What Are SPF & DMARC? (And How to Set Them Up)
This guide explains SPF and DMARC in plain English and walks you through adding them to your domain. No technical background needed.
What is SPF?
SPF stands for Sender Policy Framework. It's a short list, stored in your domain's DNS, of which mail servers are allowed to send email for your domain. DNS (Domain Name System) is your domain's address book — the place where you point your domain name to your website, your email provider, and other services. Your DNS is managed wherever you bought or host your domain (for example, Namecheap, GoDaddy, IONOS, or Cloudflare).
Think of SPF like a guest list at a door. When an inbox provider like Gmail or Outlook
receives an email claiming to be from yourdomain.com, it checks your SPF list to see
if the server that actually sent the email is allowed to. If the sending server isn't on
the list, that's a red flag.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's a second DNS record that tells inbox providers two things:
- What to do if an email claiming to be from your domain fails your SPF or DKIM checks (DKIM is a separate email-security stamp — more on that below). Should the inbox provider deliver it anyway, send it to spam, or reject it outright?
- Where to send reports — a summary email address where inbox providers will tell you how many messages passed or failed your checks, and who sent them.
Why both matter
- They help your emails land in the inbox instead of spam. Gmail, Outlook, and other major inbox providers check for SPF and DMARC. Domains without them look more suspicious, and that hurts delivery — even for emails you send yourself.
- They stop other people from faking emails as "you." Without SPF and DMARC, scammers can send emails that claim to be from your domain, and inbox providers have no easy way to tell the difference.
- They're expected for good deliverability. If you're doing cold outreach or warming up a new mailbox, SPF and DMARC are basic setup that every inbox provider expects to see, alongside DKIM.
How SPF, DKIM, and DMARC work together
These are three separate DNS records, and they each do a different job:
| Record | What it does |
| --- | --- |
| SPF | Lists which mail servers are allowed to send email for your domain. |
| DKIM | Adds an invisible, tamper-proof stamp to each email proving it really came from you. |
| DMARC | Tells inbox providers what to do if a message fails SPF or DKIM, and where to send reports. |
They work as a team. SPF and DKIM are the two checks an email can pass or fail. DMARC is the rulebook that says what happens next. You want all three set up. We cover DKIM, including how to set it up, in a separate guide: Setting up DKIM.
SPF and DMARC don't need a "selector"
If you've already read the DKIM guide, you'll know DKIM records have two parts: a
selector (a short label, like google) and a long value. That's because a domain can
have several different DKIM records at once, each with its own selector, so mailbox
providers need a way to tell them apart.
SPF and DMARC are simpler. Each one is just a single TXT record at a fixed name, so you don't add a selector name to the front of it. A TXT record is just a plain-text entry in your DNS. You'll add:
- One SPF TXT record at yourdomain.com
- One DMARC TXT record at _dmarc.yourdomain.com
That's it — no selector to look up or configure, and no separate setting inside Warmerly for these two.
Where to add these records at your DNS host
The SPF and DMARC records go in the exact same place as your DKIM record — same DNS panel, same overall process. Only the record type and value are different. If you're not sure how to get into your DNS settings, follow the click-by-click DKIM guide for your host below, then repeat the same steps for your SPF and DMARC records.
| DNS host | Where to add records | Click-by-click steps |
| --- | --- | --- |
| Namecheap | Advanced DNS tab on your domain | Set up DKIM on Namecheap |
| IONOS | DNS settings under Domains & SSL | Set up DKIM on IONOS |
| GoDaddy | DNS Management page for your domain | Set up DKIM on GoDaddy |
| Cloudflare | DNS > Records tab | Set up DKIM on Cloudflare |
These guides were written for DKIM, but the panel and process are identical for SPF and DMARC. Just add a new TXT record like the DKIM guide shows, but use the SPF or DMARC name and value instead (see below).
What a typical SPF record looks like
An SPF record is a TXT record added at your root domain (just yourdomain.com, no
prefix). For example, if you send email through Google Workspace, it might look like
this:
v=spf1 include:_spf.google.com ~all
In plain English, this just means "allow Google's mail servers to send email for me." Breaking it down:
- v=spf1 — this is an SPF record, version 1.
- include:_spf.google.com — trust the list of servers Google maintains for its customers.
- ~all — treat anything not on this list as suspicious (but don't hard-reject it).
If you send from more than one provider (say, Google Workspace and a cold-outreach
tool), you'll have one SPF record with multiple include: parts, not one record per
provider. Adding two separate SPF records breaks SPF entirely — always combine them into
a single record.
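To check for the two-record mistake described above, here is an added example (not part of the original guide or of Warmerly) that looks through the TXT records at a root domain and suggests one combined record. The sample records, the second provider's include value, and the function names are made up for illustration.

```python
# Added example: lint the TXT records published at a root domain for SPF issues.
# SAMPLE_TXT is constructed sample data, not a real DNS answer.
SAMPLE_TXT = [
    "google-site-verification=constructed-token",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.outreach-tool.example ~all",   # hypothetical second provider
]

def is_all(term):
    """True for the catch-all term in any form: all, +all, ~all, -all, ?all."""
    return term.lower().lstrip("+-~?") == "all"

def spf_records(txt_records):
    """Keep only the TXT strings whose first term is v=spf1."""
    return [r for r in txt_records if r.split() and r.split()[0].lower() == "v=spf1"]

def merge_spf(records, all_term="~all"):
    """Combine several SPF records into one, listing each mechanism once."""
    merged = []
    for record in records:
        for term in record.split()[1:]:            # skip the leading v=spf1
            if not is_all(term) and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, all_term])  # single catch-all goes last

def audit_spf(txt_records):
    """Return (problems, suggested_record) for one domain's root TXT records."""
    found = spf_records(txt_records)
    if not found:
        return ["no SPF record published"], None
    problems = []
    if len(found) > 1:
        problems.append(f"{len(found)} SPF records found, combine them into one")
    for record in found:
        if any(t.lower() in ("all", "+all") for t in record.split()[1:]):
            problems.append("all/+all allows every server to send as you")
    return problems, merge_spf(found)

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT))
```

The suggested record ends in `~all` by default, matching the example on this page; pass a different `all_term` to `merge_spf` if your provider recommends one.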
What a typical starter DMARC record looks like
A DMARC record is a TXT record added at _dmarc.yourdomain.com (note the _dmarc.
prefix — this one is not at the bare root domain). A safe starting point looks like
this:
v=DMARC1; p=none; rua=mailto:[email protected]
In plain English:
- v=DMARC1 — this is a DMARC record, version 1.
- p=none — just watch and report, don't reject or quarantine anything yet. This is the safest way to start, especially if you're not 100% sure every one of your sending servers is covered by SPF yet.
- rua=mailto:[email protected] — send daily summary reports to this email address, so you can see what's passing and what isn't.
Once you've watched your reports for a few weeks and everything looks clean, you can
tighten p=none to p=quarantine (send failures to spam) or p=reject (block them
outright). Don't jump straight to p=reject — if your SPF record is missing a
sending server, you could accidentally block your own legitimate emails.
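As an added example (not from the original guide), this script reads a DMARC record value, checks the parts explained above, and tells you which policy comes next in the none, quarantine, reject sequence. The function names and the sample address dmarc-reports@example.com are made up for illustration.

```python
# Added example: parse a DMARC TXT value and report where it sits in the
# p=none -> p=quarantine -> p=reject rollout. Sample values are constructed.
ROLLOUT = ["none", "quarantine", "reject"]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue                          # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def review_dmarc(record):
    """Return (policy, problems, next_step) for one DMARC record value."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ROLLOUT:
        problems.append("p= must be none, quarantine or reject")
        return None, problems, None
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not reports:
        problems.append("no rua= address, so no reports will arrive")
    if any(not u.lower().startswith("mailto:") for u in reports):
        problems.append("rua= addresses should be written as mailto: URIs")
    stage = ROLLOUT.index(policy)
    next_step = ROLLOUT[stage + 1] if stage + 1 < len(ROLLOUT) else None
    return policy, problems, next_step

if __name__ == "__main__":
    print(review_dmarc(SAMPLE_DMARC))
```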
Check your provider's exact recommended value
The examples above use Google Workspace, but your SPF include: value will be
different if you send through Microsoft 365, Mailgun, SendGrid, Zoho, or another
provider. Always check your email provider's own help docs for their exact
recommended SPF include value — search their help center for "SPF record setup" plus
your provider's name. The DMARC record format, on the other hand, is the same no matter
which email provider you use.
Still stuck?
If you get stuck on any step, click the chat help button in the bottom corner of the Warmerly app. It connects you straight to a real person on our support team who can look at your account and help you sort it out.
