
How to Set Up SPF, DKIM, and DMARC for Your Small Company Email

Email authentication sounds like something only large enterprises worry about. But small companies are actually frequent targets for spoofing - attackers know you probably don't have strict email security, and they take advantage.

Setting up SPF, DKIM, and DMARC doesn't take long. Here's how to do it if you're a small company with a simple email setup.

Before you start: what you're protecting against

Without email authentication, anyone can send mail that appears to come from your domain. Phishing emails that look like they're from your CEO, fake invoices from your finance team, spoofed support requests: all of these are possible when your domain has no authentication.

SPF, DKIM, and DMARC make spoofing much harder. You don't need to be an enterprise to use them.

Step 1: Find all your sending sources

Before you touch DNS, write down every service that sends email as your domain. Common ones for small companies:

  • Your email provider (Microsoft 365, Google Workspace, FastMail, etc.)
  • Your website's contact form
  • Any automation tools (CRM, invoicing, appointment scheduling)
  • Your cold email platform if you use one

If you're not sure, check your existing SPF record. Log into your domain registrar or DNS provider and look for the TXT record starting with v=spf1. The includes and IPs in that record are your current sending sources.

Step 2: Set up SPF

Your SPF record lives as a TXT record in your DNS. It looks something like:

v=spf1 include:_spf.google.com ~all

The include: parts pull in the SPF records of the services you use. The ~all at the end means "soft fail": servers that aren't listed are treated as suspicious but not rejected.

Add every service from your list as an include. For Microsoft 365: include:spf.protection.outlook.com. For Google Workspace: include:_spf.google.com. For other services, they usually give you the exact include string.

Once your SPF record is updated, test it with a lookup tool before moving on.
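As an added example (not code from the post), here is a small offline linter for an SPF record string. It counts the DNS-querying terms against the 10-lookup limit from RFC 7208 and checks the all qualifier, which are the two things a lookup tool most often flags. It only sees the top-level record, so nested includes (which also count toward the limit) still need a DNS-based tool.

```python
import re

# RFC 7208 allows at most 10 DNS-querying terms per SPF evaluation; a record
# that exceeds it yields "permerror", which DMARC does not count as a pass.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def check_spf(record):
    """Lint one SPF TXT record string; returns lookup count, 'all' qualifier and findings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"ok": False, "lookups": 0, "all": None,
                "findings": ["record must start with v=spf1"]}
    lookups, all_qual, findings = 0, None, []
    for term in terms[1:]:
        qualifier = ""
        if term[0] in "+-~?":                # explicit qualifier, e.g. ~all or -all
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1                     # top-level only; nested includes also count
        if name == "all":
            all_qual = qualifier or "+"      # no qualifier means "+" (pass)
        elif name == "ptr":
            findings.append("ptr mechanism is discouraged by RFC 7208; use ip4/ip6 or include")
    if all_qual is None:
        findings.append("no 'all' term: unlisted senders get a neutral result, not a failure")
    elif all_qual == "+":
        findings.append("+all lets any server send as your domain; use ~all or -all")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    return {"ok": not findings, "lookups": lookups, "all": all_qual, "findings": findings}
```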

Step 3: Set up DKIM

DKIM requires a key pair - a private key that signs your outgoing mail, and a public key that goes in your DNS. Most email providers generate this for you.

For Microsoft 365: go to the Exchange admin center → Protection → DKIM and follow the steps to enable it and add the CNAME records.

For Google Workspace: go to Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Add DKIM TXT record.

Your provider will give you a record to add to your DNS (a TXT record, or CNAME records in the case of Microsoft 365). It looks like a long string of characters. Add it exactly as provided.

Step 4: Publish your first DMARC record (p=none)

DMARC is a TXT record in your DNS that starts with v=DMARC1. Here's a basic record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This says: "I'm using DMARC version 1. For mail that fails, do nothing (p=none). Send aggregate reports to this email address."

The rua email address is where you'll receive DMARC reports. Use a dedicated address that won't fill up; reports come daily or weekly depending on volume.

This step is critical: p=none means you're not blocking anything yet. You're just watching.

Step 5: Read your DMARC reports for 2-4 weeks

DMARC reports arrive as XML file attachments, sent by receiving mail servers to the rua address in your record. In the first weeks of monitoring you might receive dozens of these files, one from each provider that processed your mail, each containing data on which IPs sent as your domain, whether they passed SPF and DKIM, and whether the alignment held.

For a small company running this alongside everything else, reading raw XML is not great. The files are machine-formatted, the data is spread across multiple attachments, and the fields you actually need (your alignment pass rate, unrecognized sending sources, failures you haven't accounted for) require cross-referencing entries manually.

This is where a monitoring tool is useful. A tool like DMARCFlow processes those report files automatically and shows you the data in a readable format: your pass rate by domain, which IPs are sending as you, and whether any of those sources are failing alignment. What makes it suited to this stage specifically (especially if you're doing this without a security background) is that it doesn't just show you numbers. It generates specific, prioritized suggestions from the report data: if your DKIM is passing but not aligned to your From domain, that surfaces as a flagged issue with an explanation of what's causing it and what to fix.

During this period you might discover sending sources you didn't know about: a website contact form, a legacy tool, an old integration. Add them to your SPF record before moving to the next step.
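As an added example (not code from the post, and not DMARCFlow's), the following Python reads one aggregate report and pulls out the three things this step cares about: the aligned pass rate, sending IPs you don't recognize, and DKIM signatures that pass but are not aligned with your From domain. The report XML is constructed for the example; the IPs and crm-vendor.example are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 layout), reduced to the fields
# used below; real reports carry one <record> per sending IP and more metadata.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize_report(xml_text, known_ips):
    """Per-IP volume, overall aligned pass rate and the issues worth acting on."""
    root = ET.fromstring(xml_text)
    sources, passed, total, issues = {}, 0, 0, []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        # policy_evaluated holds the aligned results DMARC actually scores on
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        aligned = dkim_ok or spf_ok
        total += n
        passed += n if aligned else 0
        sources[ip] = {"count": n, "aligned": aligned}
        if ip not in known_ips:
            issues.append(f"{ip}: unrecognized source sent {n} messages as your domain")
        # auth_results holds the raw signature check, with the domain that signed
        raw = rec.find("auth_results/dkim")
        if raw is not None and raw.findtext("result") == "pass" and not dkim_ok:
            issues.append(f"{ip}: DKIM passes but signing domain {raw.findtext('domain')} "
                          f"is not aligned with From domain {rec.findtext('identifiers/header_from')}")
    rate = round(100 * passed / total, 1) if total else 0.0
    return {"sources": sources, "pass_rate": rate, "issues": issues}
```

Real reports arrive as zipped or gzipped attachments; unpack one and pass its text to summarize_report together with the set of IPs from your Step 1 list.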

Step 6: Move to p=quarantine, then p=reject

Once you're consistently above 95% pass rates and you recognize every IP sending as your domain, change your DMARC policy:

First, p=quarantine: failing mail goes to spam instead of being delivered normally.

After a few more weeks with no issues, p=reject: failing mail is bounced entirely.

Most small companies can reach p=reject within 2-3 months if they started with a clean setup and no complex third-party sending.

What if you use third-party email tools?

If you use a CRM, cold email platform, or any other service that sends as you@yourdomain.com, they need to be properly set up:

  • Their sending IPs must be in your SPF record
  • They must DKIM sign with your domain (not their own)
  • If they can't do one of these, consider having them send from a subdomain instead

If a service can't give you proper DKIM alignment, using a subdomain to isolate it is safer than leaving it off your authentication entirely.

The afternoon that protects your domain

This setup takes a few hours for a small company with a straightforward email setup. The payoff: your domain can't be easily spoofed, your emails are more likely to land in inboxes, and you have visibility into who's sending as your domain.

Monitoring your DMARC reports is the ongoing part. A DMARC monitoring tool keeps you informed of changes: new sending sources, sudden drops in pass rates, attempts to send as your domain that you don't recognize.