Configure all three email authentication records correctly — in under 15 minutes — and permanently improve your inbox placement. No technical background required.
In 2024, Google and Yahoo issued a joint mandate: senders who send more than 5,000 emails/day must have SPF, DKIM, and DMARC configured or their emails will be rejected. But even for smaller senders, these records are critical.
Without authentication, ISPs have no way to verify that emails claiming to come from your domain actually do. Spammers regularly forge sender addresses — so inbox providers have learned to distrust unauthenticated email by default.
| Record | What It Does | Who Checks It | Priority |
|---|---|---|---|
| SPF | Authorizes which IP addresses can send email for your domain | Every receiving mail server | Required |
| DKIM | Cryptographically signs outgoing email to prove it wasn't tampered with | Gmail, Outlook, Yahoo — all major ISPs | Required |
| DMARC | Policy that ties SPF and DKIM together and tells ISPs what to do with failures | Gmail, Outlook, Yahoo — enforced for bulk senders | Strongly Recommended |
| BIMI | Displays your brand logo in supported inboxes (Gmail, Yahoo) | Gmail, Apple Mail, Yahoo | Optional |
SPF (Sender Policy Framework) is a DNS TXT record that lists every IP address authorized to send email on behalf of your domain. When a receiving mail server gets a message from you, it checks your DNS to see if the sending IP is on the list.
- v=spf1 — Declares this is an SPF record (always the first tag)
- include:smtp.turumail.com — Authorizes TuruMail's sending IPs
- ip4:1.2.3.4 — Directly authorize a specific IP address
- ~all — Soft fail for IPs not on the list (recommended for initial setup)
- -all — Hard fail for IPs not on the list (use after DMARC is proven working)

include: statements (multiple ESPs, Google Workspace, etc.), you'll exceed this limit and cause SPF failures. Use our SPF flattening tool to stay under the limit.

DKIM (DomainKeys Identified Mail) uses public-key cryptography. TuruMail generates a private/public key pair. The private key stays on our servers and signs every outgoing email. The public key goes in your DNS so receiving servers can verify the signature.
In your TuruMail dashboard, go to Settings → Domain Authentication → DKIM Keys. If you haven't added a domain yet, click "Add Sending Domain" first and enter your domain name.
Click "Generate New DKIM Key". Select 2048-bit (not 1024-bit — longer keys are required by most enterprise mail servers in 2026). TuruMail will generate a unique key pair and show you the public key value to add to DNS.
Copy the DNS record values from TuruMail and add them to your domain's DNS provider (Cloudflare, GoDaddy, Namecheap, AWS Route 53, etc.). The record format is:
The turumail._domainkey part is the DKIM selector — TuruMail sets this automatically. If you use multiple sending services, each gets a unique selector.
DNS changes typically propagate within 5–30 minutes, though it can take up to 48 hours in rare cases. In your TuruMail dashboard, click "Verify DKIM" to check if the record has propagated correctly. You'll see a green checkmark when it's live.
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells inbox providers what to do when an email fails SPF or DKIM alignment — and sends you reports so you can monitor spoofing attempts.
Always start with p=none (monitoring only) and only upgrade to p=quarantine or p=reject after 2–4 weeks of reviewing your DMARC reports.
- p=none — Monitor only. All emails are delivered as normal regardless of authentication result. Review daily DMARC reports.
- p=quarantine; pct=25 — Quarantine 25% of failing emails. Increase percentage weekly as you verify legitimate sources.
- p=reject — Reject all failing emails. Maximum domain protection. Required for BIMI.

rua tag to send reports to TuruMail (use rua=mailto:dmarc-reports@turumail.com,mailto:your@email.com), we automatically parse, visualize, and alert you to suspicious sources in your TuruMail dashboard.

After adding all three records, verify they're working correctly using these tools and methods:
Cause: Your SPF record has more than 10 DNS lookup mechanisms (include:, a:, mx:). Fix: Use our SPF flattening tool to replace nested includes with raw IP addresses, reducing lookup count to under 10.
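To see how nested includes push a record past the 10-lookup limit, the sketch below counts lookups recursively. It is an added example, not TuruMail's flattening tool; every TXT record in `SAMPLE_TXT` is constructed for illustration (including the content shown for smtp.turumail.com), and `count_lookups` and `over_limit` are hypothetical helper names.

```python
# Terms that cost one DNS lookup each during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10

# Constructed TXT records for illustration; not real DNS data.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:smtp.turumail.com include:_spf.crm.example "
                   "include:_spf.helpdesk.example a mx ip4:1.2.3.4 ~all",
    "smtp.turumail.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_n1.crm.example include:_n2.crm.example "
                        "include:_n3.crm.example -all",
    "_n1.crm.example": "v=spf1 ip4:198.51.100.0/26 -all",
    "_n2.crm.example": "v=spf1 ip4:198.51.100.64/26 -all",
    "_n3.crm.example": "v=spf1 ip4:198.51.100.128/26 -all",
    "_spf.helpdesk.example": "v=spf1 include:_n1.helpdesk.example "
                             "include:_n2.helpdesk.example mx -all",
    "_n1.helpdesk.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "_n2.helpdesk.example": "v=spf1 ip4:203.0.113.128/25 -all",
    # The same record with the two nested include chains replaced by raw IP ranges.
    "flat.example.com": "v=spf1 include:smtp.turumail.com a mx ip4:198.51.100.0/24 "
                        "ip4:203.0.113.0/24 ip4:1.2.3.4 ~all",
}

def count_lookups(domain, txt, path=()):
    """Count the DNS lookups needed to evaluate domain's SPF record, following includes."""
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], txt, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]              # "a/24" counts as "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name == "include":              # the included record's lookups count too
                total += count_lookups(target, txt, path + (domain,))
    return total

def over_limit(domain, txt=SAMPLE_TXT):
    return count_lookups(domain, txt) > SPF_LOOKUP_LIMIT
```

Against live DNS, the same function works if `txt` is filled from real TXT lookups; ip4, ip6 and all never count toward the limit.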
Cause: Usually means the public key in DNS doesn't match the private key TuruMail is using to sign — this happens if you regenerated keys without updating DNS. Fix: Generate a new key pair in TuruMail and update the DNS record. Allow 30 min for propagation.
Cause: SPF and DKIM are passing but the "From" domain doesn't align with either. DMARC requires alignment (the From domain must match the SPF or DKIM domain). Fix: Ensure your TuruMail sending domain exactly matches your From address domain.
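The alignment failure described above can be reproduced from a message's headers. This added example (not TuruMail code) reads a constructed Authentication-Results header and compares the authenticated domains with the From domain; it goes slightly beyond the text by showing both relaxed and strict alignment. The sample domains are placeholders, and `org_domain` assumes the organizational domain is the last two labels, where real receivers consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message headers for illustration (all domains are placeholders).
MISALIGNED = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.esp-shared.example;
 dkim=pass header.d=esp-shared.example
From: Newsletter <news@example.com>
Subject: sample

body
"""
# Same message, but signed with a DKIM domain under the From domain.
ALIGNED = MISALIGNED.replace("header.d=esp-shared.example", "header.d=mail.example.com")

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    if strict:                                   # strict: exact match required
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(raw, strict=False):
    """DMARC passes only if SPF or DKIM both passes AND aligns with the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(msg["Authentication-Results"].split())   # unfold the header
    checks = {}
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        m = re.search(rf"\b{method}=(\w+)[^;]*?\b{re.escape(prop)}=([^\s;]+)", results)
        verdict, domain = (m.group(1), m.group(2).rpartition("@")[2]) if m else ("none", "")
        checks[method] = verdict == "pass" and aligned(domain, from_domain, strict)
    return {"from": from_domain, **checks, "dmarc": "pass" if any(checks.values()) else "fail"}
```

`dmarc_result(MISALIGNED)` fails even though both checks report pass, while `ALIGNED` passes under relaxed alignment and fails under strict, because mail.example.com is not an exact match for example.com.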
Authentication is necessary but not sufficient for inbox placement. If all three records pass but you're still hitting spam, the issue is likely your IP reputation, content triggers, or list quality. Start with our Spam Testing Guide and IP Warmup Guide.
TuruMail generates your DKIM keys, guides you through DNS setup, and verifies everything — no technical expertise required.