Setting Up Email for a New Domain?
We configure email authentication, security, and deliverability from day one.
Understanding Email Authentication
Email authentication is your first line of defense against email spoofing and phishing attacks. Without it, anyone can send emails that appear to come from your domain.
The Three Pillars
SPF (Sender Policy Framework) SPF is a TXT record in your DNS that lists all servers authorized to send email for your domain.
DKIM (DomainKeys Identified Mail) DKIM adds a cryptographic signature to your outgoing emails. The receiving server uses a public key in your DNS to verify this signature.
DMARC (Domain-based Message Authentication, Reporting & Conformance) DMARC tells receiving servers what to do when emails fail SPF or DKIM. It also provides reporting.
The DMARC Journey
- Monitor (p=none): Receive reports, do not affect delivery
- Quarantine (p=quarantine): Send failing emails to spam
- Reject (p=reject): Block failing emails entirely
Common Mistakes to Avoid
- Too many SPF lookups: SPF allows maximum 10 DNS lookups
- Forgetting marketing tools: Services like Mailchimp need to be in your SPF
- Jumping to DMARC reject: Always start with monitoring
- Not monitoring reports: DMARC reports reveal authentication issues
Frequently Asked Questions
Common questions about the Email Setup Wizard
Email authentication consists of SPF, DKIM, and DMARC - three DNS-based protocols that verify emails are legitimately from your domain. They help prevent email spoofing and phishing attacks.
Each protocol serves a different purpose: SPF specifies which servers can send email for your domain, DKIM adds a digital signature to verify message integrity, and DMARC tells receiving servers what to do with emails that fail authentication.
We recommend: 1) SPF first - simplest and most widely supported, 2) DKIM second - requires coordination with your email provider, 3) DMARC last - it relies on SPF and DKIM being configured.
DNS changes typically propagate within 1-4 hours, but can take up to 48 hours. If your records don't verify immediately, wait a few hours and check again.
Start with policy "none" (monitoring mode) to receive reports without affecting email delivery. Gradually move to "quarantine" then "reject" after verifying SPF and DKIM work correctly.
DKIM requires a private key that must be securely stored on your email server. This setup is provider-specific - Google Workspace, Microsoft 365, and other providers each have their own DKIM configuration process.
Include all your email services in your SPF record using "include:" mechanisms. Each service should have its own DKIM selector configured.
DMARC aggregate reports are XML files sent to the email address in your "rua" tag. Free services like DMARC Analyzer or Postmark's DMARC tool can parse these reports into readable dashboards.
⚠️ Security Notice
This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. Unauthorized access or security testing may be illegal in your jurisdiction. All processing happens client-side in your browser - no data is sent to our servers.