Set up SPF, DKIM, and DMARC to ensure your emails reach their intended recipients. These three records are essential for every law firm using email marketing or client communication.
List all mail servers and third-party services (like email marketing platforms) that send email on behalf of your domain. You'll need to include all of them in your SPF record.
Log in to your domain registrar (GoDaddy, Namecheap, etc.) or DNS provider (Cloudflare, Amazon Route 53) and navigate to the DNS management section.
SPF is a TXT record. A basic example:
v=spf1 include:_spf.example.com ~all Replace _spf.example.com with your email provider's SPF domain. The ~all qualifier means soft fail for unlisted servers. Use -all for hard fail.
Create a new TXT record. Set the Name/Host field to @ (root domain). Paste your SPF value into the Value/Text field. Save.
Use MXToolbox or run nslookup -type=txt yourdomain.com to confirm the record is live.
Most email service providers (Google Workspace, Microsoft 365, Mailchimp) have built-in DKIM key generation. Log in, navigate to email authentication settings, and generate a new DKIM key. Use 2048-bit for stronger security.
Your ESP will provide a selector name and a public key. The public key will look something like:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN... Log in to your registrar or DNS provider and navigate to DNS management.
Create a new TXT record. In the Name/Host field, enter your selector followed by ._domainkey — for example, if your selector is mail, enter mail._domainkey. Paste the full public key value into the Value/Text field. Save.
Use MXToolbox or your ESP's built-in validation tool to confirm the DKIM record is live.
Return to your ESP's control panel and enable DKIM signing for your domain. This tells your ESP to sign outgoing emails with the private key that matches your published public key.
DMARC tells receiving mail servers what to do when an email fails SPF and DKIM checks. Three policy options:
none — take no action, just reportquarantine — send to spamreject — reject the email outrightA basic DMARC record:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com Replace yourdomain.com with your actual domain. Start with p=none if you're not confident about your SPF/DKIM setup — you can tighten the policy later.
Log in to your registrar or DNS provider.
Create a new TXT record. Set the Name/Host field to _dmarc. Paste your DMARC policy into the Value/Text field. Save.