SPFWise
Guides

Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

dkim

Google Workspace SPF, DKIM & DMARC Setup: A Complete Step-by-Step Guide

A precise, ordered walkthrough for authenticating a Google Workspace domain. Copy the exact SPF value, run the Admin Console DKIM "Start Authentication" flow with the 2048-bit key set correctly, then add DMARC last. Validate each record live before moving on so you never stack a second mistake on top of the first.

Jul 3, 20266 min read
dkim

Amazon SES SPF, DKIM & DMARC Setup: The Complete DNS Configuration

Amazon SES passes SPF by default but does not align it for DMARC until you configure a custom MAIL FROM subdomain. This guide walks through Easy DKIM's three CNAME records, domain identity verification, the SPF TXT and MX records that fix DMARC alignment, and how to verify the whole stream in the checker before you enforce a reject policy.

Jul 3, 20267 min read
dkim

SendGrid Domain Authentication: SPF, DKIM & DMARC Setup (Automated vs Manual Security)

SendGrid Domain Authentication publishes CNAME records on a delegated em1234 subdomain so SPF and DKIM pass without touching your root SPF. This guide explains the delegated-subdomain model, contrasts Automated Security (CNAME) versus Manual (TXT), and shows how to add the DMARC policy SendGrid will not create for you, then confirm every CNAME resolves.

Jul 3, 20266 min read
dkim

How to Set Up SPF, DKIM, and DMARC for Mailchimp (2026 Step-by-Step)

Mailchimp authentication in 2026 is simpler than most guides claim: two CNAME records for DKIM and one TXT record for DMARC, with no SPF include to edit. This guide shows the exact records to paste, how to verify them with a free checker, and how to read your first DMARC report so campaigns align and stop landing in spam.

Jul 3, 20267 min read
dmarc

HubSpot Email Authentication: Connecting Your Domain with SPF, DKIM & DMARC

HubSpot sends your email from its own servers, so your DNS has to authorise it. This guide walks the connect-sending-domain flow record by record: the two DKIM CNAMEs, the return-path that makes SPF align on your own domain, why you usually leave your root SPF alone, and the DMARC policy that clears the Google and Yahoo bulk rules. Confirm every record resolves before you click Verify in HubSpot.

Jul 3, 20266 min read
dkim

Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly

Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.

Jul 3, 20267 min read
spf

Zoho Mail SPF, DKIM & DMARC Setup: Complete DNS Configuration

Zoho Mail needs three DNS records to pass authentication: one SPF record with include:zohomail.com, a DKIM TXT record enabled per domain in the admin console with Zoho's selector, and a DMARC policy you move from none to reject over a few weeks. This guide gives the exact records, the single-SPF-record rule, the correct DKIM selector, and a staged rollout you verify live.

Jul 3, 20267 min read
dmarc

DMARC Relaxed vs Strict Alignment Explained (and Which to Use)

DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.

Jul 3, 20267 min read
dmarc

How to Move DMARC From p=none to p=reject Safely: A Phased Enforcement Roadmap

Moving DMARC from p=none to p=reject protects your domain from spoofing, but rushing it blocks real mail. This roadmap gives you gated exit criteria for each phase, a realistic multi-week timeline, the pct ramp, sp handling for subdomains, and a checklist you run against your own DMARC aggregate reports before you advance a single step.

Jul 3, 20268 min read
dmarc

The DMARC pct Tag Explained: How to Ramp Enforcement Without Blocking Real Mail

The DMARC pct tag controls what fraction of your failing mail gets your policy applied, so you can enforce gradually. The catch most guides miss: unselected mail is not skipped, it drops down one policy level, so p=reject with pct=50 rejects half and quarantines the rest. This guide gives a 10/25/50/100 ramp tied to reading reports, and flags that DMARCbis deprecates pct.

Jul 3, 20267 min read
deliverability

Email Warm-Up Schedule: How to Warm a New Domain or IP Without Landing in Spam

A copy-paste 4 to 6 week warm-up schedule for a new sending domain or IP, with the exact daily volumes, segment targeting, and engagement tactics that Gmail and Outlook reward. Verify SPF, DKIM and DMARC alignment first, then ramp slowly and read your progress in Postmaster Tools.

Jul 3, 20268 min read
security

Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk

Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.

Jul 3, 20268 min read
PreviousPage 1 of 2Next