy is correct
• Verify report address
• Document verification results

Step 6: Monitor Initial Reports

• Wait 24-48 hours for first reports
• Review reports in MailSentinel
• Identify all sending sources
• Check pass/fail rates
• Document findings

Alignment Verification Checklist

SPF Alignment

• Envelope sender domain matches From: domain (or subdomain)
• SPF passes for envelope sender
• Alignment mode matches DMARC policy
• Test emails show SPF alignment

DKIM Alignment

• DKIM signing domain matches From: domain (or subdomain)
• DKIM signature is valid
• Alignment mode matches DMARC policy
• Test emails show DKIM alignment

DMARC Alignment

• At least one (SPF or DKIM) aligns
• DMARC policy is passing
• Test emails show DMARC pass
• Reports show alignment success

Provider-Specific Checklists

Google Workspace

• SPF: include:_spf.google.com added
• DKIM: Enabled in Admin Console
• DKIM: DNS record published (google._domainkey)
• DMARC: Record published
• Postmaster Tools: Domain verified
• Postmaster Tools: Monitoring spam rates

Microsoft 365

• SPF: include:spf.protection.outlook.com added
• DKIM: Enabled in Security Center
• DKIM: CNAME records published
• DMARC: Record published
• SNDS: IPs registered
• SNDS: Monitoring reputation

SendGrid/Mailchimp/Other ESPs

• SPF: Include statement added
• DKIM: Configured in ESP dashboard
• DKIM: DNS records published
• DMARC: Record published
• ESP: Domain verified
• ESP: Authentication tested

Ongoing Maintenance Checklist

Weekly Tasks

• Review DMARC reports
• Check authentication pass rates
• Monitor for new sending sources
• Review spam complaint rates
• Check for authentication failures

Monthly Tasks

• Audit SPF record (remove unused services)
• Review DKIM key rotation schedule
• Analyze deliverability trends
• Review engagement metrics
• Update documentation

Quarterly Tasks

• Complete DNS audit
• Review all authentication records
• Check blacklist status
• Review sender reputation
• Update security policies

Troubleshooting Checklist

If DMARC Fails

• Check SPF record is correct
• Verify SPF alignment
• Check DKIM is signing
• Verify DKIM alignment
• Review DMARC reports for details
• Test from different sources
• Check for misconfiguration

If Emails Go to Spam

• Verify authentication is passing
• Check spam complaint rate (<0.3%)
• Review sender reputation
• Check blacklist status
• Review email content
• Verify list hygiene
• Check engagement rates

If Bounce Rate is High

• Remove hard bounces immediately
• Retry soft bounces (3 attempts)
• Clean email lists regularly
• Verify email addresses
• Review bounce reasons
• Update list hygiene practices

Compliance Checklist

Google & Yahoo Requirements (2024)

• SPF configured
• DKIM configured (1024-bit+ keys)
• DMARC policy published
• DMARC passing (alignment required)
• One-click unsubscribe implemented
• Spam rate below 0.3%
• Valid PTR records configured
• TLS encryption enabled

Microsoft Requirements (2025)

• SPF configured
• DKIM configured
• DMARC policy published
• DMARC passing
• One-click unsubscribe implemented
• Spam rate below 0.3%
• Valid DNS records
• SNDS monitoring set up

Documentation Checklist

• Document all SPF includes
• Document all DKIM selectors
• Document DMARC policy
• Document report addresses
• Document sending sources
• Create runbook for team
• Document escalation procedures
• Keep records of changes

Testing Checklist

Before Going Live

• Send test emails to Gmail
• Send test emails to Outlook
• Send test emails to Yahoo
• Check authentication headers
• Verify DMARC passes
• Test from all sending sources
• Use Mail-Tester for spam score
• Verify reports are received

After Changes

• Test immediately after changes
• Wait for DNS propagation (15-60 min)
• Verify changes took effect
• Monitor for 24-48 hours
• Review DMARC reports
• Check for any issues

Success Criteria

Authentication Goals

• DMARC pass rate: 95%+
• SPF pass rate: 95%+
• DKIM pass rate: 95%+
• Alignment rate: 95%+

Deliverability Goals

• Inbox placement: 95%+
• Bounce rate: <2%
• Spam complaint rate: <0.2%
• Block rate: <0.1%

Engagement Goals

• Open rate: Industry benchmark+
• Click rate: Industry benchmark+
• Conversion rate: Target achieved
• Unsubscribe rate: <0.5%

Quick Reference

SPF Record Template

v=spf1 include:_spf.google.com include:sendgrid.net -all

DKIM Record Template

Host: default._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

DMARC Record Template (Monitoring)

v=DMARC1; p=none; rua=mailto:your-id@reports.mailsentinel.io

DMARC Record Template (Enforcement)

v=DMARC1; p=reject; rua=mailto:your-id@reports.mailsentinel.io; ruf=mailto:your-id@forensic.mailsentinel.io; adkim=r; aspf=r

Download This Checklist

Want a printable PDF version of this checklist?

Download Complete Email Authentication Checklist PDF →

Or use this page as your reference guide.

Getting Help

Resources

• DMARC Setup Guide - Detailed DMARC configuration
• SPF Setup Guide - Complete SPF guide
• DKIM Setup Guide - Complete DKIM guide
• Email Delivery Troubleshooting - Fix issues

Tools

• MailSentinel - DMARC monitoring platform
• MXToolbox - DNS checking tools
• Mail-Tester - Spam testing

Support

• Check our documentation
• Contact support: support@mailsentinel.io
• Join our community

Next Steps

1. Start with MailSentinel - Free 14-day trial
2. Follow This Checklist - Step by step
3. Monitor Your Progress - Track improvements
4. Achieve Full Protection - Move to p=reject

Start Your Free Trial →