Email Authentication: An Overview
Email authentication plays a crucial role in the deliverability and security of your email campaigns. Properly configuring SPF, DKIM, DMARC, and BIMI records helps you establish your domain's reputation and protect your brand from spoofing and phishing attacks. This guide will walk you through each of these components and provide actionable steps to improve your email deliverability.
SPF Records
A Sender Policy Framework (SPF) record lists authorized sending domains for a specific domain. It helps mail servers determine whether incoming emails are from legitimate sources or not. Here's an example of how to create an SPF record:
"v=spf1 ip4:192.168.0.1/16 mx include:thirdpartyprovider.com -all"
Explanation: The "v=spf1" mechanism defines the version of SPF used. "ip4:192.168.0.1/16" authorizes all IP addresses in the 192.168.x.x range. "mx" allows the domain's mail exchangers (mail servers) to send emails on behalf of the domain. "include:thirdpartyprovider.com" includes the SPF record of the third-party provider. Lastly, "-all" explicitly rejects all other sources.
Actionable Takeaway: Ensure you include all legitimate sending domains and subdomains in your SPF record. Remember to follow the SPF best practices while constructing your records, and avoid common pitfalls like including too many mechanisms or creating overly permissive records.
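An offline lint for the pitfalls named above (too many lookup-causing mechanisms, overly permissive records), added here as an example and not part of the original guide. The name lint_spf and the esp*.example hosts are assumptions; only top-level terms are counted against the 10-lookup limit of RFC 7208, so nested includes can push the real total higher.

```python
import ipaddress

# Terms that each trigger a DNS query; RFC 7208 caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def lint_spf(record):
    """Lint one SPF TXT string offline; return (lookup_count, findings)."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["not an SPF record: must start with v=spf1"]
    findings, lookups, all_qual, has_redirect = [], 0, None, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # no prefix means pass
        body = term.lstrip("+-~?")
        # Term name ends at the first ':', '=' or '/' (mx/24, redirect=x).
        name = body.replace("=", ":").replace("/", ":").split(":", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
            has_redirect = has_redirect or name == "redirect"
        elif name == "all":
            all_qual = qualifier
        elif name in ("ip4", "ip6"):
            try:
                iface = ipaddress.ip_interface(body.partition(":")[2])
            except ValueError:
                findings.append(f"{term}: invalid address or prefix")
                continue
            if iface.ip != iface.network.network_address:
                findings.append(f"{term}: host bits set, authorizes {iface.network}")
            if iface.network.is_private:
                findings.append(f"{term}: private range, not a public sending source")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    if all_qual in ("+", "?"):
        findings.append(f"'{all_qual}all' is overly permissive: unlisted senders are not failed")
    elif all_qual is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    return lookups, findings

if __name__ == "__main__":
    # The record from this page, then a constructed over-limit record.
    page = '"v=spf1 ip4:192.168.0.1/16 mx include:thirdpartyprovider.com -all"'
    bloated = "v=spf1 " + " ".join(f"include:esp{i}.example" for i in range(11)) + " +all"
    for rec in (page, bloated):
        print(lint_spf(rec))
```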
DKIM Signing
DomainKeys Identified Mail (DKIM) is a cryptographic authentication technique that securely associates a domain name with an email message. This allows receiving servers to confirm that the email was indeed sent and authorized by the domain's owner and that it wasn't tampered with during transport.
Default Key: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDtP3nDftIrh34sB0t5eUH7cY/hRANCAAXD88RxQLmH59L1uu6dzRiTL91jqJ4jbWG+l5XANa9ixxhIwZ/ADyS0KOBtTwhs0TWjdJK0txK7dWO5T2B+yJuxBKCrQU8SPej7cqCcw5a2IOZKV4mQTjb2vTkW9vjWrHsTDNxM1MwIDAQAB
Explanation: The "k=rsa" parameter specifies the algorithm used. The "p" parameter contains the domain key, which is created during the DKIM signing process.
Actionable Takeaway: Implement DKIM signing for all your email domains. When using an ESP like FiresideSender, make sure they support DKIM signing, and create unique keys for different domains or subdomains if necessary.
DMARC Policy
Domain-based Message Authentication, Reporting, and Conformance (DMARC) standardizes how to handle messages that fail SPF and DKIM authentication. It aggregates reports on authentication failures and allows domain owners to specify policies on how to treat emails that fail authentication. DMARC policy tags include "p=none", "p=quarantine" or "p=reject".
"v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:[email protected]"
Explanation: The "v=DMARC1" mechanism identifies the version of DMARC. The "p=reject" policy instructs recipients to reject all non-authenticating messages. "sp=reject" complements "p" by defining the policy for subdomains. "pct=100" specifies that the policy applies to all emails, and "rua" indicates the URL where aggregate reports are to be sent.
Actionable Takeaway: Implement DMARC policies for all email domains and subdomains. To start, use the "p=none" policy and gradually move to "p=quarantine" or "p=reject" as you gain confidence in your authentication configuration. Analyze and act on the generated DMARC reports to fine-tune your email security and deliverability.
BIMI Configuration
Brand Indicators for Message Identification (BIMI) is a standard that enables organizations to display their logos within supporting email clients. For BIMI to work, your domain needs properly configured DNS records, a valid DMARC policy, and an SVG logo uploaded to a Verified Mark Certificate (VMC) provider.
"v=BIMI1; l= a=MAILTO:[email protected]"
Explanation: The "v=BIMI1" mechanism defines the BIMI version. "l=" specifies the location of the logo, and "a=" indicates the email address of the domain administrator.
Actionable Takeaway: Once you've properly set up DMARC, configure BIMI records to display consistent logos, reinforcing your brand's reputation and helping recipients recognize authentic emails.
Summary and Takeaways
Configuring SPF, DKIM, DMARC, and BIMI records is an essential step toward improving email delivery while securing your brand from spoofing and phishing. By following the steps outlined in this guide, you can:
- Ensure mail servers correctly identify your emails, reducing the risk of being marked as spam.
- Gain deeper insights into email authentication failures and fine-tune your email security.
- Establish brand consistency and enhance trust among recipients by displaying your logo in email clients.
Remember, these configurations can be complex, and even a minor misconfiguration can lead to delivery issues. Use ESPs that support SPF, DKIM, DMARC, and BIMI natively, like FiresideSender, and seek help from email deliverability experts if required.